International Journal of Computer Science and Management Research

Vol 2 Issue 9 September 2013 ISSN 2278-733X

Enhancing Security in web application using Graphical Pass images with Random Selection
Suresh.D
Final year student, Computer Science and Engg, Dhanalakshmi Srinivasan Engineering College, Perambalur,Tamil Nadu,India dsecsuresh@gmail.com
Abstract Textual passwords are the most common method used for authentication. But textual passwords are vulnerable to dictionary attacks, social engineering and shoulder surfing. Graphical passwords are introduced as alternative techniques to textual passwords. According to human psychology, humans are able to remember pictures easily. In this paper we have proposed a randomly some of the images are selected for authentication to protect from attacks. This paper is a combination of recognition and recall based techniques that offers many advantages over the existing systems and may be more convenient for the user. Keywordsgraphical pass images; random selection; shoulder surfing

Barath.T
Final year student, Computer Science and Engg, Dhanalakshmi Srinivasan Engineering College, Perambalur,Tamil Nadu,India mailtobarath22@gmail.com

I.

INTRODUCTION

One of the major functions of any security system is the control of people in or out of protected areas, such as physical buildings, information systems, and our national borders. Computer systems and the information they store and process are valuable resources which need to be protected. Computer security systems must also consider the human factors such as ease of a use and accessibility. Current secure systems suffer because they mostly ignore the importance of human factors in security [3]. An ideal security system considers security, reliability, usability, and human factors. A password is a secret that is shared by the verifier and the customer. Passwords are simply secrets that are provided by the user upon request by a recipient. They are often stored on a server in an encrypted form so that a penetration of the file system does not reveal password lists [4]. Passwords are the most common means of authentication because they do not require any special hardware. Typically passwords are strings of letters and digits, i.e. they are alphanumeric. Such passwords have the disadvantage of being hard to remember [5]. Weak passwords are vulnerable to dictionary attacks and brute force attacks where as Strong passwords are harder to remember. To overcome the problems associated with password based authentication systems, the researchers have proposed the concept of graphical passwords and developed the alternative authentication mechanisms. Graphical passwords systems are the most promising alternative to conventional password based authentication systems. Graphical passwords (GP) use pictures instead of textual passwords and are partially motivated by the fact that humans can remember pictures more easily than a string of characters

[6]. The idea of graphical passwords was originally described by Greg Blonder in 1996 [8]. An important advantage of GP is that they are easier to remember than textual passwords. Human beings have the ability to remember faces of people, places they visit and things they have seen for a longer duration. Thus, graphical passwords provide a means for making more user-friendly passwords while increasing the level of security. Besides these advantages, the most common problem with graphical passwords is the shoulder surfing problem: an onlooker can steal users graphical password by watching in the users vicinity. Many researchers have attempted to solve this problem by providing different techniques [7]. Due to this problem, most graphical passwords schemes recommend small mobile devices (PDAs) as the ideal application environment. Another common problem with graphical passwords is that it takes longer to input graphical passwords than textual passwords [7]. The login process is slow and it may frustrate the impatient users. Graphical passwords serve the same purpose as textual passwords differing in consisting of handwritten designs (drawing), possibly in addition to text. The exploitation of smart phones like ipod and PDAs is increased due to their small size, compact deployment and low cost. In this paper, considering the problems of text based password systems, we have proposed a new graphical password scheme which has desirable usability for small mobile device and web applications. Our proposed system is new graphical passwords based hybrid system which is a combination of recognition and recall based techniques and consists of two phases. During the first phase called Registration phase, the user has to first select his username Then objects are shown to the user to select from them as his graphical password. During the second phase called Authentication phase, the user has to give his username and then give his graphical password by selecting or typing id same way as done during the registration phase. But, in the authentication phase some of the images only displayed. User has to select only their pass images by same order. This method is used for if the user affected by shoulder surfing means that time attacker not able to identify the full pass images of the user.

Suresh.D et.al.

3343

www.ijcsmr.org

International Journal of Computer Science and Management Research

II. RELATED WORK

Vol 2 Issue 9 September 2013 ISSN 2278-733X

Dhamija and Perrig[3] proposed a graphical authentication scheme where the user has to identify the pre-defined images to prove users authenticity. In this system, the user selects a certain number of images from a set of random pictures during registration. Later, during login the user has to identify the pre selected images for authentication from a set of images as shown in figure 1. This system is vulnerable to shouldersurfing.

