8/11/2019 Stage1 (4)

1/31

GRAPHICAL PASSWORD AUTHENTICATION

USING PERSUASIVE CUED CLICK POINT

Abstract

The main issues of knowledge-based authentication, usually text-based passwords,are well known. Users tend to choose memorable passwords that are easy for

attackers to guess, but strong system assigned passwords are difficult for users toremember. In this paper focuses on the integrated evaluation of the Persuasive

Cued Click Points graphical password authentication system, including usability

and security. An important usability goal for authentication systems is to support

users in selecting better passwords, thus increasing security by expanding theeffective password space. In click-based graphical passwords, poorly chosen

passwords lead to the emergence of hotspots (portions of the image where users aremore likely to select click-points, allowing attackers to mount more successful

dictionary attacks). We use persuasion to influence user choice is used in click-based graphical passwords, encouraging users to select more random, and hence

more difficult to guess, click-points.

8/11/2019 Stage1 (4)

2/31

INTRODUCTION

There are many things that are well know about passwords; such as that user

cant remember strong password and that the passwords they can remember are

easy to guess.

A password authentication system should encourage strong and less predictablepasswords while maintaining memo ability and security. This password

authentication system allows user choice while influencing users towards strongerpasswords. The task of selecting weak passwords (which are easy for attackers to

guess) is more tedious, avoids users from making such choices. In effect, this

authentication schemes makes choosing a more secure password the path-of-least-resistance. Rather than increasing the burden on users, it is easier to follow the

systems suggestionsfor a secure passworda feature absent in most schemes.

We applied this approach to create the first persuasive click-based graphical

password system, Persuasive Cued Click- Points (PCCP) and conducted an in lab-

lab usability study with 10 participants. Our results show that our Persuasive CuedClick Points scheme is effective at reducing the number of hotspots (areas of the

image where users are more likely to select click points) while still maintaining

usability. In this paper also analyze the efficiency of tolerance value and securityrate. While we are not arguing that graphical passwords are the best approach to

Authentication, we find that they offer an excellent environment for exploring

strategies for helping users select better passwords since it is easy to compare userchoices. Indeed, we also mention how our approach might be adapted to text-based

passwords.

8/11/2019 Stage1 (4)

3/31

Literature Survey

Text passwords are the most prevalent user authentication method, but havesecurity and usability problems. Replacements such as biometric systems and

tokens have their own drawbacks. Graphical passwords offer another alternative,and are the focus of this paper. Graphical passwords were originally defined by

Blonder (1996). In general, graphical passwords techniques are classified into twomain categories: recognition-based and recall based graphical techniques. In

recognition based, a user is presented with a set of images and the user passes the

authentication by recognizing and identifying the images he selected during theregistration stage. In recall based graphical password, a user is asked to reproduce

something that he created or selected earlier during the registration stage. This

project is based on recall based Technique.

A. Why Graphical Passwords?

Access to computer systems is most often based on the use of alphanumericpasswords. Though, users have difficulty remembering a password that is long and

random-appearing. Instead, they create short, simple, and insecure passwords.Graphical passwords have been designed to try to make passwords more

memorable and easier for people to use and, therefore, more secure. Using a

graphical password, users click on images rather than type alphanumeric

characters.

B. Click-Based Graphical PasswordsGraphical password systems are a type of knowledge-based authentication that

attempts to leverage the human memory for visual information. A complete reviewof graphical passwords is available elsewhere. Of interest herein are cued-recall

click-based graphical passwords (also known as locimetric). In such systems, usersidentify and target previously selected locations within one or more images. The

images act as memory cue to aid recall. Example systems include Pass Points andCued Click-Points (CCP).

