Post on 16-Apr-2018

Graphical Passwords

Submitted By: Joju P Antony R7A 41

Guided By: Sindhu Vino

Contents

Introduction

Authentication Methods

Requirements Of A Password

Text Based Passwords

Vulnerabilities

An Alternative: Graphical Passwords

Techniques Used For Graphical Password

Recognition Based Techniques

  Dhamija And Perrig Scheme

  Sobrado And Birget Scheme

Recall Based Techniques

Pass Faces

Pass Clicks

Advantages

Disadvantages

References

Introduction

Nowadays, information security is the most pressing problem

Information stored in databases is very precious to the user

To cope with the security of that information, passwords were introduced

Thus the password is the benchmark against which the authentication/role of the user in that database is checked

Authentication Methods

Token based authentication: key cards, bank cards, smart cards, …

Biometric based authentication: fingerprints, iris scan, facial recognition, …

Knowledge based authentication: text-based passwords, picture-based passwords, …

Most widely used authentication techniques

Requirements of a password

Passwords should be easy to remember

Should be quickly and easily executable

Should be secure

Should look random and should be hard to guess

Should be changeable

Text Based Passwords

What about text-based passwords?

Difficulty of remembering passwords

If easy to remember -> Easy to guess

If hard to guess -> Hard to remember

Users tend to write passwords down or use the same passwords for different accounts

Vulnerabilities

Shoulder surfing (watching a user log on as they type their password).

Dictionary attacks (using L0phtCrack or John the Ripper).

User may forget the password if it is too long and complicated.

Contd…

Key logging software records all the keystrokes entered on the keyboard and stores them for the hacker to look through and find what could be a password.

So the user needs to ensure that computer systems are secure, which is practically infeasible for an untrained user.

An alternative: Graphical Passwords

Graphical passwords may be a solution to the text based password vulnerabilities.

The idea of graphical passwords was pioneered by Greg Blonder, who also holds US patent 5559961.

A graphical password is a secret that a human user inputs to a computer with the aid of the computer's graphical input (e.g., mouse, stylus, or touch screen) and output devices.

Contd…

Psychological studies: humans can remember pictures better than text

Here the user uses visual recollection in order to gain authentication to a system

Therefore the human factor in securing information is limited

Four techniques used for Graphical Passwords

Recognition Based Techniques

Recall Based Techniques

Pass Faces

Pass Clicks

Recognition Based Techniques

A user is presented with a set of images and the user passes the authentication by recognizing and identifying the images he selected during the registration stage

Recognition Based Techniques

Dhamija and Perrig Scheme

Pick several pictures out of many choices, identify them later in authentication.

Uses Hash Visualization, which, given a seed, automatically generates a set of pictures

Recognition Based Techniques

Sobrado and Birget Scheme

The system displays a number of pass-objects (pre-selected by the user) among many other objects; the user clicks inside the convex hull bounded by the pass-objects.

Suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable.

Recall Based Techniques

A user is asked to reproduce something that he created or selected earlier during the registration stage

Recall Based Techniques

Draw-A-Secret (DAS) Scheme: the user draws a simple picture on a 2D grid; the coordinates of the grid cells occupied by the picture are stored in the order of drawing.

At authentication, the redrawing has to touch the same grid cells in the same sequence.

User studies showed that the drawing sequence is hard to remember.
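Added example (not from the original slides): a Python sketch of the DAS encoding described above, showing that a shaky redraw through the same cells is accepted while the same picture drawn in a different stroke order is rejected. The 5 x 5 grid, the 500-pixel canvas, the pen-up marker and the sample strokes are assumptions made for illustration.

```python
# Added example: Draw-A-Secret style encoding. Grid size, canvas size and the
# pen-up marker are assumed values; the strokes are constructed samples.
GRID = 5                 # cells per side
CANVAS = 500             # canvas width and height in pixels
PEN_UP = (GRID, GRID)    # out-of-range cell used to mark the end of a stroke

def encode(strokes):
    """Map strokes (lists of (x, y) pixel samples) to the ordered cell sequence."""
    seq = []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            cell = (min(int(x * GRID / CANVAS), GRID - 1),
                    min(int(y * GRID / CANVAS), GRID - 1))
            if cell != last:          # record a cell once per visit
                seq.append(cell)
                last = cell
        seq.append(PEN_UP)
    return seq

def verify(enrolled_seq, strokes):
    """Accept only if the redraw visits the same cells in the same order."""
    return encode(strokes) == enrolled_seq

# Registration: an L-shaped stroke followed by a short horizontal stroke.
ENROLLED = encode([[(50, 50), (50, 150), (50, 250), (150, 250)],
                   [(350, 350), (450, 350)]])

# Shaky redraw: different pixels, same cells, same order.
REDRAW = [[(70, 30), (60, 140), (80, 260), (170, 280)],
          [(330, 380), (420, 390)]]

# Same picture on screen, but the strokes are drawn in the other order.
REORDERED = [REDRAW[1], REDRAW[0]]

# Same picture, first stroke drawn from the other end.
REVERSED = [list(reversed(REDRAW[0])), REDRAW[1]]

if __name__ == "__main__":
    print(ENROLLED)
    print(verify(ENROLLED, REDRAW), verify(ENROLLED, REORDERED),
          verify(ENROLLED, REVERSED))
```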

PASS FACES

Passfaces (formerly known as Real User Corporation) is an information security technology company based in Annapolis, Maryland.

Commercial application leverages the brain’s innate cognitive ability to recognize human faces.

PASS FACES

Logon Process:

– Users are asked to pick their assigned Passfaces from a 3 x 3 grid containing one Passface and 8 decoys.

– The faces appear in random positions within the grid each time.

– This process is repeated until each of the assigned Passfaces is identified.

PASS CLICK

PassClick Scheme: The user clicks on any place on an image to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, the user must click within the tolerances in the correct sequence.

PASS CLICK

In the above example, the PassClicks are the points that are circled. The first was the light on the light post, then the headlight on the streetcar, followed by the middle of the clock tower, the face of the street clock, and the P on the parking sign.

By looking at this picture, you can see that there are an extreme number of places you could set as PassClicks and still remember where they are.

An individual could easily choose a face, something on the side of a building, or even the dashes on the street.
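Added example (not from the original slides, and not PassClick's own code): a Python sketch of the tolerance-and-sequence check described above. It goes one step beyond the slide by also storing a salted hash of grid cells instead of the raw points, which shows that a click near a cell boundary can fail the hashed check while still being inside the tolerance. The 10-pixel tolerance, the click coordinates and all function names are assumptions.

```python
# Added example: click-point verification with a tolerance. Values are constructed.
import hashlib
import hmac
import os

TOLERANCE = 10  # pixels allowed either side of each enrolled point (assumed)

def matches(enrolled, attempt, tol=TOLERANCE):
    """Direct check: same number of clicks, each within tol, in the same order.
    The verifier must keep the enrolled coordinates in recoverable form."""
    if len(enrolled) != len(attempt):
        return False
    return all(abs(ex - ax) <= tol and abs(ey - ay) <= tol
               for (ex, ey), (ax, ay) in zip(enrolled, attempt))

def cell_digest(clicks, salt, tol=TOLERANCE):
    """Hash the ordered grid cells (side 2 * tol) so raw points are not stored."""
    side = 2 * tol
    cells = ";".join(f"{x // side},{y // side}" for x, y in clicks)
    return hashlib.pbkdf2_hmac("sha256", cells.encode(), salt, 100_000)

def matches_hashed(stored, attempt, salt, tol=TOLERANCE):
    """Constant-time comparison of the stored digest with the attempt's digest."""
    return hmac.compare_digest(stored, cell_digest(attempt, salt, tol))

# Constructed enrolment: five click points on a 640 x 480 image.
ENROLLED = [(118, 62), (305, 240), (412, 95), (198, 331), (520, 410)]
# Constructed login attempt: every click is within 5 pixels of its target, but
# the first one crosses a cell boundary (x = 118 is in cell 5, x = 121 in cell 6).
NEAR = [(121, 60), (300, 244), (415, 99), (195, 328), (524, 405)]
SALT = os.urandom(16)

if __name__ == "__main__":
    stored = cell_digest(ENROLLED, SALT)
    print(matches(ENROLLED, NEAR))                    # within tolerance, in order
    print(matches(ENROLLED, list(reversed(NEAR))))    # right points, wrong order
    print(matches_hashed(stored, ENROLLED, SALT))     # exact cells
    print(matches_hashed(stored, NEAR, SALT))         # boundary click is rejected
```

The direct check tolerates imprecise clicks but needs the click coordinates stored in the clear; the hashed variant protects the stored secret but needs a smarter discretization than a fixed grid to avoid rejecting legitimate clicks near cell edges.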

Advantages of Graphical Passwords

Human brains can process graphical images easily.

Examples include places we visited, faces of people and things we have seen.

Difficult to implement automated attacks (such as dictionary attacks) against graphical passwords.

Disadvantages

Shoulder surfing problem (watching a user log on as they type their password).

More storage space required

Hard to implement when compared to text passwords

Conclusion

Main argument for graphical passwords: people are better at memorizing graphical passwords than text-based passwords

It is more difficult to break graphical passwords using traditional attack methods such as brute-force search, dictionary attack or spyware.

Not yet widely used, current graphical password techniques are still immature