Wiedenback et al [11] describes a graphical password entry scheme using convex hull method towards Shoulder Surfing

Fig. 3. Haichangs shoulder-surfing technique

Fig. 1. Random images used by Dhamija and Perrig

Passface [20] is a technique where the user sees a grid of nine faces and selects one face previously chosen by the user as shown in figure 2. Here, the user chooses four images of human faces as their password and the users have to select their pass image from eight other decoy images. Since there are four user selected images it is done for four times.

attacks as shown in figure 3. A user needs to recognize pass-objects and click inside the convex hull formed by all the pass-objects. In order to make the password hard to guess large number of objects can be used but it will make the display very crowded and the objects almost indistinguishable, but using fewer objects may lead to a smaller password space, since the resulting convex hull can be large.

Fig. 4. Example of a convex hull

Fig. 2. Example of Passfaces

Blonder [8] designed a graphical password scheme where the user must click on the approximate areas of pre-defined locations. Passlogix [9] extended this scheme by allowing the user to click on various items in correct sequence to prove their authenticity. Haichang et al [10] proposed a new shoulder-surfing resistant scheme as shown in figure 5 where the user is required to draw a curve across their password images orderly rather than clicking on them directly. This graphical scheme combines DAS and Story schemes to provide authenticity to the user.

Jansen [12,13] proposed a graphical password scheme for mobile devices. During password creation, a user selects a theme consisting of photos in thumbnail size and set a sequence of pictures as a password. During authentication, user must recognize the images in the correct order. Each thumb nail image is assigned a numerical value, thus the sequence of the chosen images will create a numerical password. As the no. of images is limited to 30, the password space of this scheme is not large. Weinshall and Kirkpatrick [14] proposed several authentication schemes such as picture recognition, object recognition and pseudo word recognition and conducted user studies on these. The results declared that pictures are most effective than the other two proposed schemes. Goldberg [15] designed a technique known as passdoodle. This is a graphical password authentication

Suresh.D et.al.

3344

www.ijcsmr.org

International Journal of Computer Science and Management Research

scheme using handwritten design or text usually drawn with a stylus onto a touch sensitive screen. To overcome the shoulder-surfing problem, many techniques are proposed. Zhao and Li [16] proposed a shoulder-surfing resistant schemeS3PAS. The main idea of the scheme is as follows. In the login stage, they must find their original text passwords in the login image and click inside the invisible triangle region. The system integrates both graphical and textual password scheme and has high level security. Man,et al [17] proposed another shoulder-surfing resistant technique. In this scheme, a user chooses many images as the pass-objects. The pass-objects have variants and each of them is assigned to a unique code. In the authentication stage, the user must type the unique codes of the pass objects variants in the scenes provided by the system. Although the scheme shows perfect results in resisting hidden camera, it requires the user to remember code with the pass-object variants. More graphical password schemes have been summarized in a recent survey paper[18]. Zheng et al [19] designed a hybrid password scheme based on shape and text. The basic concept is mapping shape to text with strokes of the shape and a grid with text. III. PROPSOSED SYSTEM

Vol 2 Issue 9 September 2013 ISSN 2278-733X

required pattern. This order must maintain for authentication phase.

Considering the drawbacks of the existing graphical password systems, we have proposed a robust graphical password scheme, which is highly adaptable for traditional desktop systems, smart phones and other web applications. Our proposed system consists of 2 phases. The first phase is the user registration phase and the second phase is the authentication phase. In the registration phase user wants to select their pass images from the given variety of images. The order in which the pass images are selected will be followed for future authentication process. In the authentication phase the user needs to select the pass images from some of the randomly displayed images. But the condition is to choose the pass images in the same order as we selected during the registration phase. Our scheme uses a set of images gathered from http://images.google.com. The images covering objects, places and people are carefully selected to motivate users imagination and resized to have identical aspect ratios (Fig 5). A. Registration Phase In the registration phase the user want to create the unique user name based on their need. Then the user has to create their pass-images. Pass-images must contain minimum five and maximum limit is ten for our system. To create a password, a user orderly chooses several images from the set as his/her pass-images. The user can remember the connection between the pass-images by mentally constructing a story. In our system user should provide their id of the pass images orderly through your

Fig. 5. Registration Phase

After the selection of pass images there will be a direct confirmation by the user is processed. The unique ids of the selected images are stored into the database. Then the account will be created. Figure 5 shows a prototype of our scheme, which uses a template of 100 identically sized images, grouped into a 5 X20. The 100 images which are displayed having their unique id from 00 to 99. So we can able to remember the numbers or images. For identification, we can remember the id as our date of birth (21 08 19 92) or our mobile contact number (99 88 77 66 55).

Fig. 6. Confirmation in Registratiom

Suresh.D et.al.