C. Persuasive Technology

Persuasive Technology was first articulated by Fog as using technology tomotivate and influence people to behave in a desired manner. Persuasive

Technology is the emerging field of interactive computing systems designed tochange peoples attitudes and behaviors. An authentication system which applies

Persuasive Technology should guide and encourage users to select strongerpasswords, but not impose system-generated passwords. To be effective, the users

must not ignore the persuasive elements and the resulting passwords must be

https://www.cse.ust.hk/ct/FYP/content/literature_survey.htmlhttps://www.cse.ust.hk/ct/FYP/content/literature_survey.htmlhttps://www.cse.ust.hk/ct/FYP/content/literature_survey.html

8/11/2019 Stage1 (4)

4/31

memorable. As detailed in the next section, our proposed system accomplishes this

by making the task of selecting a weak password more tedious and time-consuming. The path-of-least resistance for users is to select a stronger password

(not comprised entirely of known hotspots or following a predictable pattern). As a

result, the system also has the advantage of minimizing the formation of hotspotsacross users since click points are more randomly distributed.

8/11/2019 Stage1 (4)

5/31

Proposed System

Using CCP as a base system, we added a persuasive feature to encourage users to

select more secure passwords, and to make it more difficult to select passwords

where all five click-points are hotspots. Specifically, when users created apassword, the images were slightly shaded except for a randomly positionedviewport. The viewport is positioned randomly rather than specifically to avoid

known hotspots, since such information could be used by attackers to improveguesses and could also lead to the formation of new hotspots. The viewports size

was intended to offer a variety of distinct points but still cover only an acceptablysmall fraction of all possible points. Users were required to select a click-point

within this highlighted viewport and could not click outside of this viewport. If

they were unwilling or unable to select a click-point in this region, they could press

the shuffle button to randomly reposition the viewport. While users were

allowed to shuffle as often as they wanted, this significantly slowed the passwordcreation process. The viewport and shuffle buttons only appeared during passwordcreation. During password confirmation and login, the images were displayed

normally, without shading or the viewport and users were allowed to click

anywhere.

1. Users will be less likely to select click-points that fall into known hotspots.

2. The click-point distribution across users will be more randomly dispersed and

will not form new hotspots.

3. The login security success rates will be higher than to those of the original CCPsystem.4. The login security success rates will increase, when tolerance value is lower

value.5. Participants will feel that their passwords are more secure with PCCP than

participants of the original CCP system.

The theoretical password space for a password system is the total number of

unique passwords that could be generated according to the system specifications.Ideally, a larger theoretical password space lowers the likelihood that any

particular guess is correct for a given password. For PCCP, the theoreticalpassword space is ((w h)/t2)c where the size of the image in pixels (w * h) is

divided by the size of a tolerance square (t2), to get the total number of toleranceSquares per image, raised to the power of the number of click-points in a password

(c, usually set to 5 in our experiments).

8/11/2019 Stage1 (4)

6/31

SYSTEM DESIGN

The system designed consist of three modules such as user registration module,

picture selection module and system login module

In user registration module user enter the user name in user name field and alsosuitable tolerance value (tolerance value is use to compare registration profile

vector with login profile vector). When user entered the all user details inregistration phase, these user registration data stored in data base and used during

login phase for verification. In picture selection phase there are two ways forselecting picture password authentication.

1. User defines pictures: Pictures are selected by the user from the hard disk or anyother image supported devices.

2. System defines pictures: pictures are selected by the user from the database ofthe password system.

8/11/2019 Stage1 (4)

7/31

User registration flow chart

Below flowchart shows the user registration procedure, this procedure include bothregistration phase (user ID) and picture selection phase. The process flow starts

from registering user id and tolerance value. Once user completes all the userdetails then proceed to next stage, which is selecting click points on generated

images, which ranges from 1-5. After done with all these above procedure, userprofile vector will be created.

8/11/2019 Stage1 (4)

8/31

Login flow chart

In this login procedure (see figure 6), first user enters the unique user ID as sameas entered during registration. Then images are displayed normally, without

shading or the viewport, and repeat the sequence of clicks in the correct order,

within a system-defined tolerance square of the original click-points. After donewith all these above procedure, user profile vector will be opened.

8/11/2019 Stage1 (4)

9/31

1.6 Hardware and software requirements

HARDWARE REQUIREMENTS:

1 GB RAM.

200 GB HDD.

Intel 1.66 GHz Processor Pentium 4

SOFTWARE REQUIREMENTS:

Windows XP, Windows 7,8

Visual Studio 2010

MS SQL Server 2008

Windows Operating System

8/11/2019 Stage1 (4)

10/31

8/11/2019 Stage1 (4)

11/31

System Security

An authentication system must provide adequate security for its intended

environment; otherwise it fails to meet its primary goal. The classification of

attacks on knowledge-based authentication into two general categories: guessingand capture attacks.

