
AU COLLEGE OF ENGINEERING (A), VISAKHAPATNAM

CERTIFICATE

This is to certify that the dissertation entitled

VIRTUAL REALITY

Is a bonafide work of,

MATTAPARTHI LAKSHMI PRIYANKA


(318206415019)

In partial fulfillment of the requirements for the award of the

MASTERS OF TECHNOLOGY

Signature of Incharge: PROF. K. VENKATA RAO,
DEPT. OF COMPUTER SCIENCE AND SYSTEM ENGINEERING

Signature of Head of the Department: PROF. KUDA NAGESWARA RAO,
DEPT. OF COMPUTER SCIENCE AND SYSTEM ENGINEERING


ACKNOWLEDGMENT

It is with a great sense of satisfaction that I present “VIRTUAL REALITY” in the form of a
seminar topic.
I express my deep sense of gratitude to my seminar guide
PROF. K. VENKATA RAO, Department of Computer Science and Systems
Engineering (CS&SE), Andhra University College of Engineering (A), for
his able and inspiring guidance and valuable suggestions throughout my
seminar work.
I am very thankful to our beloved Head of the Department, PROF. KUDA
NAGESWARA RAO, HOD, Department of Computer Science and Systems
Engineering (CS&SE), Andhra University College of Engineering (A), who
has encouraged me a lot throughout the course of the seminar.
I also extend my heartfelt gratitude to all the teaching and non-teaching
staff of the Department of Computer Science and Systems Engineering
(CS&SE), for their support.

M. LAKSHMI PRIYANKA
Regd.No.318206415014
M.Tech (CS&SE)

INDEX
ABSTRACT
1. INTRODUCTION
2. LITERATURE SURVEY
3. PROPOSED SYSTEM
4. RECALL BASED SCHEME
4.1.1 DRAW A SECRET SCHEME (DAS)
4.1.2 PASS POINT SCHEME
4.1.3 SIGNATURE DRAWING SCHEME
5. RECOGNITION BASED SCHEME
5.1 DHAMIJA AND PERRIG SCHEME
5.2 SOBRADO AND BIRGET SCHEME
5.3 Pass Face scheme
6. IMPLEMENTATION AND DISCUSSION
6.1 HARDWARE INTERFACES
6.2 SOFTWARE INTERFACES
7. SECURITY ANALYSIS FOR GRAPHICAL PASSWORD
8. DESIGN AND IMPLEMENTATION ISSUES
9. CONCLUSION

LIST OF FIGURES:

Fig 1: Draw a secret scheme
Fig 2: DAS scheme with coordinates
Fig 3: Pass point scheme
Fig 4: Signature Drawing scheme
Fig 5: A ClickText image with 33 characters
Fig 6: Captcha Zoo with horses circled red
Fig 7: A ClickAnimal image
Fig 8: Random images used by Dhamija and Perrig
Fig 10: Pass object scheme
Fig 11: Pass face scheme
Fig 12: Flowchart of authentication system
Fig 13: Dictionary Attack
Fig 14: Spyware
Fig 15: Shoulder surfing
Fig 16: Social engineering
Table 1: Comparison between methods

Abstract
Computer security depends largely on passwords to distinguish legitimate human users from
attackers. The most common computer authentication method is to use alphanumerical usernames
and passwords. However, there are significant drawbacks in this method. For example, passwords
selected by users are easily guessed by an attacker. On the other hand, passwords which are
difficult to guess are difficult to remember. To overcome this problem of low security,
researchers have developed authentication methods that use images as passwords. In this
research paper, we conduct a comprehensive survey of the existing graphical password
techniques and provide a possible theory of our own.
At present, the most prominent user authentication system, and the one in widest use, relies
on this outdated method. It consists of a "username" and a "password", usually entered as text.
This system has clear disadvantages which cannot be ignored. Strong text passwords are hard to
remember, so users tend to write them down or save them as files on digital media.
Now, several computer systems, networks and internet-based environments are demanding the use
of graphical authentication methods. The basis of such an authentication system is to encourage
users to pick better passwords, which increases security and usability and also improves the
password space. In this study, we carry out a comprehensive survey of current graphical
password systems, classified into recognition-based, pure-recall-based, cued-recall-based and
multifactor methods. We also study the strengths and drawbacks of graphical password schemes.

1. INTRODUCTION
A graphical password is an authentication system that works by having the user select from
images, in a specific order, presented in a graphical user interface (GUI). Graphical
passwords may be a solution to the password problem. The idea of graphical passwords, first
described by Greg Blonder [G. Blonder, Graphical Passwords, United States Patent 5559961
(1996)], is to let the user click (with a mouse or a stylus) on a few chosen regions in an image
that appears on the screen. To log in, the user has to click in the same regions again. In
Blonder-style graphical passwords, only pre-processed images can be used. The click regions
can only be chosen from certain pre-designed regions in the image. This implies that the users
cannot provide images of their own for making passwords, and users cannot choose click
places that are not among the preselected ones. Our design allows the use of any images
(including the user's own images, digital photos of landscapes, paintings, etc.). Moreover, we
let users choose any places that attract them as click regions; such places are easier to
remember.

However, allowing arbitrary click locations leads to a stability problem, which we had to
overcome. The problem is that we cannot expect users to click always on exactly the same
location (when they intend to). So we discretize the image by using a square grid. But that
leads to border problems: if the chosen click location is near the edge of a grid-square, the
user will sometimes click in one square, sometimes in a neighboring square. We devised a
multigrid method, which we call robust discretization, and which leads to a stable output for
the user's clicking actions. An approximation parameter r is used; as long as the user clicks
within distance r of the originally chosen click location, the output of the clicking will be the
same (e.g., r = 2 mm). It is important to have stable output, because the output of the
discretized clicking will undergo a secure hash (“password encryption”). For security reasons,
we do not store the actual graphical password in the computer, just the hash value. So, the
system does not know the graphical password explicitly and hence cannot check whether a
user's clicks are “approximately correct”. The hashing of passwords leads to the requirement
that the user's clicks at login must always be in the same multi-grid squares; hence, we need a
robust discretization.

The most common and popular method used for authentication is the text password. The
vulnerabilities of this method, such as eavesdropping, dictionary attacks, shoulder surfing, and
brute force attacks, are well known. Random and long text passwords can make the system
secure, but the main problem is that those passwords are hard to remember. Studies have shown
that users choose short passwords or passwords that are easy to remember, and these
passwords can be easily guessed or cracked by an attacker. The alternative techniques are
graphical passwords. Many graphical password schemes have been proposed in the last few
years, but most of them suffer from shoulder surfing, which has become quite a major problem.
Some graphical password schemes have been proposed which are resistant to shoulder surfing,
but they have their own limitations, such as usability problems, taking more time for the user
to log in, or having long procedures.

2. LITERATURE SURVEY

In the literature, several techniques have been proposed to reduce the limitations of the
traditional alphanumerical password. One of the proposed solutions is to use an easy-to-remember
long phrase (passphrase) rather than a single word [6]. Another proposed solution
is to use graphical passwords, in which graphics (images) are used instead of alphanumerical
passwords. This can be achieved by asking the user to select regions from an image rather
than typing characters as in alphanumeric password approaches.

In December 2009, H. Gao proposed a graphical password scheme using color login. Color login
uses background color, which decreases login time. However, the possibility of accidental login
is high and the password is too short. The system developed by Sobrado is improved by
combining text with images or colors to generate session passwords for authentication.
Session passwords can be used only once, and a new password is generated every time. The
advantages of this system are that it reduces the login time and that session passwords are
generated to improve security. The disadvantage of this system is that the possibility of
accidental login is high and the password is too short.

3. PROPOSED SYSTEM
Graphical passwords refer to using images (also drawings) as passwords. In theory, graphical
passwords can be easily remembered, as users remember images better than words. Human
factors are often considered the weakest point in a computer security system. Patrick et al. [1]
point out that there are three major areas where human-computer interaction is important:
security operations, developing secure systems, and authentication. Here we focus on the
authentication problem.

[Towseef Akram et al., International Journal of Computer Science and Mobile Computing,
Vol. 6, Issue 6, June 2017, pp. 394-400. © 2017, IJCSMC. All Rights Reserved.]

User authentication is one of the important and fundamental components in most computer
security systems. Biometrics is one of the important authentication methods used to tackle the
problems associated with traditional username-passwords. But here we will deal with another
alternative: using images as passwords. According to a recent Computerworld news article,
the security team at a large company ran a network password cracker and within 30 seconds
they identified about 80% of the passwords. On the other hand, passwords that are difficult to
guess or break are often difficult to remember. Studies showed that since users can only
remember a limited number of passwords, they tend to write them down or use the same
passwords for different accounts. To address the problems with traditional username-password
authentication, alternative authentication methods, such as biometrics [2,7], have
been used. In this paper, however, we will focus on another alternative: using pictures as
passwords. In addition, if the number of possible pictures is sufficiently large, the possible
password space of a graphical password scheme may exceed that of text-based schemes and
thus presumably offer better resistance to dictionary attacks. Because of these (presumed)
advantages, there is a growing interest in graphical passwords. Also, they should be more
resistant to brute-force attacks, because there is practically an infinite search space. Graphical
password techniques are categorized into two main techniques:

1. Recall-based techniques
2. Recognition-based graphical techniques

4. RECALL BASED SCHEME:
In recall-based techniques, a user is asked to reproduce something that he or she created or
selected earlier during the registration stage. Recall-based graphical password systems are
occasionally referred to as drawmetric systems [3], since a secret drawing is recalled and
reproduced by the user. In these systems, users typically draw their password either on a
blank canvas or on a grid (which may arguably act as a mild memory cue). Recall is a
difficult memory task [6] because retrieval is done without memory prompts or cues. Users
sometimes devise ways in which the interface can be used as a cue even though it is not
intended as such; the task is then transformed into one of cued recall, although one where the
same cue is available to all users and to attackers. Text passwords can also be categorized as
using recall memory. With text passwords, there is evidence that users often include the name
of the system as part of their passwords.

Although there is currently no evidence of this happening with graphical passwords, it
remains a seemingly valid coping strategy if users can devise a way of relating a recall-based
graphical password to a corresponding account name. To a great extent these systems are
generally susceptible to shoulder surfing attacks: the entire drawing is visible on the screen as
it is being entered, and thus an attacker need accurately observe or record only one login for
the entire password to be revealed. You can secure your password using various techniques in
graphical authentication. Here we are proposing a new algorithm of authentication using
images. To authenticate, we use a grid-based approach, using an image as a reference. The user
uploads the image or set of images along with all his/her details at the time of
registration. The image selected by the user then appears on the page with a transparent grid
layer on it. The user then selects certain grids to set his/her password, as shown in the
figure below.


DRAW A SECRET SCHEME (DAS):

In this section we present a purely graphical password selection and input scheme, which we
call "draw a secret" (DAS). In this scheme, the password is a simple picture drawn on a grid.
This approach is alphabet independent, thus making it equally accessible for speakers of any
language. Users are freed from having to remember any kind of alphanumeric string.

The most compelling reason for exploring the use of a picture-based password scheme is that
humans seem to possess a remarkable ability for recalling pictures (i.e., line drawings and
real objects). The "picture effect", that is, the effect of pictorial and object representations on
a variety of measures of learning and memory has been studied for decades [7,27,25,30,5].
Cognitive scientists have shown that there is a substantial improvement of performance in
recall and recognition with pictorial representations of to-be-remembered material than for
verbal representations.

Superiority in recall of objects over words in immediate recall and over short retention
intervals has been demonstrated through a number of experiments. Empirical evidence of the
power of pictures over words dates back to the 1800s; experiments performed by Calkins [7]
showed the recall of words declining by 50% or more over a 72 hour retention interval, and
recall of objects dropping by less than 20% over the same period. Studies exhibiting
strikingly high differences in memory recall of pictures over words have since been
replicated on numerous.

Consider an interface consisting of a rectangular grid of size . Each cell in this grid is
denoted by discrete rectangular coordinates . Suppose that the
user is given a stylus with which she can draw a design on this grid. The drawing is then
mapped to a sequence of coordinate pairs by listing the cells through which the drawing
passes in the order in which it passes through them, with a distinguished coordinate pair
inserted in the sequence for each "pen up" event, i.e., whenever the user lifts the stylus from
the drawing surface. For example, consider the drawing in Figure 2. Here, the coordinate
sequence generated by this drawing is (2,2), (3,2), (3,3), (2,3), (2,2), (2,1), (5,5) where (5,5)
is the distinguished "pen up" indicator. If there were a second stroke in this example, then its
sequence would be appended to the end of the sequence above, and similarly for subsequent
strokes. In this way, we divide the space of possible drawings into equivalence classes, two
drawings being equivalent if they have the same encoding, or in other words if they cross the
same sequence of grid cells, with the breaks between strokes occurring in the same places.

Figure: Input of a graphical password on a grid. The drawing is mapped to a sequence
of coordinate pairs by listing the cells in the order in which the stylus passes through them,
with a distinguished coordinate pair inserted in the sequence whenever the stylus is lifted from
the drawing surface.

Fig 1: Draw a secret scheme

Fig 2: DAS scheme with coordinates

First we give some terminology. We define the neighbors, , of a cell (x,y) to be the
subset of the set of cells whose elements exist
in the grid. We then define a stroke to be a sequence of cells , in which , and
which does not contain a "pen up" event. A password is then defined to be a sequence of
strokes separated by "pen up" events. The length of a stroke is the number of coordinate pairs
it contains, while the total length of a password is the sum of the lengths of its component
strokes (excluding the "pen up" characters).
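
The encoding described above can be written out as follows. This is an added example, not code from the original report or from the DAS authors; it assumes a 4 x 4 grid (so that the pen-up pair (5,5) lies outside it), a cell side of 100 drawing units, and constructed stroke coordinates.

```python
GRID = 4                       # assumed grid size; cells are numbered 1..4 on each axis
PEN_UP = (GRID + 1, GRID + 1)  # distinguished pair (5, 5), as in the page's example
CELL = 100                     # assumed cell side in drawing units


def cell_of(px, py):
    """Map a point on the drawing surface to 1-based cell coordinates."""
    cx, cy = int(px // CELL) + 1, int(py // CELL) + 1
    if not (1 <= cx <= GRID and 1 <= cy <= GRID):
        raise ValueError(f"point ({px}, {py}) is outside the grid")
    return (cx, cy)


def encode_stroke(points):
    """List the cells one stroke passes through, in order of traversal."""
    cells = [cell_of(*points[0])]
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        # Walk the segment in steps of at most one unit so no cell is skipped.
        steps = max(abs(x1 - x0), abs(y1 - y0), 1)
        for i in range(1, steps + 1):
            cell = cell_of(x0 + (x1 - x0) * i / steps, y0 + (y1 - y0) * i / steps)
            if cell != cells[-1]:
                cells.append(cell)
    return cells


def encode_drawing(strokes):
    """Concatenate the stroke encodings, closing each stroke with PEN_UP."""
    encoding = []
    for stroke in strokes:
        encoding.extend(encode_stroke(stroke))
        encoding.append(PEN_UP)
    return encoding


def password_length(encoding):
    """Total length: coordinate pairs of all strokes, pen-up markers excluded."""
    return sum(1 for cell in encoding if cell != PEN_UP)


def same_password(drawing_a, drawing_b):
    """Two drawings are equivalent exactly when their encodings are equal."""
    return encode_drawing(drawing_a) == encode_drawing(drawing_b)


# Constructed sample drawings (sampled stylus positions, one list per stroke).
ORIGINAL = [[(150, 150), (250, 150), (250, 250), (150, 250), (150, 150), (150, 50)]]
# A shakier redraw that still crosses the same cells in the same order.
REDRAWN = [[(130, 170), (270, 160), (260, 240), (140, 260), (160, 140), (170, 30)]]
# The same shape drawn with the stylus lifted once in the middle.
SPLIT = [[(150, 150), (250, 150), (250, 250)],
         [(250, 250), (150, 250), (150, 150), (150, 50)]]

if __name__ == "__main__":
    print(encode_drawing(ORIGINAL))
    print("redraw accepted:", same_password(ORIGINAL, REDRAWN))
    print("split-stroke version accepted:", same_password(ORIGINAL, SPLIT))
```

The constructed ORIGINAL drawing encodes to the sequence quoted in the text, and the SPLIT drawing is rejected because the break between strokes falls in a different place.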

As with the scheme of Section 2, this scheme is most viable if the user's strokes are echoed as
curves while they are drawn. Again we appeal to the maneuverability of the devices we are
targeting (i.e., PDAs) to support the restriction that the user must shield the input display
from onlookers.

Our requirement of repeatability constrains the parameters of this scheme. As long as the
user's current drawing lies in the same equivalence class as the original drawing, she has
successfully repeated a chosen password. In general, this gives the user sufficient tolerance
when (involuntarily) varying the drawing, provided that the cells of the grid are not too small.
Indeed, this was the purpose of separating the drawings into equivalence classes to begin
with. Difficulties might arise however, when the user chooses a drawing that contains strokes
that pass too close to a grid-line. In those cases, the user might vary the drawing in such a
way as to change the resulting sequence of coordinates. There are at least two solutions to
this problem: (1) The user is offered to view the internal representation, depicting the path of
cells, when she chooses a password so that she can confirm which cells were actually touched
by the drawing. (2) The system does not accept a drawing which contains strokes that are
located "too close" to a grid line. In the implementation, described in Section 3.2, we offer
both alternatives.

Security of the DAS Scheme:


We define the information content of a password space as the entropy of the probability
distribution over that space given by the relative frequencies of the passwords that users
actually choose. Information content is the correct measure for describing difficulty of attack,
since it determines the optimal choices to be made when trying different possibilities for a
password.

High information content renders a password scheme more or less invulnerable. For example,
if users did in fact choose passwords uniformly from the space of all textual passwords,
successful attacks would be extremely unlikely. What is it that renders such attacks
successful in practice? There are two factors. The first is that in reality users do not choose
their passwords uniformly. If we assume that the data collected in Klein's study [12] is
representative of the general population, then users in fact use only $10^{-8}$ of the possible
passwords of the time. Such a distribution is highly peaked, and the information content
of the textual password space is correspondingly reduced.

However, the fact that users do not pick passwords uniformly is in itself not sufficient to
make password guessing attacks successful. The second factor that renders textual passwords
vulnerable is that the attacker has significant knowledge of the distribution of user passwords,
and can use that knowledge to her advantage. In the case of textual passwords, this
knowledge includes information about specific peaks in the distribution (users often choose
passwords based on their own name), and information about gross properties (words in the
English dictionary are likely to be chosen). Without information about the distribution, an
attacker would be no better off than if users were in fact choosing uniformly.

Due to the dependence of the security of a scheme on the passwords that users choose in
practice, a new password scheme cannot be proven better than an old scheme. Performing
trials on subjects in order to learn the distribution of user passwords for a new scheme is
impractical for such large sample spaces. In the case of textual passwords, learning the
knowledge that attackers routinely use would correspond to trying to learn the English
dictionary (among others) given no prior knowledge of the types of letter combinations used
in English, by having subjects type in 8-character passwords. In the absence of such objective
proof, we present three plausibility arguments that suggest that the DAS scheme is
considerably harder to crack than the conventional textual scheme. Two of these are estimates
of the information content of the DAS password space, which we argue improves on the
information content available with textual passwords. The third argument discusses the effect
that lack of knowledge of the distribution of user choices has on an attacker.

PASS POINT SCHEME:
We now discuss a new and more secure graphical password system called pass points.
In the pass points system, users create a click sequence of many points on a background image.
The graphical password is a new technique which is more secure than text-based passwords. In
graphical passwords, a sequence of clicks is generated to derive the password. The click events
are performed on the same image or on different images, or users can select a sequence of
images. In this system there are four main modules, namely Image Submission, Image Password
Point Mark, Pixel Tolerance Calculation and Authentication. The user submits an image and then
clicks on the image to create a password; the system then calculates the pixel tolerance around
each clicked pixel. When authenticating, the user needs to click within the tolerances, in the
correct sequence.

Text passwords are the most popular user authentication method today, but have security
and user-friendliness problems. Graphical passwords offer another alternative, and are the focus
of this paper. Graphical password systems are a type of image-based authentication that
attempts to understand the human memory for visual information.

In Pass Points, passwords consist of a sequence of pixel click-points on
a given image. Users may choose pixels in that image as click-points for their password.
To log in, they repeat the sequence of clicks in the same order.
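
The pixel-tolerance step above and the robust discretization described in the introduction address the same problem: accepting clicks within distance r while storing only a hash. The following added example, which is not code from the original report, assumes one common multigrid construction (three grids with squares of side 6r, each shifted by 2r), pixel units with r = 8, PBKDF2 as the secure hash, and constructed click coordinates.

```python
import hashlib
import hmac
import os

R = 8          # tolerance r in pixels (assumed; the page's example is r = 2 mm)
CELL = 6 * R   # side of a grid square (assumed construction)
GRIDS = 3      # three grids, grid g shifted by 2*r*g on both axes (assumed)


def cell_index(coord, grid):
    """Index of the square of `grid` that contains a 1-D coordinate."""
    return (coord - 2 * R * grid) // CELL


def is_safe(coord, grid):
    """True if coord is at least r from both edges of its square in `grid`."""
    offset = (coord - 2 * R * grid) % CELL
    return R <= offset < CELL - R


def choose_grid(x, y):
    """Pick a grid in which the enrolment click is safe on both axes."""
    for grid in range(GRIDS):
        if is_safe(x, grid) and is_safe(y, grid):
            return grid
    # Each coordinate is unsafe in exactly one grid, so one of three always fits.
    raise AssertionError("unreachable")


def discretize(clicks, grids):
    return [(g, cell_index(x, g), cell_index(y, g)) for (x, y), g in zip(clicks, grids)]


def digest(salt, squares):
    encoded = ";".join(f"{g}:{cx}:{cy}" for g, cx, cy in squares).encode()
    return hashlib.pbkdf2_hmac("sha256", encoded, salt, 100_000)


def enroll(clicks):
    """Store salt, per-click grid choice and a hash; never the click points."""
    salt = os.urandom(16)
    grids = [choose_grid(x, y) for x, y in clicks]
    return {"salt": salt, "grids": grids, "hash": digest(salt, discretize(clicks, grids))}


def verify(record, clicks):
    if len(clicks) != len(record["grids"]):
        return False
    candidate = digest(record["salt"], discretize(clicks, record["grids"]))
    return hmac.compare_digest(candidate, record["hash"])


def naive_cell(x, y):
    """Single fixed grid, shown only to illustrate the border problem."""
    return (x // CELL, y // CELL)


def tolerance_holds(extent=2 * CELL):
    """Exhaustively check that shifts of up to r on each axis keep the square."""
    for x in range(extent):
        for y in range(extent):
            g = choose_grid(x, y)
            home = (cell_index(x, g), cell_index(y, g))
            for dx in (-R, 0, R):
                for dy in (-R, 0, R):
                    if (cell_index(x + dx, g), cell_index(y + dy, g)) != home:
                        return False
    return True


ENROLLED = [(47, 96), (203, 15), (120, 121)]  # constructed click points

if __name__ == "__main__":
    record = enroll(ENROLLED)
    print("border problem on a single grid:", naive_cell(47, 96), naive_cell(49, 96))
    print("login within r:", verify(record, [(55, 88), (195, 23), (128, 129)]))
    print("login one square off:", verify(record, [(95, 96), (203, 15), (120, 121)]))
```

The per-click grid choice has to be stored unhashed, because the verifier needs it before it can discretize a login attempt.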

PERSUASIVE CUED CLICK POINTS (PCCP):


In the persuasive cued click point algorithm, the image is divided into a small grid, or small
parts of the view. The user then chooses any one grid of that image and chooses one pixel in
the selected grid; the chosen pixels are set as the password.

During user name creation, most of the image is fragmented, with a small view grid
area randomly positioned on the image as shown in the figure. Users must choose their
own click-point within the view grid. If they choose the wrong pixel or the wrong
point in the current view grid, they may click the move button to randomly reposition the
view grid. This procedure is repeated three times, that is, the user chooses on three different
images: after one pixel is chosen the next image appears and the user chooses the second pixel,
and similarly chooses the third pixel on the next image. If the user chooses a wrong pixel, the
system misleads the user, i.e. a wrong image appears and the user is not authenticated.

The view grid's size is intended to offer a variety of distinct points but still cover only
an acceptably small fraction of all possible points. Users must choose a click-point within this
highlighted view grid area and cannot click outside of the view grid area, unless they click on
move button to randomly reposition the view grid area. While users may move as often as
desired, this significantly slows password creation. The view grid and move button appear
only during password creation. During later password entry, the images are displayed
normally, without shading or the view grid, and users may click anywhere on the images.

Syukri developed a technique where authentication is done by drawing the user's signature
using a mouse, as shown in figure 4. This technique includes two stages, registration and
verification. In the registration stage the user draws his signature with a mouse, after which
the system extracts the signature area. In the verification stage the system takes the user's
signature as input, normalizes it and then extracts the parameters of the signature. The
disadvantage of this technique is the forgery of signatures. Drawing with a mouse is not
familiar to many people, and it is difficult to draw the signature within the same perimeters
as at the time of registration.

Fig 3: Pass point scheme

SIGNATURE DRAWING SCHEME:
Jermyn et al. proposed a technique, called “Draw-a-Secret (DAS)”, which allows the user
to draw their unique password. A user is asked to draw a simple picture on a 2D grid. The
coordinates of the grids occupied by the picture are stored in the order of the drawing. During
authentication, the user is asked to redraw the picture. If the drawing touches the same grids
in the same sequence, then the user is authenticated. Jermyn et al. suggested that, given
reasonable-length passwords in a 5 × 5 grid, the full password space of DAS is larger than
that of the text-based password.

Fig 4 : Signature Drawing scheme

A. ClickText

ClickText is a recognition-based CaRP scheme built on top of text Captcha. Its alphabet
comprises characters without any visually-confusing characters. For example, the letter “O” and
the digit “0” may cause confusion in CaRP images, and thus one character should be excluded
from the alphabet. A ClickText password is a sequence of characters in the alphabet, e.g.,
ρ = “AB#9CD87”, which is similar to a text password. A ClickText image is generated by the
underlying Captcha engine as if a Captcha image were generated, except that all the alphabet
characters should appear in the image. During generation, each character’s location is tracked
to produce ground truth for the location of the character in the generated image. The
authentication server relies on the ground truth to identify the characters corresponding to
user-clicked points. In ClickText images, characters can be arranged randomly on 2D space.

Fig. 5. A ClickText image with 33 characters.

Fig. 6. Captcha Zoo with horses circled red.

Fig. 7. A ClickAnimal image (left) and 6 × 6 grid (right) determined by red turkey’s
bounding rectangle.

This is different from text Captcha challenges, in which characters are typically ordered from
left to right in order for users to type them sequentially. Fig. 2 shows a ClickText image with
an alphabet of 33 characters. To enter a password, the user clicks on this image the
characters in her password, in the same order, for example “A”, “B”, “#”, “9”, “C”, “D”, “8”,
and then “7” for password ρ = “AB#9CD87”.

B. ClickAnimal

Captcha Zoo [32] is a Captcha scheme which uses 3D models of horse and dog to generate
2D animals with different textures, colors, lightings and poses, and arranges them on a
cluttered background. A user clicks all the horses in a challenge image to pass the test. Fig. 3
shows a sample challenge wherein all the horses are circled red. ClickAnimal is a
recognition-based CaRP scheme built on top of Captcha Zoo [32], with an alphabet of similar
animals such as dog, horse, pig, etc. Its password is a sequence of animal names such as
ρ = “Turkey, Cat, Horse, Dog,….” For each animal, one or more 3D models are built. The Captcha
generation process is applied to generate ClickAnimal images: 3D models are used to
generate 2D animals by applying different views, textures, colors, lighting effects, and
optionally distortions. The resulting 2D animals are then arranged on a cluttered background
such as grassland. Some animals may be occluded by other animals in the image, but their
core parts are not occluded, in order for humans to identify each of them. Fig. 4 shows a
ClickAnimal image with an alphabet of 10 animals. Note that different views applied in
mapping 3D models to 2D animals, together with occlusion in the following step, produce
many different shapes for the same animal’s instantiations in the generated images.
Combined with the additional anti-recognition mechanisms applied in the mapping step, these
make it hard for computers to recognize animals in the generated image, yet humans can
easily identify different instantiations of animals.

C. AnimalGrid

The number of similar animals is much less than the number of available characters.
ClickAnimal has a smaller alphabet, and thus a smaller password space, than ClickText. CaRP
should have a sufficiently large effective password space to resist human guessing attacks.
AnimalGrid’s password space can be increased by combining it with a grid-based graphical
password, with the grid depending on the size of the selected animal.

To be consistent with ClickAnimal, we change from drawing to clicking: Click-A-Secret
(CAS), wherein a user clicks the grid cells in her password. AnimalGrid is a combination of
ClickAnimal and CAS. The number of grid-cells in a grid should be much larger than the
alphabet size. Unlike DAS, grids in our CAS are object-dependent, as we will see next. It has
the advantage that a correct animal should be clicked in order for the clicked grid-cell(s) on
the follow-up grid to be correct. If a wrong animal is clicked, the follow-up grid is wrong.

19
A click on the correctly labeled grid-cell of the wrong grid would likely produce a
wrong grid-cell at the authentication server side when the correct grid is used. To enter a
password, a ClickAnimal image is displayed first. After an animal is selected, an image of n ×
n grid appears, with the grid-cell size equaling the bounding rectangle of the selected animal.
Each grid-cell is labeled to help users identify. gridwhentheredturkeyintheleftimage of Fig. 4
was selected. A user can select zero to multiple grid-cells matching her password. A
password must begin with an animal. When a ClickAnimal image appears, the user clicks the
animal on the image that matches the first animal in her password. The coordinates of the
clicked point are recorded. The bounding rectangle of the clicked animal is then found
interactively as follows: a bounding rectangle is calculated and displayed, e.g., the white
rectangle shown

The user checks the displayed rectangle and corrects inaccurate edges by dragging if
needed. This process is repeated until the user is satisfied with the accuracy of the bounding
rectangle. In most cases, the calculated bounding rectangle is accurate enough without
needing manual correction. Once the bounding rectangle of the selected animal is identified,
an image of n × n grid with the identified bounding rectangle as its grid-cell size is generated
and displayed. If the grid image is too large or too small for a user to view, the grid image is
scaled to a fitting size. The user then clicks a sequence of zero to multiple grid-cells that
match the grid-cells following the first animal in her password, and then gets back to the
ClickAnimal image. For the example password ρ given previously, she clicks a point inside
grid-cell_2_, and then a point inside grid-cell_1_ to select the two grid-cells. The coordinates
of user-clicked points on the grid image (the original one before scaling if the grid image is
scaled) are recorded. The above process is repeated until the user has finished entering her
password. The resulting sequence of coordinates of user-clicked points, denotes the point
with coordinates _x,y_ on a grid image, is sent to the authentication server. Using the
ground truth, the server recovers the first animal from the received sequence, regenerates the
grid image from the animal’s bounding rectangle, and recovers the clicked grid-cells. This
process is repeated to recover the password the user clicked. Its hash is then calculated and
compared with the stored hash.
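The server-side recovery described above can be sketched as follows. This is an added example, not code from the original report: the "AP"/"GP" click tags, the row-major 1-based cell labels, n = 6, the PBKDF2 hash and all coordinates are assumptions or constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

GRID_N = 6  # assumed n for the n x n grid image


@dataclass(frozen=True)
class Animal:
    """Server-side ground truth for one animal in a ClickAnimal image."""
    name: str
    left: int
    top: int
    width: int
    height: int

    def contains(self, x, y):
        return (self.left <= x < self.left + self.width
                and self.top <= y < self.top + self.height)


def animal_at(ground_truth, x, y):
    """Return the animal whose bounding rectangle contains the click.

    ground_truth is ordered front to back, so an occluding animal wins.
    """
    for animal in ground_truth:
        if animal.contains(x, y):
            return animal
    return None


def grid_cell(animal, x, y, n=GRID_N):
    """Map a click on the unscaled grid image to a cell label (1-based, row-major).

    The grid is object-dependent: every cell has the size of the selected
    animal's bounding rectangle, so the same pixel can fall into different
    cells for different animals.
    """
    col, row = x // animal.width, y // animal.height
    if x < 0 or y < 0 or col >= n or row >= n:
        return None
    return row * n + col + 1


def recover_password(ground_truth, clicks, n=GRID_N):
    """Rebuild the password tokens from the received click sequence.

    clicks: list of (kind, x, y); kind "AP" is a point on the ClickAnimal
    image, "GP" a point on the grid image (hypothetical tags).
    """
    tokens, current = [], None
    for kind, x, y in clicks:
        if kind == "AP":
            current = animal_at(ground_truth, x, y)
            if current is None:
                return None          # click landed on the background
            tokens.append(current.name)
        elif kind == "GP":
            if current is None:      # a password must begin with an animal
                return None
            cell = grid_cell(current, x, y, n)
            if cell is None:
                return None
            tokens.append(f"Grid<{cell}>")
        else:
            return None
    return tokens


def hash_password(tokens, salt):
    """Salted slow hash of the token sequence (PBKDF2 chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", ",".join(tokens).encode(), salt, 100_000)


def verify(ground_truth, clicks, salt, stored_hash):
    tokens = recover_password(ground_truth, clicks)
    if tokens is None:
        return False
    return hmac.compare_digest(hash_password(tokens, salt), stored_hash)


# Constructed sample data: one ClickAnimal image and one enrolled password.
GROUND_TRUTH = [
    Animal("Turkey", 140, 40, 40, 30),
    Animal("Cat", 20, 200, 50, 40),
    Animal("Horse", 250, 120, 80, 60),
]
SALT = b"constructed-salt"
STORED_HASH = hash_password(["Turkey", "Grid<2>", "Grid<1>", "Cat"], SALT)
CLICKS = [("AP", 150, 50), ("GP", 50, 10), ("GP", 30, 20), ("AP", 30, 210)]

if __name__ == "__main__":
    print(recover_password(GROUND_TRUTH, CLICKS))
    print(verify(GROUND_TRUTH, CLICKS, SALT, STORED_HASH))
```

Because the ground truth changes with every generated image, the stored hash covers only the token sequence, never the coordinates.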

5. RECOGNITION BASED SCHEME

Dhamija and Perrig Scheme


Dhamija and Perrig proposed a graphical authentication scheme based on the Hash
Visualization technique. In their system, the user is asked to select a certain number of
images from a set of random pictures generated by a program. Later, the user will be
required to identify the pre-selected images in order to be authenticated. The results showed
that 90% of all participants succeeded in the authentication using this technique, while only
70% succeeded using text-based passwords and PINs. The average log-in time, however, is
longer than the traditional approach. A weakness of this system is that the server needs to
store the seeds of the portfolio images of each user in plain text. Also, the process of selecting
a set of pictures from the picture database can be tedious and time consuming for the user.

Fig 8: Random images used by Dhamija and Perrig

Sobrado and Birget Scheme:

Sobrado and Birget developed a graphical password technique that deals with the shoulder
surfing problem. In the first scheme, the system will display a number of pass-objects
(pre-selected by the user) among many other objects. To be authenticated, a user needs to
recognize the pass-objects and click inside the convex hull formed by all the pass-objects. In
order to make the password hard to guess, Sobrado and Birget suggested using 1000 objects,
which makes the display very crowded and the objects almost indistinguishable, but using
fewer objects may lead to a smaller password space, since the resulting convex hull can be
large. In their second algorithm, a user moves a frame (and the objects within it) until the
pass-object on the frame lines up with the other two pass-objects. The authors also suggest
repeating the process a few more times to minimize the likelihood of logging in by randomly
clicking or rotating. The main drawback of these algorithms is that the log-in process can be
slow.

Fig 10: Pass object scheme

Man, et al. proposed another shoulder-surfing resistant algorithm. In this algorithm, a user
selects a number of pictures as pass-objects. Each pass-object has several variants and each
variant is assigned a unique code. During authentication, the user is challenged with several
scenes. Each scene contains several pass-objects (each in the form of a randomly chosen
variant) and many decoy-objects. The user has to type in a string with the unique codes
corresponding to the pass object variants present in the scene as well as a code indicating the
relative location of the pass objects in reference to a pair of eyes. The argument is that it is
very hard to crack this kind of password even if the whole authentication process is recorded
on video because there is no mouse click to give away the pass-object information.
However, this method still requires users to memorize the alphanumeric code for each pass-
object variant. Hong, et al. later extended this approach to allow the user to assign their own
codes to pass-object variants. However, this method still forces the user to memorize many
text strings and therefore suffers from the many drawbacks of text-based passwords.

5.3 Pass Face scheme

In this technique human faces are treated as passwords. In using Pass faces to authenticate an
application, the user is presented with a grid of nine faces. Only one face on the grid is from
the user's unique set of faces; the rest are decoys. He must select his specific face on the grid
to get past the digital gate. This process continues for the other four faces of his set. If he
fails to recognize or select all of his faces, he is taken back a step to try again. If too many
failures occur, he is locked out of the application.

Jansen et al. proposed a graphical password mechanism for mobile devices. During the
enrollment stage, a user selects a theme (e.g. sea, cat, etc.) which consists of thumbnail
photos and then registers a sequence of images as a password. During the authentication, the
user must enter the registered images in the correct sequence. One drawback of this technique
is that since the number of thumbnail images is limited to 30, the password space is small.
Each thumbnail image is assigned a numerical value, and the sequence of selection will
generate a numerical password. The result showed that the image sequence length was
generally shorter than the textual password length. To address this problem, two pictures can
be combined to compose a new alphabet element, thus expanding the image alphabet size.

Fig 11:Pass face scheme

6. IMPLEMENTATION AND DISCUSSION
The proposed system was implemented using PHP, CSS, JavaScript and Macromedia Flash
2008 (Action Script 2). This graphical password can be implemented in authenticating
several systems and websites. The implementation has a few focuses:

• Password: Contains image as reference & encryption algorithm.

• Grids: Contains unique grid values and grid clicking related methods.

• Login: Contains username, images, graphical password and related methods.

• SSR shield: Contains shield for shoulder surfing.

As shown in the figure below, researchers are trying to stabilize the goal in text based systems.
However, the text based approach is not able to achieve the goal because as the password
strength increases, usability decreases. Our main aim is to achieve this goal, in which the
usability as well as the security of the system is maintained in such a way that we don’t need
to compromise on either of these constraints.

Design Constraints
The system needs to be designed based on HTML code and a database, using J2EE 1.4,
Oracle 8i or above, and Struts 1.2.x. All components follow the Model-View-Controller
pattern.

Purchased Components

* Application server software and version (Tomcat 5 or above)
* Database software and version (ORACLE 8i or above)
* J2EE (typically because of app server requirements/supportability)
* Servlet Specification (typically because of app server requirements/supportability)

Interfaces

User interfaces
All pages of the system follow a consistent theme and clear structure. The
occurrence of errors should be minimized through the use of checkboxes, radio buttons and
scroll-down lists in order to reduce the amount of text input from the user. JavaScript is
implemented in HTML in order to provide a data check before submission. HTML tables
display information in a clear structure that is easy for the user to understand.

An error message should be located beside the erroneous input, clearly highlighting it
and telling the user how to solve it. For a system error, it should provide the contact methods.
Each level of user will have its own interface and privilege to manage and modify the project
information, e.g. a supervisor or admin is able to monitor and manage his users’ data, and a
user can change his details.

6.1 Hardware Interfaces

a. Server Side

The web application will be hosted on one of the Linux or Windows servers and
connect to one of the Hostel Oracle Database servers. The web server listens on the
standard web port, port 80.

b. Client Side
The system is a web based application; clients are required to use a modern web
browser such as Mozilla Firefox 1.5 or Internet Explorer 6, with cookies enabled. The computer
must have an Internet connection or LAN in order to be able to access the system on any
other system with enough credentials.

6.2 Software Interfaces

a. Server Side
The ORSCM already has the required software to host a Java web
application. An Apache Web server will accept all requests from the client and
forward ORSCM specific requests to the Tomcat 5.5 Servlet Container with J2EE 5.0 and
Struts 1.2.8 hosting ORSCM. A development database will be hosted locally (using
MySQL or ORACLE); the production database is hosted centrally (using Oracle).

b. Client Side
An OS capable of running a modern web browser which supports HTML
version 3.2 or higher.

Communication Interfaces
The HTTP protocol will be used to facilitate communications between the
client and server.

FLOW CHART FOR GRAPHICAL PASSWORD SCHEME

Fig 12: Flowchart of authentication system

7. SECURITY ANALYSIS FOR GRAPHICAL PASSWORD

Enough research is yet to be undertaken to study the difficulty of cracking graphical
passwords. As graphical passwords are still not widely used in real world applications, there
is no report on real cases of breaking graphical passwords. Here we briefly examine some of
the possible techniques for breaking graphical passwords and try to do a comparison with
text-based passwords.

A. Brute force search:
Brute-force attacks are simple to understand. An attacker has an encrypted file, say, your
LastPass or KeePass password database. They know that this file contains data they want to
see, and they know that there’s an encryption key that unlocks it. To decrypt it, they can begin
to try every single possible password and see if that results in a decrypted file. They do this
automatically with a computer program, so the speed at which someone can brute-force
encryption increases as available computer hardware becomes faster and faster, capable of
doing more calculations per second.

The brute-force attack would likely start at one-digit passwords before moving to two-digit
passwords and so on, trying all possible combinations until one works. The main defense
measure against brute force search is to have a sufficiently large password space. Text-based
passwords have a password space of 94^N, where N is the length of the password and 94 is the
number of printable characters (shift and non-shift keys excluding SPACE) on a standard
keyboard. Some graphical password techniques have been shown to provide a password
space similar to or larger than that of text-based passwords [9]. Recognition based graphical
passwords tend to have smaller password spaces than the recall based methods. It is more
difficult to carry out a brute force attack against graphical passwords than text-based
passwords. The attack programs need to automatically generate accurate mouse motion to
imitate human input, which is particularly difficult for recall based graphical passwords.
Overall, in terms of brute force attacks, it is believed that a graphical password has less
vulnerability than a text-based password.

Dictionary attacks:

A “dictionary attack” is similar and tries words in a dictionary or a list of common passwords
instead of all possible passwords. This can be very effective, as many people use such weak
and common passwords. It is impractical to carry out dictionary attacks against graphical
passwords as recognition based graphical passwords involve mouse input instead of keyboard
input. For some recall based graphical passwords [10], it is possible to use a dictionary attack
but an automated dictionary attack will be much more complex than a text based dictionary
attack. More research is needed in this area. However, it is evident that graphical passwords
have less vulnerability to dictionary attacks than text-based passwords.

Fig 13: Dictionary Attack

Spyware:
Spyware is infiltration software that secretly monitors unsuspecting users. It can enable a
hacker to obtain sensitive information, such as passwords, from the user's computer. Spyware
exploits user and application vulnerabilities and is often attached to free online software
downloads or to links that are clicked by users. Except for a few cases, key listening or key
logging spyware cannot be used to break graphical passwords. It is not clear whether “mouse
tracking” spyware will be an effective tool against graphical passwords. However, motion of
the mouse alone is not enough to break graphical passwords. Such information has to be
correlated with application information, such as window location, its position and size, as
well as desktop resolution and size.

Fig 14: Spyware

Shoulder surfing:
Shoulder surfing refers to direct observation, such as looking over a person's shoulder, to
obtain information. In some cases shoulder surfing is done for no reason other than to get an
answer, but in other instances it may constitute a security breach as the person behind may be
gleaning private information such as your PIN at a bank machine, or credit card information
as you enter it into a web-based shopping cart check-out. Like text based passwords, most of
the graphical authentication methods are vulnerable to shoulder surfing. Until now, only a
few recognition-based methods claim to resist shoulder-surfing. None of the recall-based
methods are considered shoulder-surfing resistant.

Fig 15: Shoulder surfing

Social engineering:
Social engineering is the art of manipulating people so they give up confidential information.
The types of information these criminals are seeking can vary, but when individuals are
targeted the criminals are usually trying to trick you into giving them your passwords or bank
information, or to access your computer to secretly install malicious software that will give
them access to your passwords and bank information as well as giving them control over your
computer.

Fig 16: Social engineering

Criminals use social engineering tactics because it is usually easier to exploit your natural
inclination to trust than it is to discover ways to hack your software. For example, it is much
easier to fool someone into giving you their password than it is for you to try hacking their
password (unless the password is really weak). It is less convenient for a user to give away
graphical passwords to another person as compared to text based passwords. For instance, to
tell a graphical password to others over the phone would be very difficult. Even if an attacker
is to set up a phishing website so as to obtain graphical passwords from targeted users, it
would be more time consuming to set up such sites. Overall, it is more difficult to break
graphical passwords using the traditional attack methods like brute force search, dictionary
attack, and spyware. As graphical passwords are still not widely deployed, in-depth
research and studies that investigate possible attack methods are still needed.

8. DESIGN AND IMPLEMENTATION ISSUES OF GRAPHICAL PASSWORDS
Security:
Security is the state of being free from danger, threat or errors. Graphical passwords are
much more secure than textual passwords. Since graphical passwords are not widely used in
the real world, enough research is yet to be done in the field of graphical passwords. We have
briefly examined the security issues with graphical passwords already in the above section.

Usability:
One of the major arguments for graphical authentication is that images are much easier to
remember than text strings. Some research papers presented preliminary user studies to
support this. However, current user studies involve only a small number of users and are still
very limited. A major complaint among the users of graphical authentication procedures is that
the registration process and log-in process take too much time, especially in recognition-based
approaches. For instance, in the registration phase, a user has to pick a few images from
a larger number of image sets. Then in the authentication phase, a user has to identify a few
pass-images by scanning through all the images displayed. Users may find this process long
and tedious.

Reliability:
The major design issue for recall-based methods is the reliability and accuracy of user input
recognition. The error tolerances in graphical authentication schemes have to be set carefully:
if the tolerances are overly high, it may lead to many false positives, and if the
tolerances are overly low, it may lead to many false negatives. In addition, if the
program is more error tolerant, then it will be more vulnerable to attacks.

Communication and Storage:


Graphical authentication schemes require much more space for storage than text based
passwords. Huge numbers of images may have to be maintained in a centralized storage
database. The delay in loading or transfer of images is also a concern for graphical
authentication schemes, especially for recognition-based techniques in which a large number
of images need to be displayed for each round of verification in the authentication
process.

Usability Study

1) Experimental Settings
We conducted an in-lab usability study to compare ClickText, AnimalGrid, PassPoints, text
password (Text ), and text password combined with text Captcha (P + C). P + C was used to
simulate a CbPA-protocol when a Captcha challenge was used in login. In P + C, a user was
asked to enter a password and solve a Captcha challenge generated with the same Captcha
engine used in ClickText. Each Captcha challenge contained 6 to 8 random characters.
Keyboard input was used to create and enter passwords for Text and P + C as well as to enter
user IDs for all the schemes. As explained later, Text and P + C were conducted as if they
were a single scheme to participants. We recruited 40 (30 males and 10 females) voluntary
senior and graduate students majoring in engineering and sciences, with ages ranging from 20
to 28 years (the average age = 23.4 and the standard deviation = 1.74). For pragmatic reasons,
they were recruited from interns working at Microsoft Research Asia. None of them had
studied security or was involved in any security usability study before. They were involved in
this work solely as participants in our usability study. All participants were trained to get
familiar with each authentication scheme and their experimental tasks before our data
collection. During the experiment, one of the authors got each participant when it was time
for the participant to take a test, which ensures that we could collect the required data from
every participant. Each scheme was tested in the following setting: a participant used a web
browser to interact with an authentication server, creating passwords or logging into the
server. Once a participant submitted his/her credentials to the server, the browser would show
the login result.

The schemes were classified into two categories according to their types of passwords:
AnimalGrid and PassPoints in the first category, and the remaining schemes in the second
category. A password for the schemes in the second category was a string of characters. Each
participant was asked to create a new password never used previously for each scheme, 4 in
total, and a user ID for all the schemes. Each created password consisted of 8 characters or
click-points. We also made it explicit that participants were not allowed to write down their
passwords. Each password must meet the following minimum complexity requirements. A
password must contain at least one letter, one digit, and one non-alphanumerical character for
both Text and ClickText, and at least three different animals for AnimalGrid. No repeating
patterns such as “A#A#…” or “Dog, Dog,…” were allowed. For PassPoints, click-points in a
password must be distinct (i.e., no click-point was inside another click-point’s tolerance
range). Each password was verified immediately after creation. The study was partitioned
into two stages. Two schemes were tested in each stage. In the first stage, two schemes, one
from each category, were randomly selected for a participant to test. One scheme had a string
of text characters as a password while the other had a string of animals and grid cells or
click-points as a password. During the study, each participant was asked to log in with the
following intervals between two consecutive login tests: one hour after creation, one day, one
week, and three weeks. In each test, a participant was allowed three tries to log in. If he/she
failed three attempts, his/her password was considered forgotten, and no more test would be
conducted with the participant for that specific scheme. In the second stage, the remaining
two schemes were tested in the same way as above. In the end, each participant was required
to fill a questionnaire to compare ClickText and AnimalGrid with PassPoints and Text, and to
compare ClickText with P+C, in terms of ease of use as a password system, taking both
memorizing and entering a password into consideration. A participant’s login time in each
trial was recorded by the server. We define the login time as the duration from the time when
the server received a login request to the time when the server gave its response to the login
request, which includes the time to enter user ID and password, to generate a CaRP image,
and to communicate between the server and a participant’s browser. For Text and P + C, a
participant was asked to enter a password. If successful, the server recorded the time as the
login time for Text, and then generated a Captcha challenge and sent to the user to solve. If
the participant failed with the challenge, another challenge was generated and used. This
process was repeated until the server received a correct answer to a challenge. Then the
server recorded the time as the login time for P + C, which included the time that the
participant failed to solve a challenge.

2) Experimental Results
Among all the recorded login attempts, 24.4% failed. Tests after a larger interval tended to
have more failed attempts. Some participants contributed significantly more failed attempts
than others. At the end of tests, 40 (100%) participants remembered their PassPoints
passwords, 39 (97.5%) remembered their passwords of both ClickText and AnimalGrid, and
34 (85%) remembered their Text passwords. One participant forgot the AnimalGrid password
at the one-hour test, and another one forgot the ClickText password at the one-week test. For
Text, two participants forgot their passwords at the one-week test, and four forgot at the
three-week test. PassPoints scored the best in memorability whereas Text scored the worst.
This may be partially due to the fact that hotspots were allowed for PassPoints passwords,
and that Text passwords had a much larger alphabet than both ClickText and AnimalGrid.
Table I shows the login time averaged over the 40 participants’ successful login attempts and
the sample standard deviation as well as the maximum and minimum login times for each
scheme. ClickText, AnimalGrid and P + C had similar average login time whereas PassPoints
had a little shorter average login time. Text had a much shorter average login time than the
other schemes. Each scheme had a large sample standard deviation relative to the average
login time, indicating large variations of login time for each scheme, which is confirmed by
the great difference between the minimum and maximum login times in each column shown
in Table I. This is mainly caused by large individual differences. We did not detect obvious
patterns indicating that a test with a longer interval had a larger login time than a test with a
shorter interval. We did notice that some participants had a much larger login time when the
preceding trial failed, but many other participants didn’t follow this observation. The
passwords in our tests were used much less frequently than typical usage of a password in
practice since we would like to test password memorability for each scheme. We expect
improved results when a password is used more frequently. Table II shows the comparison
results of different schemes for ease of use as a password system. We assign a value ranging
from 1 to 5 to each category, indicating the spectrum from “much more difficult” to “much
easier”. ClickText has a mean value of 3.2 and a median value of 3 as compared to
PassPoints, and a mean of 2.85 and a median of 2 as compared to Text. AnimalGrid has a
mean of 3.325 and a median of 4 as compared to PassPoints, and a mean of 3.5 and a median
of 4 as compared to Text. ClickText has a mean of 3.875 and a median of 4 as compared to P
+ C.

BALANCE OF SECURITY AND USABILITY


Some configurations of graphical passwords offer acceptable usability across common
device types, e.g. our usability studies used 400 × 400 images, which fit displays of smart
phones, iPads, and PCs. While a graphical password may take some time to enter, it takes
longer to enter than widely used text passwords. We discuss two
approaches for balancing CaRP’s

A. Alphabet Size

Increasing alphabet size produces a larger password space, and thus is more secure, but also
leads to more complex images. When the complexity of images gets beyond a certain point,
humans may need a significant amount of time to recognize the characters in a CaRP image
and may get frustrated. The optimal alphabet size for a graphical password scheme such as
ClickText remains an open question. It is possible to use a fixed subset of the alphabet to
generate graphical password images for a user if the server receives her user ID before
sending an image. In this case, the authentication server allows a user to create her password
from the full alphabet.

Once the password is created, the server finds a suitable subset of a reasonable size, which
contains all the symbols in the password. The server stores the subset or its index for the
account, and retrieves it later when the account attempts to log in to generate a password
image. This scheme is suitable when the alphabet must be large while some people would log
in on small-screen devices for which an image using the full alphabet would be too complex
to quickly identify the objects in the image.

B. Advanced Mechanisms

The CbPA-protocols described in Section II-C require a user to solve a Captcha challenge in
addition to inputting a password under certain conditions. For example, the scheme described
in applies a Captcha challenge when the number of failed login attempts has reached a
threshold for an account. A small threshold is applied for failed login attempts from unknown
machines but a large threshold is applied for failed attempts from known machines on which
a successful login occurred within a given time frame. This technique can be integrated into
CaRP to enhance usability:

1. A regular image is applied when an account has reached a threshold of failed login
attempts. As in different thresholds are applied for logins from known and unknown
machines.

2. Otherwise an “easy” image is applied. An “easy” image may take several forms depending
on the application requirements.

It can be an image generated by the underlying Captcha generator with less distortion or
overlapping, a permuted “keypad” wherein undistorted visual objects (e.g. characters) are
permuted, or even a regular “keypad” wherein each visual object (e.g., character) is always
located at a fixed position. These different forms of “easy” images allow a system to adjust
the level of difficulty to fit its needs. With such a modified image a user would always enter
a password on an image for both cases listed above. No extra task is required. The only
difference between the two cases is that a hard image is used in the first case whereas an easy
image is used in the second case.
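The two rules above amount to a small server-side policy, sketched here as an added example (not code from the original report). The threshold values, the 30-day window, the per-account and per-machine counters and the opaque machine identifier (for instance a cookie issued after a successful login) are assumptions, and counter expiry is left out.

```python
from collections import defaultdict

UNKNOWN_THRESHOLD = 3            # assumed: small threshold for unknown machines
KNOWN_THRESHOLD = 10             # assumed: large threshold for known machines
KNOWN_WINDOW = 30 * 24 * 3600    # assumed "given time frame", in seconds


class ChallengePolicy:
    """Chooses between the regular (hard) image and an "easy" image."""

    def __init__(self):
        self.last_success = {}                    # (account, machine) -> time of last good login
        self.known_failures = defaultdict(int)    # (account, machine) -> failed attempts
        self.unknown_failures = defaultdict(int)  # account -> failures from unknown machines

    def is_known(self, account, machine, now):
        """A machine is known if a successful login from it falls inside the window."""
        last = self.last_success.get((account, machine))
        return last is not None and now - last <= KNOWN_WINDOW

    def select_image(self, account, machine, now):
        """Rule 1: regular image once the applicable threshold is reached.
        Rule 2: otherwise an easy image."""
        if self.is_known(account, machine, now):
            hard = self.known_failures[(account, machine)] >= KNOWN_THRESHOLD
        else:
            hard = self.unknown_failures[account] >= UNKNOWN_THRESHOLD
        return "regular" if hard else "easy"

    def record_result(self, account, machine, success, now):
        if success:
            self.last_success[(account, machine)] = now
            self.known_failures[(account, machine)] = 0
        elif self.is_known(account, machine, now):
            self.known_failures[(account, machine)] += 1
        else:
            # Counted per account, so spreading guesses over many
            # machines does not reset the count.
            self.unknown_failures[account] += 1


def simulate():
    """Constructed timeline for one account; returns the image chosen per attempt."""
    policy, day, chosen = ChallengePolicy(), 24 * 3600, []

    # The owner logs in from her laptop and succeeds.
    chosen.append(policy.select_image("alice", "laptop", 0))
    policy.record_result("alice", "laptop", True, 0)

    # Four failed guesses arrive from four machines never seen before.
    for i in range(4):
        machine = f"unseen-{i}"
        chosen.append(policy.select_image("alice", machine, day + i))
        policy.record_result("alice", machine, False, day + i)

    # The laptop is still known, so the owner keeps the easy image.
    chosen.append(policy.select_image("alice", "laptop", 2 * day))

    # 41 days after its last success the laptop has left the window.
    chosen.append(policy.select_image("alice", "laptop", 41 * day))
    return chosen


if __name__ == "__main__":
    print(simulate())
```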

9. CONCLUSION
We have proposed graphical passwords, a new security primitive relying on unsolved hard
AI problems. The notion of this scheme introduces a new family of graphical passwords,
which adopts a new approach to counter online guessing attacks: a new image, which is also
a password challenge, is used for every login attempt to make trials of an online guessing
attack computationally independent of each other. A password can be found only
probabilistically by automatic online guessing attacks including brute-force attacks, a desired
security property that other text password schemes lack. Hotspots in images can no longer be
exploited to mount automatic online guessing attacks, an inherent vulnerability in many
graphical password systems. Graphical password forces adversaries to resort to significantly
less efficient and much more costly human-based attacks. In addition to offering protection
from online guessing attacks, graphical password is also resistant to Captcha relay attacks,
and, if combined with dual-view technologies, shoulder-surfing attacks. Graphical password
can also help reduce spam emails sent from a Web email service. Our usability study of two
graphical password schemes we have implemented is encouraging. For example, more
participants considered AnimalGrid and ClickText easier to use than PassPoints and a
combination of text password and Captcha. Both AnimalGrid and ClickText had better
password memorability than the conventional text passwords. On the other hand, the usability
of CaRP can be further improved by using images of different levels of difficulty based on
the login history of the user and the machine used to log in. The optimal tradeoff between
security and usability remains an open question for graphical password, and further studies
are needed to refine CaRP for actual deployments.

Like Captcha, graphical password utilizes unsolved AI problems. However, a password is
much more valuable to attackers than a free email account that graphical password is
typically used to protect. Therefore there are more incentives for attackers to hack graphical
password than Captcha. That is, more efforts will be attracted to the following win-win game
by CaRP than ordinary Captcha: If attackers succeed, they contribute to improving AI by
providing solutions to open problems such as segmenting 2D texts. Otherwise, our system
stays secure, contributing to practical security. As a framework, graphical password does
not rely on any specific Captcha scheme. When one Captcha scheme is broken, a new and
more secure one may appear and be converted to a CaRP scheme. Overall, our work is one
step forward in the paradigm of using hard AI problems for security. Of reasonable security
and usability and practical applications, graphical password has good potential for
refinements, which call for useful future work. More importantly, we expect graphical
password to inspire new inventions of such AI based security primitives.
