"Graphical Password Authentication": A Project Report Submitted To Rajiv Gandhi Proudyogiki Vishwavidyalaya
examined and is hereby approved towards partial fulfillment for the award of
for which it has been submitted. It is understood that by this approval the
expressed or conclusion drawn therein, but approve the project only for the
Date: Date:
GUIDE RECOMMENDATION
Bhopal.
has been developed by us under the supervision of Prof. Krupi Saraf. The whole
responsibility for the work done in this project is ours. The sole intention of this
We further declare that, to the best of our knowledge, this report does not
contain any part of any work which has been submitted for the award of any
without proper citation, and if such work is found then we are liable to
explain it.
We thank the almighty Lord for giving us the strength and courage to sail
through the tough times and reach the shore safely.
There are a number of people without whom this project's work would not
have been feasible. Their high academic standards and personal integrity
provided us with continuous guidance and support.
Executive Summary
The project is based on Deep Learning, which is a sub field of machine learning,
concerned with algorithms inspired by the structure and function of the brain
called artificial neural networks. In the project, TensorFlow is used, which is an
open-source software library created by Google for machine learning
applications. It is used for detecting, identifying and tracking objects through the
camera in real time. The project uses a model pre-trained on the Microsoft Common
Objects in Context (COCO) data set, which covers most common everyday
objects. The purpose of this project is to implement a 'students and vehicles
counter' for the college in real time.
TABLE OF CONTENTS
Title
Certification
Dedication
Acknowledgement
Abstract
1.6 Limitations
1.7 Glossary
3.4.1 PassPoints
3.5.3 Passfaces
3.6 Is a graphical password as secure as a text based password?
3.6.3 Guessing
3.6.4 Spyware
3.7 Advantages
3.8 Disadvantages
4.2 Recommendation
4.3 Conclusion
References
ABSTRACT
Computer systems and the information they store and process are valuable
resources which need to be protected. Computer security systems must also
consider human factors such as ease of use and accessibility. Current
secure systems suffer because they mostly ignore the importance of human
factors in security (Dhamija and Perrig, 2000). A key area in
security research is authentication, the determination of whether a user should
be allowed access to a given system or resource. Traditionally, alphanumeric
passwords are used for authentication, but they are known to have usability and
security problems. A password authentication system should encourage strong
and less predictable passwords while maintaining memorability and security. A
password is a secret shared by the verifier and the user: it is provided by the
user on request and is stored on the server not in clear text but in hashed (or,
in older systems, encrypted) form, so that a penetration of the file system
does not reveal the password list (www.objs.com/survey/authent.html, 2011).
Graphical passwords (GP) use pictures (Parkinson, 2005) instead of text and
are partially motivated by the fact that humans can remember pictures more
easily than a string of characters. The idea of graphical passwords was
originally described by Greg Blonder in 1996, and since then several researchers
have proposed different graphical password authentication schemes. In
Blonder's description of the concept an image would appear on the screen and
the user would click on a few chosen regions of it; if the correct regions were
clicked, the user would be authenticated. An important advantage of GP is
that they are easier to remember than textual passwords: human beings retain
faces of people, places they have visited and things they have seen
for a long time. Thus graphical
passwords provide a means of making more user-friendly passwords while
potentially increasing the level of security.
One of the major issues of the modern day is security. The process of
authentication tries to enhance security, but the common means of authentication
today (alphanumeric passwords) are known to have significant
disadvantages. Attackers now have many different ways of accessing a particular
system or account, and because of this other means of authentication are
becoming common. Biometric authentication is regarded as the most
secure means of authentication, but unlike text based authentication,
which is relatively inexpensive, biometrics are very expensive to deploy.
This is where the concept of graphical password authentication comes in: it is
cheap, easy to use, can offer more security than text based passwords and also
takes the user factor into consideration. The aim of this report is to create
awareness that there is an alternative to text based passwords and that this
alternative is secure, cheap and relatively easy to use.
I selected this research topic because I am interested in finding a more secure
alternative to text based passwords. The topic opened my eyes to a totally different
form of authentication that is easy to use and also more secure compared to text
based passwords.
The main limitation of graphical passwords is that they are more
vulnerable to shoulder surfing than traditional text based passwords. An
attacker can capture a password by direct observation or by recording the
individual's authentication session while the password is entered in public. This is
referred to as shoulder surfing. Another limitation is that the login process is
slower with graphical passwords, and this can sometimes annoy the user.
1.7 Glossary:
iv. Attacker: Anyone who tries to gain access to someone's account
without the knowledge of the user, whether with a good or a bad motive.
v. Tolerance value: The value which indicates the degree of closeness to the
original click point that is still accepted.
vi. Tolerance region: The area around an original click point accepted as
correct, since it is unrealistic to expect the user to accurately target an exact pixel.
vii. Success rate: The proportion of successful trials out of a
certain number of trials. Success rates are calculated as the number of trials
completed without errors or restarts.
Chapter two highlights some of the researchers who have made a big impact in
bringing graphical passwords to where they are today. This
chapter contains different expert views on the concept of graphical password
authentication.
Chapter three contains all my findings during the course of the research. This
chapter explains what graphical passwords are and also some of
the different forms of authentication used today. It also highlights the
advantages graphical passwords have over text based passwords and the
security problems one is likely to face with the use of graphical passwords.
Chapter four contains a brief summary of the key points in this research and
also a recommendation for future researchers on the concept of
graphical password authentication.
CHAPTER TWO
LITERATURE REVIEW
For over a century, psychology studies have recognized the human brain's
apparently superior memory for recognizing and recalling visual information as
opposed to verbal or textual information. The most widely accepted theory
explaining this difference is the dual-coding theory (Paivio, 2006), which suggests
that verbal and non-verbal memory (respectively, word-based and image-based)
are processed and represented differently in the mind. Images are mentally
represented in a way that retains the perceptual features being observed and are
assigned perceived meaning based on what is being directly observed. Text is
represented symbolically, where symbols are given a meaning cognitively
associated with the text, as opposed to a perceived meaning based on the form
of the text.
Sobrado and Birget (2002) suggested using 1000 objects, which makes
the display very crowded and the objects almost indistinguishable, but using
fewer objects may lead to a smaller password space, since the resulting convex
hull can be large. In their second algorithm, a user moves a frame (and the
objects within it) until the pass-object on the frame lines up with the other two
pass-objects.
The authors also suggest repeating the process a few more times to minimize
the likelihood of logging in by randomly clicking or rotating. The main
drawback of this algorithm is that the login process can be slow.
that it is very hard to crack this kind of password even if the whole
authentication process is recorded on video, because there is no mouse click to
give away the pass-object information. However, this method still requires users
to memorize the alphanumeric code for each pass-object variant.
Hong, Man, Hawes and Mathews (2002) later extended this approach
to allow the user to assign their own codes to pass-object variants. Figure 2.2
shows the login screen of this graphical password scheme. However, this
method still forces the user to memorize many text strings and therefore suffers
from many of the drawbacks of text-based passwords.
A challenge for designers is to identify memory aids for legitimate users that
cannot be leveraged by attackers to guess passwords. Furthermore, systems
allowing some degree of user choice should encourage randomization of user-
chosen sequences as well as of individual items, to avoid divide-and-conquer
guessing attacks. It remains an open question whether systems can be designed
such that user choice does not significantly weaken security, or whether a
successful combination of system suggestion and user choice can be devised.
CHAPTER THREE
FINDINGS
Due to recent thefts and terrorist incidents, it has become more
important for an organization to provide an accurate and reliable means of
authentication. Current authentication methods can be broadly divided into
three main areas: token based, biometric based, and knowledge based
authentication.
It is based on "what you possess", for example smart cards, a driver's license,
a credit card or a university ID card. (The software "tokens" issued by web
services are a different use of the word: there a user enters a username and
password once to obtain a token that grants access to a specific resource for a
limited period, and then presents that token to the remote site instead of the
username and password. Such a token is a bearer credential derived from
knowledge based authentication, not proof of physical possession.) Token based
techniques such as key cards, bank cards and smart cards are widely used, and
many token based authentication systems also use knowledge based techniques
to enhance security. For example, ATM cards are generally used together with a
PIN.
Authentication has traditionally centered on "what you know". This concept has,
in the past, been embodied in Personal Identification Numbers (PINs) and
passwords. The fallibility of passwords and PINs is exemplified in several well-
known shortcomings implicit in their use. For example, people share passwords;
they have an inherent difficulty in remembering strong passwords (i.e. those
consisting of upper- and lower-case letters, numbers, and non-alphanumeric
characters) and, as a consequence, often stick passwords to the desk or monitor for
everyone to see.
3.4.1 PassPoints:
Cued Click Points (CCP) was designed to reduce patterns and to reduce the usefulness of hotspots
for attackers. Rather than five click-points on one image, CCP uses one click-
point on each of five different images shown in sequence. The next image displayed is
based on the location of the previously entered click-point (see Figure 3.3),
creating a path through an image set. Users select their images only to the extent
that their click-point determines the next image. Creating a new password with
different click-points results in a different image sequence.
The claimed advantages are that password entry becomes a true cued-recall
scenario, where each image triggers the memory of a corresponding click-point.
Remembering the order of the click-points is no longer a requirement on users,
as the system presents the images one at a time. Cued Click Points also provides
implicit feedback claimed to be useful only to legitimate users: when logging on,
seeing an image they do not recognize alerts users that their previous click-point
was incorrect, and they may restart password entry. Explicit indication of
authentication failure is only provided after the final click-point, to protect
against incremental guessing attacks. In Cued Click Points, pattern based attacks
seem ineffective. Although attackers must perform proportionally more work to
exploit hotspots, results showed that hotspots remained a problem.
Fig 3.3: Users select one click-point per image. The next image displayed is
determined by the current click-point.
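The mechanics described above (a tolerance region around each click-point as defined in the glossary, one click-point per image, the next image chosen by the click-point, and failure reported only after the final click) can be made concrete in code. The following Python is an added example written for this report; it is not code from any published CCP implementation. It assumes an image pool of eight images identified by index, a tolerance of 10 pixels, a per-user random key that selects the image path, and it uses centred discretisation (the grid is placed at registration so that the chosen click sits at the centre of its cell) so that any later click within the tolerance maps to the same cell. Only a PBKDF2 digest of the (image, cell) path is stored, never the click coordinates.

```python
"""Cued Click Points style click-point verifier (added example, assumptions labelled)."""
import hashlib
import hmac
import os

NUM_IMAGES = 8   # size of the image pool; constructed for this example
TOL = 10         # tolerance value in pixels; assumed, not from the report
CELL = 2 * TOL   # grid spacing: a cell spans TOL pixels either side of its centre
PBKDF2_ITERATIONS = 100_000


def grid_offset(coord):
    """Grid offset that puts `coord` at the centre of a cell (centred discretisation).

    The offset is stored per click-point; it leaks coord mod CELL but not coord."""
    return (coord - TOL) % CELL


def cell_of(coord, offset):
    """Index of the grid cell containing `coord` for a grid shifted by `offset`."""
    return (coord - offset) // CELL


def next_image(user_key, image_id, cell):
    """Deterministic, user-specific choice of the image shown after a click.

    A click in a different cell yields (with high probability) a different image,
    which is the implicit feedback CCP gives a legitimate user."""
    msg = f"{image_id}:{cell[0]}:{cell[1]}".encode()
    digest = hmac.new(user_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NUM_IMAGES


def path_digest(salt, path):
    """Slow hash of the whole (image, cell) path; this is all the verifier keeps."""
    serialized = ",".join(f"{img}:{cx}:{cy}" for img, (cx, cy) in path).encode()
    return hashlib.pbkdf2_hmac("sha256", serialized, salt, PBKDF2_ITERATIONS)


def register(clicks, user_key=None):
    """Create a password record from the (x, y) click-points chosen at registration."""
    user_key = user_key or os.urandom(16)
    image = int.from_bytes(user_key[:2], "big") % NUM_IMAGES  # first image shown
    record = {"user_key": user_key, "first_image": image, "offsets": [], "salt": os.urandom(16)}
    path = []
    for x, y in clicks:
        offset = (grid_offset(x), grid_offset(y))
        cell = (cell_of(x, offset[0]), cell_of(y, offset[1]))
        record["offsets"].append(offset)
        path.append((image, cell))
        image = next_image(user_key, image, cell)
    record["digest"] = path_digest(record["salt"], path)
    return record


def login(record, clicks):
    """Replay the click-points against a record.

    Returns (accepted, images_shown). Every click is consumed and only the final
    digest comparison decides, so no intermediate success/failure is revealed."""
    if len(clicks) != len(record["offsets"]):
        return False, []
    image = record["first_image"]
    shown, path = [], []
    for (x, y), offset in zip(clicks, record["offsets"]):
        shown.append(image)
        cell = (cell_of(x, offset[0]), cell_of(y, offset[1]))
        path.append((image, cell))
        image = next_image(record["user_key"], image, cell)
    accepted = hmac.compare_digest(path_digest(record["salt"], path), record["digest"])
    return accepted, shown


if __name__ == "__main__":
    # Constructed sample click-points on three successive images.
    chosen = [(120, 80), (33, 200), (250, 150)]
    rec = register(chosen)
    print(login(rec, chosen))                                   # accepted
    print(login(rec, [(x + 7, y - 7) for x, y in chosen]))      # within tolerance
    print(login(rec, [(x + 15, y) for x, y in chosen]))         # outside tolerance
```

Two properties of the scheme fall out of the code. The stored grid offsets reveal each registered coordinate only modulo the cell size, which is the accepted leakage of centred discretisation, and a stolen record can be attacked only by enumerating cells (not pixels) through the slow digest, which is exactly the password-space argument made in section 3.6.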
picture are stored in the order of drawing. During authentication, the user is
asked to re-draw the picture. If the drawing touches the same grid cells in the same
sequence, the user is authenticated. Jermyn et al. suggested that, given
reasonable-length passwords on a 5 × 5 grid, the full password space of DAS is
larger than that of full text passwords.
3.5.3 Passfaces:
Very little research has been done on the difficulty of cracking graphical
passwords. Because graphical passwords are not widely used, in practice there
is no report of real cases of graphical passwords being broken. Here, some of the
possible techniques for breaking graphical passwords are examined and
compared with attacks on text-based passwords. These techniques include:
The main defense against brute force search is a sufficiently large
password space. Text-based passwords have a password space of 94^N, where
N is the length of the password and 94 is the number of printable ASCII
characters excluding SPACE. Some graphical password techniques have been shown to
provide a theoretical password space similar to or larger than that of text-based passwords.
Recognition based graphical passwords tend to have smaller password spaces
than recall based methods. Brute forcing a graphical password through its
user interface is harder than for a text-based password, because the attack
program must generate accurate mouse input to imitate a human, which is
particularly difficult for recall based schemes. That obstacle only applies to
online attacks through the GUI, however: an attacker who can submit click
coordinates directly to the server, or who has stolen the stored verifier data
and can test guesses offline, enumerates tolerance cells and is limited only
by the effective password space and the cost of the hash. Overall, a graphical
password is less vulnerable to brute force attacks than a text-based password
only to the extent that its effective password space is larger.
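The comparison above can be made quantitative. The derivation below is added for this report and uses assumed parameters (image size and tolerance are illustrative values, not figures from any cited study); the symbols follow the report's own 94^N and the glossary's tolerance value t.

$$
|P_{\text{text}}| = 94^{N}, \qquad \log_2 |P_{\text{text}}| = N \log_2 94 \approx 6.55\,N, \qquad N = 8 \;\Rightarrow\; \approx 52.4 \text{ bits}.
$$

For a click-based recall scheme on an image of W × H pixels with tolerance value t (so each tolerance region is a cell of side 2t) and k click-points chosen independently and uniformly:

$$
|P_{\text{click}}| = \left(\frac{W H}{(2t)^2}\right)^{k}, \qquad
W = 450,\; H = 330,\; t = 10,\; k = 5 \;\Rightarrow\;
\log_2 |P_{\text{click}}| = 5 \log_2 \frac{148500}{400} \approx 5 \times 8.54 \approx 42.7 \text{ bits},
$$

which is comparable to a random text password of about 6.5 characters. Both figures are theoretical maxima: user-chosen click-points cluster on hotspots and user-chosen text passwords follow dictionaries, so the effective space that a guessing attacker must cover is smaller in both cases, and the section 3.6.3 guessing attack, not brute force, is the practical threat.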
3.6.3 Guessing
3.6.4 Spyware
With a few exceptions, key logging or key listening spyware cannot be
used to break graphical passwords. It is not clear whether "mouse tracking"
spyware would be an effective tool against graphical passwords, since mouse
motion alone is not enough: such information has to be correlated with
application information, such as window position and size, as well as timing
information. Spyware that captures the screen at each click, however, obtains
the image and the click position together, which is all that is needed.
3.6.5 Shoulder surfing
Like text based passwords, most graphical passwords are vulnerable to
shoulder surfing. At this point, only a few recognition-based techniques are
designed to resist shoulder surfing. None of the recall-based techniques are
considered shoulder-surfing resistant.
Compared to text based passwords, it is less convenient for a user to give
graphical passwords away to another person. For example, it is very difficult to
give a graphical password away over the phone. Setting up a phishing web site to
obtain graphical passwords would also be more time consuming.
3.8 Disadvantages
i. Password registration and the login process take longer than with text passwords.
ii. Most users are not familiar with graphical passwords and often find them
less convenient and time consuming.
iii. Graphical passwords are prone to shoulder surfing. Because of their
graphic nature, nearly all graphical password schemes are prone to shoulder
surfing.
CHAPTER 4
CONCLUSION
4.1 Summary:
The past decade has seen a growing interest in using graphical passwords as an
alternative to traditional text-based passwords. This report presents a
survey of existing graphical password techniques. The current
graphical password techniques can be classified into two categories:
recognition-based and recall-based. Although the main argument for
graphical passwords is that people are better at memorizing graphical passwords
than text-based passwords, the existing user studies are very limited and there is
not yet convincing evidence to support this argument. My research suggests that
it is more difficult to break graphical passwords using traditional attack
methods such as brute force search, dictionary attack, or spyware. However,
since there is not yet wide deployment of graphical password systems, the
vulnerabilities of graphical passwords are still not fully understood.
4.2 Recommendation:
4.3 Conclusion:
REFERENCES
Paivio, A. (2006). Mind and Its Evolution: A Dual Coding Theoretical Approach.
Dhamija, R. and Perrig, A. (2000). Déjà Vu: A User Study Using Images for Authentication.
Komanduri, S. and Hutchings, D. R. (2008). "Order and entropy in picture passwords",
Proceedings of Graphics Interface, Canadian Information Processing Society.
www.objs.com/survey/authent.html (2013).