A .Guessing AttacksIn successful guessing attacks, attackers are able to either exhaustively search

through the entire theoretical password space, or predict higher probabilitypasswords (i.e., create a dictionary of likely passwords) so as to obtain an

acceptable success rate within a manageable number of guesses. We now consider

how these could be leveraged in guessing attacks.

Pattern-Based Attack

One of the proposed attacks on Pass Points is an automated pattern-based

dictionary attack that prioritizes passwords consisting of click-points ordered in aconsistent horizontal and vertical direction (including straight lines in anydirection, arcs, and step patterns), but ignores any image-specific features such as

hotspots. The attack guesses approximately half of passwords collected in a fieldstudy on the Cars and Pool images (two of the 17 core images) with a dictionary

containing 235 entries, relative to a theoretical space of 243. Given that PCCP

passwords are essentially indistinguishable from random for click-point

distributions along the x- and y-axes, angles, slopes, and shapes (see technicalreport such pattern-based attacks would be ineffective

against PCCP passwords.Hotspot Attack with All Server-Side InformationPassPoints passwords from a small number of users can be used [21] to determine

likely hotspots on an image, which can then be used to form an attack dictionary.Up to 36 percent of passwords on the Pool image were correctly guessed with a

dictionary of 231 entries. To explore an offline version of this attack, assume in theworst case that attackers gain access to all serverside information: the username,

user-specific seed, image identifiers, images, hashed user password, andcorresponding grid identifiers .The attackers task is more difficult for PCCP

because not only is the popularity of hotspots reduced, but the sequence of images

must be determined and each relevant image collected, making a customized attackper user. An online attack could be thwarted by limiting the number of incorrect

guesses per account.

8/11/2019 Stage1 (4)

12/31

B .Capture Attacks

Password capture attacks occur when attackers directly obtain passwords (or parts

thereof) by intercepting user entered data, or by tricking users into revealing their

passwords. For systems like PCCP, CCP, and PassPoints (and many otherknowledge-based authentication schemes), capturing one login instance allows

fraudulent access by a simple replay attack. We summarize the main issues below.

Shoulder Surfing: All three cued-recall schemes discussed (PCCP, CCP, andPassPoints) are susceptible to shoulder surfing although no published empirical

study to date has examined the extent of the threat. Observing the approximate

location of clickpoints may reduce the number of guesses necessary to determinethe users password. User interfacemanipulations such as reducing the size of the

mouse cursor or dimming the image may offer some protection, but have not been

tested. A considerably more complicated alternative is to make user input invisibleto cameras, for example, by using eye tracking as an input mechanism.

Malware: Malware is a major concern for text and graphical passwords, since key

logger, mouse logger, and screen scraper malware could send captured dataremotely or otherwise make it available to an attacker.

8/11/2019 Stage1 (4)

13/31

Testing Technology

System testing is a critical phase implementation. Testing of the system involves

hardware devise and debugging of the computer programs and testing information

processing procedures. Testing can be done with text data, which attempts to stimulate

all possible conditions that may arise during processing. If structured programming

Methodologies have been adopted during coding the testing proceeds from higher level

to lower level of program module until the entire program is tested as unit. The testing

methods adopted during the testing of the system were unit testing and integrated

testing.

UNIT TESTING:

Unit testing focuses first on the modules, independently of one another, to locate

errors. This enables the tester to detect errors in coding and logical errors that is

contained within that module alone. Those resulting from the interaction between

modules are initially avoided.

INTEGRATION TESTING:

Integration testing is a systematic technique for constructing the program structure

while at the same time to uncover the errors associated with interfacing. The objective

8/11/2019 Stage1 (4)

14/31

is to take unit-tested module and build a program structure that has been detected by

designing. It also tests to find the discrepancies between the system and its original

objectives. Subordinate stubs are replaced one at time actual module. Tests were

conducted at each module was integrated. On completion of each set another stub was

replaced with the real module.

