A SEMINAR REPORT ON
GRAPHICAL PASSWORD
AUTHENTICATION
02:23:00 / Benjamin Ohepo / No comments
GRAPHICAL PASSWORD AUTHENTICATION
A SEMINAR REPORT
BY
ABALI LEYAZIBA VICTOR
CS/12/055
SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE
FACULTY OF SCIENCE,
MADONNA UNIVERSITY, ELELE CAMPUS
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF BACHELOR
OF SCIENCE (B.Sc.) DEGREE IN COMPUTER SCIENCE.
Supervised by: Mrs. Adanma C.E.
DECEMBER, 2015
TABLE OF CONTENTS
Title
Certification
Dedication
Acknowledgement
Abstract
Chapter one: Introduction
1.1 Background of study
1.2 Problem statement
1.3 Aims and objectives
1.4 Scope of study
1.5 Justification of study
1.6 Limitations
1.7 Glossary
1.8 Organization of chapters
Chapter two: Literature review
Chapter three: Findings
3.1 Why graphical passwords
3.2 Classification of current authentication methods
3.2.1 Token based authentication
3.2.2 Biometric based authentication
3.2.3 Knowledge based authentication
3.2.3.1 Recognition based
3.2.3.2 Recall based
3.2.4 Hybrid systems
3.3 Traditional authentication methods
3.4 Locimetric passwords
3.4.1 Passpoints
3.4.2 Cued click points
3.5 Other graphical password authentication schemes
3.5.1 Hash visualization technique
3.5.2 Draw A Secret
3.5.3 Passfaces
3.6 Is a graphical password as secure as a text based password?
3.6.1 Brute force search
3.6.2 Dictionary attacks
3.6.3 Guessing
3.6.4 Spyware
3.6.5 Shoulder surfing
3.6.6 Social engineering
3.7 Advantages
3.8 Disadvantages
Chapter four: Conclusion and recommendation
4.1 Summary
4.2 Recommendation
4.3 Conclusion
References
DECLARATION
I, ABALI LEYAZIBA VICTOR, hereby declare that this Seminar report on GRAPHICAL
PASSWORD AUTHENTICATION was documented and presented by me, and it is a record
of my research work. This particular piece of work has never been presented in any previous
application for a degree program. All sources of data in this research are duly acknowledged.
ABALI L. VICTOR (Student) Signature: ______________ Date: ______________
MRS EBERENDU-OGU (Supervisor) Signature: ______________ Date: ______________
MRS EBERENDU-OGU (Head of Department) Signature: ______________ Date: ______________
DEDICATION
This report is dedicated to all those who have helped me in one way or another to get to where I
am in my educational career and also the almighty God who gives me strength in all my
endeavors.
ACKNOWLEDGEMENT
This Seminar report was completed as a result of support from many people, although not all of
them can be mentioned.
I wish to express my sincere gratitude to God for his protection, providence, guidance and above
all, for sustaining me.
I am greatly indebted to my good supervisor Mrs. Adanma C.E. for her useful and necessary
observation, suggestions, contribution and corrections. I would not have been able to achieve
anything in this research without your supervision. May God enrich you greatly in every area of
life.
Finally, I wish to express my appreciation to my parents for their love and support.
ABSTRACT
Graphical password authentication is a form of authentication that requires the recall and selection
of an image, or of points within an image, that the user entered during registration through a
graphical user interface. Passwords provide a security mechanism for authenticating users and
protecting services against unwanted access to resources. A graphical password is one promising
alternative to textual passwords. The most common computer authentication method in use today
is the alphanumeric username and password. This method has been shown to have significant
drawbacks: users tend to choose memorable passwords that are easy for attackers to guess, while
strong, system-assigned passwords are difficult for users to remember. With a graphical
password, users click on images rather than type alphanumeric characters. Today the most
secure form of authentication is biometric, but biometric systems are very expensive to deploy;
graphical passwords offer an alternative that is less expensive and more secure.
CHAPTER ONE
INTRODUCTION
1.1 Background Of The Study:
Computer systems and the information they store and process are valuable resources which need
to be protected. Computer security systems must also consider human factors such as ease
of use and accessibility. Current secure systems suffer because they mostly ignore the
importance of human factors in security (Rachna Dhamija and Adrian Perrig, 2000). A key area in
security research is authentication: the determination of whether a user should be allowed access
to a given system or resource. Traditionally, alphanumeric passwords are used for authentication,
but they are known to have usability and security problems. A password authentication system
should encourage strong and less predictable passwords while maintaining memorability and
security. A password is a secret shared by the verifier and the user; the user supplies it on
request, and passwords are often stored on a server in an encrypted form so that a penetration
of the file system does not reveal password lists (www.objs.com/survey/authent.html, 2011).
Graphical passwords (GP) use pictures instead of text (Parkinson, 2005) and are partially
motivated by the fact that humans can remember pictures more easily than a string of characters.
The idea of graphical passwords was originally described by Greg Blonder in 1996, and since then
several researchers have proposed different graphical password authentication schemes. In
Blonder's description of the concept, an image appears on the screen and the user clicks on a
few chosen regions of it; if the correct regions are clicked, the user is authenticated. An
important advantage of GP is that they are easier to remember than textual passwords: human
beings can remember the faces of people, the places they have visited and the things they have
seen for a long time. Thus, graphical passwords provide a means for making passwords more
user-friendly while increasing the level of security.
1.2 Problem Statement:
Graphical passwords introduce a whole new form of authentication. The most common form
of authentication used today is alphanumeric text, and this form of authentication has
been proven to be prone to several attacks such as guessing, social engineering,
spyware, dictionary attacks, shoulder surfing and even hidden cameras. It can be frustrating to
keep up with all of one's passwords, since it is not recommended that someone use one password
for more than one account, program or device. One of the main problems graphical
passwords aim to solve is that of a user choosing a weak password so that he or she will not
forget it; when users are encouraged to use strong passwords, they tend to reuse the same one for
all their accounts, or they keep their passwords where attackers can access them because they
do not want to memorize them. Since it is easier to remember pictures than text, graphical
passwords aim to enhance security and at the same time make authentication easier for the user.
1.3 Aims and objectives:
One of the major issues of the modern day is security. The process of authentication tries to
enhance security, but the common means of authentication today (alphanumeric passwords)
is known to have significant disadvantages. Attackers now have various means of gaining access
to a particular system or account, and because of this other means of authentication are becoming
widespread. Biometric authentication is regarded as the most secure means of
authentication, but unlike text-based authentication, which is relatively inexpensive,
biometric systems are very expensive to use. This is where the concept of graphical password
authentication comes in: graphical passwords are cheap, easy to use, offer more security than
text-based passwords and also take the user factor into consideration. The aim of this report is to
create awareness that there is an alternative to text-based passwords, and that this alternative is
secure, cheap and relatively easy to use.
1.4 Scope of the study:
This report focuses on graphical password authentication and the different forms commonly used
today. It also highlights the advantages graphical passwords have over text-based passwords and
the forms of attack a user may be exposed to while using graphical passwords. This report does not
delve deeply into the traditional (text-based) form of authentication or into biometric
authentication.
1.5 Justification Of Study:
I selected this research topic because I'm interested in finding a more secure alternative to text-
based passwords. The topic opens my eyes to a totally different form of authentication that is easy
to use and also more secure compared to text-based passwords.
1.6 Limitations Of Study:
The main limitation of graphical passwords is that they are more vulnerable to shoulder
surfing than traditional text-based passwords. An attacker can capture a password by direct
observation or by recording the individual's authentication session while the password is entered
in public; this is referred to as shoulder surfing. Another limitation is that the login process is slow
when graphical passwords are used, which can sometimes annoy the user.
1.7 Glossary:
i. Password Hardening: Password hardening is any one of a variety of measures taken to make
it more difficult for an intruder to circumvent the authentication process. Password hardening may
take the form of multifactor authentication, by adding some component to the username/password
combination, or may be policy-based.
ii. Passphrase: A passphrase is a string of characters longer than the usual password (which is
typically from four to 16 characters long) that is used in creating a digital signature or in the
encryption or decryption of a message. Passphrases are often up to 100 characters in length.
iii. Shoulder Surfing: The process of an attacker capturing a user's password by direct
observation (such as looking over one's shoulder) or by recording the user's authentication
session.
iv. Attacker: Anyone who tries to gain access to someone's account without the knowledge of
the user, whether with a good or a bad motive.
v. Tolerance value: The value which indicates the degree of closeness to the actual click
point.
vi. Tolerance region: The area around an original click point that is accepted as correct, since it
is unrealistic to expect a user to accurately target an exact pixel.
vii. Success rate: The proportion of successful trials out of a given number of trials. Success
rates are calculated as the number of trials completed without errors or restarts.
1.8 Organization of chapters:
Chapter one introduces the concept of graphical password authentication. It contains a brief history
of the concept, background on the subject of study (graphical password authentication), the areas
of graphical password authentication this research covers, what this research aims to achieve and
some of the limitations of using graphical passwords.
Chapter two highlights some of the researchers who have had a major impact in bringing graphical
passwords to where they are today. This chapter contains different expert views on the concept
of graphical password authentication.
Chapter three contains all my findings during the course of the research. This chapter explains
what graphical passwords are and describes some of the different forms of authentication used
today. It also highlights the advantages graphical passwords have over text-based passwords and
the security problems one is likely to face when using graphical passwords.
Chapter four contains a brief summary of the key points in this research and a recommendation
for future researchers on the concept of graphical password authentication.
CHAPTER TWO
LITERATURE REVIEW
For over a century, psychology studies have recognized the human brain's apparently superior
memory for recognizing and recalling visual information as opposed to verbal or textual
information. The most widely accepted theory explaining this difference is the dual-coding theory
(Paivio, 2006), which suggests that verbal and non-verbal memory (respectively, word-based and
image-based) are processed and represented differently in the mind. Images are mentally
represented in a way that retains the perceptual features being observed and are assigned a
perceived meaning based on what is being directly observed. Text is represented symbolically,
where symbols are given a meaning cognitively associated with the text, as opposed to a perceived
meaning based on the form of the text.
A generally accepted fact in graphical password authentication is that graphical passwords are
prone to shoulder surfing attacks. Because of this, several researchers have studied graphical
password schemes and come up with techniques that reduce the shoulder surfing problem. Another
drawback of graphical passwords is that they can be guessed if the attacker is persistent enough
to try all possible inputs. In order to make the password hard to guess,
(Sobrado.L and Birget.J.C, 2002) suggested using 1000 objects, which makes the display very
crowded and the objects almost indistinguishable; using fewer objects, however, may lead to a
smaller password space, since the resulting convex hull can be large. In their second algorithm, a
user moves a frame (and the objects within it) until the pass-object on the frame lines up with the
other two pass-objects.
The authors also suggest repeating the process a few more times to minimize the likelihood of
logging in by randomly clicking or rotating. The main drawback of this algorithm is that the login
process can be slow.
Figure 2.1 A shoulder-surfing resistant graphical password scheme (Sobrado.L and Birget.J.C,
2002)
(Hong.D, Man.S, Hawes.B, and Mathews.M, 2002) proposed another shoulder-surfing resistant
algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object
has several variants, and each variant is assigned a unique code. During authentication, the user
is challenged with several scenes. Each scene contains several pass-objects (each in the form of
a randomly chosen variant) and many decoy objects. The user has to type in a string with the
unique codes corresponding to the pass-object variants present in the scene, as well as a code
indicating the relative location of the pass-objects in reference to a pair of eyes. The argument is
that it is very hard to crack this kind of password even if the whole authentication process is
recorded on video, because there is no mouse click to give away the pass-object information.
However, this method still requires users to memorize the alphanumeric code for each pass-object
variant.
(Hong.D, Man.S, Hawes.B, and Mathews.M, 2002) later extended this approach to allow the user
to assign their own codes to pass-object variants. Figure 2.2 shows the login screen of this
graphical password scheme. However, this method still forces the user to memorize many text
strings and therefore suffers from many of the drawbacks of text-based passwords.
Figure 2.2 Another shoulder surfing resistant scheme developed by (Hong.D, Man.S, Hawes.B,
and Mathews.M, 2002).
A challenge for designers is to identify memory aids for legitimate users, that cannot be leveraged
by attackers to guess passwords. Furthermore, systems allowing some degree of user choice
should encourage randomization of user-chosen sequences as well as individual items, to avoid
divide and conquer guessing attacks. It remains an open question whether systems can be
designed such that user choice does not significantly weaken security, or whether a successful
combination of system suggestion and user choice can be devised.
CHAPTER THREE
FINDINGS
3.1 Why Graphical Passwords?
Graphical password authentication is a means of authentication that requires the recall and
selection of images, or of sections of an image, that were entered during the registration phase in
a graphical user interface. Today, access to computer systems is most often based on alphanumeric
passwords. However, users have difficulty remembering a password that is long and random-
looking; instead, they create short, simple and insecure passwords. Graphical passwords have
been designed to make passwords more memorable and easier for people to use and,
therefore, more secure. With a graphical password, users click on images rather than type
alphanumeric characters.
3.2 Classification of Current Authentication Methods
Due to recent incidents of theft and terrorism, it has become more important for an organization
to provide an accurate and reliable means of authentication. Current authentication methods can
be broadly divided into three main areas: token-based, biometric-based and knowledge-based
authentication.
3.2.1 Token Based Authentication:
It is based on "What You Possess", for example smart cards, a driver's licence, a credit card or a
university ID card. In a token-based system, users enter their username and password in order to
obtain a token which allows them to fetch a specific resource without re-entering their username
and password. Once the token has been obtained, the user can present the token (which grants
access to a specific resource for a period of time) to the remote site. Token-based techniques such
as key cards, bank cards and smart cards are widely used. Many token-based authentication
systems also use knowledge-based techniques to enhance security; for example, ATM cards are
generally used together with a PIN.
3.2.2 Biometric Based Authentication:
Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of automated methods for
uniquely recognizing humans based upon one or more intrinsic physical or behavioural traits. It is
based on "What You Are". It uses physiological or behavioural characteristics such as fingerprint or
facial scans and iris or voice recognition to identify users. A biometric scanning device takes a
user's biometric data, such as an iris pattern or fingerprint scan, and converts it into digital
information a computer can interpret and verify. Biometric authentication techniques, such as
fingerprints, iris scans or facial recognition, are not yet widely adopted. The major drawback of this
approach is that such systems can be expensive, and the identification process can be slow and
often unreliable. However, this type of technique provides the highest level of security.
A biometric authentication system may deploy one or more of the following biometric technologies:
voice recognition, fingerprints, face recognition, iris scan, infrared facial and hand vein
thermograms, retinal scan, hand and finger geometry, signature, gait and keystroke dynamics.
Biometric identification depends on computer algorithms to make a yes/no decision. It enhances
user service by providing quick and easy identification.
3.2.3 Knowledge Based Authentication:
Knowledge Based Authentication (KBA) is based on using "What You Know" to identify you, for
example a Personal Identification Number (PIN), password or passphrase. It is an authentication
scheme in which the user is asked to answer at least one "secret" question. Knowledge-based
authentication is often used as a component in multifactor authentication and for self-service
password retrieval. Knowledge-based techniques are the most widely used authentication
techniques and include both text-based and picture-based passwords. The picture-based
techniques can be further divided into two categories:
3.2.3.1 Recognition Based Graphical Techniques: With recognition-based techniques, a user
is presented with a set of images and passes the authentication stage by recognizing and
identifying the images he or she selected during the registration stage. Recognition-based
systems, also known as cognometric systems or locimetric systems, generally require that users
memorize a portfolio of images during password creation; to log in, they must then recognize their
images from among decoys. Humans have an exceptional ability to recognize images previously
seen, even those viewed very briefly.
3.2.3.2 Recall Based Graphical Techniques: With recall-based techniques, a user is asked to
reproduce something that he or she created or selected earlier, during the registration stage.
Recall-based graphical password systems are occasionally referred to as drawmetric systems
because users recall and reproduce a secret drawing. In these systems, users typically draw their
password either on a blank canvas or on a grid (which may arguably act as a mild memory cue).
Recall is a difficult memory task because retrieval is done without memory prompts or cues.
3.2.4 Hybrid systems: These can be described as the combination of two or more schemes, i.e.,
the combination of recognition-based and recall-based techniques, or the combination of textual
passwords with graphical password schemes. The process of withdrawing money from a bank
through an ATM is an example of a hybrid system. It combines knowledge-based authentication
with token-based authentication: the ATM card is the token (something you have) and
the PIN required is knowledge-based (what you know).
3.3 TRADITIONAL AUTHENTICATION TECHNIQUES
Authentication has traditionally centered on ‘what you know’. This concept has, in the past, been
embodied in Personal Identification Numbers (PINs) and passwords. The fallibility of passwords
and PINs is exemplified in several well-known shortcomings implicit in their use. For example,
people share passwords; they have an inherent difficulty in remembering strong passwords (i.e.
those consisting of upper-and-lowercase letters, numbers, and non-alphanumeric characters) and,
as a consequence, often stick passwords to the desktop for everyone to see.
The password problem arises largely from limitations of humans’ long-term memory (LTM). Once
a password has been chosen and learned the user must be able to recall it to log in. But, people
regularly forget their passwords. Decay and interference explain why people forget their
passwords. Items in memory may compete with a password and prevent its accurate recall. A
password that is not used frequently will be even more susceptible to forgetting. A further
complication is that users have many passwords for computers, networks, and web sites. The large
number of passwords increases interference and is likely to lead to forgetting or confusing
passwords. Users typically cope with the password problem by decreasing their memory load at
the expense of security. First, users write down their passwords. Second, when they have multiple
passwords, they use one password for all systems or trivial variations of a single password. In
terms of security, a password should consist of a string of 8 or more random characters, including
upper and lower case alphabetic characters, digits, and special characters. A random password
does not have meaningful content and must be memorized by rote, but rote learning is a weak way
of remembering. As a result, users are known to ignore the recommendations on password choice.
A survey carried out in the Madonna University Miami boys hostel shows that users choose short,
simple passwords that are easily guessable. For example, “password,” personal names of family
members, names of pets, and dictionary words. To users the most important issue is having a
password that can be remembered reliably so they can get on with their real work.
3.4 Locimetric Passwords: In locimetric systems, users identify and select specific locations
within one or more images. The images act as memory cues to aid recall. Examples of such
systems include passpoints and cued click points.
3.4.1 PassPoints:
In PassPoints, a password consists of a sequence of five click-points on a given image (see
Figure 3.2). Users may select any pixel(s) in the image as click-points for their password. To log
in, they repeat the sequence of clicks in the correct order, within a system-defined tolerance square
around each of the original click-points. The primary security problem is hotspots: different users
tend to select similar click-points as part of their passwords. Attackers who gain knowledge of these
hotspots, through harvesting sample passwords or through automated image processing techniques,
can build attack dictionaries and more successfully guess PassPoints passwords. A dictionary attack
consists of using a list of potential passwords (ideally in decreasing order of likelihood) and trying
each on the system in turn to see if it leads to a correct login for a given account. Attacks can target
a single account, or can try guessing passwords on a large number of accounts in the hope of
breaking into any of them.
Fig 3.2 A password consists of five (5) ordered clicks on an image.
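The following is an added example (not code from the report) of how a verifier can implement the PassPoints rules above: five ordered click-points, each accepted only within the tolerance square of the glossary's "tolerance region". It also estimates the password space that a given image size and tolerance leave, so the trade-off between a forgiving tolerance and a large search space can be seen in numbers. The image size (640 x 480), the tolerance of 10 pixels and the sample click-points are constructed assumptions; the comparison against a text password uses the 94 printable characters mentioned later in section 3.6.1.

```python
"""PassPoints-style registration and verification with a tolerance square.

Added example (not code from the report).  Image size, tolerance and the
sample click-points below are constructed values.
"""
from typing import List, Tuple

Point = Tuple[int, int]

IMAGE_WIDTH, IMAGE_HEIGHT = 640, 480   # assumed background image size (pixels)
TOLERANCE = 10                         # half-side of the tolerance square (pixels)
CLICKS_REQUIRED = 5                    # PassPoints uses five ordered click-points


def within_tolerance(original: Point, attempt: Point, tolerance: int = TOLERANCE) -> bool:
    """True when `attempt` lies inside the tolerance square centred on `original`."""
    dx = abs(original[0] - attempt[0])
    dy = abs(original[1] - attempt[1])
    return dx <= tolerance and dy <= tolerance


def register(points: List[Point]) -> List[Point]:
    """Validate a new password: exactly five click-points, all inside the image."""
    if len(points) != CLICKS_REQUIRED:
        raise ValueError(f"exactly {CLICKS_REQUIRED} click-points are required")
    for x, y in points:
        if not (0 <= x < IMAGE_WIDTH and 0 <= y < IMAGE_HEIGHT):
            raise ValueError(f"click-point {(x, y)} lies outside the image")
    return list(points)


def verify(stored: List[Point], attempt: List[Point], tolerance: int = TOLERANCE) -> bool:
    """Accept only if every click is in the right order and inside its tolerance square.

    Every click is compared before the decision is returned, so the response time
    does not reveal which click-point was the first wrong one.
    """
    if len(attempt) != len(stored):
        return False
    all_ok = True
    for original, click in zip(stored, attempt):
        all_ok &= within_tolerance(original, click, tolerance)
    return all_ok


def passpoints_space(width: int, height: int, tolerance: int, clicks: int) -> int:
    """Approximate size of the PassPoints password space.

    Two clicks closer than the tolerance are indistinguishable to the verifier, so
    the image is effectively tiled into cells of side 2*tolerance+1 and each of the
    `clicks` ordered choices selects one cell.
    """
    side = 2 * tolerance + 1
    cells = (width // side) * (height // side)
    return cells ** clicks


def text_space(length: int, alphabet: int = 94) -> int:
    """Password space of a text password over the 94 printable non-space characters."""
    return alphabet ** length


if __name__ == "__main__":
    # Constructed click-points for the demonstration.
    stored = register([(12, 40), (100, 200), (300, 310), (500, 120), (630, 470)])
    print(verify(stored, [(15, 43), (95, 205), (300, 310), (510, 120), (625, 475)]))  # True
    print(verify(stored, [(100, 200), (12, 40), (300, 310), (500, 120), (630, 470)]))  # False: wrong order
    print(passpoints_space(IMAGE_WIDTH, IMAGE_HEIGHT, TOLERANCE, 5) < text_space(8))  # True
```

With these assumed values the five-click space is 660^5, below the 94^8 space of an eight-character text password; widening the tolerance makes clicks easier to repeat but shrinks the space further, which is why the hotspot problem described above matters so much.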
3.4.2 Cued-Click Points:
Cued Click Points (CCP) were designed to reduce patterns and to reduce the usefulness of hotspots
for attackers. Rather than five click-points on one image, CCP uses one click-point on each of five
different images shown in sequence. The next image displayed is based on the location of the
previously entered click-point (see Figure 3.3), creating a path through an image set. Users select
their images only to the extent that their click-point determines the next image. Creating a new
password with different click-points results in a different image sequence.
The claimed advantages are that password entry becomes a true cued-recall scenario, where each
image triggers the memory of a corresponding click-point. Remembering the order of the click-
points is no longer a requirement on users, as the system presents the images one at a time. Cued
Click Points also provides implicit feedback claimed to be useful only to legitimate users: when
logging on, seeing an image they do not recognize alerts users that their previous click-point was
incorrect, and they may restart password entry. Explicit indication of authentication failure is only
provided after the final click-point, to protect against incremental guessing attacks. In Cued Click
Points, pattern-based attacks seem ineffective. Although attackers must perform proportionally
more work to exploit hotspots, results showed that hotspots remained a problem.
Fig 3.3 Users select one click-point per image. The next image displayed is determined by the
current click-point.
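The login flow just described, as an added example that is not code from the report or from the CCP authors. It shows the two properties the text singles out: a wrong click silently diverts the user onto an unfamiliar image (implicit feedback), and the explicit accept/reject answer is only given after the last stage. The way the next image is chosen is an assumption of this example: the clicked point is mapped to a grid cell and the next image is looked up by a keyed hash (HMAC-SHA256 under a server-side key) of the current image and that cell, so that different cells lead to different images. The tolerance of 10 pixels, the server key and the sample click-points are constructed values.

```python
"""Cued Click Points (CCP)-style login flow with implicit feedback.

Added example (not the report's code).  The next-image function, the server key
and the sample click-points are constructed assumptions.
"""
import hashlib
import hmac
from typing import List, Tuple

Point = Tuple[int, int]

TOLERANCE = 10                         # half-side of the tolerance square (pixels)
STAGES = 5                             # CCP: one click-point on each of five images
CELL = 2 * TOLERANCE + 1               # grid cell side used to derive the next image
SERVER_KEY = b"constructed-demo-key"   # assumption: a per-deployment secret key


def within_tolerance(original: Point, attempt: Point) -> bool:
    """True when `attempt` lies inside the tolerance square centred on `original`."""
    return (abs(original[0] - attempt[0]) <= TOLERANCE
            and abs(original[1] - attempt[1]) <= TOLERANCE)


def next_image(current_image: str, point: Point) -> str:
    """Deterministically choose the next image from the current image and the grid
    cell that was clicked.  The image library is assumed to be addressed by a keyed
    hash, so clicks in different cells lead to different images."""
    cx, cy = point[0] // CELL, point[1] // CELL
    msg = f"{current_image}|{cx}|{cy}".encode()
    return "img-" + hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def register(first_image: str, points: List[Point]) -> List[Tuple[str, Point]]:
    """Store (image, click-point) for each stage.  The image sequence follows from
    the clicks, so a new set of click-points yields a new image sequence."""
    if len(points) != STAGES:
        raise ValueError(f"exactly {STAGES} click-points are required")
    chain, image = [], first_image
    for point in points:
        chain.append((image, point))
        image = next_image(image, point)
    return chain


def login(chain: List[Tuple[str, Point]], attempt: List[Point]) -> Tuple[bool, List[str]]:
    """Walk all stages and decide only at the end.

    After each click the next image is shown.  A correct click (within tolerance, on
    the expected image) keeps the user on the registered path; a wrong click diverts
    the path to an image derived from the wrong click, which the legitimate user will
    not recognise (implicit feedback).  Explicit success/failure is returned only
    after the final stage, so a guesser gets no per-click confirmation.
    Returns (accepted, images_shown).
    """
    image = chain[0][0]
    shown = [image]
    accepted = len(attempt) == STAGES
    for stage, click in enumerate(attempt[:STAGES]):
        stored_image, stored_point = chain[stage]
        if image == stored_image and within_tolerance(stored_point, click):
            image = next_image(stored_image, stored_point)   # stay on the registered path
        else:
            accepted = False
            image = next_image(image, click)                 # diverge from the path
        if stage < STAGES - 1:
            shown.append(image)                              # the last stage shows the verdict instead
    return accepted, shown


if __name__ == "__main__":
    # Constructed click-points for the demonstration.
    chain = register("img-start", [(30, 40), (100, 200), (300, 310), (500, 120), (600, 450)])
    ok, shown = login(chain, [(33, 43), (100, 200), (305, 305), (495, 125), (600, 450)])
    print(ok, shown)            # True, the five registered images in order
    bad, shown_bad = login(chain, [(300, 40), (100, 200), (300, 310), (500, 120), (600, 450)])
    print(bad, shown_bad[1] != shown[1])   # False True: the second image already differs
```

Because the verifier compares against stored click-points, this example keeps the points themselves server-side rather than a hash of them; the tolerance comparison needs the original coordinates, which is the storage cost the report's glossary entry on tolerance regions implies.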
3.5 Other Graphical Password Authentication Schemes :
3.5.1 Hash Visualization Technique:
This graphical password authentication scheme is based on hash visualization. In this
system, the user is asked to select a certain number of images from a set of random pictures
generated by a program during the registration stage. Later, the user is required to identify
the preselected images in order to be authenticated. The average login time, however, is longer
than with the traditional approach of alphanumeric passwords. A weakness of this system is that
the server needs to store the seeds of each user's portfolio images in plain text. Also, the
process of selecting a set of pictures from the picture database can be tedious and time-consuming
for the user.
3.5.2 Draw A Secret (DAS):
This is the first recall-based graphical password scheme to be produced. It allows the user
to draw their unique password (Figure 3.4). A user is asked to draw a simple picture on a 2D grid.
The coordinates of the grid cells occupied by the picture are stored in the order of the drawing.
During authentication, the user is asked to redraw the picture. If the drawing touches the same
cells in the same sequence, the user is authenticated. Jermyn et al. suggested that, given
reasonable-length passwords on a 5 × 5 grid, the full password space of DAS is larger than that of
the full text password space.
Fig 3.4: Draw-A-Secret technique.
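An added example of how a DAS drawing can be reduced to the ordered cell sequence the scheme compares; it is not code from the report or from Jermyn et al. The 5 × 5 grid is from the text, while the canvas size, the pen-up marker, the use of PBKDF2 for storage and the sample strokes are assumptions.

```python
"""Draw-A-Secret (DAS) encoder and verifier. Added example: the canvas size,
pen-up sentinel, hashing choice and sample drawings are assumptions."""
import hashlib
import hmac
import os

GRID = 5                  # 5 x 5 grid, as in the section
CANVAS = 250              # assumed: canvas is 250 x 250 pixels -> 50 px cells
PEN_UP = (GRID, GRID)     # sentinel outside the grid: end of one stroke
PBKDF2_ROUNDS = 200_000   # assumed work factor for the stored hash


def to_cell(point):
    """Map a pixel coordinate on the canvas to its grid cell (col, row)."""
    x, y = point
    if not (0 <= x < CANVAS and 0 <= y < CANVAS):
        raise ValueError("point outside the drawing canvas")
    size = CANVAS // GRID
    return (x // size, y // size)


def encode(strokes):
    """Turn a drawing into the ordered sequence of cells it touches.

    `strokes` is a list of strokes, each a list of sampled pixel points.
    Consecutive samples inside one cell collapse to a single entry, so drawing
    speed and sampling rate do not change the encoding; the order in which
    cells are entered and the stroke boundaries (PEN_UP) do, which is exactly
    what DAS checks."""
    cells = []
    for stroke in strokes:
        last = None
        for point in stroke:
            cell = to_cell(point)
            if cell != last:
                cells.append(cell)
                last = cell
        cells.append(PEN_UP)
    return cells


def serialise(cells):
    """Unambiguous byte form of a cell sequence for hashing."""
    return "|".join(f"{c},{r}" for c, r in cells).encode()


def register(strokes):
    """Enrol a drawing. The cell sequence is the secret, so it is stored only as
    a salted, slow hash (PBKDF2-HMAC-SHA256 here, an assumed choice) rather
    than in the clear as the plain scheme description implies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", serialise(encode(strokes)),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(record, strokes):
    """Re-encode the re-drawn picture and compare in constant time."""
    try:
        cells = encode(strokes)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", serialise(cells),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample: an "L"-shaped stroke along the top row followed by a
    # dot in the centre cell, re-drawn with a different number of samples.
    drawing = [[(10, 10), (20, 12), (60, 15), (110, 20)], [(120, 130), (125, 140)]]
    print("encoded:", encode(drawing))
    rec = register(drawing)
    redraw = [[(5, 5), (15, 8), (30, 10), (55, 12), (75, 14), (105, 18), (120, 22)],
              [(122, 128), (130, 145)]]
    print("redraw accepted:", verify(rec, redraw))
    print("reversed strokes accepted:", verify(rec, list(reversed(drawing))))
```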
3.5.3 Passfaces:
"Passfaces" is a technique developed by Real User Corporation (Real User Corporation, 2006). The
basic idea is as follows: during registration, the user is asked to choose four images of human faces from a face
database as their future password. In the authentication stage, the user sees a
grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces
(figure 3.5). The user recognizes and clicks anywhere on the known face. This procedure is
repeated for several rounds. The user is authenticated if he/she correctly identifies the four faces.
The technique is based on the assumption that people can recall human faces more easily than other
pictures. Studies have shown that Passfaces are very memorable over long intervals. With the use
of Passfaces, there are four (4) different rounds of authentication. During registration, the user
selects four (4) faces as his/her password. At the authentication stage the user is presented with
nine (9) different faces in each round of authentication. The user is only authenticated after the final
round of selection. One significant drawback of using Passfaces is the problem of shoulder surfing.
Fig 3.5: Examples of Passfaces (Realuser.com).
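An added example of a Passfaces-style challenge generator and verifier (four rounds of nine faces, accept/reject only after the last round), not code from the report or from Real User Corporation. The face identifiers, the fixed-decoy choice and the sample portfolio are constructed for the example; the last function also quantifies how small the 9^4 guessing space of this recognition scheme is next to the 94^N text space discussed in 3.6.1.

```python
"""Passfaces-style recognition login. Added example; the face database, the
decoy policy and the sample user are assumptions."""
import math
import random

FACE_DB = [f"face{i:02d}" for i in range(40)]   # constructed: 40 face ids
ROUNDS = 4      # four faces chosen at registration, one round per face
PANEL = 9       # nine faces per round: one known face and eight decoys


def register(user, chosen):
    """Enrol a user's four faces, each with a fixed set of eight decoys.

    Assumed hardening: the nine faces of each panel are fixed at enrolment
    (only their positions change per login), so the same decoys always
    accompany a given portfolio face. Decoys never include another of the
    user's own faces, so exactly one face per panel is correct."""
    if len(chosen) != ROUNDS or len(set(chosen)) != ROUNDS:
        raise ValueError(f"exactly {ROUNDS} distinct faces are required")
    if not set(chosen) <= set(FACE_DB):
        raise ValueError("unknown face id")
    rng = random.SystemRandom()
    others = [f for f in FACE_DB if f not in chosen]
    rounds = []
    for face in chosen:
        panel = sorted([face] + rng.sample(others, PANEL - 1))
        rounds.append({"answer": face, "panel": panel})
    return {"user": user, "rounds": rounds}


def challenge(record, seed=None):
    """Lay out the four panels for one login, shuffling positions each time.

    `seed` exists only to make the layout reproducible in tests; a real login
    leaves it None and uses the OS random source."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    panels = []
    for rnd in record["rounds"]:
        panel = list(rnd["panel"])
        rng.shuffle(panel)
        panels.append(panel)
    return panels


def verify(record, panels, selections):
    """Check one click index per panel against the enrolled answers.

    All rounds are evaluated before anything is returned, so the caller can
    give no per-round hint; the decision arrives only after the final round,
    as the scheme prescribes. A panel that is not the enrolled set of nine
    (e.g. one altered client-side) fails the whole attempt."""
    if len(panels) != ROUNDS or len(selections) != ROUNDS:
        return False
    accepted = True
    for rnd, panel, idx in zip(record["rounds"], panels, selections):
        if sorted(panel) != rnd["panel"]:
            accepted = False
            continue
        if not (0 <= idx < PANEL) or panel[idx] != rnd["answer"]:
            accepted = False
    return accepted


def guess_space_bits(rounds=ROUNDS, panel=PANEL):
    """Bits of guessing space for an online attacker who must pick one of
    `panel` faces in each of `rounds` rounds: log2(panel ** rounds)."""
    return rounds * math.log2(panel)


def text_space_bits(length, alphabet=94):
    """Bits of the 94^N text password space quoted in section 3.6.1."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    rec = register("alice", ["face01", "face05", "face10", "face20"])
    panels = challenge(rec)
    picks = [p.index(r["answer"]) for p, r in zip(panels, rec["rounds"])]
    print("correct login accepted:", verify(rec, panels, picks))
    print(f"Passfaces space: {guess_space_bits():.1f} bits; "
          f"8-char text space: {text_space_bits(8):.1f} bits")
```

Note that a four-round Passfaces login offers only about 12.7 bits of guessing space, so rate limiting and lockout on failed attempts carry more of the security burden than with a text password.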
3.6 Is a graphical password as secure as text based password?
Very little research has been done to study the difficulty of cracking graphical passwords. Because
graphical passwords are not widely used in practice, there are no reports of real cases of breaking
graphical passwords. Here, some of the possible techniques for breaking graphical passwords are
examined and compared with text-based passwords. These techniques include:
3.6.1 Brute force search
The main defense against brute force search is to have a sufficiently large password space. Text-
based passwords have a password space of 94^N, where N is the length of the password and 94 is
the number of printable characters excluding the space. Some graphical password techniques have
been shown to provide a password space similar to or larger than that of text-based passwords.
Recognition-based graphical passwords tend to have smaller password spaces than the recall-
based methods. It is more difficult to carry out a brute force attack against graphical passwords
than against text-based passwords: the attack programs need to automatically generate accurate mouse
motion to imitate human input, which is particularly difficult for recall-based graphical passwords.
Overall, we believe a graphical password is less vulnerable to brute force attacks than a
text-based password.
3.6.2 Dictionary attacks
Since recognition-based graphical passwords involve mouse input instead of keyboard input, it is
impractical to carry out dictionary attacks against this type of graphical password. For some
recall-based graphical passwords it is possible to use a dictionary attack, but an automated
dictionary attack will be much more complex than a text-based dictionary attack. More research is
needed in this area. Overall, it is believed that graphical passwords are less vulnerable to dictionary
attacks than text-based passwords.
3.6.3 Guessing
Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically
associated with text-based passwords. For example, studies on the Passfaces technique have
shown that people often choose weak and predictable graphical passwords. Studies revealed
similar predictability among the graphical passwords created with the DAS technique. More
research is needed to understand the nature of graphical passwords created by real-world
users.
3.6.4 Spyware
With a few exceptions, key-logging or key-listening spyware cannot be used to break
graphical passwords. It is not clear whether "mouse tracking" spyware would be an effective tool
against graphical passwords. However, mouse motion alone is not enough to break graphical
passwords: such information has to be correlated with application information, such as window
position and size, as well as timing information.
3.6.5 Shoulder surfing
Like text-based passwords, most graphical passwords are vulnerable to shoulder surfing. At
this point, only a few recognition-based techniques are designed to resist shoulder surfing. None
of the recall-based techniques are considered shoulder-surfing resistant.
3.6.6 Social engineering
Compared to text-based passwords, it is less convenient for a user to give away graphical
passwords to another person. For example, it is very difficult to give away a graphical password
over the phone. Setting up a phishing web site to obtain graphical passwords would also be more time
consuming.
Overall, it is believed that graphical passwords are more difficult to break using the traditional
attack methods such as brute force search, dictionary attack and spyware. There is a need for more
in-depth research that investigates possible attack methods against graphical passwords.
3.7 Advantages
i. A graphical password authentication system is relatively inexpensive to implement.
ii. Graphical passwords provide a way of making user friendly passwords.
iii. Graphical passwords are not vulnerable to dictionary attacks.
iv. It is less convenient for a user to give away graphical passwords to another person.
3.8 Disadvantages
i. Password registration and login take too long; the login process is slow.
ii. Most users are not familiar with graphical passwords and often find them less convenient and
time consuming.
iii. Graphical passwords are prone to shoulder surfing: because of their graphical nature,
nearly all graphical password schemes are prone to it.
CHAPTER 4
CONCLUSION
4.1 Summary:
The past decade has seen a growing interest in using graphical passwords as an alternative to
traditional text-based passwords. This report presents a comprehensive survey of existing graphical
password techniques. The current graphical password techniques can be classified into two
categories: recognition-based and recall-based techniques. Although the main argument for
graphical passwords is that people are better at memorizing graphical passwords than text-based
passwords, the existing user studies are very limited and there is not yet convincing evidence to
support this argument. My research suggests that it is more difficult to break graphical passwords
using the traditional attack methods such as brute force search, dictionary attack or spyware.
However, since there is not yet wide deployment of graphical password systems, the vulnerabilities
of graphical passwords are still not fully understood.
4.2 Recommendation:
Although graphical passwords are not as secure as other forms of authentication such as
biometric authentication (which is very expensive), text-based passwords should be
replaced with graphical passwords because they are more secure. My recommendation to future
researchers is to find other means of eliminating the shoulder surfing problem attached to the use
of graphical passwords.
4.3 Conclusion:
In conclusion, I would like to highlight two major drawbacks of graphical passwords: their vulnerability
to shoulder surfing and their slow login process. Several researchers have tried to fix these
problems. Despite those two major drawbacks, graphical passwords are
considered to be more secure and easier to remember than text-based passwords.
REFERENCES
Hong, D., Man, S., Hawes, B. and Mathews, M. (2002). "A password scheme strongly resistant to
spyware". International Conference on Security and Management, Las Vegas.
Hong, D., Man, S., Hawes, B. and Mathews, M. (2003). "A shoulder surfing resistant graphical
password scheme". International Conference on Security and Management, Las Vegas.
Parkinson, M. (2005). "The Power of Visual Communication". pp. 23-27.
Paivio, A. (2006). Mind and Its Evolution: A Dual Coding Theoretical Approach.
Dhamija, R. and Perrig, A. (2000). "Déjà Vu: A User Study Using Images for
Authentication".
Real User Corporation. (2006). Retrieved October 3, 2015, from Realuser:
http://www.realuser.com
Sobrado, L. and Birget, J. (2002). "Graphical Passwords". An Electronic Bulletin for Undergraduate
Research, vol. 4.
Saranga, K. and Hutchings, R. (2008). "Order and entropy in picture passwords". Proceedings of
Graphics Interface, Canadian Information Processing Society.
www.objs.com (2013).
Xiaoyuan, S. and Ying Zhu, G. (2005). "Graphical Passwords: A Survey". 21st Annual Computer
Security Applications Conference.

More Related Content

Similar to idoc.pub_a-seminar-report-on-graphical-password-authentication.pdf

Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Kailas Patil
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...
Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...
Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...IOSR Journals
 
Count based hybrid graphical password to prevent brute force attack and shoul...
Count based hybrid graphical password to prevent brute force attack and shoul...Count based hybrid graphical password to prevent brute force attack and shoul...
Count based hybrid graphical password to prevent brute force attack and shoul...eSAT Publishing House
 
Graphical Password Authentication ppt.pptx
Graphical Password Authentication ppt.pptxGraphical Password Authentication ppt.pptx
Graphical Password Authentication ppt.pptxSarvaniShettigar
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...Symbiosis Group
 
Color based android shuffling pattern lock
Color based android shuffling pattern lockColor based android shuffling pattern lock
Color based android shuffling pattern lockIRJET Journal
 
A novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and securityA novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and securityijsptm
 
Making User Authentication More Usable
Making User Authentication More UsableMaking User Authentication More Usable
Making User Authentication More UsableJim Fenton
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @heregadisagemechu1
 
Engineering Project of Venkata Krishna
Engineering Project of Venkata KrishnaEngineering Project of Venkata Krishna
Engineering Project of Venkata Krishnabanda5630
 
Human Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseHuman Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseShujun Li
 
IRJET- Autobiographical Fallback Authentication using Smartphones
IRJET-  	  Autobiographical Fallback Authentication using SmartphonesIRJET-  	  Autobiographical Fallback Authentication using Smartphones
IRJET- Autobiographical Fallback Authentication using SmartphonesIRJET Journal
 
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...ADEIJ Journal
 
IRJET- Fingerprint based Folder Lock
IRJET- Fingerprint based Folder LockIRJET- Fingerprint based Folder Lock
IRJET- Fingerprint based Folder LockIRJET Journal
 
An Ancient Indian Board Game as a Tool for Authentication
An Ancient Indian Board Game as a Tool for AuthenticationAn Ancient Indian Board Game as a Tool for Authentication
An Ancient Indian Board Game as a Tool for AuthenticationIJNSA Journal
 
2 round hybrid password scheme
2 round hybrid password scheme2 round hybrid password scheme
2 round hybrid password schemeIAEME Publication
 

Similar to idoc.pub_a-seminar-report-on-graphical-password-authentication.pdf (20)

Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patching
 
Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...
Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...
Persuasive Cued Click Based Graphical Password with Scrambling For Knowledge ...
 
Count based hybrid graphical password to prevent brute force attack and shoul...
Count based hybrid graphical password to prevent brute force attack and shoul...Count based hybrid graphical password to prevent brute force attack and shoul...
Count based hybrid graphical password to prevent brute force attack and shoul...
 
Graphical Password Authentication ppt.pptx
Graphical Password Authentication ppt.pptxGraphical Password Authentication ppt.pptx
Graphical Password Authentication ppt.pptx
 
Class paper final
Class paper finalClass paper final
Class paper final
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
 
Fyp2
Fyp2Fyp2
Fyp2
 
Color based android shuffling pattern lock
Color based android shuffling pattern lockColor based android shuffling pattern lock
Color based android shuffling pattern lock
 
A novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and securityA novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and security
 
Making User Authentication More Usable
Making User Authentication More UsableMaking User Authentication More Usable
Making User Authentication More Usable
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @here
 
Engineering Project of Venkata Krishna
Engineering Project of Venkata KrishnaEngineering Project of Venkata Krishna
Engineering Project of Venkata Krishna
 
DMDI
DMDIDMDI
DMDI
 
Human Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseHuman Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use case
 
IRJET- Autobiographical Fallback Authentication using Smartphones
IRJET-  	  Autobiographical Fallback Authentication using SmartphonesIRJET-  	  Autobiographical Fallback Authentication using Smartphones
IRJET- Autobiographical Fallback Authentication using Smartphones
 
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
 
IRJET- Fingerprint based Folder Lock
IRJET- Fingerprint based Folder LockIRJET- Fingerprint based Folder Lock
IRJET- Fingerprint based Folder Lock
 
An Ancient Indian Board Game as a Tool for Authentication
An Ancient Indian Board Game as a Tool for AuthenticationAn Ancient Indian Board Game as a Tool for Authentication
An Ancient Indian Board Game as a Tool for Authentication
 
2 round hybrid password scheme
2 round hybrid password scheme2 round hybrid password scheme
2 round hybrid password scheme
 

Recently uploaded

UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfRagavanV2
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLManishPatel169454
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfSuman Jyoti
 

Recently uploaded (20)

UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 

idoc.pub_a-seminar-report-on-graphical-password-authentication.pdf

  • 1. A SEMINAR REPORT ON GRAPHICAL PASSWORD AUTHENTICATION 02:23:00 / Benjamin Ohepo / No comments GRAPHICAL PASSWORD AUTHENTICATION A SEMINAR REPORT BY ABALI LEYAZIBA VICTOR CS/12/055 SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE FACULTY OF SCIENCE, MADONNA UNIVERSITY, ELELE CAMPUS IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF BACHELOR OF SCIENCE (B.Sc.) DEGREE IN COMPUTER SCIENCE. Supervised by: Mrs. Adanma C.E. DECEMBER, 2015 TABLE OF CONTENTS Title-------------------------------------------------------------------------------------------------------------1 Certification---------------------------------------------------------------------------------------------------4 Dedication-----------------------------------------------------------------------------------------------------5 Acknowledgement-------------------------------------------------------------------------------------------6
  • 2. Abstract--------------------------------------------------------------------------------------------------------7 Chapter one: Introduction 1.1 Background of study------------------------------------------------------------------------------------8 1.2 Problem statement---------------------------------------------------------------------------------------8 1.3 Aims and Objectives------------------------------------------------------------------------------------9 1.4 Scope of study-------------------------------------------------------------------------------------------9 1.5 Justification of study-----------------------------------------------------------------------------------10 1.6 Limitations----------------------------------------------------------------------------------------------10 1.7 Glossary-------------------------------------------------------------------------------------------------10 1.8 Organization of chapters------------------------------------------------------------------------------11 Chapter two: Literature review---------------------------------------------------------------------------12 Chapter three: Findings 3.1 Why graphical passwords----------------------------------------------------------------------------14 3.2 Classification of current authentication methods-------------------------------------------------14 3.2.1 Token based authentication------------------------------------------------------------------------14 3.2.2 Biometric based authentication--------------------------------------------------------------------14 3.2.3 Knowledge based authentication------------------------------------------------------------------15 3.2.3.1 Recognition based---------------------------------------------------------------------------------15 3.2.3.2 Recall based----------------------------------------------------------------------------------------15 3.2.4 Hybrid 
systems---------------------------------------------------------------------------------------16 3.3 Traditional authentication methods------------------------------------------------------------------16 3.4 Locimetric passwords----------------------------------------------------------------------------------17 3.4.1 Passpoints----------------------------------------------------------------------------------------------17 3.4.2 Cued click points-------------------------------------------------------------------------------------18 3.5 Other graphical password authentication schemes-------------------------------------------------19 3.5.1 Hash visualization technique------------------------------------------------------------------------19 3.5.2 Draw A Secret-----------------------------------------------------------------------------------------19 3.5.3 Passfaces-----------------------------------------------------------------------------------------------20
  • 3. 3.6 Is a graphical password as secure as text based password? ---------------------------------------21 3.6.1 Brute force search-------------------------------------------------------------------------------------22 3.6.2 Dictionary attacks-------------------------------------------------------------------------------------22 3.6.3 Guessing-----------------------------------------------------------------------------------------------22 3.6.4 Spyware-----------------------------------------------------------------------------------------------22 3.6.5 Shoulder surfing--------------------------------------------------------------------------------------23 3.6.6 Social engineering-----------------------------------------------------------------------------------23 3.7 Advantages---------------------------------------------------------------------------------------------23 3.8 Disadvantages------------------------------------------------------------------------------------------23 Chapter four: Conclusion and recommendation 4.1 Summary-----------------------------------------------------------------------------------------------24 4.2 Recommendation-------------------------------------------------------------------------------------24 4.3 Conclusion---------------------------------------------------------------------------------------------24 References---------------------------------------------------------------------------------------------------25 DECLARATION I, ABALI LEYAZIBA VICTOR, hereby declare that this Seminar report on GRAPHICAL PASSWORD AUTHENTICATION was been documented and presented by me, and it is a record of my research work. This particular piece of work has never been presented in any previous application for a degree program. All sources of data in this research are duly acknowledged. (Student) Signature Date ABALI.L.VICTOR ………….….……….......... ......…………………… MRS EBERENDU-OGU ………….….……….... ......……………………
  • 4. (Supervisor) Signature Date MRS EBERENDU-OGU …………......…………… …………………......…. (Head of Department) Signature Date DEDICATION This report is dedicated to all those who have helped me in one way or another to get to where I am in my educational career and also the almighty God who gives me strength in all my endeavors. ACKNOWLEDGEMENT This Seminar report was completed as a result of support from many people, although not all of them can be mentioned. I wish to express my sincere gratitude to God for his protection, providence, guidance and above all, for sustaining me. I am greatly indebted to my good supervisor Mrs. Adanma C.E. for her useful and necessary observation, suggestions, contribution and corrections. I would not have been able to achieve anything in this research without your supervision. May God enrich you greatly in every area of life. Finally i wish to express my appreciation to my parents for their love and support. ABSTRACT Graphical password authentication is a form of authentication that requires the recall and selection of an image or points in an image inputted during the registration stage in a graphical user interface. Passwords provide security mechanism for authentication and protection of services against unwanted access to resources. A graphical based password is one promising alternatives of textual passwords. The most common computer authentication method in use today is alphanumerical usernames and passwords. This method has been shown to have significant drawbacks. Users tend to choose memorable passwords that are easy for attackers to guess, but strong system assigned passwords are difficult for users to remember. Using a graphical password, users click on images rather than type alphanumeric characters. Today, the most secure form of authentication is biometric based but the problem with biometric is that they are
very expensive to use, whereas graphical passwords are an alternative that is less expensive and more secure.

CHAPTER ONE
INTRODUCTION

1.1 Background of the Study
Computer systems and the information they store and process are valuable resources which need to be protected. Computer security systems must also consider human factors such as ease of use and accessibility. Current secure systems suffer because they mostly ignore the importance of human factors in security (Rachna Dhamija and Adrian Perrig, 2000). A key area in security research is authentication, the determination of whether a user should be allowed access to a given system or resource. Traditionally, alphanumeric passwords are used for authentication, but they are known to have usability and security problems. A password authentication system should encourage strong and less predictable passwords while maintaining memorability and security.

A password is a secret that is shared by the verifier and the user: it is simply a secret that is provided by the user upon request by a recipient, and passwords are often stored on a server in an encrypted form so that a penetration of the file system does not reveal password lists (www.objs.com/survey/authent.html, 2011).

Graphical passwords (GP) use pictures (Parkinson, 2005) instead of text and are partially motivated by the fact that humans can remember pictures more easily than a string of characters. The idea of graphical passwords was originally described by Greg Blonder in 1996, and since then several researchers have proposed different graphical password authentication schemes. In Blonder's description of the concept, an image would appear on the screen and the user would click on a few chosen regions of it. If the correct regions were clicked, the user would be authenticated. An important advantage of GP is that they are easier to remember than textual passwords.
Human beings have the ability to remember the faces of people, the places they have visited and the things they have seen for a long time. An important advantage of graphical passwords is that they are easier to remember than textual passwords. Thus, graphical passwords provide a means of making more user-friendly passwords while increasing the level of security.

1.2 Problem Statement
Graphical passwords introduce a whole new form of authentication. The most common form of authentication used today is alphanumeric text, and this form has been proven to be prone to several kinds of attack such as guessing, social engineering, spyware, dictionary attacks, shoulder surfing and even hidden cameras. It can be frustrating to keep up with all of one's passwords, since it is not recommended that someone use one password for more than one account, program or device. One of the main problems graphical passwords aim to solve is that of a user choosing a weak password so that he/she will not forget it; when users are encouraged to use strong passwords, they tend to reuse the same one for all their accounts, and they keep their passwords where attackers can access them because they do not want to memorize them. Since it is easier to remember pictures than text, graphical passwords tend to enhance security and at the same time make things easier for the user.
1.3 Aims and Objectives
One of the major issues of the modern day is security. The process of authentication tries to enhance security, but the common means of authentication today (alphanumeric passwords) is known to have significant disadvantages. Attackers now have different means of accessing a particular system or account, and because of this other means of authentication are becoming widespread. Biometric based authentication is regarded as the most secure means of authentication, but unlike text based authentication, which is relatively inexpensive, biometric based authentication is very expensive to use. This is where the concept of graphical password authentication comes in: graphical passwords are cheap, easy to use, offer more security than text based passwords and also take the human factor into consideration. The aim of this report is to create awareness that there is an alternative to text based passwords, and that this alternative is secure, cheap and relatively easy to use.

1.4 Scope of the Study
This report focuses on graphical password authentication and the different forms commonly used today. It also highlights the advantages graphical passwords have over text based passwords and the forms of attack one can be prone to while using graphical passwords. This report does not delve deeply into the traditional (text based) form of authentication or into biometric authentication.

1.5 Justification of Study
I selected this research topic because I am interested in finding a more secure alternative to text based passwords. The topic opens my eyes to a totally different form of authentication that is easy to use and also more secure compared to text based passwords.

1.6 Limitations of Study
The main limitation of graphical passwords is that they are more vulnerable to shoulder surfing than traditional text based passwords.
An attacker can capture a password by direct observation, or by recording the individual's authentication session while the password is being entered in public. This is referred to as shoulder surfing. Another limitation is that the login process is slow when graphical passwords are used, and this can sometimes annoy the user.

1.7 Glossary
i. Password hardening: any one of a variety of measures taken to make it more difficult for an intruder to circumvent the authentication process. Password hardening may take the form of multifactor authentication, by adding some component to the username/password combination, or may be policy based.
ii. Passphrase: a string of characters longer than the usual password (which is typically from four to 16 characters long) that is used in creating a digital signature or in encrypting or decrypting a message. Passphrases are often up to 100 characters in length.
iii. Shoulder surfing: the process of an attacker capturing a user's password by direct observation (such as looking over one's shoulder) or by recording the user's authentication session.
iv. Attacker: anyone who tries to gain access to someone's account without the knowledge of the user, with either a good or a bad motive.
v. Tolerance value: the value which indicates the degree of closeness to the actual click point.
vi. Tolerance region: the area around an original click point that is accepted as correct, since it is unrealistic to expect a user to accurately target an exact pixel.
vii. Success rate: the rate which gives the number of successful trials out of a certain number of trials. Success rates are calculated as the number of trials completed without errors or restarts.

1.8 Organization of Chapters
Chapter one introduces the concept of graphical password authentication. It contains a brief history of the concept, a background study on graphical password authentication, the areas this research covers, what this research aims to achieve and some of the limitations of using graphical passwords. Chapter two highlights some of the researchers who have made a big impact in bringing graphical passwords to the point they have reached today; this chapter contains different expert views on the concept of graphical password authentication. Chapter three contains all my findings during the course of the research. This chapter tries to explain what a graphical password is and also some of the different forms of authentication used today. It also highlights the advantages graphical passwords have over text based passwords and the security problems one is likely to face when using graphical passwords. Chapter four contains a brief summary of the key points in this research and also a recommendation for future researchers on the concept of graphical password authentication.

CHAPTER TWO
LITERATURE REVIEW
For over a century, psychology studies have recognized the human brain's apparently superior memory for recognizing and recalling visual information as opposed to verbal or textual information.
The most widely accepted theory explaining this difference is the dual-coding theory (Pavio, 2006), which suggests that verbal and non-verbal memory (respectively, word-based and image-based) are processed and represented differently in the mind. Images are mentally represented in a way that retains the perceptual features being observed and are assigned perceived meaning based on what is being directly observed. Text is represented symbolically, where symbols are given a meaning cognitively associated with the text, as opposed to a perceived meaning based on the form of the text.

A generally accepted fact in graphical password authentication is that graphical passwords are prone to shoulder surfing attacks. Because of this, several researchers have studied graphical password schemes and come up with techniques that reduce the shoulder surfing problem. Another drawback of graphical passwords is that they can be guessed if the attacker is persistent enough to try all possible inputs. In order to make the password hard to guess, Sobrado.L and Birget.J.C (2002) suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable; using fewer objects, on the other hand, may lead to a smaller password space, since the resulting convex hull can be large. In their second algorithm, a user
moves a frame (and the objects within it) until the pass-object on the frame lines up with the other two pass-objects. The authors also suggest repeating the process a few more times to minimize the likelihood of logging in by randomly clicking or rotating. The main drawback of this algorithm is that the login process can be slow.

Figure 2.1: A shoulder-surfing resistant graphical password scheme (Sobrado.L and Birget.J.C, 2002).

Hong.D, Man.S, Hawes.B and Mathews.M (2002) proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants, and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy objects. The user has to type in a string made up of the unique codes corresponding to the pass-object variants present in the scene, together with a code indicating the relative location of the pass-objects in reference to a pair of eyes. The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video, because there is no mouse click to give away the pass-object information. However, this method still requires users to memorize the alphanumeric code for each pass-object variant. Hong.D, Man.S, Hawes.B and Mathews.M (2002) later extended this approach to allow the user to assign their own codes to pass-object variants. Figure 2.2 shows the login screen of this graphical password scheme. However, this method still forces the user to memorize many text strings and therefore suffers from many of the drawbacks of text based passwords.

Figure 2.2: Another shoulder surfing resistant scheme developed by Hong.D, Man.S, Hawes.B and Mathews.M (2002).
A challenge for designers is to identify memory aids for legitimate users that cannot be leveraged by attackers to guess passwords. Furthermore, systems allowing some degree of user choice should encourage randomization of user-chosen sequences as well as of individual items, to avoid divide-and-conquer guessing attacks. It remains an open question whether systems can be designed such that user choice does not significantly weaken security, or whether a successful combination of system suggestion and user choice can be devised.
CHAPTER THREE
FINDINGS

3.1 Why Graphical Passwords?
Graphical password authentication is a means of authentication that requires the recall and selection of images, or sections of an image, entered during the registration phase in a graphical user interface. Today, access to computer systems is most often based on alphanumeric passwords. However, users have difficulty remembering a password that is long and random-appearing; instead, they create short, simple and insecure passwords. Graphical passwords have been designed to try to make passwords more memorable and easier for people to use and, therefore, more secure. Using a graphical password, users click on images rather than type alphanumeric characters.

3.2 Classification of Current Authentication Methods
Due to recent events of theft and terrorism, it has become more important for an organization to provide an accurate and reliable means of authentication. Currently, authentication methods can be broadly divided into three main areas: token based, biometric based and knowledge based authentication.

3.2.1 Token Based Authentication
Token based authentication is based on "what you possess", for example smart cards, a driver's licence, a credit card, a university ID card, etc. It allows users to enter their username and password in order to obtain a token which then lets them fetch a specific resource without using their username and password again. Once the token has been obtained, the user can present the token (which grants access to a specific resource for a period of time) to the remote site. Token based techniques such as key cards, bank cards and smart cards are widely used. Many token based authentication systems also use knowledge based techniques to enhance security; for example, ATM cards are generally used together with a PIN.
3.2.2 Biometric Based Authentication
Biometrics (from ancient Greek bios = "life", metron = "measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioural traits. It is based on "what you are". It uses physiological or behavioural characteristics such as fingerprint or facial scans and iris or voice recognition to identify users. A biometric scanning device takes a user's biometric data, such as an iris pattern or fingerprint scan, and converts it into digital information that a computer can interpret and verify. Biometric based authentication techniques, such as fingerprints, iris scans or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. However, this type of technique provides the highest level of security. A biometric based authentication system may deploy one or more of the following biometric technologies: voice recognition, fingerprints, face recognition, iris scan, infrared facial and hand vein thermograms, retinal scan, hand and finger geometry, signature, gait and keystroke dynamics. Biometric
identification depends on computer algorithms to make a yes/no decision. It enhances user service by providing quick and easy identification.

3.2.3 Knowledge Based Authentication
Knowledge Based Authentication (KBA) is based on using "what you know" to identify you, for example a Personal Identification Number (PIN), password or passphrase. It is an authentication scheme in which the user is asked to answer at least one "secret" question. Knowledge based authentication is often used as a component in multifactor authentication and for self-service password retrieval. Knowledge based techniques are the most widely used authentication techniques and include both text based and picture based passwords. The picture based techniques can be further divided into two categories:

3.2.3.1 Recognition Based Graphical Techniques
With recognition based techniques, a user is presented with a set of images and passes the authentication stage by recognizing and identifying the images he or she selected during the registration stage. Recognition based systems, also known as cognometric systems or locimetric systems, generally require that users memorize a portfolio of images during password creation and then, to log in, recognize their images from among decoys. Humans have an exceptional ability to recognize images previously seen, even those viewed very briefly.

3.2.3.2 Recall Based Graphical Techniques
With recall based techniques, a user is asked to reproduce something that he or she created or selected earlier, during the registration stage. Recall based graphical password systems are occasionally referred to as drawmetric systems, because users recall and reproduce a secret drawing. In these systems, users typically draw their password either on a blank canvas or on a grid (which may arguably act as a mild memory cue). Recall is a difficult memory task because retrieval is done without memory prompts or cues.
3.2.4 Hybrid Systems
These can be described as the combination of two or more schemes, i.e. the combination of recognition and recall based techniques, or the combination of textual passwords with graphical password schemes. The process of withdrawing money from a bank with the use of an ATM is an example of a hybrid system: it combines knowledge based authentication with token based authentication, the ATM card being the token (something you have) and the PIN being knowledge based (what you know).

3.3 TRADITIONAL AUTHENTICATION TECHNIQUES
Authentication has traditionally centred on "what you know". This concept has, in the past, been embodied in Personal Identification Numbers (PINs) and passwords. The fallibility of passwords and PINs is exemplified in several well-known shortcomings implicit in their use. For example, people share passwords; they have an inherent difficulty in remembering strong passwords (i.e. those consisting of upper- and lower-case letters, numbers and non-alphanumeric characters) and, as a consequence, often stick passwords to the desktop for everyone to see.

The password problem arises largely from limitations of human long-term memory (LTM). Once a password has been chosen and learned, the user must be able to recall it to log in. But people regularly forget their passwords. Decay and interference explain why: items in memory may compete with a password and prevent its accurate recall, and a password that is not used frequently will be even more susceptible to forgetting. A further complication is that users have many passwords for computers, networks and web sites. The large number of passwords increases interference and is likely to lead to forgetting or confusing passwords. Users typically cope with the password problem by decreasing their memory load at the expense of security. First, users write down their passwords. Second, when they have multiple
passwords, they use one password for all systems or trivial variations of a single password. In terms of security, a password should consist of a string of 8 or more random characters, including upper- and lower-case alphabetic characters, digits and special characters. A random password does not have meaningful content and must be memorized by rote, but rote learning is a weak way of remembering. As a result, users are known to ignore the recommendations on password choice. A survey carried out in the Madonna University Miami boys' hostel shows that users choose short, simple passwords that are easily guessable, for example "password", personal names of family members, names of pets and dictionary words. To users the most important issue is having a password that can be remembered reliably so they can get on with their real work.

3.4 Locimetric Passwords
In locimetric systems, users identify and select specific locations within one or more images. The images act as memory cues to aid recall. Examples of such systems include PassPoints and Cued Click Points.

3.4.1 PassPoints
In PassPoints, a password consists of a sequence of five click-points on a given image (see Figure 3.2). Users may select any pixel(s) in the image as click-points for their password. To log in, they repeat the sequence of clicks in the correct order, within a system-defined tolerance square of the original click-points. The primary security problem is hotspots: different users tend to select similar click-points as part of their passwords. Attackers who gain knowledge of these hotspots, through harvesting sample passwords or through automated image processing techniques, can build attack dictionaries and more successfully guess PassPoints passwords. A dictionary attack consists of using a list of potential passwords (ideally in decreasing order of likelihood) and trying each on the system in turn to see if it leads to a correct login for a given account.
Attacks can target a single account, or can try guessing passwords on a large number of accounts in the hope of breaking into any of them.

Figure 3.2: A PassPoints password consists of five (5) ordered clicks on an image.

3.4.2 Cued Click Points
Cued Click Points (CCP) were designed to reduce patterns and to reduce the usefulness of hotspots to attackers. Rather than five click-points on one image, CCP uses one click-point on each of five different images shown in sequence. The next image displayed is based on the location of the previously entered click-point (see Figure 3.3), creating a path through an image set. Users select their images only to the extent that their click-point determines the next image. Creating a new password with different click-points results in a different image sequence. The claimed advantages are that password entry becomes a true cued-recall scenario, where each image triggers the memory of a corresponding click-point. Remembering the order of the click-points is no longer a requirement on users, as the system presents the images one at a time. Cued Click Points also provides implicit feedback claimed to be useful only to legitimate users: when logging in, seeing an image they do not recognize alerts users that their previous click-point was incorrect, and they may restart password entry. Explicit indication of authentication failure is only provided after the final click-point, to protect against incremental guessing attacks. In Cued Click Points, pattern based attacks seem ineffective. Although attackers must perform proportionally more work to exploit hotspots, results showed that hotspots remained a problem.

Figure 3.3: Users select one click-point per image. The next image displayed is determined by the current click-point.

3.5 Other Graphical Password Authentication Schemes

3.5.1 Hash Visualization Technique
This graphical password authentication scheme was based on hash visualization. In this system, the user is asked to select a certain number of images from a set of random pictures generated by a program during the registration stage. Later, the user is required to identify the preselected images in order to be authenticated. The average login time, however, is longer than with the traditional approach of using alphanumeric passwords. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user.

3.5.2 Draw A Secret (DAS)
This was the first recall based graphical password scheme to be produced. It allows the user to draw their unique password (Figure 3.4). A user is asked to draw a simple picture on a 2D grid. The coordinates of the grid cells occupied by the picture are stored in the order of the drawing. During authentication, the user is asked to re-draw the picture.
If the drawing touches the same grid cells in the same sequence, then the user is authenticated. Jermyn et al. suggested that, given reasonable-length passwords in a 5 x 5 grid, the full password space of DAS is larger than the full text password space.
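The click-point matching that PassPoints (3.4.1) and Cued Click Points (3.4.2) rely on, as an added Python example that is not part of this report and not the published implementation of either scheme. It assumes a 19 x 19 pixel tolerance square, a server-side key, and the image ids and click coordinates given in the code, all constructed; the decoy-image step stands in for CCP's discretization of the click, so that a wrong click always leads to the same unrecognized image and explicit failure is only reported after the last click.

```python
"""Click-point verification for PassPoints (3.4.1) and Cued Click Points (3.4.2).

Added example: not the report's own code. The tolerance square size,
image ids and click coordinates are constructed for illustration.
"""
import hashlib
import hmac
from typing import List, Sequence, Tuple

Point = Tuple[int, int]

TOL = 9               # half-width: a 19 x 19 pixel tolerance square (assumed value)
CELL = 2 * TOL + 1    # side of one tolerance cell, used to discretize a click


def within_tolerance(stored: Point, entered: Point, tol: int = TOL) -> bool:
    """True when the entered click lies inside the tolerance region
    (glossary item vi) centred on the stored click-point."""
    dx = abs(stored[0] - entered[0])
    dy = abs(stored[1] - entered[1])
    return dx <= tol and dy <= tol


def verify_passpoints(stored: Sequence[Point], entered: Sequence[Point]) -> bool:
    """PassPoints: the entered clicks must match the stored sequence in order,
    each one inside the tolerance square of the corresponding stored point."""
    if len(stored) != len(entered):
        return False
    return all(within_tolerance(s, e) for s, e in zip(stored, entered))


def decoy_image(key: bytes, image_id: int, click: Point, n_images: int) -> int:
    """CCP off-path step: a wrong click leads to a decoy image chosen by a keyed
    hash of (current image, tolerance cell). The same wrong click always gives
    the same decoy, so repeated attempts reveal nothing new, and the server key
    keeps the mapping unpredictable. (Simplification of CCP's discretization.)"""
    cell = (click[0] // CELL, click[1] // CELL)
    msg = f"{image_id}:{cell[0]}:{cell[1]}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % n_images


def ccp_login(key: bytes, stored_path: Sequence[Tuple[int, Point]],
              entered: Sequence[Point], n_images: int) -> Tuple[bool, List[int]]:
    """Cued Click Points login.

    stored_path: the user's registered path, a list of (image_id, click_point).
    Returns (authenticated, images_shown). Implicit feedback: after a wrong
    click the user is silently routed down a decoy path; explicit failure is
    reported only once every click has been entered."""
    shown = [stored_path[0][0]]
    current = shown[0]
    on_path = True
    for i, click in enumerate(entered):
        if i >= len(stored_path):            # more clicks than the password has
            return False, shown
        if on_path and not within_tolerance(stored_path[i][1], click):
            on_path = False
        if i + 1 < len(stored_path):         # choose the next image to display
            current = (stored_path[i + 1][0] if on_path
                       else decoy_image(key, current, click, n_images))
            shown.append(current)
    return on_path and len(entered) == len(stored_path), shown


# Constructed sample data (hypothetical server key, image ids and click-points).
SERVER_KEY = b"constructed-server-key-for-the-example"
STORED_PASSPOINTS: List[Point] = [(120, 80), (310, 45), (200, 260), (55, 300), (420, 150)]
STORED_CCP_PATH = [(17, (120, 80)), (42, (310, 45)), (3, (200, 260)),
                   (88, (55, 300)), (61, (420, 150))]

if __name__ == "__main__":
    attempt = [(125, 85), (305, 40), (200, 269), (46, 300), (420, 150)]
    print("PassPoints:", verify_passpoints(STORED_PASSPOINTS, attempt))
    print("CCP:", ccp_login(SERVER_KEY, STORED_CCP_PATH, attempt, 1000))
```

Because the comparison needs the original coordinates, the stored click-points cannot simply be hashed the way a text password is; keeping them in plain text is the same kind of weakness the report notes for hash visualization seeds in 3.5.1, and a deployment would discretize each click to a fixed grid cell first so that only a hash of the cell sequence needs to be kept.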
Figure 3.4: The Draw-A-Secret technique.

3.5.3 Passfaces
"Passfaces" is a technique developed by Real User Corporation (Real User Corporation, 2006). The basic idea is as follows: during registration, the user is asked to choose four images of human faces from a face database as their future password. In the authentication stage, the user sees a grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces (Figure 3.5). The user recognizes and clicks anywhere on the known face. This procedure is repeated for several rounds, and the user is authenticated if he/she correctly identifies the four faces. The technique is based on the assumption that people can recall human faces more easily than other pictures, and studies have shown that Passfaces are very memorable over long intervals. With Passfaces there are four (4) rounds of authentication: during registration the user selects four (4) faces as his/her password, at the authentication stage the user is presented with nine (9) different faces in each round, and the user is only authenticated after the final round of selection. One significant drawback of Passfaces is the problem of shoulder surfing.

Figure 3.5: Examples of Passfaces (Realuser.com).

3.6 Is a Graphical Password as Secure as a Text Based Password?
Very little research has been done to study the difficulty of cracking graphical passwords. Because graphical passwords are not widely used in practice, there is no report on real cases of breaking graphical passwords. Here, some of the possible techniques for breaking graphical passwords are examined and compared with text based passwords. These techniques include:

3.6.1 Brute force search
The main defence against brute force search is to have a sufficiently large password space. Text based passwords have a password space of 94^N, where N is the length of the password and 94 is the number of printable characters excluding SPACE.
Some graphical password techniques have been shown to provide a password space similar to or larger than that of text based passwords. Recognition based graphical passwords tend to have smaller password spaces than recall based methods. It is more difficult to carry out a brute force attack against graphical passwords than against text based passwords: the attack programs need to automatically generate accurate mouse motion to imitate human input, which is particularly difficult for recall based graphical passwords. Overall, we believe a graphical password is less vulnerable to brute force attacks than a text based password.

3.6.2 Dictionary attacks
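A worked comparison of the theoretical password spaces discussed in 3.6.1 (text passwords at 94^N, Passfaces, PassPoints, and a simplified Draw-A-Secret count in the spirit of the Jermyn et al. claim in 3.5.2) next to a defender-side hotspot check for the guessing and dictionary problem raised in 3.4.1, as an added Python example that is not from the report. The 451 x 331 image size, the 19-pixel tolerance square, the six sample passwords and the DAS stroke model (walks between 4-neighbouring cells, cells may be revisited) are assumptions, so the DAS figure it prints is indicative rather than the published number. The hotspot report shows why theoretical space overstates security: it measures what share of registered click-points a dictionary of only the most popular cells would cover.

```python
"""Theoretical password space (3.6.1) versus the effective space left by hotspots
(3.4.1). Added example, not the report's code; image size, tolerance and the
sample click data are constructed."""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Point = Tuple[int, int]


def space_bits(size: int) -> float:
    """Password space as bits of entropy, log2(size)."""
    return math.log2(size)


def text_space(length: int, alphabet: int = 94) -> int:
    """Text passwords: 94^N, printable characters excluding SPACE (3.6.1)."""
    return alphabet ** length


def passfaces_space(rounds: int = 4, faces_per_round: int = 9) -> int:
    """Passfaces: one of nine faces per round, four rounds (3.5.3)."""
    return faces_per_round ** rounds


def passpoints_space(width: int, height: int, cell: int, clicks: int = 5) -> int:
    """PassPoints: the image is divided into tolerance squares `cell` pixels wide;
    each of the five ordered clicks selects one of them."""
    cells = math.ceil(width / cell) * math.ceil(height / cell)
    return cells ** clicks


def das_strokes(rows: int, cols: int, length: int) -> int:
    """DAS strokes covering exactly `length` cells, modelled as walks through
    4-neighbouring grid cells (assumption: cells may be revisited)."""
    count = {(r, c): 1 for r in range(rows) for c in range(cols)}
    for _ in range(length - 1):
        count = {(r, c): sum(count.get(nb, 0) for nb in
                             ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1)))
                 for (r, c) in count}
    return sum(count.values())


def das_space(rows: int, cols: int, max_len: int) -> int:
    """DAS passwords of total length 1..max_len: a sequence of strokes (pen-up
    between them) whose lengths add up to the total. Simplified model."""
    strokes = [0] + [das_strokes(rows, cols, n) for n in range(1, max_len + 1)]
    by_len = [1] + [0] * max_len          # by_len[L] = passwords of total length L
    for total in range(1, max_len + 1):
        by_len[total] = sum(strokes[n] * by_len[total - n] for n in range(1, total + 1))
    return sum(by_len[1:])


def cell_of(point: Point, cell: int) -> Tuple[int, int]:
    return (point[0] // cell, point[1] // cell)


def hotspot_report(passwords: Sequence[Sequence[Point]], cell: int, top_k: int) -> Dict:
    """Defender-side check of registered PassPoints passwords: distinct tolerance
    cells in use and the share of all click-points that the top_k most popular
    cells cover. A high share means a small guessing dictionary goes a long way,
    so the image should be replaced or users warned at registration."""
    counts = Counter(cell_of(p, cell) for pw in passwords for p in pw)
    top = counts.most_common(top_k)
    return {"distinct_cells": len(counts), "top": top,
            "top_share": sum(n for _, n in top) / sum(counts.values())}


def flag_hotspot_clicks(candidate: Sequence[Point], passwords: Sequence[Sequence[Point]],
                        cell: int, max_share: float) -> List[int]:
    """Indices of a new password's click-points that land in a cell already used
    by more than max_share of registered users (a registration-time warning)."""
    users_per_cell: Counter = Counter()
    for pw in passwords:
        users_per_cell.update({cell_of(p, cell) for p in pw})  # one vote per user
    return [i for i, p in enumerate(candidate)
            if users_per_cell[cell_of(p, cell)] / len(passwords) > max_share]


# Constructed sample: six users' PassPoints passwords on a 451 x 331 image,
# deliberately clustered around three hotspots (not real data).
SAMPLE_PASSWORDS: List[List[Point]] = [
    [(100, 200), (300, 50), (412, 300), (40, 40), (250, 250)],
    [(105, 195), (290, 45), (420, 310), (60, 120), (230, 90)],
    [(98, 204), (300, 52), (150, 150), (40, 45), (260, 240)],
    [(102, 198), (200, 100), (418, 302), (44, 38), (255, 250)],
    [(100, 201), (299, 55), (70, 300), (200, 300), (250, 252)],
    [(130, 180), (180, 60), (400, 320), (40, 42), (300, 300)],
]

if __name__ == "__main__":
    for name, size in [("text, 8 chars", text_space(8)), ("Passfaces", passfaces_space()),
                       ("PassPoints 451x331, 19 px", passpoints_space(451, 331, 19)),
                       ("DAS 5x5, length <= 12", das_space(5, 5, 12))]:
        print(f"{name:28s} {space_bits(size):6.1f} bits")
    print(hotspot_report(SAMPLE_PASSWORDS, 19, 3))
    print(flag_hotspot_clicks([(101, 199), (120, 400), (42, 41), (350, 350), (300, 50)],
                              SAMPLE_PASSWORDS, 19, 0.5))
```

In the constructed data three cells out of eighteen hold 13 of the 30 click-points, so a dictionary built from those three cells already covers over 40% of the registered clicks, which is the effect the report describes for hotspots regardless of how large 432^5 looks on paper.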
Since recognition based graphical passwords involve mouse input instead of keyboard input, it is impractical to carry out dictionary attacks against this type of graphical password. For some recall based graphical passwords it is possible to use a dictionary attack, but an automated dictionary attack will be much more complex than a text based dictionary attack. More research is needed in this area. Overall, it is believed that graphical passwords are less vulnerable to dictionary attacks than text based passwords.

3.6.3 Guessing
Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically associated with text based passwords. For example, studies on the Passfaces technique have shown that people often choose weak and predictable graphical passwords. Studies revealed similar predictability among graphical passwords created with the DAS technique. More research effort is needed to understand the nature of graphical passwords created by real-world users.

3.6.4 Spyware
With a few exceptions, key logging or key listening spyware cannot be used to break graphical passwords. It is not clear whether "mouse tracking" spyware would be an effective tool against graphical passwords. However, mouse motion alone is not enough to break graphical passwords: such information has to be correlated with application information, such as window position and size, as well as timing information.

3.6.5 Shoulder surfing
Like text based passwords, most graphical passwords are vulnerable to shoulder surfing. At this point, only a few recognition based techniques are designed to resist shoulder surfing. None of the recall based techniques are considered shoulder-surfing resistant.

3.6.6 Social engineering
Compared to text based passwords, it is less convenient for a user to give away a graphical password to another person. For example, it is very difficult to give away a graphical password over the phone.
Setting up a phishing web site to obtain graphical passwords would be more time consuming. Overall, it is believed that graphical passwords are more difficult to break using traditional attack methods such as brute force search, dictionary attack and spyware. There is a need for more in-depth research that investigates possible attack methods against graphical passwords.

3.7 Advantages
i. A graphical password authentication system is relatively inexpensive to implement.
ii. Graphical passwords provide a way of making user-friendly passwords.
iii. Graphical passwords are not vulnerable to dictionary attacks.
iv. It is less convenient for a user to give away a graphical password to another person.

3.8 Disadvantages
i. Password registration and the login process take too long; the login process is slow.
ii. Most users are not familiar with graphical passwords, and they often find them less convenient and time consuming.
iii. Graphical passwords are prone to shoulder surfing. Because of their graphic nature, nearly all graphical password schemes are prone to shoulder surfing.

CHAPTER 4
CONCLUSION

4.1 Summary
The past decade has seen a growing interest in using graphical passwords as an alternative to traditional text based passwords. This report contains a comprehensive survey of existing graphical password techniques. The current graphical password techniques can be classified into two categories: recognition based and recall based techniques. Although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text based passwords, the existing user studies are very limited and there is not yet convincing evidence to support this argument. My research suggests that it is more difficult to break graphical passwords using traditional attack methods such as brute force search, dictionary attack or spyware. However, since there is not yet wide deployment of graphical password systems, the vulnerabilities of graphical passwords are still not fully understood.

4.2 Recommendation
Although the use of graphical passwords is not as secure as other forms of authentication, such as biometric authentication (which is very expensive), text based passwords should be
replaced with graphical passwords because they are more secure. My recommendation to future researchers is to look for other means of eliminating the shoulder surfing problem attached to the use of graphical passwords.

4.3 Conclusion
In conclusion, I would like to highlight two major drawbacks of graphical passwords: their vulnerability to shoulder surfing and their slow login process, although several researchers have tried to fix these problems. Despite those two major drawbacks, graphical passwords are considered to be more secure and easier to remember than text based passwords.

REFERENCES
Hong.D, Man.S, Hawes.B and Mathews.M (2002). "A password scheme strongly resistant to spyware". International Conference on Security and Management, Las Vegas.
Hong.D, Man.S, Hawes.B and Mathews.M (2003). "A shoulder surfing resistant graphical password scheme". International Conference on Security and Management, Las Vegas.
Parkinson, M. (2005). "The Power of Visual Communication", 23-27.
Pavio, A. (2006). Mind and Its Evolution: A Dual Coding Theoretical Approach.
Rachna Dhamija and Adrian Perrig (2000). Déjà Vu: A User Study. Using Images for Authentication.
Real User Corporation (2006). Retrieved October 3, 2015, from Realuser: http://www.realuser.com
Sobrado.L and Birget.J (2002). Graphical Passwords, "An Electronic Bulletin for Undergraduate Research", vol. 4.
Saranga.K and Hutchings.R (2008). "Order and entropy in picture passwords", Proceedings of Graphics Interface, Canadian Information Processing Society.
(www.objs.com, 2013)
Xiaoyuan.S and Ying Zhu.G (2005). Graphical passwords: a survey, 21st Annual Computer Security Applications Conference.