A Graphical Password Authentication System

                                               Ahmad Almulhem
                                        Computer Engineering Department
                                  King Fahd University of Petroleum and Minerals
                                             Dhahran, Saudi Arabia
                                            ahmadsm@kfupm.edu.sa


978-0-9564263-7/6/$25.00©2011 IEEE 223

Abstract

   Graphical passwords provide a promising alternative to traditional
alphanumeric passwords. They are attractive since people usually remember
pictures better than words. In this extended abstract, we propose a simple
graphical password authentication system. We describe its operation with some
examples, and highlight important aspects of the system.

1 Introduction

   User authentication is a fundamental component in most computer security
contexts. It provides the basis for access control and user accountability [1].
While there are various types of user authentication systems, alphanumerical
username/passwords are the most common type of user authentication. They are
versatile and easy to implement and use.
   Alphanumerical passwords are required to satisfy two contradictory
requirements. They have to be easily remembered by a user, while they have to
be hard to guess by an impostor [2]. Users are known to choose easily guessable
and/or short text passwords, which are an easy target of dictionary and
brute-force attacks [3, 4, 5]. Enforcing a strong password policy sometimes
leads to an opposite effect, as a user may resort to writing his or her
difficult-to-remember passwords on sticky notes, exposing them to direct theft.
   In the literature, several techniques have been proposed to reduce the
limitations of alphanumerical passwords. One proposed solution is to use an
easy-to-remember long phrase (passphrase) rather than a single word [6].
Another proposed solution is to use graphical passwords, in which graphics
(images) are used instead of alphanumerical passwords [7]. This can be achieved
by asking the user to select regions from an image rather than typing
characters as in alphanumeric password approaches.
   In this extended abstract, we propose a graphical password authentication
system. The system combines graphical and text-based passwords trying to
achieve the best of both worlds. In section 2, we provide a brief review of
graphical passwords. Then, the proposed system is described in section 3. In
section 4, we briefly discuss implementation and highlight some aspects about
the proposed system.

2 Graphical Passwords

   Graphical passwords refer to using pictures (also drawings) as passwords. In
theory, graphical passwords are easier to remember, since humans remember
pictures better than words [8]. Also, they should be more resistant to
brute-force attacks, since the search space is practically infinite.
   In general, graphical password techniques are classified into two main
categories: recognition-based and recall-based graphical techniques [7]. In
recognition-based techniques, a user is authenticated by challenging him/her to
identify one or more images he or she chooses during the registration stage. In
recall-based techniques, a user is asked to reproduce something that he or she
created or selected earlier during the registration stage.
   Passfaces is a recognition-based technique, where a user is authenticated by
challenging him/her into recognizing human faces [9]. An early recall-based
graphical password approach was introduced by Greg Blonder in 1996 [10]. In
this approach, a user creates a password by clicking on several locations on an
image. During authentication, the user must click on those locations.
PassPoints builds on Blonder's idea, and overcomes some of the limitations of
his scheme [2]. Several other approaches are surveyed in [7].

3 Proposed System

   The proposed authentication system works as follows. At the time of
registration, a user creates a graphical password by first entering a picture
he or she chooses. The user then chooses several point-of-interest (POI)
regions in the picture. Each POI is described by a circle (center and radius).
For every POI, the user types a word or phrase that would be associated with
that POI. If the user does not type any text after selecting a POI, then that
POI is associated with an empty string. The user can choose either to enforce
the order of selecting POIs (stronger password), or to make the order
insignificant.
   In Figure 1, we show an example of a user creating a graphical password. In
this example, the user chooses a picture of his or her kids by pressing the
“Load Image” button. Then the user clicks on the kids' faces in the order of
their ages (order is enforced). For each selected region, the user types the
kid’s name or nickname.
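The registration record described in this section, and the check a login attempt has to pass against it, can be modelled as follows. This is an added example in Python, not the paper's VB.net implementation: the function names, the sample coordinates and names, case-sensitive text matching, and storing each POI's text as a salted PBKDF2 hash are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from math import hypot

ITERATIONS = 100_000  # assumption: PBKDF2 work factor, not taken from the paper


@dataclass
class POI:
    x: int            # circle center
    y: int
    radius: int       # click tolerance around the center
    text_hash: bytes  # hash of the associated word ('' is allowed)


@dataclass
class GraphicalPassword:
    salt: bytes
    ordered: bool     # True: POIs must be picked in registration order
    pois: list


def _hash_text(text, salt):
    # Assumption: text is compared case-sensitively, exactly as typed.
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, ITERATIONS)


def register(selections, ordered):
    """selections: list of (x, y, radius, text) in the order they were chosen."""
    salt = os.urandom(16)
    pois = [POI(x, y, r, _hash_text(t, salt)) for x, y, r, t in selections]
    return GraphicalPassword(salt, ordered, pois)


def _hit(poi, click, text_hash):
    inside = hypot(click[0] - poi.x, click[1] - poi.y) <= poi.radius
    same = hmac.compare_digest(poi.text_hash, text_hash)  # constant-time compare
    return inside and same


def _match_any_order(pois, attempts):
    # Backtracking: every attempt must land on a distinct POI, which also
    # gives the right answer when registered circles overlap.
    if not attempts:
        return True
    click, text_hash = attempts[0]
    for i, poi in enumerate(pois):
        rest = pois[:i] + pois[i + 1:]
        if _hit(poi, click, text_hash) and _match_any_order(rest, attempts[1:]):
            return True
    return False


def verify(record, attempt):
    """attempt: list of ((x, y), text) in the order the user clicked."""
    if len(attempt) != len(record.pois):  # the number of POIs is part of the secret
        return False
    hashed = [(click, _hash_text(text, record.salt)) for click, text in attempt]
    if record.ordered:
        # Evaluate every position before deciding, so no early exit on a miss.
        results = [_hit(p, c, h) for p, (c, h) in zip(record.pois, hashed)]
        return all(results)
    return _match_any_order(record.pois, hashed)


# Constructed sample mirroring the Figure 1 scenario: three faces, oldest first.
KIDS = [(120, 80, 25, "sara"), (260, 95, 25, "omar"), (400, 110, 25, "lulu")]
```

The circle centers and radii have to stay in recoverable form so that a click can be tested against the tolerance; only the text half of each POI can be stored as a one-way hash.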



   Figure 1. An example of creating a graphical password using the proposed
   system.

   For authentication, the user first enters his or her username. The system,
then, displays the registered picture. The user, then, has to correctly pick
the POIs and type the associated words. At any time, typed words are either
shown as asterisks (*) or hidden. In Figure 2, we show an example of the login
screen.

   Figure 2. Login Screen

4 Implementation and Discussion

   The proposed system was implemented using Visual Basic .net 2005 (VB.net).
The implementation has three main classes:

  • LoginInfo: Contains username, graphical password, and related methods.

  • GraphicalPassword: Contains graphical password information and related
    methods.

  • SelReg: Contains fields about selected regions (POIs).

   In the proposed system, a user freely chooses a picture, POIs and
corresponding words. The order and number of POIs can be enforced for stronger
authentication. Together, these parameters allow for a very large password
space.
   We believe that the proposed approach is promising and unique for at least
two reasons:

  • It combines graphical and text-based passwords trying to achieve the best
    of both worlds.

  • It provides multi-factor authentication (graphical, text, POI-order,
    POI-number) in a friendly intuitive system.

5 Conclusion

   User authentication is a fundamental component in most computer security
contexts. In this extended abstract, we proposed a simple graphical password
authentication system. The system combines graphical and text-based passwords
trying to achieve the best of both worlds. It also provides multi-factor
authentication in a friendly intuitive system. We described the system
operation with some examples, and highlighted important aspects of the system.

6 References

 [1] William Stallings and Lawrie Brown. Computer Security: Principle and
     Practices. Pearson Education, 2008.
[2] Susan Wiedenbeck, Jim Waters, Jean-Camille Birget,
     Alex Brodskiy, and Nasir Memon. Passpoints: design
     and longitudinal evaluation of a graphical password
     system. International Journal of Human-Computer
     Studies, 63:102–127, July 2005.
 [3] Robert Morris and Ken Thompson. Password security:
     a case history. Communications of the ACM, 22:594–
     597, November 1979.
 [4] Daniel V. Klein. Foiling the Cracker: A Survey of, and
     Improvements to, Password Security. In Proceedings
     of the 2nd USENIX UNIX Security Workshop, 1990.
 [5] Eugene H. Spafford. Observing reusable password
     choices. In Proceedings of the 3rd Security Sympo-
     sium. Usenix, pages 299–312, 1992.
 [6] Sigmund N. Porter. A password extension for im-
     proved human factors. Computers & Security, 1(1):54
     – 56, 1982.
 [7] Xiaoyuan Suo, Ying Zhu, and G. Scott Owen. Graph-
     ical passwords: A survey. In Proceedings of Annual
     Computer Security Applications Conference, pages
     463–472, 2005.
 [8] Antonella De Angeli, Lynne Coventry, Graham John-
     son, and Karen Renaud. Is a picture really worth a
     thousand words? exploring the feasibility of graphi-
     cal authentication systems. International Journal of
     Human-Computer Studies, 63:128–152, July 2005.
 [9] Real User Corporation. The science behind passfaces,
     June 2004.
[10] G. E. Blonder. Graphical password. U.S. Patent
     5559961, Lucent Technologies, Inc. (Murray Hill,
     NJ), August 1995.