FUNCTIONAL TESTING:

Functional testing is a technique in which all the functionalities of the program are

tested to check whether all the functions that where proposed during the planning

phase are full filled.

This is also to check that if all the functions proposed are working properly.

This is further done in two phases:

- One before the integration to see if all the unit components work properly

- Second to see if they still work properly after they have been integrated to

check if some functional compatibility issues arise.

PERFORMANCE TESTING:

Expected Result

The client should be able to connect to the server properly without any

problems.

8/11/2019 Stage1 (4)

15/31

The connection establishment between the mobile device and the server

should take minimal time.

The mobile device should be able receive data from the server

uninterruptedly.

Information provided by the application should be correct and as per the

users need.

Observation

Connection can be established easily provided that the server is on.

The connection with the server takes time as it uses Internet connection.

Receiving data from the server takes time.

Information coming from the database is correct.

LOAD / STRESS TESTING :

Expected Result

Response time should be unaffected irrespective of the no of users.

8/11/2019 Stage1 (4)

16/31

The introduction of the newer clients should not make the server to work

hap hazardously.

Continuous use of the server by different clients should not result into the

server getting slowed down.

Response time should not be degraded if there is congestion in network.

Observation

The speed of transmission was fine even when the newer clients were

getting added. The response of the server was satisfying even with the

introduction of newer client.

ASP.NET

ASP.NET is more than the next version of Active Server Pages (ASP); it is a

unified Web development platform that provides the services necessary for developers to

build enterprise-class Web applications. While ASP.NET is largely syntax-compatible

with ASP, it also provides a new programming model and infrastructure that enables a

powerful new class of applications. You can migrate your existing ASP applications by

incrementally adding ASP.NET functionality to them.

ASP.NET is a compiled .NET Framework -based environment. You can author

applications in any .NET Framework compatible language, including Visual Basic and

Visual C#. Additionally, the entire .NET Framework platform is available to any

ASP.NET application. Developers can easily access the benefits of the .NET Framework,

which include a fully managed, protected, and feature-rich application execution

environment, simplified development and deployment, and seamless integration with a

wide variety of languages.

8/11/2019 Stage1 (4)

17/31

2.3 IDENTIFICATION OF THE PROJECT FROM THE STUDY

FEASIBILITY STUDY :

The very first phase in any system developing life cycle is preliminary

investigation. The feasibility study is a major part of this phase. A measure of how

beneficial or practical the development of any information system would be to the

organization is the feasibility study.

The feasibility of the development software can be studied in terms of the

following aspects:

1.Operational Feasibility.

2.Technical Feasibility.

3.Economical feasibility.

4.Motivational Feasibility.

5.Legal Feasibility

OPERATIONAL FEASIBILITY :

The site will reduce the time consumed to maintain manual records and is not

tiresome and cumbersome to maintain the records. Hence operational feasibility is

assured.

8/11/2019 Stage1 (4)

18/31

TECHNICAL FEASIBILITY :

At least 166 MHz Pentium Processor or Intel compatible processor.

At least 512 MB RAM.

14.4 kbps or higher modem.

A mouse or other pointing device.

At least 50 GB free hard disk space.

Microsoft Internet Explorer 4.0 or higher.

ECONOMICAL FEASIBILTY :

Once the hardware and software requirements get fulfilled, there is no need for the

user of our system to spend for any additional overhead.

For the user, the web site will be economically feasible in the following aspects:

The web site will reduce a lot of paper work. Hence the cost will be reduced.

Our web site will reduce the time that is wasted in manual processes.

The storage and handling problems of the registers will be solved.

LEGAL FEASIBILITY :

The licensed copy of the required software is quite cheap and easy to get. So

from legal point of view the proposed system is legally feasible.

8/11/2019 Stage1 (4)

19/31

Steps Towards Implementation

System Development Life Cycle:

The System Development Life Cycle is the process of developing information

systems through investigation, analysis, design, implementation, and maintenance. The

System Development Life Cycle (SDLC) is also known as Information Systems

Development or Application Development.

