of 11

206622186 29423055 Graphical Password Authentication

Published on 2 weeks ago | Categories: Documents | Downloads: 5 | Comments: 0






 A Paper Presentation on




The most common common computer computer authenticat authentication ion method is to use

alphanumeri alphan umerical cal usernames and passwords. passwords. This method has been shown to have significant drawbacks. For example, users tend to pick passwords that can be easily guessed. On the other hand, if a password is hard to guess, then it is often hard to remember.   To address this problem, some researchers have developed authentication methods that use pictures as passwords. In this paper, we conduct a compre comprehen hensiv sivee survey survey of the existi existing ng graphi graphical cal passwo password rd techni technique ques. s. We classify these techniques into two categories: recognition-based and recall-based approaches. We discuss the strengths and limitations of each method and point out the future research directions in this area.   We also try to answer two important questions: “Are graphical  passwords as secure as text-based passwords?”; “What are the major design d esign and implementation issues for graphical passwords”. In this paper , we are conducting a comprehensi comprehensive ve survey of existing existing graphical graphical image image password password authentication authentication tech techni niqu ques es.A .Als lso o we ar aree he here re prop propos osin ing g a ne new w te tech chni niqu quee fo forr gr grap aphi hica call authentication.



2 authentication

method odss,



 biometrics, have been used. In this  paper, however, we will focus on anothe ano therr alt altern ernati ative: ve: using using pictur pictures es as  passwords. Graphical password schemes have been  proposed as a possible alternative to text-based schemes, motivated partially  by the fact that humans can remember  pictures better than text; psychological st stud udie iess

supp suppor orts ts

such such

as assu sump mpti tion on..

Pi Pict ctur ures es ar aree ge gene nera rall lly y ea easi sier er to be


remembered or recognized than text. In

Human factors are often considered the

ad addi diti tion on,, if th thee nu numb mber er of po poss ssib ible le  pictures is sufficiently large, the possible

weake wea kest st link link in a co comp mpute uterr se secu curi rity ty sy syst stem em.. po poin into tout ut that that ther theree ar aree thre threee major ma jor area areass

wher wheree

hu huma man-c n-com omput puter er

interaction inter action is important: important: authenticat authentication, ion, secu securi rity ty

op oper erat atio ions ns,,

an and d

deve develo lopi ping ng

secure systems. Here we focus on the authe aut hent ntic icat atio ion n

probl problem em.O .On n

the the other other

hand, passwords that are hard to guess or  break are often hard to remember. Studies showed that since user can only remember





 passwords, they tend to write them down or will will us usee the the sa same me pa pass sswo word rdss for for diff differ eren entt

ac acco coun unts ts..


ad addr dres esss

the the

 problems with traditional username password


 password space of a


 password scheme may exceed that of text-based schemes and thus presumably of offe ferr be bett tter er re resi sist stanc ancee to di dict ctio iona nary ry att attack acks. s. Becaus Becausee of these these advanta advantages ges,, there is a growing interest in gr grap aphi hica call

pa pass sswo word rd..

In ad addi diti tion on


workstation and web log-in applications, gr grap aphi hical cal pa pass sswor words ds have have al also so be been en applie app lied d to ATM machines machines and mobile mobile devices. In






compre com prehens hensive ive survey survey ofthe ofthe existi existing ng graphical password techniques. We will discuss the strengths and limitations of

alternative each method and also point out future




research directions in this area. In this

this approach is that such systems can be

 paper, we want to answer the following

expensive, and the identification process


can be slow and often unreliable.


 Are

graphical passwords as secure

However, this type of technique provides he highest level of security.

as text passwords?   What

are the major design and implementation issues for graphical  passwords?

Knowledge based techniques are the most widely used authentication techniques and include both text-based

Ove rview Overvi ew of the Aut Authen hentic ticati ation on Methods: Current authentication methods can be

 picture-based techniques can be further divided into two categories: recognition-

divided into

 based and recall-based graphical

Three main areas:  Token

and picture-based passwords. The


techniques, a user is presented with a set of images and the user passes the

authentication  Biometric

techniques. Using recognition-based


authentication  Knowledge

authentication by recognizing and identifying the images he or she selected


authentication Token based techniques, such as key cards, bank cards and smart cards are widely used. Many token-based authentication systems also use knowledge based techniques to enhance

during the registration stage. Using recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage.

