The most common computer authentication method is to use alphanumerical usernames and passwords. This method has been shown to have significant drawbacks. For example, users tend to pick passwords that can be easily guessed. On the other hand, if a password is hard to guess, then it is often hard to remember. To address this problem, some researchers have developed authentication methods that use pictures as passwords. In this paper, we conduct a comprehensive survey of the existing graphical password techniques. We classify these techniques into two categories: recognition-based and recall-based approaches. We discuss the strengths and limitations of each method and point out the future research directions in this area. We also try to answer two important questions: "Are graphical passwords as secure as text-based passwords?" and "What are the major design and implementation issues for graphical passwords?" Finally, we propose a new technique for graphical authentication.
Introduction:
Human factors are often considered the weakest link in a computer security system. Patrick et al. [1] point out that there are three major areas where human-computer interaction is important: authentication, security operations, and developing secure systems. Here we focus on the authentication problem. Users tend to pick passwords that are easy to remember and therefore easy to guess; on the other hand, passwords that are hard to guess or break are often hard to remember. Studies have shown that since users can only remember a limited number of passwords, they tend to write them down or to use the same passwords for different accounts [2]. To address the problems with traditional username and password authentication, alternative authentication methods, such as biometrics, have been used. In this paper, however, we focus on another alternative: using pictures as passwords.

Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text; psychological studies support this assumption. Pictures are generally easier to remember or recognize than text. In addition, if the number of possible pictures is sufficiently large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these advantages, there is a growing interest in graphical passwords. In addition to workstation and web log-in applications, graphical passwords have also been applied to ATM machines and mobile devices.

In this paper, we conduct a comprehensive survey of the existing graphical password techniques. We discuss the strengths and limitations of each method and also point out future research directions in this area. We want to answer the following questions: Are graphical passwords as secure as text passwords? What are the major design and implementation issues for graphical passwords?

Overview of the Authentication Methods:
Current authentication methods can be divided into three main areas: token based authentication, biometric based authentication, and knowledge based authentication.

Token based techniques, such as key cards, bank cards and smart cards, are widely used. Many token-based authentication systems also use knowledge based techniques to enhance security. For example, ATM cards are generally used together with a PIN.

Biometric based authentication techniques, such as fingerprints, iris scan, or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable [3]. However, this type of technique is generally considered to provide the highest level of security.

Knowledge based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords. The picture-based techniques can be further divided into two categories: recognition-based and recall-based graphical techniques. Using recognition-based techniques, a user is presented with a set of images and passes the authentication by recognizing and identifying the images he or she selected during the registration stage. Using recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage.

Recognition Based Techniques
Dhamija and Perrig proposed a graphical authentication scheme based on the Hash Visualization technique. In their system, the user is asked to select a certain number of images from a set of random pictures generated by a program. Later, the user is required to identify the pre-selected images in order to be authenticated. The results showed that 90% of all participants succeeded in the authentication using this technique, while only 70% succeeded using text-based passwords and PINs. The average log-in time, however, is longer than with the traditional approach. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user.

Figure: Random images used by Dhamija and Perrig.

Sobrado and Birget developed a graphical password technique that deals with the shoulder-surfing problem. In the first scheme, the system displays a number of pass-objects (pre-selected by the user) among many other objects. To be authenticated, a user needs to recognize the pass-objects and click inside the convex hull formed by all the pass-objects. In order to make the password hard to guess, Sobrado and Birget suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable; using fewer objects, however, may lead to a smaller password space, since the resulting convex hull can be large. In their second algorithm, a user moves a frame (and the objects within it) until the pass-object on the frame lines up with the other two pass-objects. The authors also suggest repeating the process a few more times to minimize the likelihood of logging in by randomly clicking or rotating. The main drawback of these algorithms is that the log-in process can be slow.

Figure: A shoulder-surfing resistant graphical password scheme.
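To make the convex-hull rule and its weakness concrete, here is an added example (not code from the paper or from Sobrado and Birget) that builds the hull of one round's pass-objects, checks whether a click falls inside it, and estimates how likely blind clicking is to be accepted. The display size, the pass-object coordinates and the round counts are constructed values chosen for the illustration.

```python
"""Convex-hull check for a Sobrado-Birget style pass-object scheme.

Added illustration, not code from the paper or from Sobrado and Birget.
Display size, pass-object coordinates and round counts are constructed for the example.
"""

# Constructed layout: one round's positions of the user's pass-objects on a 1000 x 1000 display.
WIDTH, HEIGHT = 1000, 1000
PASS_OBJECTS = [(100, 100), (900, 150), (850, 900), (120, 880), (500, 500)]


def _cross(o, a, b):
    """Z component of (a - o) x (b - o): positive when b lies to the left of the ray o -> a."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain. Returns the hull vertices in counter-clockwise order
    with collinear and interior points dropped; one or two distinct points are returned as-is."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower = []
    for p in pts:
        while len(lower) >= 2 and _cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper = []
    for p in reversed(pts):
        while len(upper) >= 2 and _cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_hull(hull, p):
    """True if p is inside or on the boundary of a counter-clockwise convex polygon.
    Fewer than three distinct pass-objects give a hull with no area, so nothing is accepted."""
    n = len(hull)
    if n < 3:
        return False
    return all(_cross(hull[i], hull[(i + 1) % n], p) >= 0 for i in range(n))


def hull_area(hull):
    """Shoelace formula for a simple polygon given as an ordered vertex list."""
    n = len(hull)
    twice = sum(hull[i][0] * hull[(i + 1) % n][1] - hull[(i + 1) % n][0] * hull[i][1]
                for i in range(n))
    return abs(twice) / 2.0


def authenticate_round(pass_object_positions, click):
    """One challenge round: the click must land inside the hull of the pass-objects."""
    return inside_hull(convex_hull(pass_object_positions), click)


def random_click_success(hull, width, height, rounds):
    """Probability that `rounds` independent uniformly random clicks all fall inside the
    hull: the chance of logging in by clicking blindly, which the authors reduce by
    repeating the challenge. A hull spanning most of the display makes a single round weak."""
    per_round = hull_area(hull) / float(width * height)
    return per_round ** rounds


if __name__ == "__main__":
    hull = convex_hull(PASS_OBJECTS)
    print("hull vertices:", hull)
    print("fraction of display inside hull: %.3f" % (hull_area(hull) / (WIDTH * HEIGHT)))
    for rounds in (1, 3, 5):
        print("%d round(s): random-click success %.4f"
              % (rounds, random_click_success(hull, WIDTH, HEIGHT, rounds)))
    print("click at (500, 500) accepted:", authenticate_round(PASS_OBJECTS, (500, 500)))
    print("click at (10, 990) accepted:", authenticate_round(PASS_OBJECTS, (10, 990)))
```

With these five objects the hull covers about 59% of the display, so a single random click is accepted more often than not, and even five rounds leave roughly a 7% chance of a blind login; that is the trade-off the paragraph describes between crowding the display with objects and leaving the hull large.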
Man et al. proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy-objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene, as well as a code indicating the relative location of the pass-objects with reference to a pair of eyes. The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video, because there is no mouse click to give away the pass-object information. However, this method still requires users to memorize the alphanumeric code for each pass-object variant. Hong et al. later extended this approach to allow the user to assign their own codes to pass-object variants. However, this method still forces the user to memorize many text strings and therefore suffers from many of the drawbacks of text-based passwords.

Figure: An example of Passfaces.

Jansen et al. proposed a graphical password mechanism for mobile devices. During the enrollment stage, a user selects a theme (e.g. sea, cat, etc.) which consists of thumbnail photos and then registers a sequence of images as a password. During authentication, the user must enter the registered images in the correct sequence. One drawback of this technique is that since the number of thumbnail images is limited to 30, the password space is small. Each thumbnail image is assigned a numerical value, and the sequence of selection generates a numerical password. The results showed that the image sequence length was generally shorter than the textual password length. To address this problem, two pictures can be combined to compose a new alphabet element, thus expanding the image alphabet size.

Figure: A graphical password scheme proposed by Jansen et al.

RECALL BASED
Reproduce a drawing:
Jermyn et al. proposed a technique, called "Draw-a-Secret (DAS)", which allows the user to draw their unique password. A user is asked to draw a simple picture on a 2D grid. The coordinates of the grid cells occupied by the picture are stored in the order of the drawing. During authentication, the user is asked to re-draw the picture. If the drawing touches the same grid cells in the same sequence, then the user is authenticated. Jermyn et al. suggested that given reasonable-length passwords in a 5 x 5 grid, the full password space of DAS is larger than that of the full text password space.

Figure: Draw-a-Secret (DAS) technique proposed by Jermyn et al.

Nali and Thorpe conducted further analysis of the DAS scheme. In their study, users were asked to draw a DAS password on paper in order to determine if there are predictable characteristics in the graphical passwords that people choose. The study did not find any predictability in the start and end points of DAS password strokes, but found that certain symmetries (e.g. crosses and rectangles), letters, and numbers were common.
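The following added example (not code from the paper or from Jermyn et al.) shows the DAS encoding described above: each stroke is reduced to the ordered list of grid cells it touches, strokes are separated by a pen-up marker, and the server stores only a hash of that sequence. The 5 x 5 grid, the drawings and the choice of SHA-256 are constructed assumptions for the illustration; the check that a stroke only moves between edge-adjacent cells is this example's way of rejecting under-sampled input, not a detail taken from the scheme.

```python
"""Encoding and verifying a Draw-a-Secret (DAS) password on an N x N grid.

Added illustration, not code from the paper or from Jermyn et al. The grid size, the
drawings and the use of SHA-256 for the stored value are constructed choices.
"""
import hashlib

PEN_UP = (-1, -1)  # separator recorded after each stroke; DAS stores strokes in drawing order

# Constructed drawings on a 5 x 5 grid over a 100 x 100 drawing area.
GRID, SIZE = 5, 100.0
REGISTERED = [
    [(10, 10), (10, 30), (10, 50), (10, 70), (30, 70), (50, 70)],  # an "L" shape
    [(70, 10), (70, 30)],                                          # a short separate bar
]
REDRAWN_OK = [  # same cells in the same order, different exact coordinates
    [(15, 5), (12, 35), (8, 55), (5, 75), (28, 72), (55, 78)],
    [(75, 15), (62, 30)],
]
REDRAWN_BAD = [  # the "L" turns one cell too early
    [(10, 10), (10, 30), (10, 50), (30, 50)],
    [(70, 10), (70, 30)],
]


def stroke_to_cells(stroke, grid, size):
    """Map one stroke, a list of (x, y) points in [0, size), to the grid cells it visits
    in order. Consecutive points in the same cell collapse to one entry. A pen moves
    continuously, so consecutive cells must share an edge; a jump means the input was
    sampled too sparsely and is rejected rather than silently mis-encoded."""
    cells = []
    for x, y in stroke:
        if not (0 <= x < size and 0 <= y < size):
            raise ValueError("point (%r, %r) is outside the drawing area" % (x, y))
        cell = (int(x * grid / size), int(y * grid / size))
        if cells and cells[-1] == cell:
            continue
        if cells and abs(cell[0] - cells[-1][0]) + abs(cell[1] - cells[-1][1]) != 1:
            raise ValueError("stroke jumps from %r to %r; sample the stroke more densely"
                             % (cells[-1], cell))
        cells.append(cell)
    return cells


def encode(strokes, grid, size):
    """Full DAS secret: the cells of each stroke in drawing order, PEN_UP after each stroke.
    Drawing the same shape as two strokes instead of one yields a different secret."""
    secret = []
    for stroke in strokes:
        secret.extend(stroke_to_cells(stroke, grid, size))
        secret.append(PEN_UP)
    return secret


def digest(secret):
    """The server only needs a hash of the cell sequence, not the drawing itself."""
    serialised = ";".join("%d,%d" % cell for cell in secret).encode("ascii")
    return hashlib.sha256(serialised).hexdigest()


def register(strokes, grid, size):
    return digest(encode(strokes, grid, size))


def verify(stored_digest, strokes, grid, size):
    """Authenticate iff the re-drawn picture touches the same cells in the same sequence."""
    try:
        return digest(encode(strokes, grid, size)) == stored_digest
    except ValueError:
        return False


if __name__ == "__main__":
    stored = register(REGISTERED, GRID, SIZE)
    print("encoded secret:", encode(REGISTERED, GRID, SIZE))
    print("stored digest:", stored)
    print("redrawn (same cells):", verify(stored, REDRAWN_OK, GRID, SIZE))
    print("redrawn (wrong turn):", verify(stored, REDRAWN_BAD, GRID, SIZE))
```

Because DAS compares cell sequences exactly, a re-drawing that wanders anywhere within the same cells is accepted, while crossing into a neighbouring cell at any point, or splitting one stroke into two, produces a different secret and is rejected.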
The "PassPoints" system by Wiedenbeck et al. extended Blonder's idea by eliminating the predefined boundaries and allowing arbitrary images to be used. As a result, a user can click on any place on an image (as opposed to some pre-defined areas) to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, the user must click within the tolerance of their chosen pixels and also in the correct sequence. This technique is based on the discretization method proposed by Birget et al. Because any picture can be used and because a picture may contain hundreds to thousands of memorable points, the possible password space is quite large.

Figure: An image used in the PassPoints system, Wiedenbeck et al.
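The tolerance check just described, and the reason the scheme needs a discretization method rather than plain grid snapping, can be seen in the following added example (not code from the paper or from Wiedenbeck et al.). It compares a direct distance check against stored click-points with a hashed check over snapped cells; the image size, the click coordinates and the tolerances are constructed values, and the snapping used here is a deliberately simple stand-in, not the Birget et al. discretization.

```python
"""Click-point verification with a tolerance, in the style of PassPoints.

Added illustration, not code from the paper or from Wiedenbeck et al. The grid snapping
in the second half is a deliberately simple stand-in, not the Birget et al. discretization
the paper refers to; it is here to show the problem that discretization has to solve.
Image size, click coordinates and tolerances are constructed values.
"""
import hashlib
import math

# Constructed registration: five click-points on an 800 x 600 image, in order.
REGISTERED = [(59, 40), (310, 210), (410, 95), (650, 490), (130, 510)]
# Constructed login attempts.
ATTEMPT_CLOSE = [(55, 45), (305, 215), (405, 90), (655, 485), (125, 515)]   # all within 8 px
ATTEMPT_BOUNDARY = [(61, 40), (310, 210), (410, 95), (650, 490), (130, 510)]  # 2 px off, over a cell edge
ATTEMPT_WRONG_ORDER = list(reversed(REGISTERED))                             # right points, wrong sequence
ATTEMPT_NEAR_MISS = [(75, 40), (310, 210), (410, 95), (650, 490), (130, 510)]  # first click 16 px off


def within_tolerance(stored_points, clicks, tol):
    """Direct check: same number of clicks, each within `tol` pixels of the registered point
    at the same position in the sequence. Simple, but the server must keep the points."""
    if len(stored_points) != len(clicks):
        return False
    return all(math.dist(s, c) <= tol for s, c in zip(stored_points, clicks))


def snap(point, cell):
    """Quantise a click to a grid cell of side `cell` so that equivalent clicks hash alike."""
    return (point[0] // cell, point[1] // cell)


def digest(cells):
    return hashlib.sha256(";".join("%d,%d" % c for c in cells).encode("ascii")).hexdigest()


def register_hashed(points, cell):
    """Store only a hash of the snapped click sequence; no plaintext points on the server."""
    return digest([snap(p, cell) for p in points])


def verify_hashed(stored_digest, clicks, cell):
    return digest([snap(c, cell) for c in clicks]) == stored_digest


def acceptance_outcomes(stored_points, attempts, tol, cell):
    """Run both checks over the same attempts. Returns (within_tolerance, hashed_match) per
    attempt; a (True, False) pair is a legitimate user falsely rejected because one click
    landed just across a cell boundary, the case robust discretization exists to fix."""
    stored_digest = register_hashed(stored_points, cell)
    return [(within_tolerance(stored_points, a, tol), verify_hashed(stored_digest, a, cell))
            for a in attempts]


if __name__ == "__main__":
    attempts = [ATTEMPT_CLOSE, ATTEMPT_BOUNDARY, ATTEMPT_WRONG_ORDER, ATTEMPT_NEAR_MISS]
    for name, outcome in zip(["close", "boundary", "wrong order", "near miss"],
                             acceptance_outcomes(REGISTERED, attempts, tol=10, cell=20)):
        print("%-12s distance check: %-5s  hashed check: %s" % (name, outcome[0], outcome[1]))
    # Loosening the tolerance accepts the near miss: the false-positive side of the trade-off.
    print("near miss with tol=20:", within_tolerance(REGISTERED, ATTEMPT_NEAR_MISS, 20))
```

The distance check behaves as the paragraph describes, accepting the close attempt and rejecting the wrong order and the near miss, and loosening the tolerance from 10 to 20 pixels turns the near miss into an accepted login. The hashed variant avoids storing the points in clear but, with naive snapping, rejects the boundary attempt even though it is only 2 pixels away; a robust discretization is what lets hashed storage and a tolerance coexist.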
New Technique For Graphical Password Authentication
Here we propose a new algorithm for authentication using graphical images. When a user tries to register over a network, we ask him or her to select a theme or a sequence of pictures from an image frame that is already provided. The local host downloads an image frame, supplied by the server, which contains various themes of picture sequences that act as passwords. Since any image is made of pixels, its gray-level distribution is available; the image is then distorted (clustered and redistributed, as in the steps below) rather than kept in its original form, so it is not easy for an attacker to reproduce the original image. The flow chart of the proposed technique is given below.

Step 1: The user selects an image from the database as the password.
Step 2: Image clustering takes place.
Step 3: The clusters are distributed throughout the image space.
Step 4: The password is stored in encrypted form.
Step 5: For login, the user is again asked to pick an image from the database.
Step 6: The server reproduces the encrypted image using neural networks.
Step 7: The image is compared with the original.
Step 8: If the password matches, the user is allowed to browse the website; otherwise, return to Step 5.

The description does not specify the clustering method, the encryption scheme, or how the comparison in Step 7 tolerates the distortion introduced in Steps 2 and 3.
Figure: Block diagram for the New Technique.

Is a graphical password as secure as a text-based password?
Very little research has been done to study the difficulty of cracking graphical passwords. Because graphical passwords are not widely used in practice, there are no reports of real cases of breaking graphical passwords. Here we briefly examine some of the possible techniques for breaking graphical passwords and try to compare them with text-based passwords.

Brute force search
The main defense against brute force search is to have a sufficiently large password space. Text-based passwords have a password space of 94^N, where N is the length of the password and 94 is the number of printable ASCII characters excluding space. Some graphical password techniques have been shown to provide a password space similar to or larger than that of text-based passwords. Recognition based graphical passwords tend to have smaller password spaces than the recall based methods. It is more difficult to carry out a brute force attack against graphical passwords than against text-based passwords, because the attack programs need to automatically generate accurate mouse motion to imitate human input, which is particularly difficult for recall based graphical passwords. This argument assumes that the attacker must drive the graphical interface; an attacker who can submit the selected image identifiers or click coordinates directly to the server is limited only by the size of the password space. Overall, we believe a graphical password is less vulnerable to brute force attacks than a text-based password.

Dictionary attacks
Since recognition based graphical passwords involve mouse input instead of keyboard input, it is impractical to carry out a conventional dictionary attack against this type of graphical password. For some recall based graphical passwords it is possible to use a dictionary attack, but an automated dictionary attack will be much more complex than a text based dictionary attack. More research is needed in this area. Overall, we believe graphical passwords are less vulnerable to dictionary attacks than text-based passwords.

Guessing
Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically associated with text-based passwords. For example, studies on the Passfaces technique have shown that people often choose weak and predictable graphical passwords. Nali and Thorpe's study revealed similar predictability among the graphical passwords created with the DAS technique. More research efforts are needed to understand the nature of graphical passwords created by real world users.

Shoulder surfing
Like text based passwords, most of the graphical passwords are vulnerable to shoulder surfing. At this point, only a few recognition-based techniques are designed to resist shoulder surfing. None of the recall-based techniques are considered shoulder-surfing resistant.
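The password-space comparison underlying the brute force and dictionary discussion above can be worked out concretely. The following is an added example, not from the paper: the 94-character alphabet and the 30-thumbnail limit of Jansen et al. come from the text, while the other parameters (images per screen, number of screens, click tolerance, guess rate) are constructed assumptions for the illustration.

```python
"""Password-space arithmetic behind the brute-force comparison.

Added illustration, not from the paper. The 94-character alphabet and the 30-thumbnail
limit of Jansen et al. come from the text; the other scheme parameters (images per
screen, number of screens, click tolerance, guess rate) are constructed assumptions.
"""
import math

TEXT_ALPHABET = 94  # printable ASCII characters excluding space, as in the text


def text_space(length, alphabet=TEXT_ALPHABET):
    """Number of text passwords of exactly `length` characters: alphabet ** N."""
    return alphabet ** length


def recognition_space(images_per_screen, pass_images_per_screen, screens):
    """Recognition-based scheme: each screen shows `images_per_screen` images of which
    `pass_images_per_screen` belong to the user, and a guesser must pick the right subset
    on every screen. Positions carry no information, so each screen contributes C(n, k)."""
    return math.comb(images_per_screen, pass_images_per_screen) ** screens


def sequence_space(alphabet_size, length):
    """Ordered selection with repetition, e.g. a sequence of thumbnails (Jansen et al.)."""
    return alphabet_size ** length


def click_space(width, height, tolerance, clicks):
    """Cued-recall click scheme: clicks closer than `tolerance` are indistinguishable, so
    the image is tiled by cells of side 2 * tolerance and each click selects one cell."""
    regions = (width // (2 * tolerance)) * (height // (2 * tolerance))
    return regions ** clicks


def bits(space):
    """Entropy of a uniformly chosen secret from `space` possibilities."""
    return math.log2(space)


def equivalent_text_length(space, alphabet=TEXT_ALPHABET):
    """Length of a uniformly random text password with the same number of possibilities."""
    return math.log(space) / math.log(alphabet)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every possibility at a fixed guess rate, which is the bound
    once the interface is driven programmatically rather than by generated mouse motion."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second=1000):
    """Spaces for the kinds of schemes discussed, at constructed parameters.
    Returns name -> (space, bits, equivalent text length, years to exhaust)."""
    schemes = {
        "text, 8 characters": text_space(8),
        "recognition, 1 of 9 faces x 5 screens": recognition_space(9, 1, 5),
        "recognition, 3 of 25 images x 3 screens": recognition_space(25, 3, 3),
        "sequence, 30 thumbnails x 6": sequence_space(30, 6),
        "clicks, 800x600 image, tolerance 10, 5 clicks": click_space(800, 600, 10, 5),
    }
    return {name: (space, bits(space), equivalent_text_length(space),
                   years_to_exhaust(space, guesses_per_second))
            for name, space in schemes.items()}


if __name__ == "__main__":
    for name, (space, b, eq_len, years) in compare().items():
        print("%-46s %22d  %5.1f bits  ~%4.1f text chars  %.2e years at 1000/s"
              % (name, space, b, eq_len, years))
```

At these parameters the recognition-based schemes come out far below an 8-character text password (five screens of nine faces is about 16 bits, roughly a 2.4-character text password), the 30-thumbnail sequence sits in between, and the click-based scheme approaches the text space only because the tolerance is small; raising the tolerance shrinks the number of distinguishable cells and the space with it, which is the link to the reliability trade-off discussed later.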
What are the major design and implementation issues of graphical passwords?

Security
In the above section, we briefly examined the security issues with graphical passwords. Our preliminary analysis suggests that it is more difficult to break graphical passwords using the traditional attack methods such as brute force search, dictionary attack, or spyware. However, since there is not yet wide deployment of graphical password systems, the vulnerabilities of graphical passwords are still not fully understood.

Usability
One of the main arguments for graphical passwords is that pictures are easier to remember than text strings. Preliminary user studies presented in some research papers seem to support this. However, current user studies are still very limited, involving only a small number of users. We still do not have convincing evidence demonstrating that graphical passwords are easier to remember than text based passwords. A major complaint among the users of graphical passwords is that the password registration and log-in process take too long, especially in recognition-based approaches. For example, during the registration stage, a user has to pick images from a large set of selections. During the authentication stage, a user has to scan many images to identify a few pass-images. Users may find this process long and tedious. Because of this, and also because most users are not familiar with graphical passwords, they often find graphical passwords less convenient than text based passwords.

Reliability
The major design issue for recall-based methods is the reliability and accuracy of user input recognition. In this type of method, the error tolerances have to be set carefully: overly high tolerances may lead to many false positives, while overly low tolerances may lead to many false negatives. In addition, the more error tolerant the program, the more vulnerable it is to attacks.

Storage and communication
Graphical passwords require much more storage space than text based passwords. Tens of thousands of pictures may have to be maintained in a centralized database. Network transfer delay is also a concern for graphical passwords, especially for recognition-based techniques in which a large number of pictures may need to be displayed for each round of verification.

Conclusion:
The past decade has seen a growing interest in using graphical passwords as an alternative to traditional text-based passwords. In this paper, we have conducted a comprehensive survey of existing graphical password techniques. The current graphical password techniques can be classified into two categories: recognition-based and recall-based techniques. Although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text-based passwords, the existing user studies are very limited and there is not yet convincing evidence to support this argument. Overall, the current graphical password techniques are still immature. Much more research and user studies are needed for graphical password techniques to achieve higher levels of maturity and usefulness.

References:
[1] A. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI, Extended Abstracts (Workshops), Ft. Lauderdale, Florida, USA, 2003.
[2] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures," Communications of the ACM, vol. 42, pp. 41-46, 1999.
[3] K. Gilhooly, "Biometrics: Getting Back to Business," in Computerworld, May 09, 2000.