Professional Documents
Culture Documents
Faculty of Computer Science and Information Technology, University Malaysia (UM), Kuala Lumpur, Malaysia.
Information Technology and Quantitative Science, University Technology MARA (UITM), Shah Alam, Malaysia.
Today user authentication stands out as one of the most essential areas in information security which
has several ways of being implemented. From time in memorial authentication schemes that apply
strong text-based passwords have been typically expected to offer some assurance of security. But
committing to memory such strong passwords can prove to be quite a daunting task thus forcing users
to resort to writing them down on pieces of papers or even storing them onto a computer file. As a
means of thwarting such habits, graphical authentication has been proposed as a replacement for textbased authentication. This has been spurred by the fact the humans have a natural inclination to
remember images more easily than text. Most Information Communication and Telecommunication (ICT)
environments in the last 20 years have tried to implement graphical user authentication schemes. The
effectiveness of a graphical password is measured by its level of usability and security. Despite there
being many existing algorithms most have failed to achieve both aspects simultaneously. To start with
this paper reviews the pure and cued recall-based algorithms graphical password authentication
schemes together with their shortcomings and probable attacks. Thereafter a comparative analysis of
all Recall-Based algorithms based on attack patterns of graphical user authentication is tabulated. This
is then followed by a discussion on the newly proposed algorithm that is based on a multi size grid and
its evaluation by an attacker team. Finally, a comparison of the newly proposed algorithm and previous
algorithms will be evaluated in a table.
Key words: Recall-based GUA, pure recall-based algorithm, cued recall-based algorithm, graphical password,
usability, security, attack patterns.
INTRODUCTION
Only in the last few years has computer and network
security been recognized as a technical problem,
especially when dealing with user authentication. User
authentication typically in form of a password, is a key
security process that either allows or denies access to a
system or resource depending on the credentials
presented. A password comprises of authentication data
which is used to control access to resources. The
security of a password lies in it being kept secret from
unauthorized users while those wishing to gain access
use passwords for the system to be able to determine
3866
Lashkari et al.
3867
3868
Lashkari et al.
3869
PassPoint
PassMap
3870
Lashkari et al.
3871
3872
Lashkari et al.
3873
3874
DATA COLLECTION
A web based system was developed and accessible online using
the URL www.graphicalpassword.net to allow us to gather users
feedback and execute the attack plan.
Data analysis
In order to evaluate users feedback on the proposed algorithm, we
considered two plans. To start with, a questionnaire was distributed
to get user perceptions on satisfaction and usability attributes
based on 15 questions. This was then followed by a policy
designed in such a way that 5 attackers positioned on the left, right
and behind a user in a public place (our faculty hall) could be
attempt a shoulder surfing attack. To augment this one camera was
also used for monitoring.
Spyware
Shoulder surfing
Social engineering
N
N
N
N
N
Y
Y
Y
N
Y
Y
Y
Y
Y
N
N
Y
Y
Y
Y
N
Y
N
N
Y
Y
Y
Y
N
Y
N
N
N
N
N
Y
Y
N
N
N
Y
Y
Y
N
N
N
Dictionary
Brute force
Pure Recall-Based
Passdoodle
Draw A Secret (DAS)
Grid Selection
Qualitative DAS
Syukri Algorithm
Proposed algorithm
Blonder
Passpoint
Background DAS
PASSMAP
Passlogix V-Go
Viskey SFR
Pass-Go
Attacks
Guessing
1
2
3
4
5
6
7
8
9
10
11
12
13
Algorithm
Row
RESULTS
DISCUSSION
i. Easy to use
ii. Easy to memorize
iii. Easy to understand
iv. Easy to execute
Lashkari et al.