8/11/2019 Stage1 (4)

20/31

Steps involved in the System Development Life Cycle :

Below are the steps involved in the System Development Life Cycle. Each phase within

the overall cycle may be made up of several steps.

Step 1:Software Concept

The first step is to identify a need for the new system. This will include

determining whether a business problem or opportunity exists, conducting a feasibility

study to determine if the proposed solution is cost effective, and developing a project

plan.

This process may involve end users who come up with an idea for improving their

work. Ideally, the process occurs in tandem with a review of the organization's strategic

plan to ensure that IT is being used to help the organization achieve its strategic

objectives. Management may need to approve concept ideas before any money is

budgeted for its development.

Step 2:Requirements Analysis

Requirements analysis is the process of analyzing the information needs of the

end users, the organizational environment, and any system presently being used,

developing the functional requirements of a system that can meet the needs of the

users. Also, the requirements should be recorded in a document, email, user interface

storyboard, executable prototype, or some other form. The requirements

8/11/2019 Stage1 (4)

21/31

documentation should be referred to throughout the rest of the system development

process to ensure the developing project aligns with user needs and requirements.

Professionals must involve end users in this process to ensure that the new

system will function adequately and meets their needs and expectations.

Step 3:Architectural Design

After the requirements have been determined, the necessary specifications for the

hardware, software, people, and data resources, and the information products that will

satisfy the functional requirements of the proposed system

can be determined. The design will serve as a blueprint for the system and helps detect

problems before these errors or problems are built into the final system. Professionals

create the system design, but must review their work with the users to ensure the

design meets users' needs.

Step 4:Coding and Debugging

Coding and debugging is the act of creating the final system. This step is done by

software developer.

Step 5:System Testing The

system must be tested to evaluate its actual functionality in relation to expected or

intended functionality. Some other issues to consider during this stage would be

converting old data into the new system and training employees to use the new system.

End users will be key in determining whether the developed system meets the intended

requirements, and the extent to which the system is actually used.

Step 6:Maintenance

8/11/2019 Stage1 (4)

22/31

Inevitably the system will need maintenance. Software will definitely undergo change

once it is delivered to the customer. There are many reasons for the change. Change

could happen because of some unexpected input values into the system. In addition, the

changes in the system could directly affect the software operations. The software shouldbe developed to accommodate changes that could happen during the post implementation

period.

There are various software process models like:-

Prototyping Model

RAD Model

The Spiral Model

The Waterfall Model

The Iterative Model

Of all these process models weve used the Iterative model(The Linear Sequential Model)

for the development of our project.

The Iterative model

The waterfall model derives its name due to the cascading effect from one phase to

the other as is illustrated in Figure1.1. In this model each phase well defined starting and

ending point, with identifiable deliveries to the next phase.

8/11/2019 Stage1 (4)

23/31

This model is sometimes referred to as the linear sequential model or the software

life cycle.

The model consists of six distinct stages, namely:

1. In the requirements analysisphase

(a) The problem is specified along with the desired service objectives (goals)

(b) The constraints are identified

8/11/2019 Stage1 (4)

24/31

2. In the specification phase the system specification is produced from the

detailed definitions of (a) and (b) above. This document should clearly define the

product function.

3. In the system and software design phase, the system specifications are

translated into a software representation. The software engineer at this stage is

concerned with:

Data structure

Software architecture

Algorithmic detail

Interface representations

The hardware requirements are also determined at this stage along with a picture

of the overall system architecture. By the end of this stage should the software

engineer should be able to identify the relationship between the hardware,

software and the associated interfaces. Any faults in the specification should

ideally not be passed down stream.

4. In the implementation and testingphase stage the designs are translated into

the software domain

Detailed documentation from the design phase can significantly reduce

the coding effort.

Testing at this stage focuses on making sure that any errors are

identified and that the software meets its required specification.

5. In the integration and system testingphase all the program units are integrated

and tested to ensure that the complete system meets the software requirements.

After this stage the software is delivered to the customer [Deliverable The

software product is delivered to the client for acceptance testing.]