Recognition Based Techniques

security. For example, ATM cards are

Dhamija and Perrig proposed a

generally used together with a PIN

graphical authentication scheme based


on the HashVisualization technique . In their system, the user is asked to select a

Biometric based authentication

certain number of images from a set of

techniques, such as fingerprints, iris

random pictures generated by a

scan, or facial recognition, are not yet

 program . Later, the user will be required

widely adopted. The major drawback of




to identify the pre selected images in

authenticated, a user needs to recognize

order to be authenticated. The results

 pass-objects and click inside the convex

showed that 90% of all participants

hull formed by all the pass-objects.In

succeeded in the authentication using

order to make the password hard to

this technique, while only 70%

guess, Sobrado and Birget suggested

succeeded using text-based passwords

using 1000 objects, which makes the

and PINS. The average log-in time,

display very crowded and the objects

however, is longer than the traditional

almost indistinguishable, but using fewer

approach. A weakness of this system is

objects may lead to a smaller password

that the server needs to store the seeds of

space, since the resulting convex hull

the portfolio images of each user in plain

can be large. In their second algorithm, a

text. Also, the process of selecting a set

user moves a frame (and the objects

of pictures from the picture database can

within it) until the pass object on the

 be tedious and time consuming for the user.

frame lines up with the other two passobjects. The authors also suggest repeating the process a few more times to minimize the likelihood of logging in  by randomly clicking or rotating. The main drawback of these algorithms is that the log in process can be slow.


Random images used by Dhamija and Perrig

Sobrado and Birget developed a graphical password technique that deals with the shoulder-surfing problem. In the first scheme, the system will will display a

A shoulder-surfing resistant graphical password scheme

number of pass-objects (pre-selected by user) among many other objects. To be

Man, et al. proposed another shoulder-


  surfing resistant algorithm. In this

5  passwords.

algorithm, a user selects a number of  pictures as pass-objects. Each passobject has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each An example of Passfaces

scene contains several pass-objects (each in the form of a randomly chosen

Jansen et al proposed a graphical

variant) and many decoy-objects. The

 password mechanism for mobile

user has to type in a string with the

device .during the

unique codes corresponding to the pass-

enrollment stage, a user selects a theme

object variants present in the scene as

(e.g. sea, cat, etc.) which consists of

well as a code indicating the relative location of the pass-objects in reference

thumbnail p  


to a pair of eyes. The argument is that it is very hard to crack this kind of


 password even if the whole authentication process is recorded on video because where is no mouse click to give away the pass-object information. However,

 photos and then registers a

this method still requires users to

sequence of images as a password

memorize the alphanumeric code for

.During the authentication, the user

each pass-object variant. Hong, et al.

must enter the registered images in the

later extended this approach to allow the

correct sequence. One drawback of

user to assign their own codes to pass-

this technique is that since the number

object variants. However, this method

of thumb nail images is limited to 30,

still forces the user to memorize many

the password space is small. Each

text strings and therefore suffer from the

thumbnail image is assigned a

many drawbacks of text-based

numerical value, and the sequence of



6 selection will generate a numerical

authentication, the user is asked to re-

 password. The result showed that the

draw the picture. If the drawing touches

image sequence length was generally

the same grids in the same sequence,

shorter than the textural password

then the user is authenticated. Jermyn, et

length. To address this problem, two


 pictures can be combined to compose a

suggested that given reasonable-length

new alphabet element, thus expanding

 passwords in a 5 X 5 grid, the full

the image alphabet size.

 password space of DAS is larger than that of the full text password space.


