Chengxue Qian,Xingwei Song,Yun Huang,Xuejia Lai

DOI: https://doi.org/10.2991/icacsei.2013.146

2013-01-01

Abstract:In this paper, we present a novel user-friendly graphical password scheme resistant against "watching" attacks. Snapshot, remote monitoring, and shoulder-surfing have in common that all these attacks act as if one could directly watch the users' behavior on the screen, resulting in an insecure use of alphanumeric passwords ("watching" attacks). New technology based on graphical passwords uses graphs as authentication media where the user identifies, reproduces, or interacts with graphs to prove his identity, which partly blocks the danger. However, current graphical passwords such as D-A-S, PassPoints, Passfaces TM, and the algorithms D. Hong and Sobrado, etc. proposed are either too complicated or ineffective against "watching" attacks. In our proposal, the authentication process uses familiar images that only true users can recognize. It is hard to fabricate even many previous authentication processes are totally exposed. Furthermore a detailed application in OTP, which basically establishes an extra OTP input encryption, is discussed and its security analysis is presented.

Xiyang Liu,Zhongjie Ren,Xiuling Chang,Haichang Gao,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2829297

2013-01-01

Abstract:The trend toward a highly mobile workforce and the ubiquity of graphical interfaces (such as the stylus and touch-screen) has enabled the emergence of graphical authentications in Personal Digital Assistants (PDAs) [1]. However, most of the current graphical password schemes are vulnerable to shoulder-surfing [2,3], a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Several approaches have been developed to deal with this problem, but they have significant usability drawbacks, usually in the time and effort to log in, making them less suitable for authentication [4, 8]. For example, it is time-consuming for users to log in CHC [4] and there are complex text memory requirements in scheme proposed by Hong [5]. With respect to the scheme proposed by Weinshall [6], not only is it intricate to log in, but also the main claim of resisting shoulder-surfing is proven false [7]. In this paper, we introduce a new graphical password scheme which provides a good resistance to shouldersurfing and preserves a desirable usability.

Hung-Min Sun,Shiuan-Tung Chen,Jyh-Haw Yeh,Chia-Yun Cheng

DOI: https://doi.org/10.1109/tdsc.2016.2539942

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Liming Wang,Xiuling Chang,Zhongjie Ren,Haichang Gao,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/AINA.2010.46

2013-06-01

Abstract:Text-based password schemes have inherent security and usability problems, leading to the development of graphical password schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retaining the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in the future work.

Cryptography and Security

Qibin Sun,Zhi Li,Xudong Jiang,Alex Kot

DOI: https://doi.org/10.1109/iscas.2008.4542082

2008-01-01

Abstract:Graphical password (i.e., image based authentication) is considered as a promising alternative to traditional textual password for mobile devices, to achieve better tradeoff between usability and security. However, previous proposals of graphical password have the limitation of limited entropy. In this paper, we propose a new scheme incorporating user face based authentication into the association-based graphical password solution we proposed before, aiming at achieving higher security without compromising user-friendliness for mobile application scenarios. System performance analysis and comparisons with other schemes are presented to validate our scheme.

Xian Chu,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-030-54455-3_12

2020-01-01

Abstract:This paper proposes a two-factor graphical password authentication scheme, PassPage, which is suitable for website authentication with enhanced security. It leverages the implicit memory based on the user’s web browsing records. Whenever the user tries to log in, the server returns 9 small pages as a challenge, and asks the user to select all the pages the user has browsed besides inputting a text password. We performed user experiments on 12 volunteers. The experiment results showed that the average login success rate on a news website is steadily over 80% when the users are familiar with the login process, and the login success rate does not decrease sharply in 6 days.

Xingjie Yu,Zhan Wang,Yingjiu Li,Liang Li,Wen Tao Zhu,Li Song

DOI: https://doi.org/10.1016/j.cose.2017.05.006

IF: 5.105

2017-01-01

Computers & Security

Abstract:The passwords for authenticating users are susceptible to shoulder-surfing attacks in which attackers learn users' passwords through direct observations without any technical support. A straightforward solution to defend against such attacks is to change passwords periodically or even constantly, making the previously observed passwords useless. However, this may lead to a situation in which users run out of strong passwords they can remember, or they are forced to choose passwords that are weak, correlated, or difficult to memorize. To achieve both security and usability in user authentication, we propose EvoPass, the first evolvable graphical password authentication system. EvoPass transforms a set of user-selected pass images to pass sketches as user credentials. Users are required to identify their pass sketches from a set of challenge images for user authentication. Particularly, EvoPass improves password strength gradually over time through continually degrading pass sketches without annoying users to reselect pass images. The evolving feature makes it difficult for observational adversaries to identify the pass sketches, even though part of pass sketches may have been exposed to adversaries previously. We introduce two metrics, Information Retention Rate (IRR) and Password Diversity Score (PDS) to guide the process of generating pass sketches and a set of challenge images. Our experimental analysis reveals that applying reasonable IRR and PDS in EvoPass can remarkably improve the resistance to shoulder-surfing attacks without negatively affecting user experience. We also implement a prototype of EvoPass on Android platform with reasonable IRR and PDS applied. Our experimental results on the prototype further demonstrate that EvoPass could work efficiently and achieve a desired usability.

