
1. INTRODUCTION
A graphical password is an authentication system that works by having the user select from images, in a
specific order, presented in a graphical user interface (GUI). For this reason, the graphical-password
approach is sometimes called graphical user authentication (GUA).
A graphical password is easier than a text-based password for most people to remember. Suppose an 8-character password is necessary to gain entry into a particular computer network. Instead of w8KiJ72c, for
example, a user might select images of the earth (from among a screen full of real and fictitious planets), the
country of France (from a map of the world), the city of Nice (from a map of France), a white stucco house
with arched doorways and red tiles on the roof, a green plastic cooler with a white lid, a package of Gouda
cheese, a bottle of grape juice, and a pink paper cup with little green stars around its upper edge and three
red bands around the middle.
Graphical passwords may offer better security than text-based passwords because many people, in an
attempt to memorize text-based passwords, use plain words (rather than the recommended jumble of
characters). A dictionary search can often hit on a password and allow a hacker to gain entry into a system in
seconds. But if a series of selectable images is used on successive screen pages, and if there are many
images on each page, a hacker must try every possible combination at random. If there are 100 images on
each of the 8 pages in an 8-image password, there are 100^8, or 10 quadrillion (10,000,000,000,000,000),
possible combinations that could form the graphical password! If the system has a built-in delay of only 0.1
second following the selection of each image until the presentation of the next page, it would take (on
average) millions of years to break into the system by hitting it with random image sequences.

2. HACKING TECHNIQUES
2.1 Dictionary Attacks
A dictionary attack is a method of breaking into a password-protected computer or server by systematically
entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find
the key necessary to decrypt an encrypted message or document.
Dictionary attacks work because many computer users and businesses insist on using ordinary words as
passwords. Dictionary attacks are rarely successful against systems that employ multiple-word phrases, and
unsuccessful against systems that employ random combinations of uppercase and lowercase letters mixed
up with numerals. In those systems, the brute-force method of attack (in which every possible combination
of characters and spaces is tried up to a certain maximum length) can sometimes be effective, although this
approach can take a long time to produce results.
Vulnerability to password or decryption-key assaults can be reduced to near zero by limiting the number of
attempts allowed within a given period of time, and by wisely choosing the password or key. For example, if
only three attempts are allowed and then a period of 15 minutes must elapse before the next three attempts
are allowed, and if the password or key is a long, meaningless jumble of letters and numerals, a system can
be rendered immune to dictionary attacks and practically immune to brute-force attacks.
A form of dictionary attack is often used by spammers. A message is sent to e-mail addresses consisting of
words or names, followed by the at symbol (@), followed by the name of a particular domain. Long lists of
given names (such as frank, george, judith, or donna) and/or individual letters of the alphabet followed by
surnames (such as csmith, jwilson, or pthomas) in combination with a domain name are usually effective.
2.1.1 Disadvantages
Rarely successful.
Time consuming.
Can be easily defeated using delay settings.

2.2 Brute force attacks


In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory,
be used against any encrypted data (except for data encrypted in an information-theoretically
secure manner). Such an attack might be utilized when it is not possible to take advantage of other
weaknesses in an encryption system (if any exist) that would make the task easier. It consists of
systematically checking all possible keys or passwords until the correct one is found. In the worst case, this
would involve traversing the entire search space.
When password guessing, this method is very fast when used to check all short passwords, but for longer
passwords other methods such as the dictionary attack are used because of the time a brute-force search
takes. When key guessing, the key length used in the cipher determines the practical feasibility of
performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. A
cipher with a key length of N bits can be broken in a worst-case time proportional to 2^N and an average time
of half that.
Brute-force attacks can be made less effective by obfuscating the data to be encoded, something that makes
it more difficult for an attacker to recognize when he/she has cracked the code. One of the measures of the
strength of an encryption system is how long it would theoretically take an attacker to mount a successful
brute-force attack against it.
Brute-force attacks are an application of brute-force search, the general problem-solving technique of
enumerating all candidates and checking each one.

Fig.1: Brute-force attack kit[4]


The EFF's US$250,000 DES cracking machine contained over 1,800 custom chips and could brute-force a
DES key in a matter of days. The photograph shows a DES Cracker circuit board fitted on both sides with
64 Deep Crack chips.

2.3 Shoulder surfing


Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone
as they:
fill out a form
enter their PIN at an automated teller machine or a POS terminal
use a telephone card at a public payphone
enter a password at a cybercafe, public and university libraries, or airport kiosks
enter a code for a rented locker in a public place such as a swimming pool or airport
Public transport is a particular area of concern.
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices.
Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to
observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view
by using one's body or cupping one's hand.
Secure, the European Association for Visual Data Security, recommends that when you are in a situation
with heightened risk, you take steps to protect yourself by angling your screen away from the gazes of other
people or using a screen shield to reduce the visibility of your screen. Secure also recommends that
corporate IT security guidance include directions on how to mitigate these threats. This could include the
adoption of ISO/IEC 27001. You should also ensure that staff are properly educated about the risks involved
with accessing information.
A survey of IT professionals in a white paper for Secure found that:
85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.

2.4 Overview of Authentication Methods


Current authentication methods can be divided into three main areas:
Token based authentication
Biometric based authentication
Knowledge based authentication
Token based techniques, such as key cards, bank cards and smart cards are widely used. Many token based
authentication systems also use knowledge based techniques to enhance security. For example, ATM cards
are generally used together with a PIN number.
Many different aspects of human physiology, chemistry or behavior can be used for biometric
authentication. The selection of a particular biometric for use in a specific application involves a weighting
of several factors. Jain et al. (1999)[6] identified seven such factors to be used when assessing the suitability
of any trait for use in biometric authentication. Universality means that every person using a system should
possess the trait. Uniqueness means the trait should be sufficiently different for individuals in the relevant
population such that they can be distinguished from one another. Permanence relates to the manner in which
a trait varies over time. More specifically, a trait with 'good' permanence will be reasonably invariant over
time with respect to the specific matching algorithm. Measurability (collectability) relates to the ease of
acquisition or measurement of the trait. In addition, acquired data should be in a form that permits
subsequent processing and extraction of the relevant feature sets. Performance relates to the accuracy, speed,
and robustness of technology used (see performance section for more details). Acceptability relates to how
well individuals in the relevant population accept the technology such that they are willing to have their
biometric trait captured and assessed. Circumvention relates to the ease with which a trait might be imitated
using an artifact or substitute.

Fig.2: Block Diagram for Biometric Systems[4]


The block diagram illustrates the two basic modes of a biometric system. First, in verification (or
authentication) mode the system performs a one-to-one comparison of a captured biometric with a specific
template stored in a biometric database in order to verify that the individual is the person they claim to be. Three
steps are involved in the verification of a person. In the first step, reference models for all the users are
generated and stored in the model database. In the second step, some samples are matched with the reference
models to generate the genuine and impostor scores and calculate the threshold. The third step is the testing
step. This process may use a smart card, username or ID number (e.g. PIN) to indicate which template
should be used for comparison. 'Positive recognition' is a common use of the verification mode, "where the
aim is to prevent multiple people from using the same identity".
Second, in identification mode the system performs a one-to-many comparison against a biometric database
in attempt to establish the identity of an unknown individual. The system will succeed in identifying the
individual if the comparison of the biometric sample to a template in the database falls within a previously
set threshold. Identification mode can be used either for 'positive recognition' (so that the user does not have
to provide any information about the template to be used) or for 'negative recognition' of the person "where
the system establishes whether the person is who she (implicitly or explicitly) denies to be". The latter
function can only be achieved through biometrics since other methods of personal recognition such as
passwords, PINs or keys are ineffective.
The first time an individual uses a biometric system is called enrollment. During enrollment, biometric
information from an individual is captured and stored. In subsequent uses, biometric information is detected
and compared with the information stored at the time of enrollment.
Note that it is crucial that storage and retrieval within such systems themselves be secure if the biometric system
is to be robust. The first block (sensor) is the interface between the real world and the system; it has to
acquire all the necessary data. Most of the time it is an image acquisition system, but it can change
according to the characteristics desired. The second block performs all the necessary pre-processing: it has
to remove artifacts from the sensor, enhance the input (e.g. by removing background noise), apply some
kind of normalization, etc. In the third block the necessary features are extracted. This step is important,
as the correct features need to be extracted in the optimal way. A vector of numbers or an image with
particular properties is used to create a template. A template is a synthesis of the relevant characteristics
extracted from the source. Elements of the biometric measurement that are not used in the comparison
algorithm are discarded in the template to reduce the file size and to protect the identity of the
enrollee.
During the enrollment phase, the template is simply stored somewhere (on a card, within a database, or
both). During the matching phase, the obtained template is passed to a matcher that compares it with other
existing templates, estimating the distance between them using some algorithm (e.g. Hamming distance). The
matching program analyzes the template against the input, and the result is then output for the specified use or
purpose (e.g. entrance to a restricted area). Selection of a biometric in any practical
application depends upon the characteristic measurements and user requirements. Performance, acceptability,
circumvention, robustness, population coverage, size and identity-theft deterrence should be considered
in selecting a particular biometric. Selection of a biometric based on user requirements considers sensor
availability, device availability, computational time and reliability, cost, sensor area and power
consumption.
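The three verification steps described above (reference models, genuine and impostor scores with a threshold, testing) and the Hamming-distance matcher mentioned in this section, as an added Python example that is not part of the original paper; the users, the 32-bit templates and the simulated captures are constructed toy data, and the threshold rule (minimise FAR + FRR) is an assumption:

```python
import random
from typing import Dict, List, Optional, Tuple

# Added example, not from the paper or any biometric product: a toy matcher
# that walks through reference models, genuine/impostor scoring with a
# threshold, and verification/identification using the Hamming distance.
# Templates are constructed 32-bit values, not real biometric data.

TEMPLATE_BITS = 32

# Step 1: reference models for all enrolled users (constructed, far apart).
REFERENCE_MODELS: Dict[str, str] = {
    "alice": "0" * 32,
    "bob": "1" * 32,
    "carol": "01" * 16,
    "dave": "0011" * 8,
}


def hamming(a: str, b: str) -> int:
    """Matcher distance between two templates (number of differing bits)."""
    return sum(x != y for x, y in zip(a, b))


def capture(model: str, flips: int, rng: random.Random) -> str:
    """Simulate a fresh sensor capture of the same trait: flip `flips` bits."""
    bits = list(model)
    for i in rng.sample(range(TEMPLATE_BITS), flips):
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)


def score_samples(samples: List[Tuple[str, str]]) -> Tuple[List[int], List[int]]:
    """Step 2a: genuine scores (sample vs. its owner's model) and impostor
    scores (sample vs. every other user's model)."""
    genuine: List[int] = []
    impostor: List[int] = []
    for owner, sample in samples:
        for user, model in REFERENCE_MODELS.items():
            (genuine if user == owner else impostor).append(hamming(sample, model))
    return genuine, impostor


def error_rates(genuine: List[int], impostor: List[int], t: int) -> Tuple[float, float]:
    """False accept rate and false reject rate at decision threshold t."""
    far = sum(s <= t for s in impostor) / len(impostor)
    frr = sum(s > t for s in genuine) / len(genuine)
    return far, frr


def choose_threshold(genuine: List[int], impostor: List[int]) -> int:
    """Step 2b: the t minimising FAR + FRR (assumed rule); among ties take the
    middle one so the operating point sits between the two score populations."""
    errs = [(sum(error_rates(genuine, impostor, t)), t) for t in range(TEMPLATE_BITS + 1)]
    best = min(e for e, _ in errs)
    tied = [t for e, t in errs if e == best]
    return tied[len(tied) // 2]


def verify(claimed_user: str, sample: str, t: int) -> bool:
    """Verification mode: one-to-one comparison against the claimed identity."""
    return hamming(sample, REFERENCE_MODELS[claimed_user]) <= t


def identify(sample: str, t: int) -> Optional[str]:
    """Identification mode: one-to-many search; None if no model is within t."""
    user, dist = min(((u, hamming(sample, m)) for u, m in REFERENCE_MODELS.items()),
                     key=lambda p: p[1])
    return user if dist <= t else None


def build_system(seed: int = 1) -> Tuple[int, float, float]:
    """Step 3: score three constructed captures per user, fix the threshold
    and report (threshold, FAR, FRR) on those samples."""
    rng = random.Random(seed)
    samples = [(u, capture(m, 3, rng)) for u, m in REFERENCE_MODELS.items() for _ in range(3)]
    genuine, impostor = score_samples(samples)
    t = choose_threshold(genuine, impostor)
    far, frr = error_rates(genuine, impostor, t)
    return t, far, frr
```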
K.B.A. - Quickly being able to confirm that someone is who they claim to be ultimately leads to faster purchase
approvals, a better customer experience and quicker revenue for you. The key is to do this without
increasing your costs or putting your customers' identity at risk.
We offer two knowledge-based authentication (KBA) solutions, both based on an out-of-wallet questions
process, that businesses can use to establish trust with their consumers and then maintain this trust
throughout the entire customer lifecycle. Use them individually, or together, to expand your out-of-wallet
authentication capabilities.
ExpectID IQ: verify consumers and generate out-of-wallet KBA questions based on IDology's data sources.
ExpectID Enterprise: create custom out-of-wallet KBA questions using internal proprietary data behind
your firewall.

3. CATEGORIES OF SECURITY SYSTEMS


As is well known, the most common computer authentication method is to use alphanumerical usernames and
passwords, which requires a significant amount of human involvement. It has been shown that this method
suffers from many weaknesses. Users tend to choose either very short passwords, which are easy to break,
or long passwords, which are hard to remember. In addition, they commonly choose passwords that can be
easily guessed, or they choose ones which are hard to guess but have problems remembering them
afterwards. Computer scientists have come up with different techniques in order to address this problem.
One of those techniques is to use images as passwords; it is called Graphical Passwords. There are
different kinds of Graphical Password Techniques, classified in two categories: recognition-based and
recall-based approaches. In our survey, we conducted research on this topic, more specifically Recognition
Based Authentication Methods with Graphical Passwords. In this paper we discuss the advantages and
drawbacks of those Graphical Password Techniques. Moreover, different types of applications were assessed,
as well as our own application, Concept-Based.

3.1 Recognition based techniques


In recognition-based techniques, a user is presented with a set of images and the user passes the
authentication by recognizing and identifying the images he or she selected during the registration stage.
There are many recognition-based schemes. One of them is PassFaces, which was developed by Real
User Corporation. Another recognition-based scheme is Pass-Objects, which was developed by Sobrado and
Birget. Although a recognition-based graphical password seems to be easy to remember, which increases
usability, it is not completely secure. Also, it is obvious that recognition-based systems are vulnerable to
replay attacks and mouse tracking because of the use of a fixed image as a password.

3.2 Recall based techniques


Recall-based techniques are those which require you to reproduce the image that you selected at the time of
setting up the account, like the biometric system, an iris scan or DAS. These techniques will be discussed
later on.

4. RECOGNITION BASED TECHNIQUES


4.1 DHAMIJA PERRIG MODEL
Dhamija and Perrig proposed a graphical authentication scheme based on the Hash Visualization technique.
In their system, the user is asked to select a certain number of images from a set of random pictures
generated by a program. Later, the user will be required to identify the pre-selected images in order to be
authenticated. The results showed that 90% of all participants succeeded in the authentication using this
technique, while only 70% succeeded using text-based passwords and PINs. The average log-in time,
however, is longer than with the traditional approach. A weakness of this system is that the server needs to store
the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures
from the picture database can be tedious and time consuming for the user.

Fig. 3: Dhamija Perrig scheme[4]

4.2 Sobrado Birget scheme
Sobrado and Birget developed a graphical password technique that deals with the shoulder-surfing problem.
In the first scheme, the system displays a number of pass-objects (pre-selected by the user) among many
other objects. To be authenticated, a user needs to recognize the pass-objects and click inside the convex hull
formed by all the pass-objects. In order to make the password hard to guess, Sobrado and Birget suggested
using 1000 objects, which makes the display very crowded and the objects almost indistinguishable, but
using fewer objects may lead to a smaller password space, since the resulting convex hull can be large. In
their second algorithm, a user moves a frame (and the objects within it) until the pass-object on the frame
lines up with the other two pass-objects. The authors also suggest repeating the process a few more times to
minimize the likelihood of logging in by randomly clicking or rotating. The main drawback of these
algorithms is that the log-in process can be slow.
During the authentication, the user must enter the registered images in the correct sequence. One drawback
of this technique is that since the number of thumbnail images is limited to 30, the password space is small.
Each thumbnail image is assigned a numerical value, and the sequence of selection will generate a
numerical password. The result showed that the image sequence length was generally shorter than the
textual password length. To address this problem, two pictures can be combined to compose a new alphabet
element, thus expanding the image alphabet size.
Very little research has been done to study the difficulty of cracking graphical passwords. Because graphical
passwords are not widely used in practice, there is no report on real cases of breaking graphical passwords.
Here we briefly examine some of the possible techniques for breaking graphical passwords and try to
compare them with text-based passwords.
The main defense against brute force search is to have a sufficiently large password space. Text-based
passwords have a password space of 94^N, where N is the length of the password and 94 is the number of
printable characters excluding SPACE. Some graphical password techniques have been shown to provide a
password space similar to or larger than that of text-based passwords. Recognition-based graphical
passwords tend to have smaller password spaces than the recall-based methods. It is more difficult to carry
out a brute force attack against graphical passwords than against text-based passwords.
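The comparison in this paragraph, worked through with the paper's own figures (94 printable characters, 100 images on each of 8 pages, a 0.1 s delay per image, and the 3-attempts-per-15-minutes lockout from Section 2.1), as an added Python example that is not part of the original paper; the 170,000-word dictionary size is an assumption:

```python
from fractions import Fraction
from typing import Dict, Optional

# Added example, not from the paper: puts the paper's password-space and
# rate-limiting figures into one model so the schemes can be compared.
# Policy values are the paper's own; the dictionary size is assumed.

PRINTABLE_NO_SPACE = 94
SECONDS_PER_YEAR = 365 * 24 * 3600


def text_space(length: int) -> int:
    """Password space 94^N of a text password of N printable characters."""
    return PRINTABLE_NO_SPACE ** length


def recognition_space(images_per_page: int, pages: int) -> int:
    """Space of a recognition-based password: one image per page, in order."""
    return images_per_page ** pages


def expected_guesses(space: int) -> Fraction:
    """Mean number of guesses before a uniformly chosen secret is found."""
    return Fraction(space + 1, 2)


def seconds_per_guess(selections: int, delay_ms: int,
                      attempts_per_window: Optional[int] = None,
                      window_seconds: Optional[int] = None) -> Fraction:
    """Wall-clock cost of one guess at the online interface.

    Every selection costs delay_ms (the paper's built-in 0.1 s per image); a
    lockout allowing attempts_per_window guesses per window_seconds caps the
    attacker's throughput further, and the slower of the two limits wins.
    """
    cost = Fraction(selections * delay_ms, 1000)
    if attempts_per_window and window_seconds:
        cost = max(cost, Fraction(window_seconds, attempts_per_window))
    return cost


def expected_crack_years(space: int, cost: Fraction) -> float:
    """Expected time, in years, to hit the secret by exhaustive guessing."""
    return float(expected_guesses(space) * cost / SECONDS_PER_YEAR)


def compare() -> Dict[str, object]:
    """Worked comparison using the paper's figures."""
    text = text_space(8)                      # an 8-character password like w8KiJ72c
    graphical = recognition_space(100, 8)     # 8 pages of 100 images each
    lockout = dict(attempts_per_window=3, window_seconds=15 * 60)
    return {
        "text_space": text,
        "graphical_space": graphical,
        "graphical_is_larger": graphical > text,
        # 8 image selections at 0.1 s each and no lockout (Section 1 scenario)
        "graphical_years_delay_only": expected_crack_years(graphical, seconds_per_guess(8, 100)),
        # the same text password with no per-character delay, 3 tries per 15 minutes
        "text_years_lockout": expected_crack_years(text, seconds_per_guess(8, 0, **lockout)),
        # assumed 170,000-word dictionary, password assumed to be in it, same lockout
        "dictionary_years_lockout": expected_crack_years(170_000, seconds_per_guess(1, 0, **lockout)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```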

5. RECALL BASED TECHNIQUES


5.1 DRAW A SECRET (DAS)
It is a purely graphical password selection and input scheme. The scheme replaces alphanumeric password
strings with a picture drawn on a grid. Instead of entering an alphanumeric password, this authentication
method allows users to use a set of gestures drawn on a grid to authenticate. The user's drawing is mapped
to a grid on which the order of the coordinate pairs used to draw the password is recorded in a sequence. New
coordinates are inserted into the recorded "password" sequence when the user ends one stroke (the motion of
pressing down on the screen or mouse to begin drawing, followed by taking the stylus or mouse off to create
a line or shape) and begins another on the grid. In DAS, a password is a picture drawn free-form on a grid of
size N x N. Each grid cell is denoted by two-dimensional discrete coordinates (x, y) ∈ [1, N] × [1, N]. A
completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst
constructing the secret.
The predominant argument in favor of graphical over alphanumeric passwords is use of the Picture
superiority effect which describes the improved performance of the human mind in recalling images and
objects over strings of text. This effect is utilized through DAS, as complex drawings are less difficult for
the human mind to memorize than a long string of alphanumeric characters. This allows for the user to input
stronger and more secure sequences through graphical password input schemes than conventional text input
with relative ease.

Fig. 4: DAS on a 2D grid[4]

6. SECURITY ISSUES
Multiple Accepted Passwords

The encoding of a particular secret has a one-to-many relationship with the possible drawings it can
represent; this implies that more than one drawing may in fact be accepted as a successful authentication of
the user. This is especially true with a small number of cells in the N x N grid.
To resolve this issue, more cells can be included in the grid. This makes it more difficult to cross through all
of the cells required to fulfill the password sequence. The cost of this added security is an increase in
difficulty for the actual user to reproduce the password. The more cells that are present in the grid, the more
accurate the user must be when entering the password to stroke through all of the required cells in the
correct order.
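The cell-sequence encoding from Section 5.1 and the one-to-many problem described here, as an added Python example that is not from the paper or any DAS implementation; the [0, 1) canvas coordinates, the pen-up marker (0, 0), the segment interpolation rate and the salted-hash storage of the encoding are assumptions:

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# Added example, not code from the paper or any DAS implementation: encode a
# free-form drawing on an N x N grid as the ordered cells it crosses and show
# why a coarse grid accepts more than one drawing for the same secret.

Point = Tuple[float, float]   # canvas coordinates in [0, 1) (assumption)
Cell = Tuple[int, int]        # 1-based grid cell (x, y) in [1, N] x [1, N]
PEN_UP: Cell = (0, 0)         # marker after each stroke; cells start at 1, so it is free
SUBSTEPS = 4                  # interpolation samples per cell width (assumption)


def cell_of(p: Point, n: int) -> Cell:
    """Map a canvas point to the grid cell containing it."""
    return (min(n, int(p[0] * n) + 1), min(n, int(p[1] * n) + 1))


def encode(strokes: Sequence[Sequence[Point]], n: int) -> List[Cell]:
    """Encode a drawing as the cells crossed in order, PEN_UP after each stroke.

    Segments between sampled points are interpolated so cells crossed between
    two mouse events are still recorded; staying inside a cell adds nothing.
    """
    secret: List[Cell] = []
    for stroke in strokes:
        segments = list(zip(stroke, stroke[1:])) or [(stroke[0], stroke[0])]
        last: Optional[Cell] = None
        for (x0, y0), (x1, y1) in segments:
            steps = SUBSTEPS * n
            for k in range(steps + 1):
                t = k / steps
                cell = cell_of((x0 + (x1 - x0) * t, y0 + (y1 - y0) * t), n)
                if cell != last:
                    secret.append(cell)
                    last = cell
        secret.append(PEN_UP)
    return secret


def _digest(secret: List[Cell], salt: bytes) -> bytes:
    # Store a salted hash of the encoding, never the drawing itself.  A real
    # deployment should use a slow password hash, since the cell space is small.
    data = ",".join(f"{x}:{y}" for x, y in secret).encode()
    return hashlib.sha256(salt + data).digest()


def register(strokes: Sequence[Sequence[Point]], n: int,
             salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enrollment: returns the (salt, digest) pair to store for the user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, _digest(encode(strokes, n), salt)


def authenticate(strokes: Sequence[Sequence[Point]], n: int,
                 salt: bytes, stored: bytes) -> bool:
    """Login: accepted iff the new drawing encodes to the enrolled cell sequence."""
    return hmac.compare_digest(_digest(encode(strokes, n), salt), stored)


# Constructed drawings: a straight vertical line and a zigzag that stays in
# the first column of a 4 x 4 grid.  Both cross cells (1,1)..(1,4) in order.
STRAIGHT = [[(0.10, 0.05), (0.10, 0.95)]]
ZIGZAG = [[(0.05, 0.05), (0.20, 0.30), (0.05, 0.55), (0.20, 0.80), (0.05, 0.95)]]


def demo() -> Tuple[bool, bool]:
    """Enrol STRAIGHT and log in with ZIGZAG on a 4x4 and on an 8x8 grid.

    Returns (accepted on 4x4, accepted on 8x8): the coarse grid accepts a
    different drawing, the finer grid rejects it (and, as the text notes,
    also demands more precision from the legitimate user).
    """
    results = []
    for n in (4, 8):
        salt, stored = register(STRAIGHT, n)
        results.append(authenticate(ZIGZAG, n, salt, stored))
    return results[0], results[1]
```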

Graphical Dictionary Attacks


Through the use of common "hotspots" or "points of interest" in a grid or background image, a graphical
dictionary attack can be initiated to guess users' passwords. Other factors such as similar shapes and objects
in the background image also form "click order" vulnerabilities, as these shapes may be clumped together
and used in a sequence. These attacks are far more common against the Background variation of Draw a Secret,
as it utilizes an image that can be used to exploit the vulnerabilities explained above. A study in 2013 also
showed that users have a tendency to go through similar password selection processes across different
background images.

Shoulder Surfing Attacks


This form of attack is initiated by a bystander watching the user enter their password. This attack is
present in most input schemes for authentication, but DAS schemes are especially vulnerable as the user's
strokes are displayed on the screen for all to see, unlike alphanumeric text input where the characters
entered are not actually displayed on screen.
Three techniques have been designed for protecting DAS and BDAS systems from shoulder surfing attacks:
Decoy Strokes - the use of strokes which are entered simply to confuse potential onlookers; they may be
differentiated by colors chosen by the user.
Disappearing Strokes - each stroke is removed from the screen after it is entered by the user.
Line Snaking - an extension of the disappearing strokes method, where shortly after a stroke is started, the
end of the stroke begins disappearing, giving the appearance of a "line snaking".

7. CONCLUSION
The past decade has seen a growing interest in using graphical passwords as an alternative to traditional
text-based passwords. Although the main argument for graphical passwords is that people are better at
memorizing graphical passwords than text-based passwords, the existing user studies are very limited and
there is not yet convincing evidence to support this argument. Our preliminary analysis suggests that it is
more difficult to break graphical passwords using the traditional attack methods such as brute force search,
dictionary attack, or spyware. However, since there is not yet wide deployment of graphical password
systems, the vulnerabilities of graphical passwords are still not fully understood. Overall, the current
graphical password techniques are still immature. Much more research and user studies are needed for
graphical password techniques to achieve higher levels of maturity and usefulness.

8. REFERENCES
1. http://www.seminarsonly.com/Labels/Graphical-Password-Authentication-Advantages-andDisadvantages.php
2. clam.rutgers.edu/~birget/grPssw/susan3.pdf
3. Wikipedia
4. IEEE paper.