"Graphical Password Authentication": A Project Report Submitted To Rajiv Gandhi Proudyogiki Vishwavidyalaya

Uploaded by

Ram Patidar

“Graphical Password Authentication”

A Project Report Submitted to

Rajiv Gandhi Proudyogiki Vishwavidyalaya

Towards Partial Fulfillment for the Award of


Bachelor of Engineering in Computer Science Engineering

Submitted by:

Ram Patidar (0827CS201196)
Pranit Ghate (0827CS201178)
Rajesh Patidar (0827CS201195)
Rahul Shrivastava (0827CS201194)

Guided by:

Prof. Krupi Saraf
Professor, CSE
AITR, Indore

Acropolis Institute of Technology & Research, Indore


Jan - June 2022
EXAMINER APPROVAL

The Project entitled “Graphical Password Authentication” submitted by Ram Patidar (0827CS201196), Pranit Ghate (0827CS201178), Rajesh Patidar (0827CS201195) and Rahul Shrivastava (0827CS201194) has been examined and is hereby approved towards partial fulfillment for the award of the Bachelor of Technology degree in the Computer Science Engineering discipline, for which it has been submitted. It is understood that by this approval the undersigned do not necessarily endorse or approve any statement made, opinion expressed or conclusion drawn therein, but approve the project only for the purpose for which it has been submitted.

(Internal Examiner) (External Examiner)

Date: Date:
GUIDE RECOMMENDATION

This is to certify that the work embodied in this project entitled “Graphical Password Authentication”, submitted by Ram Patidar (0827CS201196), Pranit Ghate (0827CS201178), Rajesh Patidar (0827CS201195) and Rahul Shrivastava (0827CS201194), is a satisfactory account of the bona fide work done under the supervision of Prof. Krupi Saraf, and is recommended towards partial fulfillment for the award of the Bachelor of Technology (Computer Science Engineering) degree by Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal.

(Project Guide) (Project Coordinator)


STUDENTS UNDERTAKING
This is to certify that the project entitled “Graphical Password Authentication” has been developed by us under the supervision of Prof. Krupi Saraf. The whole responsibility for the work done in this project is ours. The sole intention of this work is practical learning and research.

We further declare that, to the best of our knowledge, this report does not contain any part of any work which has been submitted for the award of any degree, either in this University or in any other University / Deemed University, without proper citation, and if the same work is found then we are liable to explain this.

Ram Patidar (0827CS201196)


Pranit Ghate (0827CS201178)
Rajesh Patidar (0827CS201195)
Rahul Shrivastava(0827CS201194)
ACKNOWLEDGEMENT

We thank the almighty Lord for giving us the strength and courage to sail through the tough times and reach the shore safely.

There are a number of people without whom this project's work would not have been feasible. Their high academic standards and personal integrity provided us with continuous guidance and support.

We owe a debt of sincere gratitude, deep sense of reverence and respect to our guide and mentor Prof. Krupi Saraf, Professor, AITR, Indore for his motivation, sagacious guidance, constant encouragement, vigilant supervision and valuable critical appreciation throughout this project work, which helped us to successfully complete the project on time.

We express profound gratitude and heartfelt thanks to “Prof. Krupi Saraf”, Professor & Head CSE, AITR Indore for his support, suggestions and inspiration for carrying out this project. We are very much thankful to the other faculty and staff members of the IT Dept, AITR Indore for providing us all support, help and advice during the project. We would be failing in our duty if we did not acknowledge the support and guidance received from Dr S C Sharma, Director, AITR, Indore whenever needed. We take the opportunity to convey our regards to the management of Acropolis Institute, Indore for extending academic and administrative support and providing us all the necessary facilities for the project to achieve our objectives.

We are grateful to our parents and family members who have always loved and supported us unconditionally. To all of them, we want to say “Thank you”, for being the best family that one could ever have and without whom none of this would have been possible.

Executive Summary

This project is submitted to Rajiv Gandhi Proudyogiki Vishwavidhyalaya, Bhopal (MP), India for partial fulfillment of Bachelor of Engineering in Information Technology branch under the sagacious guidance and vigilant supervision of Dr. Kamal Kumar Sethi.

The project is based on Deep Learning, which is a sub field of machine learning, concerned with algorithms inspired by the structure and function of the brain called artificial neural networks. In the project, TensorFlow is used, which is an open-source software library created by Google for machine learning applications. It is used for detecting, identifying and tracking objects through the camera in real time. The project uses a pre-trained model on the Microsoft Common Objects in Context (COCO) data set, which contains approximately all common objects. The purpose of this project is to implement a 'Students and vehicles counter' in the college in real-time.
TABLE OF CONTENTS

Title
Certification
Dedication
Acknowledgement
Abstract

Chapter one: Introduction
1.1 Background of study
1.2 Problem statement
1.3 Aims and Objectives
1.4 Scope of study
1.5 Justification of study
1.6 Limitations
1.7 Glossary
1.8 Organization of chapters

Chapter two: Literature review

Chapter three: Findings
3.1 Why graphical passwords
3.2 Classification of current authentication methods
3.2.1 Token based authentication
3.2.2 Biometric based authentication
3.2.3 Knowledge based authentication
3.2.3.1 Recognition based
3.2.3.2 Recall based
3.2.4 Hybrid systems
3.3 Traditional authentication methods
3.4 Locimetric passwords
3.4.1 Passpoints
3.4.2 Cued click points
3.5 Other graphical password authentication schemes
3.5.1 Hash visualization technique
3.5.2 Draw A Secret
3.5.3 Passfaces
3.6 Is a graphical password as secure as text based password?
3.6.1 Brute force search
3.6.2 Dictionary attacks
3.6.3 Guessing
3.6.4 Spyware
3.6.5 Shoulder surfing
3.6.6 Social engineering
3.7 Advantages
3.8 Disadvantages

Chapter four: Conclusion and recommendation
4.1 Summary
4.2 Recommendation
4.3 Conclusion

References
ABSTRACT

Graphical password authentication is a form of authentication that requires the recall and selection of an image, or of points in an image, entered during the registration stage in a graphical user interface. Passwords provide a security mechanism for authentication and for protecting services against unwanted access to resources. A graphical password is one promising alternative to textual passwords. The most common computer authentication method in use today is alphanumeric usernames and passwords. This method has been shown to have significant drawbacks: users tend to choose memorable passwords that are easy for attackers to guess, while strong system-assigned passwords are difficult for users to remember. Using a graphical password, users click on images rather than type alphanumeric characters. Today, the most secure form of authentication is biometric based, but the problem with biometrics is that they are very expensive to use; an alternative which is less expensive and more secure is the use of graphical passwords.
CHAPTER ONE
INTRODUCTION

1.1 Background Of The Study:

Computer systems and the information they store and process are valuable resources which need to be protected. Computer security systems must also consider human factors such as ease of use and accessibility. Current secure systems suffer because they mostly ignore the importance of human factors in security (Rachna Dhamija and Adrian Perrig, 2000). A key area in security research is authentication, the determination of whether a user should be allowed access to a given system or resource. Traditionally, alphanumeric passwords are used for authentication, but they are known to have usability and security problems. A password authentication system should encourage strong and less predictable passwords while maintaining memorability and security. A password is a secret shared by the verifier and the user: it is simply a secret provided by the user upon request by a recipient, and passwords are often stored on a server in an encrypted form so that a penetration of the file system does not reveal password lists (www.objs.com/survey/authent.html, 2011).

Graphical passwords (GP) use pictures (Parkinson, 2005) instead of text and are partially motivated by the fact that humans can remember pictures more easily than a string of characters. The idea of graphical passwords was originally described by Greg Blonder in 1996, and since then several researchers have proposed different graphical password authentication schemes. In Blonder’s description of the concept, an image would appear on the screen and the user would click on a few chosen regions of it. If the correct regions were clicked, the user would be authenticated. An important advantage of GP is that they are easier to remember than textual passwords: human beings have the ability to remember faces of people, places they have visited and things they have seen for a long duration. Thus, graphical passwords provide a means for making more user-friendly passwords while increasing the level of security.

1.2 Problem Statement:

Graphical passwords introduce a whole new form of authentication. The most common form of authentication used today is alphanumeric text, and this form of authentication has been proven to be prone to several forms of attack such as guessing, social engineering, spyware, dictionary attacks, shoulder surfing and even hidden cameras. It can be frustrating to keep up with all of one's passwords, since it is not recommended that someone use one password for more than one account, computer program or device. One of the main problems graphical passwords tend to solve is that of a user choosing a weak password so that he/she won’t forget it; when users are encouraged to use strong passwords, they tend to reuse the same one for all their accounts, and they also keep their passwords where attackers can access them because they do not want to memorize them. Since it is easier to remember pictures than text, graphical passwords tend to enhance security and at the same time make authentication easier for the user.
1.3 Aims and objectives:

One of the major issues in this modern day is security. The process of authentication tries to enhance security, but the common means of authentication today (the use of alphanumeric passwords) are known to have significant disadvantages. Attackers now have different means of accessing a particular system or account and, because of this, other means of authentication are now becoming widespread. Biometric based authentication is regarded as the most secure means of authentication, but unlike the text based forms of authentication, which are relatively inexpensive, biometric based systems are very expensive to use. This is where the concept of graphical password authentication comes in: graphical passwords are cheap, easy to use, offer more security than text based passwords and also take the user factor into consideration. The aim of this report is to create awareness that there is an alternative to using text based passwords, and that this alternative is secure, cheap and relatively easy to use.

1.4 Scope of the study:

This report focuses on graphical password authentication and the different forms commonly used today. It also highlights the advantages graphical passwords have over text based passwords and the forms of attack you can be prone to while using graphical passwords. This report does not delve deep into the traditional form of authentication (text based) or the biometric form of authentication.

1.5 Justification Of Study:

I selected this research topic because I’m interested in finding a more secure
alternative to text based passwords. The topic opens my eye to a totally different
form of authentication that is easy to use and also more secure compared to text
based passwords.

1.6 Limitations Of Study:

The main limitation of using a graphical password is that they are more vulnerable to shoulder surfing than traditional text based passwords. An attacker can capture a password by direct observation or by recording the individual’s authentication session while the password is entered in public. This is referred to as shoulder-surfing. Another limitation is that the login process is slow when graphical passwords are used, and this can sometimes annoy the user.

1.7 Glossary:

i. Password Hardening: Password hardening is any one of a variety of measures taken to make it more difficult for an intruder to circumvent the authentication process. Password hardening may take the form of multifactor authentication, by adding some component to the username/password combination, or may be policy-based.

ii. Passphrase: A passphrase is a string of characters longer than the usual password (which is typically from four to 16 characters long) that is used in creating a digital signature or in the encryption or decryption of a message. Passphrases are often up to 100 characters in length.

iii. Shoulder surfing: This can be said to be the process of an attacker capturing a user’s password by direct observation (such as looking over one’s shoulder) or by recording the user’s authentication session.

iv. Attacker: This can be anyone who tries to gain access to someone’s account without the knowledge of the user, either with a good or a bad motive.

v. Tolerance value: The value which indicates the degree of closeness to the actual click point.

vi. Tolerance region: The area around an original click point accepted as correct, since it is unrealistic to expect a user to accurately target an exact pixel.

vii. Success rate: The rate which gives the number of successful trials out of a certain number of trials. Success rates are calculated as the number of trials completed without errors or restarts.

1.8 Organization of chapters:

Chapter one introduces the concept of graphical password authentication. It contains a brief history of the concept of graphical password authentication, a background study on the topic (graphical password authentication), the areas of graphical password authentication this research covers, what this research is aimed at achieving and also some of the limitations of using graphical passwords.

Chapter two highlights some of the researchers who have made a big impact in
order to make graphical passwords reach the heights it has reached today. This
chapter contains different expert views on the concept of graphical password
authentication.

Chapter three contains all my findings during the course of the research. This
chapter tries to explain what graphical password is all about and also some of
the different forms of authentication used today. It also highlights the
advantages graphical passwords have over text based passwords and also the
security problems one is likely to face with the use of graphical passwords.
Chapter four contains a brief summary on the key points in this research and it
also contains a recommendation for future researchers on the concept of
graphical password authentication.

CHAPTER TWO
LITERATURE REVIEW
For over a century, psychology studies have recognized the human brain’s
apparently superior memory for recognizing and recalling visual information as
opposed to verbal or textual information. The most widely accepted theory
explaining this difference is the dual-coding theory (Pavio, 2006), suggesting
that verbal and non-verbal memory (respectively, word-based and image-based)
are processed and represented differently in the mind. Images are mentally
represented in a way that retains the perceptual features being observed and are
assigned perceived meaning based on what is being directly observed. Text is
represented symbolically, where symbols are given a meaning cognitively
associated with the text, as opposed to a perceived meaning based on the form
of the text.

A generally accepted fact in graphical password authentication is that graphical passwords are prone to shoulder surfing attacks. Because of this, several researchers have studied the graphical password scheme and come up with techniques that reduce the shoulder surfing problem. Another drawback graphical passwords have is that they can be guessed if the attacker is persistent enough to try all possible inputs. In order to make the password hard to guess, (Sobrado.L and Birget.J.C, 2002) suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable; using fewer objects, however, may lead to a smaller password space, since the resulting convex hull can be large. In their second algorithm, a user moves a frame (and the objects within it) until the pass-object on the frame lines up with the other two pass-objects.

The authors also suggest repeating the process a few more times to minimize
the likelihood of logging in by randomly clicking or rotating. The main
drawback of this algorithm is that the login process can be slow.

Figure 2.1 A shoulder-surfing resistant graphical password scheme (Sobrado.L and Birget.J.C, 2002)
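The trade-off described above, where a large convex hull spanned by the pass-objects gives a random clicker a good chance of success and repeating the challenge shrinks that chance, can be quantified. The following is an added illustration, not code from the report or from Sobrado and Birget; it assumes the convex-hull variant of their scheme (the user must click anywhere inside the hull of the pass-objects) and uses constructed screen coordinates.

```python
"""Random-click success against a convex-hull click scheme (added example)."""


def cross(o, a, b):
    """2-D cross product of vectors OA and OB (positive = counter-clockwise turn)."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain; returns hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    lower = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def polygon_area(poly):
    """Shoelace formula for a simple polygon given in order."""
    n = len(poly)
    twice = sum(poly[i][0] * poly[(i + 1) % n][1] - poly[(i + 1) % n][0] * poly[i][1]
                for i in range(n))
    return abs(twice) / 2


def inside_hull(point, hull):
    """True when the click lies inside (or on the edge of) a counter-clockwise hull."""
    n = len(hull)
    return all(cross(hull[i], hull[(i + 1) % n], point) >= 0 for i in range(n))


def random_click_success(pass_objects, width, height, rounds):
    """Probability that a user clicking uniformly at random passes every round.

    One round succeeds with probability hull_area / screen_area; the rounds are
    independent, so the overall probability falls geometrically with `rounds`.
    """
    hull = convex_hull(pass_objects)
    per_round = polygon_area(hull) / (width * height)
    return per_round ** rounds


# Constructed sample: three pass-objects on an 800x600 screen
SCREEN_W, SCREEN_H = 800, 600
PASS_OBJECTS = [(0, 0), (400, 0), (0, 300)]

if __name__ == "__main__":
    hull = convex_hull(PASS_OBJECTS)
    print("hull:", hull, "covers", polygon_area(hull) / (SCREEN_W * SCREEN_H))
    for k in (1, 3, 5):
        print(f"{k} round(s): random click succeeds with p = "
              f"{random_click_success(PASS_OBJECTS, SCREEN_W, SCREEN_H, k):.6f}")
```

Enlarging the hull (spreading the pass-objects out) raises the per-round probability, which is exactly why the authors recommend many objects and several rounds.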

(Hong.D, Man.S, Hawes.B, and Mathews.M, 2002) proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy-objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene, as well as a code indicating the relative location of the pass-objects with reference to a pair of eyes. The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video, because there is no mouse click to give away the pass-object information. However, this method still requires users to memorize the alphanumeric code for each pass-object variant.

(Hong.D, Man.S, Hawes.B, and Mathews.M, 2002) later extended this approach to allow the user to assign their own codes to pass-object variants. Figure 2.2 shows the log-in screen of this graphical password scheme. However, this method still forces the user to memorize many text strings and therefore suffers from many of the drawbacks of text-based passwords.

Figure 2.2 Another shoulder surfing resistant scheme developed by (Hong.D, Man.S, Hawes.B, and Mathews.M, 2002).

A challenge for designers is to identify memory aids for legitimate users, that
cannot be leveraged by attackers to guess passwords. Furthermore, systems
allowing some degree of user choice should encourage randomization of user-
chosen sequences as well as individual items, to avoid divide and conquer
guessing attacks. It remains an open question whether systems can be designed
such that user choice does not significantly weaken security, or whether a
successful combination of system suggestion and user choice can be devised.
CHAPTER THREE
FINDINGS

3.1 Why Graphical Passwords?

Graphical password authentication is a means of authentication that requires the recall and selection of images, or of sections of an image, entered during the registration phase in a graphical user interface. Today, access to computer systems is most often based on the use of alphanumeric passwords. However, users have difficulty remembering a password that is long and random-looking. Instead, they create short, simple and insecure passwords. Graphical passwords have been designed to try to make passwords more memorable and easier for people to use and, therefore, more secure. Using a graphical password, users click on images rather than type alphanumeric characters.

3.2 Classification of Current Authentication Methods

Due to recent events of thefts and terrorism, authentication has become more
important for an organization to provide an accurate and reliable means of
authentication. Currently the authentication methods can be broadly divided into
three main areas. Token based, Biometric based, and Knowledge based
authentication.

3.2.1 Token Based Authentication:

It is based on “What You Possess”: for example smart cards, a driver’s license, a credit card, a university ID card, etc. It allows users to enter their username and password in order to obtain a token which allows them to fetch a specific resource without using their username and password again. Once their token has been obtained, the user can offer the token (which grants access to a specific resource for a time period) to the remote site. Token based techniques, such as key cards, bank cards and smart cards, are widely used. Many token-based authentication systems also use knowledge based techniques to enhance security. For example, ATM cards are generally used together with a PIN.

3.2.2 Biometric Based Authentication:

Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. It is based on “What You Are”. It uses physiological or behavioral characteristics like fingerprint or facial scans and iris or voice recognition to identify users. A biometric scanning device takes a user's biometric data, such as an iris pattern or fingerprint scan, and converts it into digital information a computer can interpret and verify. Biometric based authentication techniques, such as fingerprints, iris scan or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. However, this type of technique provides the highest level of security.

A biometric-based authentication system may deploy one or more of the biometric technologies: voice recognition, fingerprints, face recognition, iris scan, infrared facial and hand vein thermograms, retinal scan, hand and finger geometry, signature, gait, and keystroke dynamics. Biometric identification depends on computer algorithms to make a yes/no decision. It enhances user service by providing quick and easy identification.

3.2.3 Knowledge Based Authentication:

Knowledge Based Authentication (KBA) is based on using “What You Know” to identify you: for example, a Personal Identification Number (PIN), password or passphrase. It is an authentication scheme in which the user is asked to answer at least one "secret" question. Knowledge Based Authentication is often used as a component in multifactor authentication and for self-service password retrieval. Knowledge based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords. The picture-based techniques can be further divided into two categories:

3.2.3.1 Recognition Based Graphical Techniques: With recognition-based techniques, a user is presented with a set of images and the user passes the authentication stage by recognizing and identifying the images he or she selected during the registration stage. Recognition-based systems, also known as cognometric systems or locimetric systems, generally require that users memorize a portfolio of images during password creation, and then, to log in, must recognize their images from among decoys. Humans have an exceptional ability to recognize images previously seen, even those viewed very briefly.

3.2.3.2 Recall Based Graphical Techniques: With recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier, during the registration stage. Recall-based graphical password systems are occasionally referred to as drawmetric systems because users recall and reproduce a secret drawing. In these systems, users typically draw their password either on a blank canvas or on a grid (which may arguably act as a mild memory cue). Recall is a difficult memory task because retrieval is done without memory prompts or cues.
3.2.4 Hybrid systems: These can be described as the combination of two or more schemes, i.e. the combination of recognition and recall based techniques, or the combination of textual passwords with graphical password schemes. The process of withdrawing money from a bank with the use of an ATM is an example of a hybrid system. It combines knowledge based authentication with token based authentication: the ATM card is the token (something you have) and the PIN required is knowledge based (what you know).

3.3 TRADITIONAL AUTHENTICATION TECHNIQUES

Authentication has traditionally centered on ‘what you know’. This concept has,
in the past, been embodied in Personal Identification Numbers (PINs) and
passwords. The fallibility of passwords and PINs is exemplified in several well-
known shortcomings implicit in their use. For example, people share passwords;
they have an inherent difficulty in remembering strong passwords (i.e. those
consisting of upper-and-lowercase letters, numbers, and non-alphanumeric
characters) and, as a consequence, often stick passwords to the desktop for
everyone to see.

The password problem arises largely from limitations of humans’ long-term memory (LTM). Once a password has been chosen and learned, the user must be able to recall it to log in. But people regularly forget their passwords. Decay and interference explain why people forget their passwords: items in memory may compete with a password and prevent its accurate recall. A password that is not used frequently will be even more susceptible to forgetting. A further complication is that users have many passwords for computers, networks and web sites. The large number of passwords increases interference and is likely to lead to forgetting or confusing passwords. Users typically cope with the password problem by decreasing their memory load at the expense of security. First, users write down their passwords. Second, when they have multiple passwords, they use one password for all systems, or trivial variations of a single password. In terms of security, a password should consist of a string of 8 or more random characters, including upper and lower case alphabetic characters, digits and special characters. A random password does not have meaningful content and must be memorized by rote, but rote learning is a weak way of remembering. As a result, users are known to ignore the recommendations on password choice. A survey carried out in the Madonna University Miami boys hostel shows that users choose short, simple passwords that are easily guessable: for example, “password,” personal names of family members, names of pets and dictionary words. To users the most important issue is having a password that can be remembered reliably so they can get on with their real work.

3.4 Locimetric Passwords: In locimetric systems, users identify and select specific locations within one or more images. The images act as memory cues to aid recall. Examples of such systems include PassPoints and Cued Click Points.

3.4.1 PassPoints:

In PassPoints, a password consists of a sequence of five click-points on a given image (see Figure 3.2). Users may select any pixel(s) in the image as click-points for their password. To log in, they repeat the sequence of clicks in the correct order, within a system-defined tolerance square of the original click-points. The primary security problem is hotspots: different users tend to select similar click-points as part of their passwords. Attackers who gain knowledge of these hotspots through harvesting sample passwords or through automated image processing techniques can build attack dictionaries and more successfully guess PassPoints passwords. A dictionary attack consists of using a list of potential passwords (ideally in decreasing order of likelihood) and trying each on the system in turn to see if it leads to a correct login for a given account. Attacks can target a single account, or can try guessing passwords on a large number of accounts in the hope of breaking into any of them.

Fig 3.2 A password consists of five (5) ordered clicks on an image.
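To show what the "tolerance square" above means for how a server can store a PassPoints password, here is an added example (not the report's code and not any PassPoints implementation): the five click-points are quantised to a grid whose cell size matches the tolerance, and only a salted hash of the resulting cell sequence is stored, so a stolen password file does not reveal the click-points. The tolerance, grid size and click coordinates are constructed assumptions; the example also shows the price of a plain grid, namely that a click that is within tolerance but lands across a cell edge is rejected.

```python
"""PassPoints-style registration and verification with a tolerance grid (added example)."""
import hashlib
import hmac
import os

TOLERANCE = 9                 # half-width of the tolerance square, in pixels (assumed)
CELL = 2 * TOLERANCE + 1      # grid cell size that realises that tolerance
CLICKS = 5                    # PassPoints uses five ordered click-points
ITERATIONS = 100_000          # PBKDF2 work factor (assumed)


def quantize(points, cell=CELL):
    """Map each (x, y) pixel to the grid cell containing it."""
    return [(x // cell, y // cell) for x, y in points]


def encode(cells):
    """Canonical byte string of the ordered cell sequence (order is part of the secret)."""
    return ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()


def register(points, salt=None):
    """Return (salt, digest); the server keeps these, never the raw click-points."""
    if len(points) != CLICKS:
        raise ValueError(f"expected {CLICKS} click-points, got {len(points)}")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode(quantize(points)), salt, ITERATIONS)
    return salt, digest


def verify(points, salt, stored_digest):
    """Accept only if the quantised login sequence hashes to the stored digest."""
    if len(points) != CLICKS:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", encode(quantize(points)), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored_digest)   # constant-time comparison


def within_tolerance(points, original):
    """The rule the report states: every login click must lie inside the tolerance
    square centred on the registered click. Needs the raw points, so a server that
    stores only a hash cannot evaluate it directly; the grid approximates it."""
    return all(abs(x - ox) <= TOLERANCE and abs(y - oy) <= TOLERANCE
               for (x, y), (ox, oy) in zip(points, original))


# Constructed sample password: five ordered click-points on one image
REGISTERED = [(120, 45), (310, 200), (77, 300), (400, 120), (250, 260)]
FIXED_SALT = b"0123456789abcdef"   # fixed only so the demo is reproducible

if __name__ == "__main__":
    salt, digest = register(REGISTERED, FIXED_SALT)
    slightly_off = [(x + 3, y + 3) for x, y in REGISTERED]
    print("same cells, within tolerance:", verify(slightly_off, salt, digest))
    edge_case = list(REGISTERED)
    edge_case[2] = (74, 300)          # 3 px left of (77, 300): within tolerance,
    print("within tolerance but across a cell edge:",   # but x // 19 changes 4 -> 3
          within_tolerance(edge_case, REGISTERED), verify(edge_case, salt, digest))
```

The edge case is the known weakness of naive grid quantisation: the acceptance region is the fixed cell, not a square centred on the user's original click, so users who clicked near a cell boundary see spurious rejections.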

3.4.2 Cued-Click Points:

They were designed to reduce patterns and to reduce the usefulness of hotspots
for attackers. Rather than five click-points on one image, CCP uses one click-
point on five different images shown in sequence. The next image displayed is
based on the location of the previously entered click-point (see Figure 3.3),
creating a path through an image set. Users select their images only to the extent
that their click-point determines the next image. Creating a new password with
different click-points results in a different image sequence.

The claimed advantages are that password entry becomes a true cued-recall scenario, where each image triggers the memory of a corresponding click-point. Remembering the order of the click-points is no longer a requirement on users, as the system presents the images one at a time. Cued Click Points also provides implicit feedback claimed to be useful only to legitimate users. When logging on, seeing an image they do not recognize alerts users that their previous click-point was incorrect, and users may restart password entry. Explicit indication of authentication failure is only provided after the final click-point, to protect against incremental guessing attacks. In Cued Click Points, pattern based attacks seem ineffective. Although attackers must perform proportionally more work to exploit hotspots, results showed that hotspots remained a problem.

Fig 3.3 users select one click-point per image. The next image displayed is
determined by the current click-point.
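The two properties just described, that the next image is a function of the previous click and that failure is reported only after the final click, can be written down as a small server-side protocol. This is an added example, not the report's code and not the original CCP implementation; it assumes a per-user secret salt keying the "next image" function, a grid of CELL pixels as the click tolerance, a constructed image pool, and that the server stores a salted hash of the whole image/cell path rather than the individual click-points.

```python
"""Cued Click Points: image path driven by click-points, verified only at the end (added example)."""
import hashlib
import hmac
import os

CELL = 19                                  # click tolerance grid, pixels (assumed)
ROUNDS = 5                                 # CCP: one click-point on each of five images
ITERATIONS = 100_000                       # PBKDF2 work factor (assumed)
POOL = [f"img{i:03d}.jpg" for i in range(1000)]   # constructed image pool


def cell_of(point, cell=CELL):
    return (point[0] // cell, point[1] // cell)


def next_image(user_salt, image, cell):
    """Deterministic, keyed choice of the next image from (current image, click cell).

    Keying with a per-user secret stops an attacker from precomputing the
    image graph; the same inputs always lead to the same next image, which is
    what gives legitimate users the implicit feedback the report describes.
    """
    msg = f"{image}|{cell[0]}:{cell[1]}".encode()
    h = hmac.new(user_salt, msg, hashlib.sha256).digest()
    return POOL[int.from_bytes(h[:4], "big") % len(POOL)]


def walk(user_salt, first_image, points):
    """Replay the clicks: returns (images shown in order, canonical path string)."""
    images = [first_image]
    path = []
    for p in points:
        c = cell_of(p)
        path.append(f"{images[-1]}@{c[0]}:{c[1]}")
        images.append(next_image(user_salt, images[-1], c))
    return images, "|".join(path)


def register(points, user_salt=None, first_image=None):
    """Create the stored record; the raw click-points are discarded."""
    if len(points) != ROUNDS:
        raise ValueError(f"expected {ROUNDS} click-points, got {len(points)}")
    user_salt = user_salt or os.urandom(16)
    first_image = first_image or POOL[0]
    images, path = walk(user_salt, first_image, points)
    digest = hashlib.pbkdf2_hmac("sha256", path.encode(), user_salt, ITERATIONS)
    return {"salt": user_salt, "first_image": first_image, "digest": digest}, images


def login(record, points):
    """Return (accepted, images shown). Wrong intermediate clicks change the
    images that follow (implicit feedback) but no failure is signalled until all
    ROUNDS clicks are in, so an attacker cannot confirm clicks one at a time."""
    images, path = walk(record["salt"], record["first_image"], points)
    if len(points) != ROUNDS:
        return False, images
    digest = hashlib.pbkdf2_hmac("sha256", path.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"]), images


# Constructed sample password and a fixed salt so the demo is reproducible
SECRET_CLICKS = [(120, 45), (310, 200), (77, 300), (400, 120), (250, 260)]
FIXED_SALT = b"per-user-secret-salt"

if __name__ == "__main__":
    record, shown = register(SECRET_CLICKS, FIXED_SALT)
    print("registration path:", shown)
    ok, shown_ok = login(record, SECRET_CLICKS)
    bad_first = [(500, 500)] + SECRET_CLICKS[1:]
    ok2, shown_bad = login(record, bad_first)
    print("correct:", ok, "wrong first click:", ok2)
    print("images diverge from round 2:", shown_bad[1:] != shown_ok[1:])
```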

3.5 Other Graphical Password Authentication Schemes :

3.5.1 Hash Visualization Technique:

This graphical password authentication scheme was based on Hash Visualization. In this system, the user is asked to select a certain number of images from a set of random pictures generated by a program during the registration stage. Later, the user will be required to identify the preselected images in order to be authenticated. The average log-in time, however, is longer than with the traditional approach of using alphanumeric passwords. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user.

3.5.2 Draw A Secret (DAS):

This is the first recall-based graphical password authentication scheme to be
produced. It allows the user to draw their unique password (figure 3.4). A user
is asked to draw a simple picture on a 2D grid. The coordinates of the grid
cells occupied by the picture are stored in the order of the drawing. During
authentication, the user is asked to re-draw the picture. If the drawing
touches the same grid cells in the same sequence, then the user is
authenticated. Jermyn et al. suggested that given reasonable-length passwords
in a 5 x 5 grid, the full password space of DAS is larger than that of the full
text password space.

Fig 3.4 Draw-A-Secret technique.

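To show what "touches the same grids in the same sequence" means in practice, here is an added example (not the report's code and not Jermyn et al.'s implementation) that reduces a drawing to its DAS secret on a 5 x 5 grid and verifies a re-drawing against a salted hash of that secret. The canvas size, the pen-up marker value, the segment sampling step and the sample drawings are assumptions; the point it demonstrates is that two visibly different drawings are the same DAS password as long as they cross the same cells in the same order.

```python
import hashlib
import hmac
import secrets

GRID = 5                 # 5 x 5 grid as in Jermyn et al.
CANVAS = 500             # canvas size in pixels (assumed)
CELL = CANVAS // GRID    # 100 px per cell
PEN_UP = (GRID, GRID)    # pen-up marker outside the grid; the value is our choice


def cell_of(point):
    """Map a canvas point to its (column, row) grid cell."""
    x, y = point
    if not (0 <= x < CANVAS and 0 <= y < CANVAS):
        raise ValueError(f"point {point} is outside the canvas")
    return (x // CELL, y // CELL)


def _walk(p, q, step=CELL // 4):
    """Sample points along the segment p -> q finely enough that no cell the
    pen crosses is skipped (a real UI samples mouse motion densely)."""
    (x0, y0), (x1, y1) = p, q
    n = max(1, max(abs(x1 - x0), abs(y1 - y0)) // step)
    for i in range(n + 1):
        yield (x0 + (x1 - x0) * i // n, y0 + (y1 - y0) * i // n)


def encode_drawing(strokes):
    """Reduce a drawing (a list of strokes, each a list of points) to its DAS
    secret: the cells touched, in order, with consecutive repeats collapsed and
    a pen-up marker closing each stroke."""
    seq = []
    for stroke in strokes:
        if not stroke:
            continue
        prev = None
        pairs = list(zip(stroke, stroke[1:])) or [(stroke[0], stroke[0])]
        for p, q in pairs:
            for point in _walk(p, q):
                c = cell_of(point)
                if c != prev:
                    seq.append(c)
                    prev = c
        seq.append(PEN_UP)
    return tuple(seq)


def _digest(salt, seq):
    """Salted hash of the cell sequence; the sequence itself is not stored."""
    h = hashlib.sha256(salt)
    for x, y in seq:
        h.update(f"{x},{y};".encode())
    return h.hexdigest()


def enroll(strokes):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _digest(salt, encode_drawing(strokes))}


def verify(record, strokes):
    """Accept the re-drawing only if it yields the same cell sequence."""
    return hmac.compare_digest(_digest(record["salt"], encode_drawing(strokes)),
                               record["digest"])


if __name__ == "__main__":
    # Constructed sample drawings: a neat square, a wobbly square, a triangle.
    SQUARE = [[(50, 50), (350, 50), (350, 350), (50, 350), (50, 50)]]
    WOBBLY = [[(60, 40), (340, 60), (360, 340), (40, 360), (60, 40)]]
    TRIANGLE = [[(50, 50), (350, 50), (50, 350), (50, 50)]]
    rec = enroll(SQUARE)
    print(encode_drawing(SQUARE))
    print(verify(rec, WOBBLY), verify(rec, TRIANGLE))
```

The cell-level tolerance is what makes the scheme usable at all, and it is also why the effective password space is the number of distinct cell sequences rather than the number of possible pixel paths.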
3.5.3 Passface:

“Passface” is a technique developed by Real User Corporation (Real User
Cooperation, 2006). The basic idea is as follows: the user will be asked to
choose four images of human faces from a face database as their future
password during registration. In the authentication stage, the user sees a grid
of nine faces, consisting of one face previously chosen by the user and eight
decoy faces (figure 3.5). The user recognizes and clicks anywhere on the known
face. This procedure is repeated for several rounds. The user is authenticated
if he/she correctly identifies the four faces. The technique is based on the
assumption that people can recall human faces more easily than other pictures.
Studies have shown that Passfaces are very memorable over long intervals. With
the use of Passfaces, there are four (4) rounds of authentication. During
registration, the user selects four (4) faces as his/her password. At the
authentication stage the user is presented with nine (9) different faces in
each round. The user is only authenticated after the final round of selection.
One significant drawback of using Passface is the problem of shoulder surfing.

Fig 3.5 Examples of Passfaces (Realuser.com)

3.6 Is a graphical password as secure as a text based password?

Very little research has been done to study the difficulty of cracking graphical
passwords. Because graphical passwords are not widely used, there are no
reports of real cases of breaking graphical passwords in practice. Here, some
of the possible techniques for breaking graphical passwords are examined and
compared with text-based passwords. These techniques include:

3.6.1 Brute force search

The main defense against brute force search is to have a sufficiently large
password space. Text-based passwords have a password space of 94^N, where N is
the length of the password and 94 is the number of printable characters
excluding SPACE. Some graphical password techniques have been shown to provide
a password space similar to or larger than that of text-based passwords.
Recognition-based graphical passwords tend to have smaller password spaces
than the recall-based methods. It is more difficult to carry out a brute force
attack against graphical passwords than against text-based passwords: the
attack programs need to automatically generate accurate mouse motion to
imitate human input, which is particularly difficult for recall-based graphical
passwords. Overall, we believe a graphical password is less vulnerable to brute
force attacks than a text-based password.
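The password-space comparison above, and the Passface description in 3.5.3 (four rounds of nine faces), can be put into numbers. The following is an added example, not part of the report: it computes the size of each space, its equivalent in bits, how long an exhaustive offline search would take at an assumed guess rate, and the probability that a bounded number of online guesses succeeds, which is the figure a lockout threshold is chosen against. The 94^N formula and the 4 x 9 Passface layout come from the text; the image size, click tolerance, number of clicks and guess rate for the click-based scheme are assumptions.

```python
import math

PRINTABLE = 94   # printable ASCII characters excluding SPACE, as in the text


def text_space(length, alphabet=PRINTABLE):
    """Number of text passwords of exactly `length` characters: 94^N."""
    return alphabet ** length


def passface_space(rounds=4, faces_per_round=9):
    """One genuine face among `faces_per_round` in each round: 9^4."""
    return faces_per_round ** rounds


def click_space(width, height, tolerance, clicks):
    """Click-based schemes (PassPoints, Cued Click Points): each click selects
    one tolerance cell in a width x height image.  Image size and tolerance
    are assumed values, not taken from the report."""
    cells = (width // tolerance) * (height // tolerance)
    return cells ** clicks


def bits(space):
    """Password space expressed as an equivalent key length in bits."""
    return math.log2(space)


def exhaustive_search_seconds(space, guesses_per_second):
    """Worst-case time for an offline attacker to try every password; a
    defender uses this to judge whether the space is 'sufficiently large'."""
    return space / guesses_per_second


def online_success_probability(space, attempts):
    """Chance that `attempts` random online guesses hit a uniformly chosen
    password, i.e. the residual risk accepted by a given lockout threshold."""
    return min(1.0, attempts / space)


def compare(guesses_per_second=1e9):
    """Side-by-side figures for the three schemes discussed in the text."""
    schemes = {
        "text, 8 chars": text_space(8),
        "Passface, 4 rounds of 9": passface_space(),
        "click-based, 5 clicks, 400x300 px, 20 px tolerance":
            click_space(400, 300, 20, 5),
    }
    return {name: {"space": space,
                   "bits": round(bits(space), 1),
                   "exhaust_seconds": exhaustive_search_seconds(space, guesses_per_second),
                   "p_success_10_online_guesses": online_success_probability(space, 10)}
            for name, space in schemes.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: {row}")
```

The numbers reproduce the text's qualitative claim: the recognition-based Passface space (about 12.7 bits) is far smaller than the click-based recall space (about 41 bits), which in turn is smaller than an 8-character text password (about 52 bits). A space of 6561 passwords is only defensible online, with a strict attempt limit; it offers no resistance to an offline search.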

3.6.2 Dictionary attacks

Since recognition-based graphical passwords involve mouse input instead of
keyboard input, it will be impractical to carry out dictionary attacks against
this type of graphical password. For some recall-based graphical passwords, it
is possible to use a dictionary attack, but an automated dictionary attack will
be much more complex than a text-based dictionary attack. More research is
needed in this area. Overall, it is believed that graphical passwords are less
vulnerable to dictionary attacks compared to text-based passwords.

3.6.3 Guessing

Unfortunately, it seems that graphical passwords are often predictable, a
serious problem typically associated with text-based passwords. For example,
studies on the Passface technique have shown that people often choose weak and
predictable graphical passwords. Studies revealed similar predictability among
the graphical passwords created with the DAS technique. More research efforts
are needed to understand the nature of graphical passwords created by real
world users.

3.6.4 Spyware

With a few exceptions, key logging or key listening spyware cannot be used to
break graphical passwords. It is not clear whether “mouse tracking” spyware
will be an effective tool against graphical passwords. However, mouse motion
alone is not enough to break graphical passwords: such information has to be
correlated with application information, such as window position and size, as
well as timing information.

3.6.5 Shoulder surfing

Like text-based passwords, most graphical passwords are vulnerable to shoulder
surfing. At this point, only a few recognition-based techniques are designed to
resist shoulder surfing. None of the recall-based techniques are considered
shoulder-surfing resistant.

3.6.6 Social engineering

Compared to text-based passwords, it is less convenient for a user to give away
graphical passwords to another person. For example, it is very difficult to
give away graphical passwords over the phone. Setting up a phishing web site to
obtain graphical passwords would be more time consuming.

Overall, it is believed graphical passwords are more difficult to break using
the traditional attack methods like brute force search, dictionary attack, and
spyware. There is a need for more in-depth research that investigates possible
attack methods against graphical passwords.

3.7 Advantages

i. A graphical password authentication system is relatively inexpensive to
implement.

ii. Graphical passwords provide a way of making user friendly passwords.

iii. Graphical passwords are not vulnerable to dictionary attacks.

iv. It is less convenient for a user to give away graphical passwords to another
person.

3.8 Disadvantages

i. Password registration and login take too long; the login process is slow.

ii. Most users are not familiar with graphical passwords, and they often find
graphical passwords less convenient and time consuming.

iii. Graphical passwords are prone to shoulder surfing. Because of their
graphic nature, nearly all graphical password schemes are prone to shoulder
surfing.

CHAPTER 4
CONCLUSION

4.1 Summary:

The past decade has seen a growing interest in using graphical passwords as an
alternative to traditional text-based passwords. This report presents a
comprehensive survey of existing graphical password techniques. The current
graphical password techniques can be classified into two categories:
recognition-based and recall-based techniques. Although the main argument for
graphical passwords is that people are better at memorizing graphical passwords
than text-based passwords, the existing user studies are very limited and there
is not yet convincing evidence to support this argument. My research suggests
that it is more difficult to break graphical passwords using the traditional
attack methods such as brute force search, dictionary attack, or spyware.
However, since there is not yet wide deployment of graphical password systems,
the vulnerabilities of graphical passwords are still not fully understood.

4.2 Recommendation:

Although the use of graphical passwords is not as secure as other forms of
authentication, such as biometric authentication (which is very expensive),
text-based passwords should be replaced with graphical passwords because they
are more secure. My recommendation to future researchers is to investigate
other means of eliminating the shoulder surfing problem attached to the use of
graphical passwords.

4.3 Conclusion:

In conclusion, I would like to highlight two major drawbacks of graphical
passwords: their vulnerability to shoulder surfing and their slow login process.
Several researchers have tried to fix these problems with graphical passwords.
Despite those two major drawbacks, graphical passwords are considered to be
more secure and easier to remember than text-based passwords.

REFERENCES

Hong, D., Man, S., Hawes, B. and Mathews, M. (2002). "A password scheme
strongly resistant to spyware". International Conference on Security and
Management, Las Vegas.

Hong, D., Man, S., Hawes, B. and Mathews, M. (2003). "A shoulder surfing
resistant graphical password scheme". International Conference on Security and
Management, Las Vegas.

Parkinson, M. (2005). "The Power of Visual Communication". 23-27.

Paivio, A. (2006). Mind and Its Evolution: A Dual Coding Theoretical Approach.

Dhamija, R. and Perrig, A. (2000). "Déjà Vu: A User Study Using Images for
Authentication".

Real User Cooperation. (2006). Retrieved October 3, 2015, from Realuser:
http://www.realuser.com

Sobrado, L. and Birget, J. (2002). "Graphical Passwords". An Electronic
Bulletin for Undergraduate Research, vol. 4.

Saranga, K. and Hutchings, R. (2008). "Order and entropy in picture passwords".
Proceedings of Graphics Interface, Canadian Information Processing Society.

(www.objs.com, 2013)

Xiaoyuan, S. and Ying Zhu, G. (2005). "Graphical passwords: a survey". 21st
Annual Computer Security Applications Conference.
