Graphical Passwords: A Survey

Nov 17, 2013

Concept-Based Graphical Password Authentication Method


İbrahim Bumin KARA
Department of Computer Science Engineering
Isik University
Istanbul, TURKEY
ibrahim.kara@isik.edu.tr




Abstract

The most common computer authentication method is alphanumeric usernames and passwords, which requires a significant amount of human involvement. This method has been shown to suffer from many weaknesses. Users tend to choose either very short passwords, which are easy to break, or long passwords that are hard to remember. In addition, they commonly choose passwords that can be easily guessed, or they choose ones that are hard to guess but then have problems remembering them. Computer scientists have come up with different techniques to address this problem. One of them is to use images as passwords, called "Graphical Passwords". There are different kinds of graphical password techniques, classified in two categories: recognition-based and recall-based approaches. In this survey we researched this topic, more specifically recognition-based authentication methods with graphical passwords. We discuss the advantages and drawbacks of those graphical password techniques. Moreover, different types of applications are assessed, as well as our own application, "Concept-Based".


1. Introduction

Most of the security architectures used in the computing world suffer from human-based factors. According to Patrick, et al. [1], there are three areas of computational systems in which human factors are involved: authentication, security operations and developing secure systems.

The most widely used authentication method is usernames and textual passwords, an alphanumeric technique. Since the vulnerabilities of alphanumeric techniques are well known, such as security and memorability issues [2], researchers have been trying to overcome those weaknesses by designing graphical password techniques. Various graphical password techniques have been studied in order to create an alternative authentication system to alphanumeric techniques. The reason for seeing graphical password methods as an alternative rests on an assumption: humans can memorize images more easily than alphanumeric characters. Some psychological studies agree with this assumption [3].

In this survey we focused on authentication methods. Current authentication methods can be classified in three categories: token-based (something the user has), biometrics-based (something the user is) and knowledge-based (something the user knows) authentication. In the following parts of this paper, we first introduce the current authentication techniques and define their drawbacks individually, then take a more focused look at graphical passwords with their applications and security issues. Finally we introduce our recognition-based conceptual graphical password application called "Concept-Based".



2. Categorizing Current Authentication Methods


2.1. Biometrics Based Authentication

Biometric systems are automated authentication systems that recognize a human based on one or more physical or behavioral traits. Biometrics lets systems validate users by "who she is" instead of "what she possesses" [4, 5]. According to the survey by Suo, Zhu and Owen [6], biometrics provides the highest level of security among the techniques they compared. Biometric characteristics fall into two classes. Physiological characteristics relate to the shape of the body; common examples are fingerprints, face, iris and DNA. Behavioral characteristics relate to the behavior of a person; common examples are typing rhythm, gait and voice.

Although it provides a high level of security, biometrics still cannot be used widely because of its high cost. This bleeding-edge technology involves device cost, deployment cost and support cost, and all of these hold companies back from using biometrics, as do some environmental issues. For example, it is not reliable to use a voice-recognition technique in a noisy environment [7].



2.2. Token Based Authentication

Token-based authentication is normally used as one step of a two-step technique: it is combined with a knowledge-based method in order to achieve a greater level of security. Users hold an external device, such as an ATM card or a smartcard, which is used together with a password or a PIN code to prove their identity electronically. The token is used in place of a password, or more generally together with a password, to prove that customers are who they claim to be.

Although token-based authentication is a strong technique, it has important drawbacks, as a Microsoft article points out [8]. Authentication software must be installed on a centralized database and deployed on each user's external device. Moreover, users may lose the device, and replacing it can be costly for the company.


2.3. Knowledge Based Authentication

With knowledge-based systems, users memorize a piece of information (e.g. usernames, passwords) which they learned during registration and submit it in order to authenticate. This has been the dominant technique used for daily needs in computer and network security. The main reason it is preferred over the other techniques is its lower cost.

Knowledge-based systems can be classified in two categories: text-based and picture-based. Text-based authentication uses alphanumeric secrets and is by far the more widely used. However, textual passwords have important drawbacks because of the significant amount of human involvement they require.


3. Background and Related Work


Graphical passwords are classified under two
categories: Recognition Based and Recall Based.


3.1. Recognition Based Techniques

In recognition-based techniques, users pick and memorize several images from a set of pictures in order to create their password (Figure 1). Since the password consists of images, during the authentication session the user has to identify the images they picked earlier.

Figure 1. A graphical password scheme (source: http://graphpwd.com/ele395/login.php)

Several methods have been developed in this category.

3.1.1. Dhamija and Perrig algorithm

Dhamija and Perrig [9] developed a graphical authentication scheme called "Déjà vu", which uses non-describable abstract images produced by a hash visualization technique [10]. The reason for using this kind of image rather than photographs is that they can be generated by a method called "Random Art" from small initial seeds, so the authentication requires less storage.

Figure 2. Random images generated in the application of Dhamija and Perrig

The user selects a certain number of images from a set of random pictures generated by this method (Figure 2). Afterwards they are asked to identify the images selected during registration in order to be authenticated. A user study with 20 participants showed that 90% of the participants who attempted "Déjà vu" succeeded, while the success rate for textual passwords was 70%. A weakness of this system is that the password space is much smaller than that of textual passwords. The average login time is also longer than with traditional methods, which can be tedious and time-consuming for the user. Furthermore, the seeds of the portfolio images have to be stored on the server for each user. Akula and Devisetty introduced another technique similar to "Déjà vu"; the main difference is that they used a SHA-1 hash, which made the method more secure and reduced the memory cost [11]. (SHA-1 is no longer considered collision-resistant; a current deployment would use SHA-256 or later.)


3.1.2. Sobrado and Birget algorithms

Sobrado and Birget developed several graphical password techniques focused on resisting shoulder-surfing attacks, which are one of the main problems of most graphical password techniques. They developed three different schemes to overcome shoulder-surfing [12]. In the first scheme, called the "triangle scheme", the user is shown a large number of objects, among which are the pass-objects pre-selected during registration, and is asked to locate those pass-objects. The user is then required to click inside the convex hull formed by the pass-objects, a region which also contains decoys (Figure 3).

Figure 3. The first scheme of Sobrado and Birget, "Triangle Scheme"

In the "triangle scheme" they display 1000 objects in order to make the password space large enough, and this distinctly crowded screen makes the user spend more time finding the pass-objects during the login session. Also, a random click may succeed, because the convex hull can be large, and this obviously makes the system less secure.
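The following is an added Python example, not code from Sobrado and Birget's paper, showing the server-side check of the "triangle scheme" described above and the random-click weakness it mentions. The screen size, the four pass-object positions and the number of rounds are constructed assumptions; the hull is computed with Andrew's monotone chain and the success probability of a uniformly random click is the hull area divided by the screen area.

```python
# Added example (not from the paper): the "triangle scheme" verifier of Sobrado
# and Birget plus the random-click success probability the text warns about.
# Screen size, object positions and round count are constructed assumptions.
from typing import List, Tuple

Point = Tuple[float, float]

SCREEN_W, SCREEN_H = 1000.0, 800.0  # assumed display area in pixels
# Constructed positions of one user's four pass-objects on that screen.
PASS_OBJECTS: List[Point] = [(120, 90), (640, 110), (710, 560), (300, 700)]


def cross(o: Point, a: Point, b: Point) -> float:
    """Z component of (a - o) x (b - o); > 0 means b is left of the ray o->a."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points: List[Point]) -> List[Point]:
    """Andrew's monotone chain; returns hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_hull(click: Point, hull: List[Point]) -> bool:
    """True if the click lies inside or on the boundary of the CCW convex polygon."""
    n = len(hull)
    if n < 3:
        return False  # fewer than three distinct pass-objects form no area to click in
    return all(cross(hull[i], hull[(i + 1) % n], click) >= 0 for i in range(n))


def polygon_area(poly: List[Point]) -> float:
    """Shoelace formula for a simple polygon given in vertex order."""
    n = len(poly)
    return abs(sum(poly[i][0] * poly[(i + 1) % n][1] - poly[(i + 1) % n][0] * poly[i][1]
                   for i in range(n))) / 2.0


def verify_round(click: Point, pass_objects: List[Point]) -> bool:
    """One round of the triangle scheme: the click must fall in the hull of the pass-objects."""
    return inside_hull(click, convex_hull(pass_objects))


def random_click_success(pass_objects: List[Point], rounds: int) -> float:
    """Probability that uniformly random clicks pass every round, assuming each
    round's hull covers the same fraction of the screen as this layout does."""
    per_round = polygon_area(convex_hull(pass_objects)) / (SCREEN_W * SCREEN_H)
    return per_round ** rounds


if __name__ == "__main__":
    print("click (400,400) accepted:", verify_round((400, 400), PASS_OBJECTS))
    print("click (50,50) accepted:", verify_round((50, 50), PASS_OBJECTS))
    for k in (1, 3, 5):
        print(f"random clicks passing {k} round(s): {random_click_success(PASS_OBJECTS, k):.4f}")
```

With the constructed layout the hull covers about 32% of the screen, so a single round accepts almost a third of random clicks and even three rounds accept about 3%. This is why the scheme needs many repetitions and why the paper notes the convex hull size as a weakness.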


The second scheme, called the "movable frame scheme", has the same registration method, in which the user chooses the pass-objects among all objects. This time only three pass-objects are involved and one of them is placed in a movable frame (Figure 4). For authentication the user needs to move and rotate the frame until all the pass-objects that constitute their password lie on a straight line. To achieve reasonable security it is suggested that this process should be repeated several times. This method may seem confusing and time-consuming to many users because of the large number of non-pass objects.

Figure 4. The second scheme of Sobrado and Birget, "Movable Frame Scheme"

The last scheme, called the "intersection scheme", works similarly to the movable frame scheme. This time four pass-objects are displayed each time, and the user should click near the intersection of the two invisible lines formed by the four pass-objects pre-selected by the user (Figure 5).

Figure 5. The last scheme of Sobrado and Birget, "Intersection Scheme"

There are two common drawbacks in the schemes developed by Sobrado and Birget. They all require at least 1000 objects to be displayed on the screen in order to have reasonable security, so users may have trouble finding the pass-objects on such a crowded screen of tiny objects. Secondly, they all require the process to be run several times, so the authentication process is significantly slow and time-consuming.


3.1.3. Man, et al. algorithm

Man, et al. [13] developed a shoulder-surfing resistant algorithm like that of Sobrado and Birget. In this algorithm the user picks a certain number of images as their pass-objects. Each object on the screen has several variants, each with its own unique code. Authentication consists of several scenes, and each scene contains several pass-objects and many decoys (Figure 6). According to the variants of the pass-objects that are displayed, the user is supposed to input a string of textual characters in the right order.

Figure 6. The Shoulder Surfing Resistant Method of Man, et al. [13]

The main advantage of this method is that such passwords are distinctly hard to crack even if the whole login process is recorded by a camera, because there is no mouse clicking to give away the password. However, this method is not purely picture-based because it still involves alphanumeric characters. Hong, et al. [14] improved this approach: their method allows the user to assign their own codes to pass-object variants. Still, this method requires memorizing many text strings, and therefore the user suffers from the drawbacks of text-based passwords.

3.1.4. Jansen et al. algorithm

Jansen et al. [15] developed an authentication system based on a "picture password". This scheme is specially designed for PDAs. To create the password, the user first selects a theme (e.g. seashore, cat, dog and so on) which consists of thumbnail photos. Then the user selects a sequence of thumbnail photos to form their password (Figure 7). To be authenticated, the user needs to recognize and identify the pre-selected thumbnail photos in the same order as in the registration session. In this method the password space is quite small compared to text-based passwords, because the number of thumbnail images is limited to 30.

Figure 7. The scheme of Jansen, "picture password"

3.1.5. Takada and Koike

Their technique is an image-based authentication method which allows users to use their own favorite images for authentication [16]. The users first register their favorite images as pass-objects with the server; in the authentication session they are then asked to recognize and identify them among many decoy images. The authentication consists of several rounds of verification to ensure security (Figure 8). In each round, users have to select a pass-image, or choose nothing in the case that no pass-image is displayed. The system authorizes a user if they succeed in all the verifications. The main point of this method is that allowing users to choose their own images helps them remember their pass-images later on.

Figure 8. The image-based authentication scheme of Takada and Koike


3.1.6. Passface algorithm

Passfaces™ is a commercial application, one of the most popular that uses a "face scheme", introduced by Real User Corporation [17]. It was built on the assumption that humans can memorize human faces more easily than other pictures. The process starts with creating a graphical password consisting of four human face images. Then the user is required to recognize and identify the pre-selected face images from a grid of nine faces, of which one is a pre-selected face and the rest are decoys (Figure 9). This step is repeated until all four faces have been identified, one in each step. If the user identifies all the pre-selected faces successfully, authentication succeeds.

Figure 9. Passfaces™ grid of nine faces [17]

Valentine reported that Passfaces are very memorable even after long time intervals [18, 19]. Another study, conducted by Brostoff and Sasse [20], states that the authentication failure rate is one third of that of textual password systems. Davis, et al. [21] studied the Passfaces technique and others of its kind and found some common patterns among these passwords. Their statistics show that most users choose the faces of people of the same race, which increases the predictability of the passwords. The following statements are some of the feedback Davis, Monrose and Reiter [21] received in their experiments:

“I chose the images of the ladies which appealed the most.”

“I picked her because she was female and Asian and being female and Asian, I thought I could remember that.”

“I started by deciding to choose faces of people in my own race ... specifically, people that looked at least a little like me. The hope was that knowing this general piece of information about all of the images in my password would make the individual faces easier to remember.”

“... Plus he is African-American like me.”


Davis et al. [21] suggested a similar scheme called the "story scheme". In this method the user picks a sequence of k images (any meaningful images, as well as human faces) to make a story, which will help them recall the password images later (Figure 10).

Figure 10. The scheme of Davis et al. [21], "story scheme"

In order to study and compare these two schemes, Davis et al. surveyed 154 computer engineering and computer science students from two universities. The results show that in Passfaces™ most users' choices are highly affected by race, by the gender of the user, and by the attractiveness of the faces in the pictures. For the "story scheme", they found that 75% of the incorrect entries consisted of correct images in the wrong order. To prevent this, they suggested a more flexible scheme in which the order of identifying the images is not important.

In this paper we propose another recognition-based scheme, namely the "concept-based scheme", similar to the "story scheme". We developed the Concept-Based application and experimented on a group of users. We explain and analyze Concept-Based in the following chapters.


3.2. Recall Based Techniques

Although our main focus is on recognition-based techniques, we find it convenient to take a glimpse at recall-based techniques too. There are mainly two types of recall-based technique.

Reproduce a Drawing

In this technique the user is asked to redraw a drawing he or she produced in the registration phase. A well-known method is "draw-a-secret" (DAS), introduced by Jermyn, et al. [22]. In DAS the user draws a figure on a 2D grid. Using a grid as the background has several advantages. First, it eliminates the need to store a graphical database on the server side; the algorithm stores the coordinates and the sequence of the drawing. Second, as a grid is a simple object, the display quality requirement is minimized with such schemes. In addition, grid-based schemes do not limit the password length, unlike many other schemes.

In the authentication stage, the user can log in if they can redraw the picture drawn at registration, using the same sequence of strokes through the same coordinates. According to the research of Jermyn, et al., the password space is larger than that of text-based passwords, given that the password drawn (on a 5x5 grid) is long enough.

Thorpe and van Oorschot [23] analyzed the security of DAS and argued that DAS is more resistant to brute-force attacks than traditional text-based passwords. They introduced graphical dictionaries in order to measure the strength of DAS against dictionary attacks, and concluded that a graphical password of length 8 or greater on a 5x5 grid is less susceptible to dictionary attacks [23]. Nali and Thorpe [24] further studied the impact of statistical factors on the complexity of DAS. In their research users were asked to reproduce drawings on paper in order to find out whether there are predictable characteristics. Although no predictable characteristics were discovered in the start and end strokes, another important point was discovered which reduces the size of the password space: most users tend to produce more "memorable" drawings which contain a certain level of symmetry. Another algorithm was introduced by Syukri, et al. [25]. This method requires users to draw a signature with the mouse. The signature is then rescaled, normalized and stored in a database, and the user is required to redraw the signature at authentication. Although it is hard to fake signatures, users may not be comfortable using a mouse as a drawing tool, so it is suggested that this method be used on mobile devices with pen-like tools.
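The following is an added Python example, not code from Jermyn et al. or from Thorpe and van Oorschot, showing how a DAS drawing on a 5x5 grid is reduced to the cell sequence and stroke order that the server actually stores, how the length threshold of 8 from [23] can be enforced at enrollment, and a simple mirror-symmetry flag motivated by the observation of Nali and Thorpe [24]. The cell size in pixels, the pen-up marker, the salted SHA-256 digest used instead of storing raw coordinates, and the symmetry heuristic are all assumptions made for this example.

```python
# Added example (not from the DAS papers): encoding a draw-a-secret input on a
# 5x5 grid as the sequence of grid cells crossed, separated by a pen-up marker,
# and verifying a login against a salted digest of that sequence.
# Grid size, cell size, the pen-up marker and the symmetry heuristic are assumptions.
import hashlib
import hmac
from typing import List, Sequence, Tuple

GRID = 5            # assumed 5x5 grid, as analysed by Thorpe and van Oorschot
CELL_PX = 40        # assumed cell size in pixels
PEN_UP = (-1, -1)   # assumed marker that separates strokes

Pixel = Tuple[int, int]
Cell = Tuple[int, int]


def encode_drawing(strokes: Sequence[Sequence[Pixel]]) -> List[Cell]:
    """Map each stroke's pixel path to the grid cells it crosses. Consecutive
    samples inside the same cell count once; PEN_UP is appended after each stroke,
    so the encoding carries both the cells and the stroke order DAS depends on."""
    seq: List[Cell] = []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            cell = (min(x // CELL_PX, GRID - 1), min(y // CELL_PX, GRID - 1))
            if cell != last:
                seq.append(cell)
                last = cell
        seq.append(PEN_UP)
    return seq


def password_length(seq: Sequence[Cell]) -> int:
    """DAS password length: number of cells crossed (pen-ups are not counted)."""
    return sum(1 for c in seq if c != PEN_UP)


def is_mirror_symmetric(seq: Sequence[Cell]) -> bool:
    """Heuristic (a simplification of the Nali and Thorpe observation): flag a
    drawing whose set of cells is unchanged by reflection about the vertical
    centre line. Such drawings sit in the small, guessable part of the space."""
    cells = {c for c in seq if c != PEN_UP}
    return cells == {(GRID - 1 - x, y) for x, y in cells}


def digest(seq: Sequence[Cell], salt: bytes) -> str:
    """Store only a salted hash of the canonical encoding, never the coordinates."""
    canonical = ";".join(f"{x},{y}" for x, y in seq).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


def enroll(strokes: Sequence[Sequence[Pixel]], salt: bytes, min_length: int = 8) -> str:
    seq = encode_drawing(strokes)
    if password_length(seq) < min_length:
        raise ValueError(f"drawing too short: length {password_length(seq)} < {min_length}")
    return digest(seq, salt)


def verify(strokes: Sequence[Sequence[Pixel]], stored: str, salt: bytes) -> bool:
    """Exact redraw required: same cells, same order, same stroke breaks."""
    return hmac.compare_digest(digest(encode_drawing(strokes), salt), stored)


# Constructed sample: an "L" drawn in one stroke, then a single dot as a second stroke.
SAMPLE_STROKES = [
    [(20, 20), (20, 60), (20, 100), (20, 140), (60, 140), (100, 140), (140, 140)],
    [(180, 20)],
]

if __name__ == "__main__":
    salt = b"per-user-random-salt"  # assumed; generate with os.urandom in practice
    seq = encode_drawing(SAMPLE_STROKES)
    print("encoded:", seq, "length:", password_length(seq), "symmetric:", is_mirror_symmetric(seq))
    stored = enroll(SAMPLE_STROKES, salt)
    print("redraw accepted:", verify(SAMPLE_STROKES, stored, salt))
```

Note that DAS compares cell sequences, not pixel paths, so small hand jitter inside a cell is tolerated, but crossing a cell boundary in a different order, or breaking the drawing into different strokes, yields a different encoding and a failed login.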


Repeat a Sequence of Actions

In this method users are required to click on pre-defined locations on a picture. Depending on the approach, as in the studies of Blonder [26] and Passlogix [27], the image may or may not assist the user. Some other work from Passlogix, such as v-Go, uses creative graphical password ideas: in some of those methods the user is required to mix up the ingredients of his or her own cocktail, or to pick a hand at cards. However, there is no easy way to prevent people from picking poor passwords or to stop the password space shrinking; it was found that people tend to pick winning hands in such an application, like a full house, a flush, etc.

Another method in this category is PassPoints. In the PassPoints application the user needs to click on the same points they clicked during registration. Users find it easy to use according to [28]. However, Memon, et al. [29] suggested a prediction algorithm for PassPoints and claimed that their model can predict 70% to 80% of user-clicked points.


4. Concept-Based: Graphical Password scheme

We developed a graphical password scheme, called Concept-Based, that is similar to the "story scheme" of Davis et al. [21]. Concept-Based is a recognition-based method, in which the user recognizes images for authentication. During registration, the user is shown x category names and asked to pick n of them in order to create their password. Each category has y related images stored in the database; for example, the category "Basketball" has pictures of famous basketball players, a basketball, a basketball court, etc. Once they have chosen their password by selecting n categories, they are trained by seeing possible combinations of their password. The user has a dynamic password, which consists of pictures randomly chosen from the database according to the pre-selected categories. In the training session, randomly selected pictures belonging to the pre-selected categories are shown to the user in order to give them an idea of the possible combinations of their password. After the training process is completed, they are able to log in to the system with their specific login name and a dynamic password composed from the categories selected in the registration phase. Since the user picks n categories, there are n rounds in the login session, and in each round the user is required to click on the correct image, among p pictures, that is related to the categories they picked at registration. The user is authenticated if they identify the correct image in each round.
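The following is an added Python example, not the paper's PHP demo, of one registration and one login under the Concept-Based scheme just described: the server stores only the n category names, builds each round from one image of a selected category plus p-1 decoys drawn solely from categories the user did not pick (so exactly one answer is acceptable), shuffles with a cryptographically secure generator, and checks all n clicks. The category table and image names are constructed, and the rule that each of the user's n categories is used in exactly one round, in random order, is an assumption the paper does not state.

```python
# Added example (not the paper's PHP demo): challenge generation and verification
# for the Concept-Based scheme. Category table, image names and the one-category-
# per-round rule are assumptions made for this example.
import secrets
from typing import Dict, List, Tuple

# Constructed category table (the demo used sixteen categories; six are shown here).
CATEGORIES: Dict[str, List[str]] = {
    "basketball": ["player.jpg", "ball.jpg", "court.jpg", "hoop.jpg"],
    "football":   ["pitch.jpg", "goal.jpg", "striker.jpg", "whistle.jpg"],
    "flowers":    ["rose.jpg", "tulip.jpg", "daisy.jpg", "orchid.jpg"],
    "space":      ["moon.jpg", "rocket.jpg", "saturn.jpg", "nebula.jpg"],
    "animals":    ["cat.jpg", "dog.jpg", "owl.jpg", "horse.jpg"],
    "formula1":   ["car.jpg", "pit.jpg", "helmet.jpg", "podium.jpg"],
}

Round = Tuple[List[str], int]   # (images shown in grid order, index of the correct one)


def register(chosen: List[str], n: int = 4) -> List[str]:
    """Registration: the secret is only the set of n category names, no images."""
    if len(set(chosen)) != n or not set(chosen).issubset(CATEGORIES):
        raise ValueError(f"pick exactly {n} distinct known categories")
    return sorted(chosen)


def make_challenge(secret: List[str], p: int = 9) -> List[Round]:
    """Build n rounds. Each round shows one image from one of the user's categories
    and p-1 decoys taken only from categories the user did NOT pick, so there is
    exactly one acceptable click per round. secrets (a CSPRNG) is used so the
    layout of one login cannot be predicted from earlier logins."""
    others = [img for cat, imgs in CATEGORIES.items() if cat not in secret for img in imgs]
    if len(others) < p - 1:
        raise ValueError("not enough decoy images outside the user's categories")
    remaining = list(secret)
    rounds: List[Round] = []
    for _ in range(len(secret)):
        cat = remaining.pop(secrets.randbelow(len(remaining)))   # random category order
        correct = secrets.choice(CATEGORIES[cat])
        pool = list(others)
        images = [pool.pop(secrets.randbelow(len(pool))) for _ in range(p - 1)] + [correct]
        for i in range(len(images) - 1, 0, -1):                   # Fisher-Yates shuffle
            j = secrets.randbelow(i + 1)
            images[i], images[j] = images[j], images[i]
        rounds.append((images, images.index(correct)))
    return rounds


def verify(rounds: List[Round], clicks: List[int]) -> bool:
    """All n rounds must be answered; evaluate every round rather than stopping at
    the first miss, so response time does not reveal which round failed."""
    if len(clicks) != len(rounds):
        return False
    ok = True
    for (images, correct), click in zip(rounds, clicks):
        ok &= (0 <= click < len(images)) and click == correct
    return ok


if __name__ == "__main__":
    secret = register(["basketball", "flowers", "space", "animals"])  # stored per user
    rounds = make_challenge(secret)                                   # kept in the server session
    for k, (images, idx) in enumerate(rounds, 1):
        print(f"round {k}: {images}  (correct index {idx})")
    print("login with correct clicks:", verify(rounds, [idx for _, idx in rounds]))
    print("login with all clicks on image 0:", verify(rounds, [0, 0, 0, 0]))
```

The correct index for each round lives only in the server-side session, never in the page sent to the client; the client returns the grid positions it clicked. Filtering decoys to categories outside the user's secret is the one check that is easy to miss and that matters: a decoy from another selected category would give a second acceptable image and silently shrink the per-round guess space below 1/p.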



4.1. Concept-Based scheme vs Story scheme

The main difference between our method and the "story scheme" is that our method is based on concept recognition and provides dynamic passwords. In the story scheme, random pictures are used that are not related to any named concept. The user chooses the pictures and makes up a story about them, intended to remind them of the pictures they picked. Afterwards they are required to identify the pre-selected images in order to authenticate successfully. Our method, however, is based only on the concepts and does not require the user to memorize any specific images; the user is just required to memorize the concept names (categories). The user can choose concepts based on their hobbies, like football, basketball, Formula 1 and so on, or interests such as animals, flowers, space and so on. For instance, if the user selects "basketball" as one of their concepts, then during authentication they are just required to click on a picture related to the concept "basketball", such as a famous player, a basketball, a basketball court and so on. The user can also choose the concepts so as to make a story, as in the "story scheme"; as long as they remember the story, authentication is easy. In the "story scheme", remembering the story may not be enough to authenticate, because the user is also required to remember the specific images picked to make the story. This can be confusing, because there may be similar pictures in the database which match their story, but only one combination of pictures authenticates them. Unlike the "story scheme", in Concept-Based, if the user chooses their categories (concepts) so as to make a story with them, they only have to remember that story later on in order to authenticate; there is no need to remember any specific pictures. During authentication, the user is shown only one correct picture, from the categories they picked before, in each round, and the rest of the pictures shown in the grid are randomly chosen from other categories.

Moreover, the "story scheme" uses nine pictures for each round and k rounds in total. If it used more than nine faces and increased the number of rounds, the user might not easily identify their password among many pictures in many rounds, because the user sees those pictures for the first time and more rounds make the recognition harder. In our method, however, many pictures and rounds can be integrated into the system, because there is no requirement to remember a specific picture; the user is just supposed to recognize the pictures based on the concepts they chose. That means the pictures they are supposed to identify are meaningful for the user and can easily be recognized among the others. Increasing the number of random pictures and rounds reduces the chance of an attacker guessing the password and so increases security.

There are also some drawbacks to this method. One is that guessing could be easy, because people tend to choose concepts they are closely related to. For instance, if a user is highly interested in football, they are more likely to choose the category "football" than others, so people who know the user in person might predict the password easily, because people tend to choose concepts closely related to their lifestyle. This problem also shows up in the "story scheme", based on the same assumptions.


4.2. Methodology

4.2.1. Experimental Design

This experiment is designed for authentication with graphical passwords in the concept-based method. A Concept-Based demo was implemented for the graphical password condition. The technologies used are PHP, Dreamweaver and MySQL. There are four rounds and nine images in each round. Sixteen categories were generated for users to pick their password from. The table of categories is shown in Figure 11.

Figure 11. Concept-Based Performance Demo: Table of Categories

There are four steps in the Concept-Based experiment: creating the password, training, entering the password, and entering the password one more time in order to see the impact of dynamic passwords. First, the user creates their password by picking four categories among the sixteen in the table. Second, they go to the training session and see some examples of possible combinations for their password (Figure 12).

Figure 12. Concept-Based Performance Demo: Training Session



Then they are asked to enter their password. Since the length of the password is four, they enter it over four rounds. In each round they are supposed to click on the correct picture, among nine random images, which belongs to one of the categories of their password, in order to log in successfully (Figure 13). After the first trial, the user is asked to log in one more time in order to measure the effect of the dynamic passwords on the success rate.

The overall test is designed to evaluate the user's recognition performance with a dynamic graphical password.

Figure 13. Concept-Based Performance Demo: Login Session Rounds

4.2.2. Participants

In order to test our Concept-Based method, we targeted an experiment group of people who use computers regularly. We chose the experiment members from different environments (universities, business and so on) to get a general idea about users. The number of participants was 146.


4.2.3. Procedure

We put our experiment on the Web, and users connected to the site with the given URL. After connecting, they are first asked to create a password. Then they are routed to the training section. After training, they are asked to enter their password two times, one after the other; in this way we aimed to check the usability of dynamic passwords.



4.2.4. Experiment Results

146 participants attended the experiment. In the first try, 66% of the participants succeeded. In the second try, the success rate increased to 75%. The success and failure rates of the first and second tries are shown in the chart in Figure 14.

Figure 14. Ratio of success and failure for both tries.

The proportion of people who succeeded in both tries is 60%. Those who failed in the first try and succeeded in the second make up 15%. 6% of the participants succeeded in the first try but failed in the second one, and 19% failed in both tries (Figure 15).

Figure 15. Ratio of participants according to their first and second try's success.

We collected comments from the participants. Most of them found the system easy and useful. Some who failed the first time and succeeded the second time mentioned that they were confused about the steps. Some mentioned that they were confused about the categories. Some computer science engineers commented that the application could have a wide range of uses with some improvements, and that it might also be used as a pre-password which lets the user reach the page where they enter an additional constant password, for systems which require a high level of security.

5. Discussion

5.1. Evaluating the password space

The password space of recognition-based techniques depends heavily on the size of the content. In most of the techniques the order of the images is not taken into consideration. They usually involve many rounds of authentication scenes [30, 31, 32].

Variable   Definition
p          Number of pictures in each page
n          Number of scenes/rounds for authentication
x          Number of categories

Table of variables used to define the password space

The password space of recognition-based algorithms is a function of the number of scenes and the number of pictures on each of these pages:

Password Space = f(p, n)

In the Concept-Based scheme, since the password pictures are meaningful for the user, they can easily be recognized among the others; thus the password space can be made much larger than in most graphical password schemes by increasing the number of pictures on each page and the number of rounds. Increasing the number of categories from which the user picks their password will also distinctly increase the password space.
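As an added worked derivation (not from the paper) in the notation of the table above, the two quantities that f(p, n) and the number of categories actually bound for the Concept-Based scheme, evaluated at the demo's parameters p = 9, n = 4, x = 16:

```latex
% Added derivation, not from the paper. Each round shows p pictures of which
% exactly one is acceptable, and the n rounds are independent, so an attacker
% with no knowledge of the user must hit one specific picture per round:
P(\text{random clicks succeed}) = \left(\tfrac{1}{p}\right)^{n} = p^{-n},
\qquad 9^{-4} = \tfrac{1}{6561} \approx 1.5\times 10^{-4}

% The secret the user holds is an unordered choice of n of the x categories,
% so an attacker who knows the category table (e.g. an acquaintance guessing
% hobbies, the drawback noted in Section 4.1) faces only
|S_{\text{secret}}| = \binom{x}{n} = \frac{x!}{n!\,(x-n)!},
\qquad \binom{16}{4} = 1820 \approx 2^{10.8}\ \text{(about 11 bits)}
```

The per-login click space p^n governs online random clicking, while C(x, n) governs informed guessing of the categories themselves. Raising p improves only the first; only a larger x (or n) enlarges the second, which is why the category count matters more than the grid size against someone who knows the user.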


5.2. Vulnerability against the attacks

Since graphical passwords are not widely used, there is not enough research on their security issues. However, Suo, Zhu and Owen [6] examined some of the major security problems of both text-based and graphical techniques and reported a result for each. For brute-force attacks, graphical techniques are more resistant than text-based ones, because the password space of graphical passwords is larger than that of text-based passwords. Moreover, to carry out a brute-force attack through the user interface, the attacker would need to generate mouse motion imitating the user's input, which is particularly difficult; recall-based techniques are the most resistant to this kind of attack. Note that this argument only holds for the client-side input channel: an attacker who can submit click coordinates or image selections directly to the verifying server, or who has obtained the stored portfolio or seeds, is not slowed by the mouse at all, and the guess probability is then governed purely by the password space (for example, the random-click success rate of the convex-hull scheme in Section 3.1.2).

Text-based systems are more vulnerable to dictionary attacks than graphical passwords; Suo, Zhu and Owen [6] argue that the use of mouse input makes dictionary attacks infeasible, although the predictable choices reported for Passfaces [21], DAS [24] and PassPoints [29] show that graphical dictionaries are possible in practice.

Graphical methods are relatively secure against spyware. Most spyware applications use keyboard listeners, and even if they use mouse-action listeners it may still not be possible to break a graphical password scheme, because features like window size and image placement are application-specific, and timing would also have to be taken into account.

One of the most important faults of the textual system is that users tend to write their passwords down or share them socially. Since graphical passwords are recognition- or recall-based, they are hard to share in a social environment. In conclusion, based on this evaluation of the major security problems, graphical methods seem to be more secure and stronger than text-based methods [6]. However, more research should be done in this field before an exact conclusion can be drawn.



6. Conclusion

As known, text-based passwords still dominate security systems. However, this traditional system has its own drawbacks, such as retaining the password. Because people cannot easily remember a randomly generated long textual password, they tend to choose short and easy textual passwords, which are open to attacks.

The main motivation behind graphical passwords is that people can recall or recognize graphical objects more easily. It is observed that with traditional attacks it is hard to crack graphical security systems.

The Concept-Based method, which is based on the user's concept preference, allows users to relate themselves to their passwords, so that they can easily remember them later in time. Also, making a story with the categories they pick during registration would help users remember the password later on. In addition, the probability of guessing attacks could be lowered by increasing the number of random pictures shown in each round, the number of rounds and the number of categories.


References

[1] A. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI, Extended Abstracts (Workshops), Ft. Lauderdale, Florida, USA, 2003.

[2] M. Kotadia, "Microsoft: Write down your passwords," ZDNet Australia, May 23, 2005.

[3] R. N. Shepard, "Recognition memory for words, sentences, and pictures," Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 1967.

[4] A. K. Jain, A. Ross, and S. Prabhakar, "An introduction to biometric recognition," IEEE Transactions on Circuits and Systems for Video Technology, vol. 14, no. 1, pp. 4-20, Jan. 2004. DOI 10.1109/TCSVT.2003.818349.

[5] A. K. Jain, A. Ross, and S. Pankanti, "Biometrics: a tool for information security," IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125-143, June 2006.

[6] X. Suo, Y. Zhu, and G. S. Owen, "Graphical Passwords: A Survey."

[7] P. Reid, Biometrics for Network Security, illustrated ed., Prentice Hall PTR, 2004. ISBN 0131015494, 9780131015494.

[8] Microsoft, "Using Certificates for Mobile Device Authentication," http://technet.microsoft.com/en-us/library/cc296561.aspx, accessed on July 15, 2009.

[9] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of the 9th USENIX Security Symposium, 2000.

[10] A. Perrig and D. Song, "Hash Visualization: A New Technique to Improve Real-World Security," in Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce, 1999.

[11] S. Akula and V. Devisetty, "Image Based Registration and Authentication System," in Proceedings of the Midwest Instruction and Computing Symposium, 2004.

[12] L. Sobrado and J. Birget, "Graphical Passwords," The Rutgers Scholar, An Electronic Bulletin of Undergraduate Research, Rutgers University, Camden, New Jersey, vol. 4, 2002.

[13] S. Man, D. Hong, and M. Mathews, "A shoulder-surfing resistant graphical password scheme," in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2003.

[14] D. Hong, S. Man, B. Hawes, and M. Mathews, "A password scheme strongly resistant to spyware," in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2004.

[15] W. Jansen, S. Gavrila, V. Korolev, R. Ayers, and R. Swanstrom, "Picture Password: A Visual Login Technique for Mobile Devices," NIST Report NISTIR 7030, 2003.

[16] T. Takada and H. Koike, "Awase-E: Image-based Authentication for Mobile Phones using User's Favorite Images," in Human-Computer Interaction with Mobile Devices and Services, vol. 2795/2003, Springer-Verlag GmbH, 2003, pp. 347-351.

[17] Real User Corporation, Passfaces™, http://www.realuser.com/, site accessed on August 01, 2009.

[18] T. Valentine, "An evaluation of the Passface personal authentication system," Technical Report, Goldsmiths College, University of London, 1998.

[19] T. Valentine, "Memory for Passfaces after a Long Delay," Technical Report, Goldsmiths College, University of London, 1999.

[20] S. Brostoff and M. A. Sasse, "Are Passfaces more usable than passwords: a field trial investigation," in People and Computers XIV - Usability or Else: Proceedings of HCI, Sunderland, UK: Springer-Verlag, 2000.

[21] D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in Proceedings of the 13th USENIX Security Symposium, San Diego, CA, 2004.

[22] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.

[23] J. Thorpe and P. C. v. Oorschot, "Graphical Dictionaries and the Memorable Space of Graphical Passwords," in Proceedings of the 13th USENIX Security Symposium, San Diego, USA: USENIX, 2004.

[24] D. Nali and J. Thorpe, "Analyzing User Choice in Graphical Passwords," Technical Report, School of Information Technology and Engineering, University of Ottawa, Canada, May 27, 2004.

[25] A. F. Syukri, E. Okamoto, and M. Mambo, "A User Identification System Using Signature Written with Mouse," in Third Australasian Conference on Information Security and Privacy (ACISP), Springer-Verlag Lecture Notes in Computer Science (1438), 1998, pp. 403-441.

[26] G. E. Blonder, "Graphical passwords," Lucent Technologies, Inc., Murray Hill, NJ, U.S. Patent, United States, 1996.

[27] Passlogix, www.passlogix.com/, site accessed on August 07, 2009.

[28] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies.

[29] M. Kotadia, "Microsoft: Write down your passwords," ZDNet Australia, May 23, 2005.

[30] R. N. Shepard, "Recognition memory for words, sentences, and pictures," Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 1967.

[31] X. Suo, Y. Zhu, and G. S. Owen, "Lecture notes in computer science," International Symposium on Visual Computing No. 2, Lake Tahoe, NV, United States, 2006, vol. 4292, pp. 741-749. ISBN 3-540-48628-3; 978-3-540-48628-2; 978-3-540-48626-8.

[32] A. E. Dirik, N. Memon, and J.-C. Birget, "Modeling user choice in the PassPoints graphical password scheme," ACM SOUPS, 2007.