Conclusions
Seven Pure Recall-Based and five Cued Recall-Based
graphical password authentication algorithms were
reviewed in this study. From all these algorithms we were
able to come up with a number of shortcomings that can
allow attacks to be perpetuated. Therefore, it can be
concluded that the most common Lacks on the nine
algorithms were:
i. Due to users frequently being fascinated by pictures
drawn by other users the common picture for passwords
became obvious.
ii. After some time has elapsed users tend to forget
iii. The drawing sequence that they had used
iv. Typically users have a tendency to choose weak
passwords which are vulnerable to the graphical
dictionary attack.
v. The use of a mouse as a drawing input device for
graphical password is not common.
vi. It is not easy to commit to memory and use some of
the algorithms.
vii. The choice of weak passwords leads to passwords
that are easily guessable or predictable.
After this a GUA attack patterns survey was done in an
attempt to make a comparison table for recall-based
algorithms based on attack patterns. As part of future
works, an algorithm that is resistant to most of the
shortcomings mentioned in this paper will be proposed
and developed.
In conclusion, our newly proposed algorithm for a
graphical password is based on multi size grids used
during the login phase and was uploaded on a website
(www.graphicalpassword.net) for a 3 month evaluation
period. The evaluation included an attacking scenario
and an on-line questionnaire on the same website.
ACKNOWLEDGMENTS
We would like to express our appreciation to our parents
and all the teachers and lecturers who helped us to
understand the importance of knowledge and show us
the best way to gain it.
3875
REFERENCES
Ahmet ED, Nasir M, Jean-Camille B (2007). Modeling user choice in the
PassPoints graphical password scheme, Symposium on Usable
Privacy and Security. Pittsburgh, Pennsylvania, USA. ACM, 20-28;
July.
Ali Mohamed E (2008). Study and Develop a New Graphical Password
System, University Technology Malaysia, Master Dissertation.
Arash HL, Rosli S, Samaneh F, Omar BZ (2009). A wide-range survey
on Recall-Based Graphical User Authentications algorithms based on
ISO and Attack Patterns, IJCSIS, 6: 3.
Christopher VP (2004). a Lightweight Authentication Method,
Massachusetts Institute of Technology, Research Science Institute,
July 27.
Di L, Paul D, Patrick O, Jeff Y (2007). Graphical Passwords and
Qualitative Spatial Relations, Proceedings of the 3rd symposium on
Usable privacy and security. Pittsburgh, Pennsylvania. ACM, 161162; July.
Greg EB (1996). Graphical Password, U.S. Patent No. 5559961.
Jermyn I, Mayer A, Monrose XA, Reiter MK, Rubin AD (1999). The
design and analysis of graphical passwords, Proceedings of the
Eighth USENIX Security Symposium. August 23-26. USENIX Assoc.,
pp. 1-14.
Karen R (2008). On user involvement in production of images used in
visual authentication; Elsevier, J. Visual Languages and Computing.
Muhammad DH, Abdul HA, Norafida IT, Hazinah KM (2008). Towards
Identifying Usability and Security Features of Graphical Password in
Knowledge Based Authentication Technique; IEEE Explore, 2008
Roman VY (2007). User Authentication via Behavior Based Passwords;
IEEE Explore, 2007.
Saranga K, Dugald RH (2008). Order and Entropy in Picture
Passwords, Proceedings of graphics interface 2008. Windsor,
Ontario, Canada. Canadian Information Processing Society, pp. 115122.
Susan W, Jean-Camille B, Alex B (2005a).Authentication Using
Graphical Passwords: Effects of Tolerance and Image Choice,
Symposium On Usable Privacy and Security (SOUPS), Pittsburgh,
PA, USA.
Susan W, Jim W, Jean-Camille B, Alex B, Nasir M (2005b). PassPoints,
Design and longitudinal evaluation of a graphical password system,
Academic Press, Inc. 102-127, July.
Xiaoyuan S, Ying ZG, Scott O (2005). Graphical Passwords: A Survey,
Proceedings of the 21st Annual Computer Security Applications.
IEEE, pp. 463-472.