Seminar Report
www.seminarsTopics.com

the major design and implementation issues for graphical passwords". In this paper, we are conducting a comprehensive survey of existing graphical image password authentication techniques. Also we are here proposing a new technique for graphical authentication.

Introduction:

Human factors are often considered the weakest link in a computer security system. point out that there are three major areas where human-computer interaction is important: authentication, security operations, and developing secure systems. Here we focus on the authentication problem. On the other hand, passwords that are hard to guess or break are often hard to remember. Studies showed that since users can only remember a limited number of passwords, they tend to write them down or will use the same passwords for different accounts. To address the problems with traditional username-password authentication, alternative authentication methods, such as biometrics, have been used. In this paper, however, we will focus on another alternative: using pictures as passwords.

Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text; psychological studies support such an assumption. Pictures are generally easier to be remembered or recognized than text. In addition, if the number of possible pictures is sufficiently large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these advantages, there is a growing interest in graphical password. In addition to workstation and web log-in applications, graphical passwords have also been applied to ATM machines and mobile devices.

In this paper, we conduct a comprehensive survey of the existing graphical password techniques. We will discuss the strengths and limitations of each method and also point out future research directions in this area. In this paper, we want to answer the following questions: Are graphical passwords as secure as text passwords? What are the major design and implementation issues for graphical passwords?
Overview of the Authentication Methods:
Current authentication methods can be divided into three main areas:
Token based authentication
Biometric based authentication
Knowledge based authentication

Token based techniques, such as key cards, bank cards and smart cards are widely used. Many token-based authentication systems also use knowledge based techniques to enhance security. For example, ATM cards are generally used together with a PIN number.
Biometric based authentication techniques, such as fingerprints, iris scan, or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. However, this type of technique provides the highest level of security.

Knowledge based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords. The picture-based techniques can be further divided into two categories: recognition-based and recall-based graphical techniques. Using recognition-based techniques, a user is presented with a set of images and the user passes the authentication by recognizing and identifying the images he or she selected during the registration stage. Using recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage.

Dhamija and Perrig proposed a graphical authentication scheme based on the Hash Visualization technique. In their system, the user is asked to select a certain number of images from a set of random pictures generated by a program. Later, the user will be required to identify the pre-selected images in order to be authenticated. The results showed that 90% of all participants succeeded in the authentication using this technique, while only 70% succeeded using text-based passwords and PINs. The average log-in time, however, is longer than the traditional approach. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user.
Random images used by Dhamija and Perrig

Sobrado and Birget developed a graphical password technique that deals with the shoulder-surfing problem. In the first scheme, the system will display a number of pass-objects (pre-selected by user) among many other objects. To be authenticated, a user needs to recognize pass-objects and click inside the convex hull formed by all the pass-objects. In order to make the password hard to guess, Sobrado and Birget suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable, but using fewer objects may lead to a smaller password space, since the resulting convex hull can be large. In their second algorithm, a user moves a frame (and the objects within it) until the pass object on the frame lines up with the other two pass-objects. The authors also suggest repeating the process a few more times to minimize the likelihood of logging in by randomly clicking or rotating. The main drawback of these algorithms is that the log in process can be slow.
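The click check in Sobrado and Birget's first scheme, and why a large convex hull weakens it, as an added Python example that is not part of the report. The display size, object coordinates and function names are constructed for illustration, and the repeated-round estimate assumes each round's hull covers the same fraction of the display.

```python
def cross(o, a, b):
    """Z-component of (a - o) x (b - o); its sign gives the turn direction o -> a -> b."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain; interior and collinear points are dropped."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    def half(seq):
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(chain[-2], chain[-1], p) <= 0:
                chain.pop()
            chain.append(p)
        return chain[:-1]
    return half(pts) + half(reversed(pts))

def click_passes(pass_objects, click):
    """A click authenticates only if it lies inside (or on) the hull of the pass-objects."""
    hull = convex_hull(pass_objects)
    n = len(hull)
    if n < 3:  # degenerate hull: there is no area to click in
        return False
    return all(cross(hull[i], hull[(i + 1) % n], click) >= 0 for i in range(n))

def random_click_success(pass_objects, width, height, rounds=1):
    """Chance that uniformly random clicks pass `rounds` challenges in a row."""
    hull = convex_hull(pass_objects)
    n = len(hull)
    # Shoelace formula for the hull area.
    area = abs(sum(hull[i][0] * hull[(i + 1) % n][1]
                   - hull[(i + 1) % n][0] * hull[i][1] for i in range(n))) / 2
    return (area / (width * height)) ** rounds

# Constructed 800x600 display; the fourth pass-object lies inside the other three.
PASS_OBJECTS = [(100, 100), (700, 120), (400, 500), (400, 300)]

if __name__ == "__main__":
    print("legitimate click accepted:", click_passes(PASS_OBJECTS, (400, 250)))
    print("click outside hull accepted:", click_passes(PASS_OBJECTS, (50, 550)))
    for rounds in (1, 5):
        p = random_click_success(PASS_OBJECTS, 800, 600, rounds)
        print(f"random-click success over {rounds} round(s): {p:.5f}")
```

With widely spread pass-objects a single random click succeeds about a quarter of the time here, which is why the scheme has to repeat the challenge.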
A shoulder-surfing resistant graphical password scheme

Man, et al. proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy-objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene as well as a code indicating the relative location of the pass-objects in reference to a pair of eyes. The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video because there is no mouse click to give away the pass-object information. However, this method still requires users to memorize the alphanumeric code for each pass-object variant. Hong, et al. later extended this approach to allow the user to assign their own codes to pass-object variants. However, this method still forces the user to memorize many text strings and therefore suffers from the many drawbacks of text-based passwords.

An example of Passfaces

Jansen et al. proposed a graphical password mechanism for mobile device. During the enrollment stage, a user selects a theme (e.g. sea, cat, etc.) which consists of thumbnail p

password. During the authentication, the user must enter the registered images in the correct sequence. One drawback of this technique is that since the number of thumbnail images is limited to 30, the password space is small. Each thumbnail image is assigned a numerical value, and the sequence of selection will generate a numerical password. The result showed that the image sequence length was generally shorter than the textual password length. To address this problem, two pictures can be combined to compose a new alphabet
A graphical password scheme proposed by Jansen, et al.

RECALL BASED

Reproduce a drawing:

Jermyn, et al. proposed a technique, called "Draw-a-secret (DAS)", which allows the user to draw their unique password. A user is asked to draw a simple picture on a 2D grid. The coordinates of the grids occupied by the picture are stored in the order of the drawing. During authentication, the user is asked to re-draw the picture. If the drawing touches the same grids in the same sequence, then the user is authenticated. Jermyn, et al. suggested that given reasonable-length passwords in a 5 × 5 grid, the full password space of DAS is larger

Draw-a-Secret (DAS) technique proposed by Jermyn, et al.

Nali and Thorpe conducted further analysis of the "Draw-A-Secret (DAS)" scheme. In their study, users were asked to draw a DAS password on paper in order to determine if there are predictable characteristics in the graphical passwords that people choose. The study did not find any predictability in the start and end points for DAS password strokes, but found that certain symmetries (e.g. crosses and rectangles), letters, and numbers were common.

The "PassPoint" system by Wiedenbeck, et al. extended Blonder's idea by eliminating the predefined boundaries and allowing arbitrary images to be used. As a result, a user can click on any place on an image (as opposed to some pre-defined areas) to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, the user must click within the tolerance of their chosen pixels and also in the correct sequence. This technique is based on the discretization method proposed by Birget, et al. Because any picture can be used and because a picture may contain hundreds to thousands of memorable points, the possible password space is quite large.

An image used in the Passpoint System, Wiedenbeck, et al.
given by server. Since any image is made of pixels we have its gray level concentration. In this way the image will be distorted and cannot be in original form, so it is not easy for hacker to reproduce the original form of image. The flow chart of the proposed technique is given below.

Step 1: User will select an image from database as password
Step 2: Image clustering will take place
Step 3: Distributes the clusters throughout image space
Step 5: For login user will again be asked to pick up an image from database
If password matches
Step F: User will be allowed surfing on website
Otherwise go to step
Block diagram for the New Technique

Is a graphical password as secure as text-based password?

Very little research has been done to study the difficulty of cracking graphical passwords. Because graphical passwords are not widely used in practice, there is no report on real cases of breaking graphical passwords. Here we briefly examine some of the possible techniques for breaking graphical passwords and try to do a comparison with text-based passwords.

smaller password spaces than the recall based methods. It is more difficult to carry out a brute force attack against graphical passwords than text-based passwords. The attack programs need to automatically generate accurate mouse motion to imitate human input, which is particularly difficult for recall based graphical passwords. Overall, we believe a graphical password is less vulnerable to brute force attacks than a text-based password.
Dictionary attacks

Since recognition based graphical passwords involve mouse input instead of keyboard input, it will be impractical to carry out dictionary attacks against this type of graphical passwords. For some recall based graphical passwords it is possible to use a dictionary attack but an automated dictionary attack will be much more complex than a text based dictionary attack. More research is needed in this area. Overall, we believe graphical passwords are less vulnerable to dictionary attacks than text-based passwords.

Guessing

Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically associated with text-based passwords. For example, studies on the Passface technique have shown that people often choose weak and predictable graphical passwords. Nali and Thorpe's study revealed similar predictability among the graphical passwords created with the DAS technique. More research efforts are needed to understand the nature of graphical passwords created by real world users.
Shoulder surfing

of the graphical passwords are vulnerable to shoulder surfing. At this point, only a few recognition-based techniques are designed to resist shoulder-surfing. None of the recall-based techniques are considered shoulder-surfing resistant.

What are the major design and implementation issues of graphical passwords?

Security

In the above section, we have briefly examined the security issues with graphical passwords.

Usability

One of the main arguments for graphical passwords is that pictures are easier to remember than text strings. Preliminary user studies presented in some research papers seem to support this. However, current user studies are still very limited, involving only a small number of users. We still do not have convincing evidence demonstrating that graphical passwords are easier to remember than text based passwords. A major complaint among the users of graphical passwords is that the password registration and log-in process take too long, especially in recognition-based approaches. For example, during the registration stage, a user has to pick images from a large set of selections. During authentication stage, a user has to scan many images to identify a few pass-images. Users may find this process long and tedious. Because of this and also because most users are not familiar with the graphical passwords, they often find graphical passwords less convenient than text based passwords.

Reliability

The major design issue for recall-based methods is the reliability and accuracy of user input recognition. In this type of method, the error tolerances have to be set carefully: overly high tolerances may lead to many false positives while overly low tolerances may lead to many false negatives. In addition, the more error tolerant the program, the more vulnerable it is to attacks.

Graphical passwords require much more storage space than text based passwords. Tens of thousands of pictures may have to be maintained in a centralized database. Network transfer delay is also a concern for graphical passwords, especially for recognition-based techniques in which a large number of pictures may need to be displayed for each round of verification.

Conclusion:

The past decade has seen a growing interest in using graphical passwords as an alternative to the traditional text-based passwords. In this paper, we have conducted a comprehensive survey of existing graphical password techniques. The current graphical password techniques can be classified into two categories: recognition-based and recall-based techniques. Although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text-based passwords, the existing user studies are very limited and there is not yet convincing evidence to support this argument. Our preliminary analysis suggests that it is more difficult to break graphical passwords using the traditional attack methods such as brute force search, dictionary attack, or spyware. However, since there is not yet wide deployment of graphical password systems, the vulnerabilities of graphical passwords are still not fully understood. Overall, the current graphical password techniques are still immature. Much more research and user studies are needed for graphical techniques to achieve levels of maturity and
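The tolerance trade-off raised under Reliability, applied to the PassPoint click check described earlier, as an added Python example that is not part of the report. The image size, click coordinates and function names are constructed; the check compares raw coordinates rather than implementing the discretization method, and the work-factor estimate treats each tolerance region as a full disc inside the image.

```python
import math

def verify_clicks(enrolled, attempt, tolerance):
    """Accept only if every click is within `tolerance` pixels of the enrolled
    point at the same position in the sequence."""
    if len(enrolled) != len(attempt):
        return False
    return all(math.hypot(ax - ex, ay - ey) <= tolerance
               for (ex, ey), (ax, ay) in zip(enrolled, attempt))

def guess_bits(width, height, n_clicks, tolerance):
    """Approximate work factor in bits against uniformly random clicks:
    each click succeeds with probability (tolerance disc area / image area)."""
    per_click = min(1.0, math.pi * tolerance ** 2 / (width * height))
    return -n_clicks * math.log2(per_click)

# Constructed enrollment on a 640x480 image: five click points in order.
ENROLLED = [(120, 80), (300, 210), (45, 400), (510, 95), (330, 330)]
# Constructed legitimate login: same points, each off by at most 5 pixels.
LEGIT = [(123, 84), (297, 212), (48, 396), (512, 99), (333, 327)]
# Constructed wrong attempt: right points, first two in the wrong order.
SWAPPED = [LEGIT[1], LEGIT[0]] + LEGIT[2:]

def tolerance_report(tolerances, width=640, height=480):
    """For each tolerance: (tolerance, legitimate user accepted,
    wrong-order attempt accepted, approximate bits of guessing work)."""
    return [(t,
             verify_clicks(ENROLLED, LEGIT, t),
             verify_clicks(ENROLLED, SWAPPED, t),
             round(guess_bits(width, height, len(ENROLLED), t), 1))
            for t in tolerances]

if __name__ == "__main__":
    for t, legit_ok, swapped_ok, bits in tolerance_report([4, 10, 250]):
        print(f"tolerance={t:>3}px  legit={legit_ok!s:<5}  "
              f"wrong-order={swapped_ok!s:<5}  ~{bits} bits")
```

The smallest tolerance rejects the legitimate user (a false negative), the largest accepts the wrong-order attempt (a false positive), and each doubling of the tolerance removes about two bits of guessing work per click.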