Reproduce a drawing:



Draw-a-Secret (DAS) technique proposed by Jermyn, et al

 Nali and Thorpe conducted further A graphical password scheme proposed by Jansen, et al

analysis of the “Draw-A-Secret (DAS)” scheme. In their study, users were asked

Jermyn, et al. proposed a technique,

to draw a DAS password on paper in

called “Draw - a - secret (DAS)”, which

order to determine if there are

allows the

 predictable characteristics in the

user to draw their unique password .A

graphical passwords that people choose.

user is asked to draw a simple picture on

The study did not find any predictability

a 2D

in the start and end points for DAS

grid. The coordinates of the grids

 password strokes, but found that certain

occupied by the picture are stored in the

symmetries (e.g. crosses and rectangles),

order of the drawing. During

letters, and numbers were common. The




“PassPoint” system by Wiedenbeck, et

. Here we are poposing a new algorithm

al. extended Blonder’s idea by


eliminating the predefined boundaries

images.when a ;user tries to register over

and allowing arbitrary images to be

a network we will ask him or her to selet

used. As a result, a user can click on any

a theme or sequence of pictures from

 place on an image (as opposed to some

al alre ready ady gi give ven n im image age fr fram ame. e.Th Thee lo loca call host downloads an image frame which

 pre-defined areas) to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated,

auth authen enti tica cattion

usi using

gr grap aphi hica call

contains various themes of sequence of  pictures which act as passwords,these are given by server. Since any image is

the user must click within the tolerance

made of pixels we have its gray level

of their chosen pixels and also in the

concentration. In this way the image will

correct sequence . This technique is

 be distorted and cant be in original

 based on the discretization method

form form.s .so o it is not not ea easy sy fo forr ha hack cker er to

 proposed by Birget, et al. . Because any  picture can be used and because a

reproduce the original form of image. The flow chart of the proposed technique

 picture may contain hundreds to thousands of memorable points, the  possible password space is quite large.

is given below. Step 1:User will select an image from data base as  password

Step 8 User will allow sufing on website

Other wise go Step 2:Image clustering will takes  place

An image used in the Passpoint Sytem, Wiedenbeck, et al

Step 3:Distributes the clusters throughout image space

If  passwor  d mathces

Step 7: image gets compared to original

New Technique For Graphical Password Authentica Authentication tion

Step 4:password stores as encrypted

Step 6 Server reproduce encrypted image using neural networks

to 5 step




Step 5:For login user wll again asked to  pick up an image from database


Block diagram for the New Technique Is a graphical password as secure as text-based password? Very Ver y litt little le rese resear arch ch ha hass be been en do done ne to study the difficulty of cracking graphical  passwords. Because graphical passwords are not widely used in practice, there is no repo report rt on re real al ca case sess of brea breaki king ng






automatical autom atically ly generate generate accurate accurate mouse mouse motion to imitate human input, which is  particularly difficult for recall based graphical passwords. Overall, we believe a graphical password is less vulnerable to brute force attacks than a text-based  password.

Dictionary attacks

graphi gra phical cal passwo passwords rds.. Here Here we briefl briefly y

Since recognition based graphical

exam some some of the possib possible le techni techniques ques

 passwords involve mouse input instead

for breaking graphical passwords and try

of keyboard input, it will be impractical

to do a co comp mpar aris ison on with with te text xt-b -bas ased ed

to carry out dictionary attacks against


this type of graphical passwords. For

Brute force search

some recall basedgraphical passwords it

The main main defens defensee against against brute brute force force sear search ch is to ha have ve a su suff ffic icie ient ntly ly la larg rgee  password space. Text-based passwords have a password space of 94^N, where  N is the length of the password, 94 is the number of Printable characters excluding

is possible to use a dictionary attack but an automated dictionary attack will be much more complex than a text based dictionary attack. More research is needed in this area. Overall, we believe graphical  passwords are less vulnerable to

SPACE. SPAC E. Some Some grap graphi hica call pa pass sswo word rd techniques have been shown to provide a  password space similar to or larger than that




Recognition Recogni tion based graphical graphical passwords passwords tend ten d to have small smaller er passwo password rd spaces spaces than the recall based methods. It is more difficult to carry out a brute forc forcee aatt ttac ack k aga again inst st

dictionary attacks than text-based  passwords.

