
Secured Password

In the world of computer applications, authentication is the main process of granting an individual access to the services provided by different service providers. To identify a particular individual, a unique username and password are used. Username and text-based password are the most commonly used authentication technique, and the technique is very popular in web applications. A lot of work has been done in the field of authentication. The conventional technique is the text-based password, which is a combination of alphanumeric characters. On the other side, graphical password techniques are popular on handheld devices; the main motivation behind developing this kind of authentication technique is to provide strong but easy-to-remember passwords. Graphical authentication schemes have been in use for decades; they had some limitations in the early days, but the schemes in use today are comparatively secure and trustworthy. In this paper a technique for graphical authentication is proposed, based on previous work, which can be implemented in a web application. The proposed authentication scheme is made secure using the homomorphic encryption technique to avoid security issues in the database. https://journalnx.com/journal-article/20150217

NOVATEUR PUBLICATIONS

International Journal of Research Publications in Engineering and Technology [IJRPET]


ISSN: 2454-7875
VOLUME 3, ISSUE 3, March-2017
SECURE GRAPHICAL PASSWORD SCHEME
TUSHAR R. MAHORE
Computer Science and Engineering, Government College of Engineering, Amravati, India, [email protected]

PROF. A.V.DEORANKAR
Computer Science and Engineering, Government College of Engineering, Amravati, India, [email protected]

ABSTRACT:

In the world of computer applications, authentication is the main process of granting an individual access to the services provided by different service providers. To identify a particular individual, a unique username and password are used. Username and text-based password are the most commonly used authentication technique, and the technique is very popular in web applications. A lot of work has been done in the field of authentication. The conventional technique is the text-based password, which is a combination of alphanumeric characters. On the other side, graphical password techniques are popular on handheld devices; the main motivation behind developing this kind of authentication technique is to provide strong but easy-to-remember passwords. Graphical authentication schemes have been in use for decades; they had some limitations in the early days, but the schemes in use today are comparatively secure and trustworthy. In this paper a technique for graphical authentication is proposed, based on previous work, which can be implemented in a web application. The proposed authentication scheme is made secure using the homomorphic encryption technique to avoid security issues in the database.

KEYWORDS: DAS (Draw-a-Secret), Homomorphic encryption, PassMatrix, Passfaces.

I. INTRODUCTION:

The conventional technique, in which a combination of username and alphanumeric password is used for authentication, is the basic way of granting access to an application. The problem with the conventional technique is the selection of the alphanumeric password. An alphanumeric password is a combination of uppercase letters, lowercase letters, special symbols and numbers; for example, “FJH6900@kert7” is considered a strong password. To help generate such passwords, instructions are associated with the particular application; they help the user generate strong passwords that are secure against various types of attacks. It has been made clear that one cannot use one's name, birth date or any other personal information when creating the password. By considering all these aspects one can generate a strong password, which is difficult for attackers to crack.

But the main issue with this kind of password lies on the user's side. Users of computer applications are not familiar with security issues, and they create passwords for their own ease of use. How badly users treat password security is an interesting fact. A study by Ofcom, the UK communications watchdog, has put forward statistics that reveal just how badly the general public treats password security. According to Ofcom’s “Adults Media Use and Attitudes Report 2013”, a poll of 1805 adults aged 16 and over found that 55% of them used the same password for most websites [1]. Another interesting finding is that most users use the same passwords for multiple accounts, which gives attackers an advantage. According to an article in Computerworld, a security team at a large company ran a network password cracker and surprisingly cracked approximately 80% of the employees’ passwords within 30 seconds [2]. Again, remembering such passwords is a difficult task for those who are not related to the computer field [3]. Text-based passwords are only useful when the password is created by following all the instructions, i.e. only strong passwords are the most secure passwords to use, and strong passwords are not the users' choice.

Different human authentication techniques include the following types:
1. Knowledge based authentication
2. Token based authentication
3. Biometrics based authentication

Each of the above types of human authentication is different in its own way. Some of them use hardware that is expensive from an implementation point of view. Some use tokens for authentication, and some are knowledge based, in which knowledge possessed by the user is used for authentication. Graphical authentication is a knowledge based authentication technique.

In graphical authentication systems the issues related to users are considered, and the schemes are designed so that easily remembered passwords can be generated that provide security similar to alphanumeric passwords. Graphical authentication schemes use the human capacity for remembering images rather than text; this can be taken as an advantage when creating an authentication scheme based on images. Lots of
graphical authentication schemes are present in the computer world, such as those shown in [4],[5],[6]. Using the human ability to remember images, a scheme can be developed that generates a strong password which is nevertheless easy to remember. The security issue with graphical authentication schemes is that they are vulnerable to shoulder surfing attacks. The proposed scheme is developed so as to resist the shoulder surfing attack. For a shoulder surfing attack the attacker can use recording devices to capture the images on the screen, or direct observation.

The graphical authentication scheme proposed in this paper is resistant to the shoulder surfing attack and is able to generate a strong password. Authentication security is not only about the username and the password; it also includes various other aspects, such as network security, database security and much more. In this paper database security is taken into consideration, and a homomorphic scheme, which is a one way encryption technique, is given in the proposed system. The secure graphical authentication scheme described below is based on the PassMatrix technique [7], which was originally implemented as a mobile application.

The paper is arranged as follows: section 2 describes the work done in the last few decades on graphical authentication schemes, section 3 describes the proposed scheme, and finally section 4 concludes the paper.

II. RELATED WORK:

Since 1996, when Blonder first introduced the world to graphical authentication, various advances have been made. In Blonder’s scheme, a predetermined image is displayed to the user on whatever visual display device the user is using, and the user has to select one or more already known positions on the image in a particular order to access the particular resource [8]. The problem with this technique is that users cannot click positions other than the known positions. The research done on graphical authentication schemes has led to some of the most promising schemes. There are some other schemes, such as those shown in [9][10][11][12][13], which are not that popular and which need some additional equipment, that is, hardware. The following are some popular graphical authentication schemes.

A. DAS (DRAW-A-SECRET):

Draw-a-Secret (DAS) [6] was proposed by Jermyn et al. in 1999. It is an example of a recall based graphical password technique. In this scheme the picture is drawn on a grid. It allows users to draw a set of gestures for authentication. The user's drawing is mapped to the grid, and the order of the coordinate pairs used to draw the password is recorded in a sequence. The following figures are directly extracted from [6]. The main disadvantage of this scheme is that it is vulnerable to attacks such as Multiple Accepted Passwords, Graphical Dictionary Attacks and Shoulder Surfing Attacks.

Fig. 1 (a) User inputs desired secret. (b) Internal representation. (c) Raw bit string.

B. PASSFACES:

Passfaces [14] is one of the most studied schemes, owing to its simplicity and ease of implementation. The user pre-selects a set of human faces. At login, a set of various faces is shown to the user, who has to select only those faces that belong to his or her own image set. The user has to go through several such rounds, and for a successful login each round must be completed successfully. A study by Tari et al. [15] shows that password entry for Passfaces using the keypad rather than the mouse is less vulnerable to the shoulder surfing attack. The following figure shows an example of Passfaces.

Fig. 2 Passfaces system. Left: sample panel from the original system [16]. Right: panel with decoys similar to the image from the user’s portfolio [17].

Similar to the Passfaces technique, a Story system was proposed by Davis, Monrose, and Reiter [18]. In this scheme a user has to select some images for his/her portfolio. Then, to log in, users are presented with one panel of images and must identify their portfolio images from among decoys. Story introduced a sequential component: users must select images in the correct order. To aid memorability, users were instructed to mentally construct a story to connect the everyday images in their set. This scheme is quite helpful for memorizing passwords.

C. PASSPOINTS:

The PassPoints [19] scheme was introduced in 2005 by Susan Wiedenbeck et al.; by that time handheld devices had high graphical resolution and color pictures. In this scheme the user has to click on a set of predefined pixels on the predestined photo, as shown in Figure 3, in the correct sequence and within their tolerance squares during the login stage. Since in this scheme the user selects the pixels with mouse clicks, the scheme is vulnerable to the shoulder surfing attack. One of the advantages of the PassPoints scheme is that the user can select any random image, compared with the earlier work on this kind of technique.

Fig. 3 Pixel squares selected by users in PassPoints [19].

III. PROPOSED SYSTEM:

The proposed system is based on the PassMatrix scheme, which was recently developed by Hung-Min Sun, Shiuan-Tung Chen, Jyh-Haw Yeh and Chia-Yun Cheng in 2016. In this authentication scheme, scroll bars are used and a one time password is generated to make it resistant to shoulder surfing. The following figure shows the components of the system. The system is proposed to be implemented on the web. The difference between this method and the earlier proposed method is that the login indicator is generated once, and all the images for authentication are displayed on a single web page.

Fig. 4 System Components

A. Image discretization module:
This module divides the image into squares, from which the user chooses one as the pass square. The smaller the squares into which the image is discretized, the larger the password space.

B. Login indicator generator module:
It generates a login indicator consisting of several distinguishable characters (such as letters and numbers) or visual materials (such as colors and icons) for the user during the authentication phase. One principle is to keep the indicator secret from everyone other than the user.

C. Horizontal and vertical axis control module:
There are two scroll bars: a horizontal bar with a sequence of letters and a vertical bar with a sequence of numbers. This control module provides drag and scroll functions for users to control both bars. Users can scroll either bar using the arrows provided, shifting one alphanumeric at a time. They can also shift several checks at a time by dragging the bar for a distance. Both bars are circular, that is, they wrap around.

D. Communication module:
This module is in charge of all the information transmitted between the client devices and the authentication server. Any communication is protected by the SSL (Secure Sockets Layer) protocol and thus is safe from being eavesdropped on and intercepted.

E. Password verification module:
This module verifies the user password during the authentication phase. A pass square acts like a password digit in a text-based password system. The user is authenticated only if each pass-square in each pass-image is correctly aligned with the login indicator.

F. Upload/Download module:
The authentication system is implemented as the authentication for a web application that provides storage space to the user as a cloud service. The user has a personal space in the cloud, in which he/she can upload or download files.

G. Database:
The database server contains several tables that store user accounts, passwords (ID numbers of pass images and the positions of pass squares), and the time each user spent on the registration phase and the login phase. The contents of the database are encrypted using FHE, and to check equality efficiently the FHE scheme performs the equality check without decryption. This module plays an important role in improving the security of the database.

The system includes two phases, the registration phase and the authentication phase. In the registration phase the user is allowed to select the grid layout of his/her choice, and then selects the pass image, which is used as the password in the authentication phase. Here, the more complex the grid selection is, the more complex the password is. In the authentication phase, a login indicator is generated and given to the user in one of various ways, such as audio, visual or
text. The user then sets the scroll bars to the known position of the password, using the horizontal and vertical axis control module.

IV. CONCLUSION:

We have done a survey of various authentication techniques, which led us to develop a graphical authentication scheme that is very simple from the user's point of view but difficult from the attacker's point of view. This work is all about the proposed system, which in future can be implemented as a web application. The work has been done with ease of use as the priority. Graphical passwords are more popular among non-technical users, so more research can be done in the field of graphical authentication. Graphical authentication is best for handheld devices, but this work shows that a simple but effective graphical authentication scheme can also be developed for other platforms, such as web applications.

REFERENCES:
1) “55% of net users use the same password for most, if not all, websites. When will they learn?” https://nakedsecurity.sophos.com/2013/04/23/users-same-password most-websites/
2) K. Gilhooly, “Biometrics: Getting back to business,” Computerworld, May, vol. 9, 2005.
3) S. Sood, A. Sarje, and K. Singh, “Cryptanalysis of password authentication schemes: Current status and key issues,” in Methods and Models in Computer Science, 2009. ICM2CS 2009. Proceeding of International Conference on, Dec 2009, pp. 1–7.
4) R. Dhamija and A. Perrig, “Deja vu: A user study using images for authentication,” in Proceedings of the 9th conference on USENIX Security Symposium-Volume 9. USENIX Association, 2000, pp. 4–4.
5) “Realuser,” http://www.realuser.com/.
6) I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, “The design and analysis of graphical passwords,” in Proceedings of the 8th conference on USENIX Security Symposium-Volume 8. USENIX Association, 1999, pp. 1–1.
7) Hung-Min Sun, Shiuan-Tung Chen, Jyh-Haw Yeh and Chia-Yun Cheng, “A Shoulder Surfing Resistant Graphical Authentication System,” IEEE Transactions on Dependable and Secure Computing, 2015.
8) G. E. Blonder, “Graphical passwords,” in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent-5559961, Ed. United States, 1996.
9) A. De Luca, M. Harbach, E. von Zezschwitz, M.-E. Maurer, B. E. Slawik, H. Hussmann, and M. Smith, “Now you see me, now you don’t: Protecting smartphone authentication from shoulder surfers,” in Proceedings of the 32Nd Annual ACM Conference on Human Factors in Computing Systems, ser. CHI ’14. New York, NY, USA: ACM, 2014, pp. 2937–2946.
10) E. von Zezschwitz, A. De Luca, and H. Hussmann, “Honey, i shrunk the keys: Influences of mobile devices on password composition and authentication performance,” in Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, ser. NordiCHI ’14. New York, NY, USA: ACM, 2014, pp. 461–470.
11) A. Bianchi, I. Oakley, V. Kostakos, and D. S. Kwon, “The phone lock: Audio and haptic shoulder-surfing resistant pin entry methods for mobile devices,” in Proceedings of the Fifth International Conference on Tangible, Embedded, and Embodied Interaction, ser. TEI ’11. New York, NY, USA: ACM, 2011, pp. 197–200.
12) A. Bianchi, I. Oakley, and D. S. Kwon, “The secure haptic keypad: A tactile password system,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI ’10. New York, NY, USA: ACM, 2010, pp. 1089–1092.
13) I. Oakley and A. Bianchi, “Multi-touch passwords for mobile device access,” in Proceedings of the 2012 ACM Conference on Ubiquitous Computing, ser. UbiComp ’12. New York, NY, USA: ACM, 2012, pp. 611–612.
14) Passfaces Corporation. The science behind Passfaces. White paper, http://www.passfaces.com/enterprise/resources/white_papers.htm, accessed July 2009.
15) F. Tari, A. Ozok, and S. Holden. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In 2nd ACM Symposium on Usable Privacy and Security (SOUPS), 2006.
16) D. Davis, F. Monrose, and M. Reiter. On user choice in graphical password schemes. In 13th USENIX Security Symposium, 2004.
17) P. Dunphy, J. Nicholson, and P. Olivier. Securing Passfaces for description. In 4th ACM Symposium on Usable Privacy and Security (SOUPS), July 2008.
18) D. Davis, F. Monrose, and M. Reiter. On user choice in graphical password schemes. In 13th USENIX Security Symposium, 2004.
19) S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, “Passpoints: Design and longitudinal evaluation of a graphical password system,” International Journal of Human-Computer Studies, vol. 63, no. 1-2, pp. 102–127, 2005.
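
The alignment check of the password verification module (Section III, E) over the circular scroll bars of the axis control module (III, C), together with the password space that the image discretization module (III, A) refers to, as an added example that is not code from the paper or from PassMatrix. The 7x11 grid, the A..G and 1..11 bar labels, the shift convention and all function names are assumptions made for illustration.

```python
"""Pass-square alignment check for a PassMatrix-style login (added illustration)."""
import math
import secrets
import string

COLS, ROWS = 7, 11                                   # assumed grid; the user picks the layout
H_LABELS = list(string.ascii_uppercase[:COLS])       # horizontal bar: letters A..G
V_LABELS = [str(n) for n in range(1, ROWS + 1)]      # vertical bar: numbers 1..11


def new_login_indicator():
    """One-time (letter, number) pair, generated once per login attempt."""
    return secrets.choice(H_LABELS), secrets.choice(V_LABELS)


def labels_over(square, shift):
    """Labels lined up with `square` = (col, row) after the circular bars moved by `shift`."""
    (col, row), (h, v) = square, shift
    return H_LABELS[(col - h) % COLS], V_LABELS[(row - v) % ROWS]


def shifts_for(pass_squares, indicator):
    """What the legitimate user does: scroll until the indicator sits on each pass-square."""
    li, ni = H_LABELS.index(indicator[0]), V_LABELS.index(indicator[1])
    return [((col - li) % COLS, (row - ni) % ROWS) for col, row in pass_squares]


def verify(pass_squares, indicator, shifts):
    """Accept only if every pass-square in every pass-image is aligned with the indicator."""
    if len(shifts) != len(pass_squares):
        return False
    ok = True
    for square, shift in zip(pass_squares, shifts):
        ok &= labels_over(square, shift) == indicator    # check all images, no early exit
    return ok


def squares_consistent_with(shift):
    """Squares that fit one observed bar position when the indicator itself was not seen."""
    return {((li + shift[0]) % COLS, (ni + shift[1]) % ROWS)
            for li in range(COLS) for ni in range(ROWS)}


def password_space_bits(cols, rows, images):
    """log2 of the number of possible passwords: one square out of cols*rows per image."""
    return images * math.log2(cols * rows)


if __name__ == "__main__":
    secret = [(2, 5), (0, 10), (6, 0)]               # constructed pass-squares, one per image
    indicator = new_login_indicator()
    entered = shifts_for(secret, indicator)
    print("legitimate login:", verify(secret, indicator, entered))
    print("squares an observer of image 1 cannot rule out:",
          len(squares_consistent_with(entered[0])), "of", COLS * ROWS)
    for cols, rows in [(4, 6), (7, 11), (14, 22)]:
        print(f"{cols}x{rows} grid, 3 images: {password_space_bits(cols, rows, 3):.1f} bits")
```

For a single pass-image, the bar position an observer sees is consistent with every square of the grid unless the login indicator is also known, which is why the indicator has to reach the user out of the observer's view.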