8/11/2019 Stage1 (4)

25/31

6. The maintenance phase the usually the longest stage of the software. In this

phase the software is updated to:

Meet the changing customer needs

Adapted to accommodate changes in the external environment

Correct errors and oversights previously undetected in the testing phases

Enhancing the efficiency of the software

Observe that feed back loops allow for corrections to be incorporated into the

model. For example a problem/update in the design phase requires a revisit to the

specifications phase. When changes are made at any phase, the relevant documentation

should be updated to reflect that change.

Advantages of the Iterative Model:-

Testing is inherent to every phase of the Iterative model

It is an enforced disciplined approach

It is documentation driven, that is, documentation is produced at every stage

Disadvantages of the Iterative Model:-

The waterfall model is the oldest and the most widely used paradigm. However,

many projects rarely follow its sequential flow. This is due to the inherent problems

associated with its rigid format. Namely:

It only incorporates iteration indirectly, thus changes may cause

considerable confusion as the project progresses.

8/11/2019 Stage1 (4)

26/31

As The client usually only has a vague idea of exactly what is required

from the software product, this IM has difficulty accommodating the natural

uncertainty that exists at the beginning of the project.

The customer only sees a working version of the product after it has been

coded. This may result in disaster any undetected problems are precipitated to

this stage.

4.User Manual

.net Framework:

The .NET Framework is Microsoft's Managed Code programming model for building

applications on Windows clients, servers, and mobile or embedded devices.

Microsoft's .NET Framework is a software technology that is available with several

Microsoft Windows operating systems. In the following sections describes , the

basics of Microsoft .Net Frame work Technology and its related programming

models.

C# is a language for professional programming. C# (pronounced C sharp) is a

programming language designed for building a wide range of enterprise applications

that run on the .NET Framework. The goal of C# is to provide a simple, safe,

modern, object-oriented, highperformance , robust and durable language for .NET

development. Also it enables developers to build solutions for the broadest range of

clients, including Web applications, Microsoft Windows Forms-based applications,

and thin- and smart-client devices.

8/11/2019 Stage1 (4)

27/31

Microsoft SQL Server 2008

Business today demands a different kind of data management solution.

Performance scalability, and reliability are essential, but businesses now expect more

from their key IT investment.

SQL Server 2008 exceeds dependability requirements and provides innovative

capabilities that increase employee effectiveness, integrate heterogeneous IT

ecosystems,and maximize capital and operating budgets. SQL Server 2008 provides the

enterprise data management platform your organization needs to adapt quickly in a fast

changing environment.

Benchmarked for scalability, speed, and performance, SQL Server 2008 is a fully

enterprise-class database product, providing core support for Extensible Markup

Language (XML) and Internet queries.

Easy-to-use Business Intelligence(BI) Tools

Through rich data analysis and data mining capabilities that integrate with

familiar applications such as Microsoft Office, SQL Server 2008 enables you to provide

all of your employees with critical, timely business information

tailored to their specific information needs. Every copy of SQL Server 2008 ships

with a suite of BI services.

Self-Tuning and Management Capabilities

Revolutionary self-tuning and dynamic self-configuring features optimize

database performance, while management tools automate standard activities. Graphical

tools and performance, wizards simplify setup, database design, and performance

8/11/2019 Stage1 (4)

28/31

monitoring, allowing database administrators to focus on meeting strategic business

needs.

Data Management Application and Services

Unlike its competitors, SQL Server 2008 provides a powerful and comprehensive

data management platform. Every software license includes extensive management and

development tools, a powerful extraction, transformation, and loading (ETL) tool,

business intelligence and analysis services such as Notification Service. The result is the

best overall business value available.

Enterprise Edition includes the complete set of SQL Server data management andanalysis features are and is uniquely characterized by several features that makes it the

most scalable and available edition of SQL Server 2008 .It scales to the performance

levels required to support the largest Web sites, Enterprise Online Transaction Processing

(OLTP) system and Data Warehousing systems. Its support for failover clustering also

makes it ideal for any mission critical line-of-business application.

