GPA Document
BACHELOR OF TECHNOLOGY
In
COMPUTER SCIENCE AND ENGINEERING
Submitted
By
AMMIREDDY SHASHANKA
HT.NO:20D41A0510
Sheriguda, Ibrahimpatnam
(2023-2024)
SRI INDU COLLEGE OF ENGINEERING AND TECHNOLOGY
(An Autonomous Institution under UGC, Accredited by NBA, Affiliated to JNTUH)
CERTIFICATE
Certified that the Technical Seminar Work entitled “GRAPHICAL PASSWORD AUTHENTICATION” is a
bona fide work carried out by AMMIREDDY SHASHANKA (20D41A0510) in partial fulfilment for the
award of BACHELOR OF TECHNOLOGY in COMPUTER SCIENCE AND TECHNOLOGY of
SICET, Hyderabad for the academic year 2023-2024. The Technical Seminar report has been approved as it
satisfies the academic requirements in respect of the work prescribed for the IV YEAR, I-SEMESTER of the B.
TECH course.
Computer security depends largely on passwords to authenticate human users and keep attackers out.
The most common computer authentication method is to use alphanumerical usernames and passwords.
However, this method has significant drawbacks. For example, passwords selected by users are
easily guessed by an attacker. On the other hand, passwords which are difficult to guess are difficult to
remember. To overcome this problem of low security, researchers have developed authentication methods
that use images as passwords. In this report, we conduct a comprehensive survey of the existing
graphical password techniques and provide a possible theory of our own.
At present, the most prominent user authentication system is still the traditional one: a "username" and a
"password", usually entered as text. This system has well-known disadvantages that cannot be ignored. Strong
text passwords are hard to remember, so users tend to write them down or save them in files on their devices.
Many computer systems, networks and internet-based services now call for graphical authentication methods.
The basis of such an authentication system is to encourage users to pick better passwords, which increases
security and usability while also enlarging the password space. In this report we present a survey of the
current graphical password systems, classified into recognition-based, pure-recall-based, cued-recall-based
and multifactor methods, and we examine the strengths and drawbacks of graphical password schemes.
ACKNOWLEDGMENT
With great pleasure I want to take this opportunity to express my heartfelt gratitude to all the people who
helped in making this seminar a success. I thank the almighty for giving me the courage and perseverance
in completing the seminar.
I am highly indebted to Prof. CH. GVN. PRASAD, Head of the Department of Computer Science &
Engineering, for providing valuable guidance at every stage of this seminar. I would like to thank the
Teaching & Non-Teaching staff of the Department of Computer Science & Engineering for sharing their
knowledge with me.
Last but not the least, I express my sincere thanks to everyone who helped directly or indirectly in the
presentation of this seminar.
A.SHASHANKA
20D41A0510
CONTENTS
1. INTRODUCTION 1
2. LITERATURE SURVEY 2
3. PROPOSED SYSTEM 3
8. CONCLUSION 17
9. REFERENCES 18
LIST OF FIGURES
1 DRAW A SECRET SCHEME 6
1.INTRODUCTION
A graphical password is an authentication system that works by having the user select from images, in
a specific order, presented in a graphical user interface (GUI). Graphical passwords may be a solution to the
password problem. The idea of graphical passwords, first described by Greg Blonder [G. Blonder, Graphical
Passwords, United States Patent 5559961 (1996)], is to let the user click (with a mouse or a stylus) on a few
chosen regions in an image that appears on the screen. To log in, the user has to click in the same regions
again. In Blonder-style graphical passwords, only pre-processed images can be used. The click regions can
only be chosen from certain pre-designed regions in the image. This implies that users cannot provide
images of their own for making passwords, and cannot choose click places that are not among the
preselected ones. Our design allows the use of any images (including the users' own images, digital photos of
landscapes, paintings, etc.). Moreover, we let users choose any places that attract them as click regions; such
places are easier to remember.
However, allowing arbitrary click locations leads to a stability problem, which we had to overcome. The
problem is that we cannot expect users to always click on exactly the same location (when they intend to).
So, we discretize the image by using a square grid. But that leads to border problems: if the chosen click
location is near the edge of a grid square, the user will sometimes click in one square and sometimes in a
neighbouring square. We devised a multigrid method, which we call robust discretization, which leads to
a stable output for the user's clicking actions. An approximation parameter r is used; as long as the user
clicks within distance r of the originally chosen click location, the output of the clicking will be the same
(e.g., r = 2 mm). It is important to have stable output because the output of the discretized clicking will
undergo a secure hash (“password encryption”) for security reasons: we do not store the actual graphical
password in the computer, just the hash value. So, the system does not know the graphical password
explicitly and hence cannot check whether the user's clicks are “approximately correct”.
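The robust discretization and hashed storage described above, as an added example that is not code from the report: three grids of cell size 6r, offset by 2r along each axis, are assumed, so every click point is more than r away from a cell border in at least one of them; the chosen grid index per click is stored in the clear, and only a salted hash of the resulting cell sequence is kept, so a login attempt is accepted when each click lands within r of the enrolled point.

```python
# Added example (not from the report): click-point enrolment and verification
# with robust discretization. Assumed construction: three grids with cell size
# 6r, offset by 0, 2r and 4r along each axis; the border sets of the three grids
# are 2r apart, so a point is within r of at most one of them and at least one
# grid is "safe" for it. Only the grid choices and a salted hash are stored.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, float]
GRIDS = 3  # number of offset grids per axis


def safe_grid(coord: float, r: float) -> int:
    """Index k of an offset grid in which `coord` is strictly more than r from
    every cell border, so any click within distance r stays in the same cell."""
    cell = 6 * r
    for k in range(GRIDS):
        pos = (coord - 2 * r * k) % cell  # position inside the cell of grid k
        if r < pos < cell - r:
            return k
    raise AssertionError("unreachable: one of the three grids is always safe")


def cell_index(coord: float, r: float, k: int) -> int:
    """Cell number of `coord` in offset grid k (cell size 6r, offset 2r*k)."""
    return int((coord - 2 * r * k) // (6 * r))


def discretize(points: Sequence[Point], r: float
               ) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Pick a safe grid per axis for every click; return (grid indices, cells)."""
    grids, cells = [], []
    for x, y in points:
        kx, ky = safe_grid(x, r), safe_grid(y, r)
        grids.append((kx, ky))
        cells.append((cell_index(x, r, kx), cell_index(y, r, ky)))
    return grids, cells


def cells_digest(cells: Sequence[Tuple[int, int]], salt: bytes) -> str:
    """Salted SHA-256 over the cell sequence; this digest is all that is stored."""
    data = ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.sha256(salt + data).hexdigest()


def enroll(points: Sequence[Point], r: float, salt: Optional[bytes] = None) -> Dict:
    """Stored record: r, salt and per-click grid choices in the clear, cells hashed.
    The grid choices leak a little about where the points lie, which is the
    price of stability in this scheme."""
    salt = salt if salt is not None else os.urandom(16)
    grids, cells = discretize(points, r)
    return {"r": r, "salt": salt, "grids": grids, "digest": cells_digest(cells, salt)}


def verify(record: Dict, attempt: Sequence[Point]) -> bool:
    """Re-discretize the attempt with the enrolled grid choices and compare digests."""
    r = record["r"]
    if len(attempt) != len(record["grids"]):
        return False
    cells = [(cell_index(x, r, kx), cell_index(y, r, ky))
             for (x, y), (kx, ky) in zip(attempt, record["grids"])]
    return hmac.compare_digest(cells_digest(cells, record["salt"]), record["digest"])


# Constructed sample: two click points in image pixel coordinates, r = 2 px.
ENROLLED = [(13.0, 40.0), (77.0, 101.0)]
RECORD = enroll(ENROLLED, r=2.0, salt=b"constructed-salt")

if __name__ == "__main__":
    print("grid choices stored in the clear:", RECORD["grids"])
    print("nearby clicks accepted:", verify(RECORD, [(14.5, 38.5), (75.5, 102.9)]))
    print("off-target click rejected:", verify(RECORD, [(13.0, 40.0), (77.0, 140.0)]))
```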
2.LITERATURE SURVEY
In the literature, several techniques have been proposed to reduce the limitations of the traditional
alphanumerical password. One proposed solution is to use an easy-to-remember long phrase
(passphrase) rather than a single word [6]. Another proposed solution is to use graphical passwords, in which
graphics (images) are used instead of alphanumerical passwords. This can be achieved by asking the user to
select regions from an image rather than typing characters as in alphanumeric password approaches. In December
2009, H. Gao proposed a graphical password scheme using colour login, which uses background colours
to decrease login time; however, the possibility of accidental login is high and the password is too
short. The system developed by Sobrado was improved by combining text with images or colours to generate
session passwords for authentication. Session passwords can be used only once, and every time a new
password is generated. The advantages of this system are that it reduces the login time and that session passwords
are generated to improve security. The disadvantage of this system is that the possibility of accidental
login is high and the password is too short.
3.PROPOSED SYSTEM
Graphical passwords refer to using images (also drawings) as passwords. In theory, graphical passwords can
be easily remembered, as users remember images better than words. Human factors are often considered the
weakest point in a computer security system. Patrick et al. [1] point out that there are three major areas where
human-computer interaction is important: security operations, developing secure systems, and authentication.
Here we focus on the authentication problem.
User authentication is one of the important and fundamental components in most computer security systems.
Biometrics is one of the important authentication methods used to tackle the problems associated with
traditional username-passwords. But here we will deal with another alternative: using images as passwords.
According to a recent Computerworld news article, the security team at a large company ran a network
password cracker and within 30 seconds identified about 80% of the passwords. On the other hand,
passwords that are difficult to guess or break are often difficult to remember. Studies have shown that since users
can only remember a limited number of passwords, they tend to write them down or use the same
passwords for different accounts. To address the problems with traditional username-password
authentication, alternative authentication methods, such as biometrics [2,7], have been used. In this paper,
however, we will focus on another alternative: using pictures as passwords. In addition, if the number of
possible pictures is sufficiently large, the possible password space of a graphical password scheme may
exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks.
Because of these (presumed) advantages, there is a growing interest in graphical passwords. They should also
be more resistant to brute-force attacks, because there is practically an infinite search space. Graphical
password techniques are categorized into two main categories:
1.Recall-based techniques
2.Recognition-based techniques
4.RECALL BASED SCHEME
In recall-based techniques, a user is asked to reproduce something that he or she created or selected
earlier during the registration stage. Recall-based graphical password systems are occasionally referred to as
drawmetric systems [3], since a secret drawing is recalled and reproduced by the user. In these systems, users
typically draw their password either on a blank canvas or on a grid (which may arguably act as a mild
memory cue). Recall is a difficult memory task [6] because retrieval is done without memory prompts or
cues. Users sometimes devise ways in which the interface can be used as a cue even though it is not
intended as such; the task is then transformed into one of cued recall, although one where the same cue is
available to all users and to attackers.
Text passwords can also be categorized as using recall memory. With text passwords, there is evidence
that users often include the name of the system as part of their passwords. Although there is currently no
evidence of this happening with graphical passwords, it remains a seemingly valid coping strategy if users
can devise a way of relating a recall-based graphical password to a corresponding account name.
To a great extent, these systems are susceptible to shoulder-surfing attacks: the entire drawing is
visible on the screen as it is being entered, so an attacker needs to accurately observe or record only one
login for the entire password to be revealed. A password can be secured using various techniques in
graphical authentication. Here we propose a new algorithm of authentication using images. To
authenticate, we use a grid-based approach with an image as a reference. The user uploads an image or set of
images along with all his/her details at the time of registration. Then the image selected by the user
appears on the page with a transparent grid layer on it. Certain grid cells are then selected by the user to set
his/her password, as shown in the figure below.
In this section we present a purely graphical password selection and input scheme, which we call ``draw a
secret'' (DAS). In this scheme, the password is a simple picture drawn on a grid. This approach is alphabet
independent, thus making it equally accessible to speakers of any language. Users are freed from having to
remember any kind of alphanumeric string. The most compelling reason for exploring the use of a
picture-based password scheme is that humans seem to possess a remarkable ability for recalling pictures
(i.e., line drawings and real objects). The ``picture effect'', that is, the effect of pictorial and object
representations on a variety of measures of learning and memory, has been studied for decades
[7,27,25,30,5]. Cognitive scientists have shown that there is a substantial improvement in performance in
recall and recognition with pictorial representations of to-be-remembered material compared with verbal
representations.
Fig 1: Draw a Secret scheme
Fig 2: DAS scheme with coordinates
We further discuss a newer and more secure graphical password system called PassPoints. In the PassPoints
system, users create a password as a sequence of click-points on a background image. The graphical password is a
technique which is more secure than text-based passwords. In graphical passwords, a sequence of clicks is
recorded to derive the password. The click events are performed on the same image or on different images, or users
can also select a sequence of images. In this system there are four main modules, namely Image Submission,
Image Password Point Mark, Pixel Tolerance Calculation and Authentication. A user submits an image, then
he/she clicks on the image to create a password; the system then calculates the pixel tolerance around each
click-point. While authenticating, the user needs to click within the tolerances in the correct sequence. Text
passwords are the most popular user authentication method today, but have security and user-friendliness
problems. Graphical passwords offer another alternative, and are the focus of this paper. Graphical password
systems are a type of image-based authentication that attempt to take advantage of human memory for visual
information. In PassPoints, passwords consist of a sequence of pixel click-points on a
given image. Users may choose any pixel in that image as a click-point for their password. To log in,
they repeat the sequence of clicks in the same order.
In the persuasive cued click-points algorithm, the image is divided into small grid cells or view ports; the
user chooses one grid cell of the image, then chooses one pixel in that selected cell, and the chosen pixels
are set as the password. During password creation, most of the image is shaded except for a small view grid area
that is randomly positioned on the image, as shown in the figure. Users must choose a click-point
within the view grid.
If they do not wish to choose a point in the current view grid, they may click
the move button to randomly reposition the view grid. This procedure is repeated three times, that is, for three
different images chosen by the user. After one pixel is chosen, the next image appears and the second pixel is chosen,
and similarly the third pixel on the next image. If the user chooses a wrong pixel, the system misleads the user,
i.e., a wrong image appears and the user is not authenticated by the system.
The view grid's size is intended to offer a variety of distinct points but still cover only an acceptably
small fraction of all possible points. Users must choose a click-point within this highlighted view grid area
and cannot click outside of it, unless they click the move button to randomly reposition the
view grid area. While users may move the view grid as often as desired, this significantly slows password creation.
The view grid and move button appear only during password creation. During later password entry, the
images are displayed normally, without shading or the view grid, and users may click anywhere on the
images.
Syukri developed a technique where authentication is done by drawing the user's signature with a mouse, as
shown in figure 4. This technique includes two stages, registration and verification. At the time of
registration, the user draws his signature with a mouse, after which the system extracts the signature area.
In the verification stage, the system takes the user's signature as input, normalizes it and then extracts the
parameters of the signature. The disadvantage of this technique is the forgery of signatures. Drawing with a
mouse is not familiar to many people, so it is difficult to draw the signature within the same perimeter as at the time
of registration.
Fig 3: Pass Point Scheme
Jermyn et al. proposed a technique, called "Draw-a-Secret" (DAS), which allows the
user to draw their unique password. A user is asked to draw a simple picture on a 2D grid.
The coordinates of the grid cells occupied by the picture are stored in the order of the drawing.
During authentication, the user is asked to redraw the picture. If the drawing touches the
same grid cells in the same sequence, then the user is authenticated. Jermyn et al. suggested that
given reasonable-length passwords on a 5 x 5 grid, the full password space of DAS is larger
than that of text-based passwords.
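The DAS scheme just described (and introduced in the ``draw a secret'' section above), as an added example that is not code from the report or from Jermyn et al.: a drawing is reduced to the ordered sequence of grid cells the pen crosses, with a pen-up marker after each stroke, and only a salted hash of that sequence is stored and compared. The 5 x 5 grid over a 500 px canvas, the pen-up marker (6,6), the salt and the sample strokes are assumptions made for this example.

```python
# Added example (not from the report or from Jermyn et al.): encoding a DAS
# drawing on an N x N grid as the ordered cell sequence with pen-up markers,
# then storing and checking only a salted hash of that sequence. Cells are
# numbered 1..N and the pen-up marker is (N+1, N+1), i.e. (6,6) on a 5 x 5
# grid. Canvas size, salt and the sample strokes are constructed for this example.
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, float]
Cell = Tuple[int, int]
Stroke = Sequence[Point]  # sampled pen positions from pen-down to pen-up


class DasGrid:
    def __init__(self, n: int = 5, canvas_px: int = 500) -> None:
        self.n = n
        self.canvas_px = canvas_px
        self.cell_px = canvas_px / n
        self.pen_up: Cell = (n + 1, n + 1)

    def cell_of(self, p: Point) -> Cell:
        """1-based (column, row) grid cell of a canvas point, clamped to the grid edge."""
        col = min(self.n, max(1, int(p[0] // self.cell_px) + 1))
        row = min(self.n, max(1, int(p[1] // self.cell_px) + 1))
        return (col, row)

    def encode(self, strokes: Sequence[Stroke]) -> List[Cell]:
        """Cells visited by each stroke in drawing order, consecutive repeats
        collapsed, each stroke terminated by the pen-up marker. Lingering or
        wiggling inside one cell therefore does not change the encoding."""
        out: List[Cell] = []
        for stroke in strokes:
            last: Optional[Cell] = None
            for p in stroke:
                c = self.cell_of(p)
                if c != last:
                    out.append(c)
                    last = c
            out.append(self.pen_up)
        return out


def sequence_digest(cells: Sequence[Cell], salt: bytes) -> str:
    """Salted SHA-256 of the encoded sequence; the drawing itself is never stored."""
    data = ";".join(f"{x},{y}" for x, y in cells).encode()
    return hashlib.sha256(salt + data).hexdigest()


def enroll(grid: DasGrid, strokes: Sequence[Stroke], salt: bytes) -> Dict:
    """Stored record: grid parameters, salt and the digest of the enrolled drawing."""
    return {"n": grid.n, "canvas_px": grid.canvas_px, "salt": salt,
            "digest": sequence_digest(grid.encode(strokes), salt)}


def verify(record: Dict, strokes: Sequence[Stroke]) -> bool:
    """Re-encode the redrawn picture and compare digests in constant time."""
    grid = DasGrid(record["n"], record["canvas_px"])
    return hmac.compare_digest(
        sequence_digest(grid.encode(strokes), record["salt"]), record["digest"])


# Constructed drawing on a 5 x 5 grid over a 500 px canvas (100 px cells):
# an L shape down column 1 and along row 5, then a dot in cell (4, 2).
ENROLLED_STROKES = [
    [(50, 50), (50, 150), (50, 260), (50, 350), (50, 450), (150, 450), (250, 450)],
    [(350, 150), (352, 151)],
]
# The same picture redrawn with different mouse sampling inside the same cells.
REDRAWN_STROKES = [
    [(40, 60), (45, 120), (60, 199), (55, 240), (48, 330), (52, 420),
     (120, 430), (180, 440), (230, 470)],
    [(390, 110)],
]
GRID = DasGrid(5, 500)
RECORD = enroll(GRID, ENROLLED_STROKES, salt=b"constructed-salt")

if __name__ == "__main__":
    print("encoded:", GRID.encode(ENROLLED_STROKES))
    print("redrawn accepted:", verify(RECORD, REDRAWN_STROKES))
    print("strokes in wrong order rejected:", verify(RECORD, ENROLLED_STROKES[::-1]))
```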
Fig 4: Signature Drawing Scheme
Dhamija and Perrig proposed a graphical authentication scheme based on the Hash Visualization technique.
In their system, the user is asked to select a certain number of images from a set of random pictures
generated by a program. Later, the user is required to identify the pre-selected images in order to be
authenticated. The results showed that 90% of all participants succeeded in authenticating using this
technique, while only 70% succeeded using text-based passwords and PINs. The average log-in time,
however, is longer than with the traditional approach. A weakness of this system is that the server needs to store
the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures
from the picture database can be tedious and time-consuming for the user.
Sobrado and Birget developed a graphical password technique that deals with the shoulder-surfing problem. In
the first scheme, the system displays a number of pass-objects (pre-selected by the user) among many other
objects. To be authenticated, a user needs to recognize the pass-objects and click inside the convex hull formed
by all the pass-objects. In order to make the password hard to guess, Sobrado and Birget suggested using
1000 objects, which makes the display very crowded and the objects almost indistinguishable; using
fewer objects may lead to a smaller password space, since the resulting convex hull can be large. In their
second algorithm, a user moves a frame (and the objects within it) until the pass-object on the frame lines up
with the other two pass-objects. The authors also suggest repeating the process a few more times to minimize
the likelihood of logging in by randomly clicking or rotating. The main drawback of these algorithms is that
the login process can be slow.
Man proposed another shoulder-surfing-resistant algorithm. In this algorithm, a user selects a number of
pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code.
During authentication, the user is challenged with several scenes. Each scene contains several pass-objects
(each in the form of a randomly chosen variant) and many decoy objects.
The user has to type in a string with the unique codes corresponding to the pass-object variants present in the
scene, as well as a code indicating the relative location of the pass-objects in reference to a pair of eyes. The
argument is that it is very hard to crack this kind of password even if the whole authentication process is
recorded on video, because there is no mouse click to give away the pass-object information. However, this
method still requires users to memorize the alphanumeric code for each pass-object variant. Hong et al.
later extended this approach to allow the user to assign their own codes to pass-object variants. However, this
method still forces the user to memorize many text strings and therefore suffers from the many drawbacks of
text-based passwords.
5.3 Pass Face Scheme:
In this technique, human faces are treated as passwords. When using Passfaces to authenticate to an
application, the user is presented with a grid of nine faces. Only one face on the grid is from the user's unique
set of faces; the rest are decoys. The user must select his specific face on the grid to get past the digital gate.
This process continues for the other four faces of his set. If he fails to recognize or select all of his faces, he
is taken back a step to try again. If too many failures occur, he is locked out of the application.
Jansen et al. proposed a graphical password mechanism for mobile devices. During the enrolment stage, a user
selects a theme (e.g., sea, cat, etc.) which consists of thumbnail photos and then registers a sequence of
images as a password. During authentication, the user must enter the registered images in the correct
sequence. One drawback of this technique is that since the number of thumbnail images is limited to 30, the
password space is small. Each thumbnail image is assigned a numerical value, and the sequence of selection
generates a numerical password. The results showed that the image sequence length was generally shorter
than the textual password length. To address this problem, two pictures can be combined to compose a new
alphabet element, thus expanding the image alphabet size.
The proposed system was implemented using PHP, CSS, JavaScript and Macromedia Flash 2008 (ActionScript 2).
This graphical password can be used to authenticate to several systems and websites. The
implementation has a few focuses:
As shown in the figure below, researchers have tried to reach this goal in text-based systems. However, the
text-based approach cannot achieve it, because as password strength increases, usability
decreases. Our main aim is to achieve this goal: to maintain both the usability and the security of the system
in such a way that we do not need to compromise on either of these constraints.
• Grids: contains the unique grid values and the grid-clicking related methods.
Design Constraints:
The system is to be designed based on HTML code and a database, using J2EE 1.4, Oracle 8i or above and
Struts 1.2.x. All components follow the Model-View-Controller pattern.
Purchased Components:
Interfaces
User Interfaces:
All pages of the system follow a consistent theme and clear structure. The occurrence of errors should
be minimized through the use of checkboxes, radio buttons and scroll-down lists in order to reduce the amount of
text input from the user. JavaScript embedded in the HTML provides a data check before submission.
HTML tables display information in a clear structure that is easy for the user to understand.
a.Server Side
The web application will be hosted on one of the Linux or Windows servers and connects to one of the
Hostel Oracle database servers. The web server listens on the standard web port, port 80.
b.Client side
The system is a web-based application; clients are required to use a modern web browser such as Mozilla
Firefox 1.5 or Internet Explorer 6, with cookies enabled. The computer must have an Internet connection or
LAN access in order to reach the system from any other system with sufficient credentials.
a.Server Side
The ORSCM already has the required software to host a Java web application. An Apache web server
will accept all requests from the client and forward ORSCM-specific requests to a Tomcat 5.5 Servlet
Container with J2EE 5.0 and Struts 1.2.8 hosting ORSCM. A development instance will be hosted locally (using
MySQL or Oracle).
b.Client Side
The HTTP protocol will be used to facilitate communication between the client and server.
The main defence measure against brute-force search is to have a sufficiently large password space. Text-
based passwords have a password space of 94^N, where N is the length of the password and 94 is the number of
printable characters (shift and non-shift keys, excluding SPACE) on a standard keyboard. Some graphical
password techniques have been shown to provide a password space similar to or larger than that of text-
based passwords [9]. Recognition-based graphical passwords tend to have smaller password spaces than
recall-based methods. It is more difficult to carry out a brute-force attack against graphical passwords than
against text-based passwords.
The attack programs need to automatically generate accurate mouse motion to imitate human input, which is
particularly difficult for recall-based graphical passwords. Overall, in terms of brute-force attacks, it is
believed that a graphical password is less vulnerable than a text-based password.
Dictionary Attacks:
A “dictionary attack” is similar but tries words in a dictionary or a list of common passwords instead of all
possible passwords. This can be very effective, as many people use such weak and common passwords. It is
impractical to carry out dictionary attacks against graphical passwords, as recognition-based graphical
passwords involve mouse input instead of keyboard input.
For some recall-based graphical passwords [10], it is possible to use a dictionary attack, but an automated
dictionary attack will be much more complex than a text-based dictionary attack. More research is needed in
this area. However, it is evident that graphical passwords are less vulnerable to dictionary attacks than text-
based passwords.
Spyware:
Spyware is infiltration software that secretly monitors unsuspecting users. It can enable a hacker to obtain
sensitive information, such as passwords, from the user's computer. Spyware exploits user and application
vulnerabilities and is often attached to free online software downloads or to links that are clicked by users.
Except for a few cases, key-listening or key-logging spyware cannot be used to break graphical passwords. It is
not clear whether “mouse tracking” spyware will be an effective tool against graphical passwords. However,
motion of the mouse alone is not enough to break graphical passwords. Such information has to be correlated
with application information, such as window location, position and size, as well as desktop resolution
and size.
Shoulder Surfing:
Shoulder surfing refers to direct observation, such as looking over a person's shoulder, to obtain
information. In some cases shoulder surfing is done for no reason other than to get an answer, but in other
instances it may constitute a security breach, as the person behind may be gleaning private information such
as your PIN at a bank machine, or credit card information as you enter it into a web-based shopping cart
checkout. Like text-based passwords, most graphical authentication methods are vulnerable to
shoulder surfing. Until now, only a few recognition-based methods claim to resist shoulder surfing. None of
the recall-based methods are considered shoulder-surfing resistant.
8. CONCLUSION
We have proposed graphical passwords as a new security primitive relying on unsolved hard AI problems. The
notion of this scheme introduces a new family of graphical passwords, which adopts a new approach to
counter online guessing attacks: a new image, which is also a password challenge, is used for every login
attempt, to make the trials of an online guessing attack computationally independent of each other. A password
can be found only probabilistically by automatic online guessing attacks, including brute-force attacks, a
desired security property that other text password schemes lack. Hotspots in images can no longer be
exploited to mount automatic online guessing attacks, an inherent vulnerability in many graphical password
systems. Graphical passwords force adversaries to resort to significantly less efficient and much more costly
human-based attacks. In addition to offering protection from online guessing attacks, graphical passwords are
also resistant to Captcha relay attacks and, if combined with dual-view technologies, shoulder-surfing
attacks. Graphical passwords can also help reduce spam emails sent from a Web email service.
Our usability study of two graphical password schemes we have implemented is encouraging. For example,
more participants considered AnimalGrid and ClickText easier to use than PassPoints and a combination of
text password and Captcha. Both AnimalGrid and ClickText had better password memorability than
conventional text passwords. On the other hand, the usability of CaRP can be further improved by using
images of different levels of difficulty based on the login history of the user and the machine used to log in.
The optimal tradeoff between security and usability remains an open question for graphical passwords, and
further studies are needed to refine CaRP for actual deployments. Like Captcha, graphical passwords utilize
unsolved AI problems.
9.REFERENCES
[1] Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, and Nasir Memon. PassPoints:
design and longitudinal evaluation of a graphical password system. International Journal of Human-
Computer Studies, 63:102-127, July 2005.
[2] Robert Morris and Ken Thompson. Password security: a case history. Communications of the ACM,
22:594-597, November 1979.
[3] Daniel V. Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. In
Proceedings of the 2nd USENIX UNIX Security Workshop, 1990.
[4] Eugene H. Spafford. Observing reusable password choices. In Proceedings of the 3rd USENIX Security
Symposium, pages 299-312, 1992.
[5] Sigmund N. Porter. A password extension for improved human factors. Computers & Security,
1(1):54-56, 1982.