Guessing Unfortunately, it seems that graphical  passwords are often predictable, a serious problem typically associated with text-based passwords. For example, studies on the Passface technique have

grap graphi hica call

 passwords than text-based passwords.

shown that people often choose weak


and predictable graphical passwords.

involving only a small number of users.

 Nali and Thorpe’s study revealed

We still do not have convincing

similar predictability among the

evidence demonstrating that graphical

graphical passwords created with the

 passwords are easier to remember than

DAS technique . More research efforts

text based passwords.

are needed to understand the nature of graphical passwords created by real

A major complaint among the users of

world users.

graphical passwords is that the password

Shoulder surfing  

Like text based passwords, most of

registration and log-in process take too long, especially in recognition-based

the graphical passwords are vulnerable

approaches. For example, during the

to shoulder surfing. At this point, only a

registration stage,a user has to pick

few recognition-based techniques are

images from a large set of selections.

designed to resist shoulder-surfing .  None of the recall-based based

During authentication stage, a user has to scan many images to identify a few

techniques are considered


should-surfing resistant.

Users may find this process long and tedious. Because of this and also because

What are the major design and implementation implement ation issues of graphical passwords ?

most users are not familiar with the graphical passwords, they often find graphical passwords less convenient than

 Security In the above section, we have briefly examined thesecurity issues with graphical passwords.


text based passwords.

 Reliability The major design issue for recall-based methods is the reliability and accuracy of

One of the main arguments for graphical

user input recognition. In this type of

 passwords is that pictures are easier to

method, the error tolerances have to be

remember than text strings. Preliminary


user studies presented in some research

carefully – overly high tolerances may

 papers seem to support this. However,

lead to many false positives while overly low tolerances may lead to many false

current user studies are still very limited,

negatives. In addition, the more error


tolerant the program, the more


vulnerable it is to attacks.

 preliminary analysis suggests that it is

 Storage and communication communication

mor oree

Graphical passwords require much more storage spacethan text based passwords.


di difffi ficu cult lt




br brea eak k


gr grap aphi hica call

 passwords using the traditional attack meth me thod odss su such ch as br brut utee fo forc rcee se sear arch ch,,

Tens of thousands of pictures may have to be maintained in a centralized

dictionary dicti onary attack,or attack,or spyware. spyware. However, However, since there is not yet wide deployment of

database. Network transfer delay is also


a concern for graphical passwords,

pa passsword

systems ems,


vulner vul nerabi abilit lities ies of graphi graphical cal passwo passwords rds

especially for recognition-based

are still not fully understood.

techniques in which a large number of

Overall, the current graphical password

 pictures may need to be displayed for

te techn chniq iques ues ar aree st stil illl im imma matu ture. re. Much Much

each round of verification.

more mo re re rese sear arch ch an and d us user er st stud udie iess ar aree



The past decade has seen a

needed for graphical password techni tec hniques ques to achieve achieve higher higher levels levels of

grow growin ing g inte intere rest st in us usin ing g grap graphi hica call

maturity and usefulness.

 passwords as an alternative to the


traditional text-based passwords. In this  paper,



com compreh prehen enssive grap graphi hica call curren cur rentt


su surrvey vey

pa pass sswo word rd


exi existi sting

te tech chni niqu ques es..

graphi graphical calpas passwo sword rd


The The

techni technique quess

can be classi classifi fied ed into into two catego categorie ries: s: reco recogn gnit itio ionn-ba base sed d

an and d

re reca call ll-b -bas ased ed

techniques.. Althou oug gh


main ain



graphi gra phical cal passw password ordss is that that people people are  better




 passwords than text-based passwords, the existing user studies are very limited and there is not yet convincing convincing evidence

[1] A. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI, Extended Abstracts (Workshops). Ft. Lauderdale, Florida, USA., 2003. [2] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures," Communications of the ACM , vol. 42, pp. 41-46, 1999. [3] K. Gilhooly, "Biometrics: Getting Back to Business," in Computerworld, May 09, 09, 2000.

Sponsor Documents


No recommend documents

Or use your account on DocShare.tips


Forgot your password?

Or register your new account on DocShare.tips


Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in