3345

www.ijcsmr.org

International Journal of Computer Science and Management Research

Another way is we can remember the pass images through a hidden story or through the needed image identification. B. Authendication Phase During the authentication, initially the user want to give the user name in the login window displayed.

Vol 2 Issue 9 September 2013 ISSN 2278-733X

Fig. 7. Login window

After the username is entered the verification will be made in the database whether the user is already registered or not. If the username is valid means 20 images out of 100 template images are displayed randomly by using the following algorithm. Algorithm for authentication: Consider X and Y are the two variables. X=Ceil (no. of pass images / 2) Y=20-X Number of images randomly taken from

X pass images.

Y Number of images randomly taken from except the pass images Finally X&Y are shuffled and displayed on the login screen.
Fig. 8. Authentication page

If the user found their pass images choose the images or enter the id of the pass images as given in the registration phase. If the user identifies the correct pass images in the same order then the authentication process is performed successfully. In figure 7 we give the username as user1 then the figure 8 will be displayed. Figure 8 consists of 20 images. These images are displayed using before mentioned algorithm. According to the algorithm these images consist of three random pass images. We want to choose the three images in the order we entered in the registration phase. The three images are ball (02), doll (78) and elephant (17). If we did not choose the images in same order means authentication process is not performed.

C. Advanced Security Mechanism For giving more security we are using the two advanced mechanisms in this system. 1. 2. Advanced Substring Algorithm Wrong Authentication Analysis

1) Advanced Substring Algorithm: Our proposed method also allows the user to select the extra images that are displayed in the login window. This method is used for confuse the attacker to protect from many types of attacks Example: Consider our original pass images ids are 01, 02, 03, 04, 05. If login window display the images of the id as 02, 03 and 05.The maximum number of extra images is limited as two. In the situation the following types of login also allowed. 02, 03, 04, 05, 06

Suresh.D et.al.

3346

www.ijcsmr.org

International Journal of Computer Science and Management Research

This process is performed using the common substring algorithm. Here the percentage of possible attacks is reduced by the intelligence of users. In the public places users are request to click the extra images to protect from the attacks. 2) Wrong Authentication Analysis: In our system user is allowed to show the full wrong authentication information like time, IP address and which pass images are selected by the attacker. So using this information our system automatically calculates the percentage of weakness. So the user can able to secure their account. Figure 9 shows that how this is processed.

Vol 2 Issue 9 September 2013 ISSN 2278-733X

displayed. Thus proposed system is resilient to shoulder surfing attacks. E. Social Engineering compared to ordinary alphanumeric passwords, it is inconvenient for a user to give his graphical password to another person. Hence graphical passwords are less susceptible to social engineering attacks[21] F. Phishing Attacks Phishing attacks are easily done in web applications. A phishing website can easily copy the login page from a legitimate site, including the area for entering the graphical password. In the proposed system when the users enters their username and pass images in the phishing site this entire information is sent to the attacker. Even if the attacker observes the pass images in which the pass images lies, he cannot identify the exact full pass images. Some of the images only possible to identify. So, it is not enough for login .Because every time pass images are randomly displayed. V. USER STUDY

Fig. 9. Wrong Authentication page

In this last column shows that id of which pass images is selected. Percentage of weakness is calculated using no of images identified and which order is used for accessing. So, using this type of information and calculation user can able to understand the weakness of their account. IV. SECURITY ANALYSIS

We conducted the user study of the proposed techniques with 10 participants for each technique. We are already implementing this project in java platform with oracle 11g. We are using the oracle weblogic server to execute the project. Using this project we are conducted the user study. Participants ranged in age from 19 to 23. Most were university students from various fields. All were regular computer users who were comfortable with passwords and using a mouse. As the techniques are new, first the participants were briefed about the techniques. They were given demonstrations for better understanding purpose. Then each user was requested to login. After that, the usability study was conducted with the students in two sessions. Every session having 10 minutes break.
TABLE I. Session no 1 2 3 Registration First login Second time login
Session name

A. Dictionary Attacks Graphical passwords are less vulnerable to dictionary attacks. In our proposed system, as the user enters only the id of the images, it will be impractical to carry out dictionary attacks against this graphical password method. B. Guessing Attacks Guessing attack is another eminent strategy used by the intruders. Even if the attacker tries to guess the password, the security code used in our proposed system makes our system resilient against guessing attacks since user has a chance to select an imaginary pattern of his own choice. Even if the attacker tries on guessing the images it would be of no use since the pass images get changed for every login attempt. Hence the probability of guessing attacks is very low. C. Spyware attack Except for a few exceptions, key logging or key listening spy ware cannot be used to break graphical passwords. It is not clear whether mouse tracking spy ware will be an effective tool against graphical passwords. However, mouse motion alone is not enough to break our proposed system. The images in the grid will be randomized for the next attempt he tries. Hence our proposed system is resistant to spyware attacks. D. Shoulder surfing Unlike recognition based graphical passwords, recall based graphical passwords are more resistant to shoulder surfing . In the proposed system, even if the attacker observes the pass images in which the pass images lies, he cannot identify the exact full pass images. Since some of the images only