8/11/2019 Stage1 (4)

29/31

CONCLUSION

An important usability and security goal in authentication systems is to help usersselect better passwords and thus increase the effective password space. We believe

that users can be persuaded to select stronger passwords through better userinterface design. As an example, we designed Persuasive Cued Click-Points

(PCCP) and conducted a usability study to evaluate its effectiveness. We obtained

favorable results both for usability and security.

PCCP encourages and guides users in selecting more random click-based graphicalpasswords. A key feature in PCCP is that creating a secure password is the path-

of-least-resistance, making it likely to be more effective than schemes where

behaving securely adds an extra burden on users. The approach has proveneffective at reducing the formation of hotspots, avoid shoulder surfing problem and

also provide high security success rate, while still maintaining usability.

8/11/2019 Stage1 (4)

30/31

REFERENCES

[1] S. Chiasson, R. Biddle, and P. van Oorschot, A Second Look at the Usability of Click-Based

Graphical Passwords, Proc. ACMSymp. Usable Privacy

and Security (SOUPS), July 2007.

[2] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot, Influencing Users towards BetterPasswords: Persuasive Cued Click- Points, Proc. British HCIGroup Ann. Conf. People and Computers: Culture, Creativity, Interaction, Sept. 2008.

[3] S. Chiasson, A. Forget, E. Stobert, P. van Oorschot, and R. Bddle, Multiple Password

Interference in Text and Click-Based Graphical Passwords, Proc.ACM Conf. Computer and Comm. Security CCS), Nov. 2009.

[4] E. Stobert, A. Forget, S. Chiasson, P. van Oorschot, and R.Biddle, Exploring Usability

Effects of Increasing Security in Click-Based Graphical Passwords,

Proc. Ann. Computer Security Applications Conf. (ACSAC), 2010.[5] S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot, User Interface Design Affects

Security: Patterns in Click-Based Graphical Passwords, Intl J.

Information Security, vol. 8, no. 6, pp. 387- 398, 2009.[6] J. Yan, A. Blackwell, R. Anderson, and A. Grant, The Memorability and Securi ty of

Passwords, Security and Usability: Designing Secure Systems That

People Can Use, L. Cranor and S. Garfinkel, eds., ch. 7, pp. 129-142, OReilly Media, 2005.

[7] S. Chiasson, P. van Oorschot, and R. Biddle, Graphical Password Authentication UsingCued Click Points, Proc. European Symp. Research in Computer

Security (ESORICS), pp. 359-374, Sept. 2007.

[8] L. Jones, A. Anton, and J. Earp, Towards Understanding User Perceptions of AuthenticationTechnologies, Proc. ACM Workshop Privacy in Electronic

Soc., 2007.

[9] L. OGorman, Comparing Passwords, Tokens, and Biometrics for User Authentication,

Proc. IEEE, vol. 91, no. 12, pp. 2019-2020, Dec. 2003.[10] A. Jain, A. Ross, and S. Pankanti, Biometrics: A Tool for Information Security, IEEE

Trans. Information Forensics and Security (TIFS), vol. 1, no. 2, pp.

125-143, June 2006.[11] R. Biddle, S. Chiasson, and P. van Oorschot, Graphical Passwords: Learning from the First

Twelve Years, to be published in ACM Computing Surveys,

vol. 44, no. 4, 2012.[12] A. De Angeli, L. Coventry, G. Johnson, and K. Renaud, Is a Picture Really Worth a

Thousand Words? Exploring the Feasibility of Graphical

Authentication Systems, Intl J. Human-Computer Studies, vol. 63, nos. 1/2, pp. 128-152, 2005.

[13] E. Tulving and Z. Pearlstone, Availability versus Accessibility of Information in Memoryfor Words, J. Verbal Learning and Verbal Behavior, vol. 5, pp.

381-391, 1966.

[14] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, PassPoints: Design and

Longitudinal Evaluation of a Graphical Password System,Intl J. Human-Computer Studies, vol. 63, nos. 1/2, pp. 102-127, 2005.

[15] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, Authentication Using

Graphical Passwords: Effects of Tolerance and Image Choice,Proc. First Symp. Usable Privacy and Security (SOUPS), July 2005.

8/11/2019 Stage1 (4)

31/31