
Network Security - Overcome Password Hacking Through Graphical Password Authentication

Presented by:
SAHIL
1511249

Outline

Introduction
Overview of the Authentication Methods
The survey
Recognition Based Techniques
Recall Based Techniques

Design and Implementation of Graphical Password
Discussion
Security
Usability
Shoulder surfing problem and its solution
Advantage of Graphical Password over Text based password
Conclusion

Introduction
Authentication is the process that allows a user to confirm his or
her identity to a Web application. Human factors are often
considered the weakest link in a computer security system.
It has been pointed out that there are three major areas where
human-computer interaction is important: authentication, security
operations, and developing secure systems. Here we focus
on the authentication problem.
A password is a form of secret authentication data that is
used to control access to a resource. The password is kept
secret from those not allowed access, and those wishing to
gain access are tested on whether or not they know the
password and are granted or denied access accordingly.

Continued
How about text-based passwords?
Difficulty of remembering passwords
easy to remember -> easy to guess
hard to guess -> hard to remember
Users tend to write passwords down or use the same passwords for different accounts
An alternative: Graphical Passwords
Psychological studies: Humans can remember pictures better than text

Graphical Password Scheme
If the number of possible pictures is sufficiently large, the
possible password space may exceed that of text-based
schemes, thus offering better resistance to dictionary attacks.
Can be used for:
workstations
web log-in applications
ATM machines
mobile devices

In this paper
Conduct a comprehensive survey of the existing graphical password techniques
Discuss the strengths and limitations of each method
Point out future research directions

Overview of the Authentication Methods
Token based authentication
key cards, bank cards, smart card,
Biometric based authentication
Fingerprints, iris scan, facial recognition,
Knowledge based authentication
text-based passwords, picture-based passwords,
most widely used authentication techniques

The survey: two categories
Recognition Based Techniques
A user is presented with a set of images and passes the
authentication by recognizing and identifying the images he
selected during the registration stage
Recall Based Techniques
A user is asked to reproduce something that he created or
selected earlier during the registration stage

Recognition Based Techniques
Dhamija and Perrig Scheme
Pick several pictures out of many choices, identify them later
in authentication.
Uses Hash Visualization, which, given a seed, automatically
generates a set of pictures
Takes longer to create graphical passwords
Password space: N! / (K! (N-K)!)
(N - total number of pictures; K - number of pictures selected as passwords)

Recognition Based Techniques
Sobrado and Birget Scheme
The system displays a number of pass-objects (pre-selected by the user)
among many other objects; the user clicks inside the convex hull bounded
by the pass-objects.
The authors suggested using 1000 objects, which makes the display
very crowded and the objects almost indistinguishable.
Password space: N! / (K! (N-K)!)
(N - total number of picture objects; K - number of pre-registered objects)

Recognition Based Techniques
Other Schemes
Using human faces as password
Select a sequence of images as password

Recall Based Techniques
Draw-A-Secret (DAS) Scheme
User draws a simple picture on a 2D grid; the coordinates of the
grids occupied by the picture are stored in the order of drawing
Redrawing has to touch the same grids in the same
sequence in authentication
User studies showed the drawing sequence is hard to remember
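
A sketch of the Draw-A-Secret encoding described on this slide, added here as an example and not taken from the original presentation. The 5x5 grid, the 500x500 canvas, the sample strokes and the choice to keep a salted PBKDF2 hash instead of the cell list are assumptions.

```python
import hashlib
import hmac
import os

PEN_UP = (-1, -1)  # marks the end of a stroke, so stroke boundaries are part of the secret

def encode_drawing(strokes, width, height, grid=5):
    """Return the ordered grid cells touched by the strokes (lists of (x, y) pixels)."""
    cell_w, cell_h = width / grid, height / grid
    seq = []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            if not (0 <= x < width and 0 <= y < height):
                raise ValueError("point outside the drawing area")
            cell = (int(x // cell_w), int(y // cell_h))
            if cell != last:  # one entry per continuous visit to a cell
                seq.append(cell)
                last = cell
        seq.append(PEN_UP)
    return seq

def _digest(seq, salt):
    # Hardening assumed for this example: keep a salted, slow hash, not the cells.
    return hashlib.pbkdf2_hmac("sha256", repr(seq).encode(), salt, 100_000)

def enroll(strokes, width, height):
    salt = os.urandom(16)
    return salt, _digest(encode_drawing(strokes, width, height), salt)

def verify(strokes, width, height, salt, stored):
    candidate = _digest(encode_drawing(strokes, width, height), salt)
    return hmac.compare_digest(candidate, stored)

# Constructed sample on a 500x500 canvas: a secret drawn in two strokes.
SECRET = [[(50, 50), (150, 60), (250, 70)], [(250, 250), (260, 350)]]
REDRAW = [[(10, 90), (120, 20), (299, 99)], [(210, 299), (290, 310)]]    # same cells
REVERSED = [[(250, 70), (150, 60), (50, 50)], [(250, 250), (260, 350)]]  # wrong order

if __name__ == "__main__":
    salt, stored = enroll(SECRET, 500, 500)
    print(encode_drawing(SECRET, 500, 500))
    print(verify(REDRAW, 500, 500, salt, stored), verify(REVERSED, 500, 500, salt, stored))
```

The redraw passes because only the cell sequence matters, not the exact pixels; the reversed first stroke fails because the same cells are visited in a different order.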

Recall Based Techniques
Pass Point Scheme
User clicks on any place on an image to create a password. A tolerance
around each chosen pixel is calculated. In order to be authenticated,
the user must click within the tolerances in the correct sequence.
It can be hard to remember the sequences
Password Space: N^K
(N - the number of pixels or smallest units of a picture,
K - the number of points to be clicked on)
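
The tolerance check described on this slide, with the effect of the tolerance on the N^K figure, as an added example that is not part of the original presentation. The 640x480 image, the 10-pixel tolerance and the click coordinates are constructed; storing the enrolled points in clear is a simplification of this example.

```python
import math

def verify_clicks(clicks, enrolled, tol):
    """True only if each click is within `tol` pixels of its enrolled point, in order."""
    if len(clicks) != len(enrolled):
        return False
    ok = True
    for (cx, cy), (ex, ey) in zip(clicks, enrolled):
        # Check every position without stopping early, so the response time
        # does not reveal which click in the sequence was wrong.
        ok &= abs(cx - ex) <= tol and abs(cy - ey) <= tol
    return ok

def nominal_bits(width, height, k):
    """Bits in the slide's N^K, with N = number of pixels."""
    return k * math.log2(width * height)

def effective_bits(width, height, k, tol):
    """Bits when N is the number of non-overlapping tolerance squares instead."""
    regions = (width * height) / (2 * tol + 1) ** 2
    return k * math.log2(regions)

# Constructed sample: 640x480 image, 5 click-points, 10-pixel tolerance.
ENROLLED = [(100, 120), (400, 80), (320, 240), (60, 400), (600, 450)]
CLOSE = [(104, 113), (391, 88), (320, 250), (55, 402), (610, 441)]   # all within 10 px
SWAPPED = [CLOSE[1], CLOSE[0]] + CLOSE[2:]                           # right points, wrong order

if __name__ == "__main__":
    print(verify_clicks(CLOSE, ENROLLED, 10), verify_clicks(SWAPPED, ENROLLED, 10))
    print(round(nominal_bits(640, 480, 5), 1), round(effective_bits(640, 480, 5, 10), 1))
```

Because a guess only has to land inside the tolerance square, the space an attacker must search is set by the number of squares, not the number of pixels: about 47 bits instead of about 91 for these sample values.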

Recall Based Techniques
Other Schemes
Grid Selection Scheme
Signature Scheme

Schemes Not In This Paper
Using images with random tracks of geometric graphical shapes
Using distorted images to prevent revealing of passwords

Design and Implementation of Graphical Password

To carry out this project, the following hardware and software are required:
The software needed to develop the new scheme is:
1- Delphi programming language.
2- Microsoft operating system (XP).
The hardware needed to develop the new scheme has the following
specifications, because graphical password schemes deal with
pictures or photos, which need more memory and storage space:
1- PC with high performance processor
2- DDR Memory minimum 512MB
3- HDD for large data stored
For example, we can implement the graphical password authentication method
for our college. The interface is designed to log in to the system for both the
existing user and the new user.

Continued

Choosing a password

Security
Is a graphical password as secure as text-based passwords?
Text-based passwords have a password space of 94^N
(94 - number of printable characters, N - length of passwords).
Some graphical password techniques can compete: Draw-A-Secret Scheme,
PassPoint Scheme.
Brute force search / Dictionary attacks
The attack programs need to automatically generate accurate mouse motion
to imitate human input, which is more difficult compared to text passwords.
Guessing: guessing of graphical passwords is difficult.

Usability
Pictures are easier to remember than text strings
Password registration and log-in process take too long
Require much more storage space than text based passwords

Shoulder Surfing problem and its solution

Like text based passwords, most of the graphical
passwords are vulnerable to shoulder surfing.
At this point, only a few recognition-based techniques are
designed to resist shoulder-surfing. None of the recall-based
techniques are considered shoulder-surfing resistant.
To overcome this shoulder surfing problem, we implement
a new idea: when the mouse moves over the password
selection area, the mouse pointer becomes a small dot.
Another method is to rearrange the images
randomly in the password selection image, so that the
shoulder surfing problem can be reduced.

Advantage of Graphical Password over Text based password
Graphical passwords may offer better security than text based
passwords because many people, in an attempt to memorize text based
passwords, use plain words (rather than the recommended jumble of
characters).
A dictionary search can often hit on a password and allow a hacker to
gain entry into a system in seconds. But if a series of selectable
images is used on successive screen pages, and if there are many
images on each page, a hacker must try every possible combination at
random.
If there are 100 images on each of the 8 pages in an 8-image password,
there are 100^8 or 10 quadrillion (10,000,000,000,000,000) possible
combinations that could form the graphical password. If the system
has a built-in delay of only 0.1 second following the selection of each
image until the selection of the next page, it would take millions of
years to break into the system by hitting it with random image
sequences. Therefore hacking by random combination is impossible.
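
The password-space formulas from the Recognition, Security and Advantage slides worked through side by side, as an added example that is not part of the original presentation. It assumes uniformly random selections, 8 delayed selections per attempt (0.8 s), and the picture counts marked as assumed in the code; `parallel_sessions` is a hypothetical parameter showing how the delay scales when guesses run concurrently.

```python
import math

PRINTABLE = 94                      # printable characters, as on the Security slide
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def selection_space(n, k):
    """Unordered choice of K out of N pictures: N! / (K! (N-K)!)."""
    return math.comb(n, k)

def sequence_space(n, k):
    """Ordered choice with repetition (PassPoint, page-by-page images): N^K."""
    return n ** k

def bits(space):
    return math.log2(space)

def equivalent_text_length(space):
    """Shortest random text password whose 94^L space is at least `space`."""
    length = 1
    while PRINTABLE ** length < space:
        length += 1
    return length

def years_to_exhaust(space, seconds_per_attempt, parallel_sessions=1):
    """Worst-case time for online guessing when every attempt is delayed."""
    return space * seconds_per_attempt / parallel_sessions / SECONDS_PER_YEAR

def compare():
    schemes = {
        "recognition, 5 of 25 pictures (assumed sizes)": selection_space(25, 5),
        "convex hull, 10 of 1000 objects (K assumed)": selection_space(1000, 10),
        "8 pages x 100 images (slide's figures)": sequence_space(100, 8),
    }
    return {name: (round(bits(s), 1), equivalent_text_length(s))
            for name, s in schemes.items()}

if __name__ == "__main__":
    for name, (b, length) in compare().items():
        print(f"{name}: {b} bits, matches a random {length}-character text password")
    print(f"{years_to_exhaust(sequence_space(100, 8), 0.8):.3g} years at 0.8 s per attempt")
```

The same formula gives very different strength depending on N and K, and the years figure holds only for a single rate-limited online session.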

Conclusion
Main argument for graphical passwords:
people are better at memorizing graphical passwords than text-based
passwords
It is more difficult to break graphical passwords using the
traditional attack methods such as: brute force search,
dictionary attack or spyware.
Not yet widely used; current graphical password
techniques are still immature

Thank you

Queries?