USER STUDY REPORT Analysis

Avg Time(sec ) approximately

65 29 23

In registration phase all require more time to choose their pass images. According to the report every new login require less seconds compare to the previous login time. VI. CONCLUSION

This paper has proposed a new authentication scheme for web application. It is not require a any extra hardware. So, it is suitable for all web applications. These technique is resistant to dictionary attack, brute force attack and shoulder-surfing. However these schemes are completely new to the users and

Suresh.D et.al.

3347

www.ijcsmr.org

International Journal of Computer Science and Management Research

the proposed authentication techniques should be verified extensively for usability and effectiveness. ACKNOWLEDGMENT We would like to express our appreciation to our parents, all the friends and lecturers who help us to understand the importance of knowledge and show us the best way to gain it. REFERENCES
Preethi.D , Priya.J , Saranraj.G Enhancing Security Using Graphical Patterns Selection (ENSUGPS)in International Journal of Advanced Research in Computer Science and Electronics Engineering (IJARCSEE) Volume 2, Issue 3, March 2013. [2] S. Brostoff and M. A. Sasse, "Are Passfaces more usable than passwords: a field trial investigation," in People and ComputersUsability or Else: Proceedings of HCI. Sunderland, UK: Springer- Verlag,2000. [3] Rachna Dhamija and Adrian Perrig, Deja Vu: A User Study. Using Images for Authentication In Proceedings of the 9th USENIX Security Symposium, August 2000. [4] Authentication:http://www.objs.com/survey/authent.htm [Last Visited on 15/05/2011]. [5] L.Sobrado and J.C. Birget, Graphical Passwords, The Rutgers Schloar, An Electronic Bulletin for Undergraduate Research, vol 4, 2002,. [6] Patric Elftmann, Diploma Thesis, Secure Alternatives to Password-Base [7] Xiayuan Suo, YingZhu, G. Scott.Owen, Graphical Passwords: A Survey, In Proceedings of Annual Computer Security Applications Conference, 2005. [8] G. E. Blonder. Graphical password, U.S. Patent 5559961, Lucent Technologies, Inc. (Murray Hill, NJ), August 1995. [9] Passlogix, site http://www.passlogix.com. [10] Haichang Gao, Zhongjie Ren, Xiuling Chang, Xiyang Liu Uwe Aickelin, A New Graphical Password Scheme Resistant to Shoulder-Surfing [1]

Vol 2 Issue 9 September 2013 ISSN 2278-733X

[11] S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, Design and longitudinal evaluation of a graphical password system. International J. of Human-Computer Studies 63 (2005) 102-127. [12] W. Jansen, "Authenticating Mobile Device User through Image Selection," in Data Security, 2004. [13] W. Jansen, "Authenticating Users on Handheld Devices in Proceedings of Canadian InformationTechnology Security Symposium, 2003. [14] D. Weinshall and S. Kirkpatrick, "Passwords Youll Never Forget, but Cant Recall," in Proceedings of Conference on Human Factors in Computing Systems (CHI). Vienna, Austria: ACM, 2004, pp. 13991402. [15] J. Goldberg, J. Hagman, V. Sazawal, "Doodling Our Way To Better Authentication", CHI '02 extended abstracts on Human Factors in Computer Systems, 2002. [16] H. Zhao and X. Li, "S3PAS: A Scalable Shoulder-Surfing Resistant Textual-Graphical PasswordAuthentication Scheme," in 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW 07), vol. 2. Canada, 2007, pp. 467472. [17] S. Man, D. Hong, and M. Mathews, "A shoulder surfing resistant graphical password scheme," in Proceedings of International conference on security and management. Las Vegas, NV, 2003. [18] X. Suo, Y. Zhu and G. Owen, Graphical Passwords: A Survey. In Proc. ACSAC'05. [19] Z. Zheng, X. Liu, L. Yin, Z. Liu A Hybrid password authentication scheme based on shape and text Journal of Computers, vol.5, no.5 May 2010. [20] Real User Corporation: Passfaces. www.passfaces.com . [21] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedialmeasures," Communications of the ACM, vol. 42, pp. 41-46, 1999.

Suresh.D et.al.

3348

www.ijcsmr.org