Huiping Sun,Ke Wang,Xu Li,Nan Qin,Zhong Chen

DOI: https://doi.org/10.1145/2785830.2785880

2015-01-01

Abstract:Existing graphical passwords require users to proactively memorize their secrets and meanwhile these schemes are vulnerable to shoulder surfing attacks. We propose a novel graphical password scheme, PassApp, which utilizes users' everyday memory about installed apps on mobile devices as shared secrets. As the registration stage is no longer needed, PassApp exempts users from additional memory burden and greatly enhances user experience. Additionally, PassApp owns a large password set and only a small part of passwords may be exposed during a login. Therefore, PassApp has a natural advance on effectively resisting guessing attacks and shoulder surfing attacks. Our user studies demonstrate that PassApp performs well with a reasonable login time (7.27s) and a high success rate (95.48%). Our security analysis shows PassApp can effectively withstand one-time shoulder surfing attacks and on average 30 times of shoulder surfing are necessary to expose all passwords.

Mizuki Oka,Kazuhiko Kato,Yingqing Xu,Lin Liang,Fang Wen

DOI: https://doi.org/10.1109/icpr.2008.4761233

2008-01-01

Abstract:This paper presents a sketch-based password authentication system called Scribble-a-Secret as a graphical password scheme in which free-form drawings are used as a means to authenticate users. Unlike existing schemes, this approach requires no input of graphical passwords in particular sequences of strokes. Moreover, the system allows for a modicum of variation when users recreate their passwords. Our technique uses edge orientations extracted from sketch images to discern one user from another. Our experiments show that our recognition technique is robust for recognizing sketches while differentiating from others with both a false acceptance rate and false rejection rate of less than 1%.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Xiangxue Li,Yu Yu,Qiang Li,Haifeng Qian,Yuan Zhou,Jian Weng

DOI: https://doi.org/10.1145/2660267.2662379

2014-01-01

Abstract:Graphical password methods rely on human experience and hand selection (not well-quantified metric) to evaluate the appropriateness and the confusion of the challenge images. In this paper we propose to use for authentication Chinese characters, for which the entropy can be up to 9.65 (much larger than other languages). We first show an algorithmic framework to authenticate a user and then present an empirical analysis conducted at a university. The advantages of the framework include the following: the storage overhead is low; no personal experience or hand selection is involved; there is no predefined dictionary of likely choices; and it can be easily referenced by personal-style cues.Our study shows that the number of participants that prefer our framework is much close to that in favor of graphical passwords, with an interesting outcome that the two groups of participants present significantly distinct backgrounds. Our framework and graphical passwords can be used as candidate authentication methods for users with different backgrounds. We also measure user choices of patterns and find that there is a slight preference of the 3x3 grid to the circle patterns. While the proposed framework prescribes the challenge characters, the users have the option to define challenge characters of their own.

Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

Hala Assal,Ahsan Imran,Sonia Chiasson

DOI: https://doi.org/10.48550/arXiv.1610.09743

2016-10-31

Abstract:In this paper, we explore graphical passwords as a child-friendly alternative for user authentication. We evaluate the usability of three variants of the PassTiles graphical password scheme for children, and explore the similarities and differences in performance and preferences between children and adults while using these schemes. Children were most successful at recalling passwords containing images of distinct objects. Both children and adults prefer graphical passwords to their existing schemes, but password memorization strategies differ considerably between the two groups. Based on our findings, we provide recommendations for designing more child-friendly authentication schemes.

Human-Computer Interaction

Hung-Min Sun,Yao-Hsin Chen,Chiung-Cheng Fang,Shih-Ying Chang

DOI: https://doi.org/10.1145/2414456.2414513

2012-01-01

Abstract:Text passwords have been used in authentication systems for many decades. Users must recall the textual strings selected during registration to pass authentication. However, there are some serious problems with text passwords recollection and security. Hence, various graphical-password authentication systems have been proposed to solve the problems of text passwords. Previous studies indicate that humans are better at recognizing and recalling images than texts. In 2005, Wiedenbeck et al. proposed PassPoints in which a password consists of a sequence of click-points (5 to 8) that a user chooses on an image. In the paper, we proposed an alternative system in which users can memorize fewer points while providing more security than PassPoints. Based on the idea of using an extremely large image as the password space, we propose a novel world map based graphical password authentication system called PassMap in which a password consists of a sequence of 2 click-points that a user selects on an large world map. We also conducted a user study for evaluation. The result shows that the passwords of PassMap are easy to memorize for humans and PassMap is friendly to use in practice. Furthermore, PassMap provides higher entropy than PassPoints and also increases the cost of attacks.

Argyris Constantinides,Christos Fidas,Marios Belk,Anna Maria Pietron,Ting Han,Andreas Pitsillides

DOI: https://doi.org/10.1016/j.ijhcs.2021.102602

IF: 4.866

2021-01-01

International Journal of Human-Computer Studies

Abstract:This paper suggests a novel cued-recall-based graphical authentication method, which leverages on users' sociocultural experiences for improving the security and memorability of selected secrets. We evaluated the suggested approach in the context of three user studies (n = 139): a) an eye-tracking study (n = 42) focusing on security in terms of resistance to brute-force attacks; b) a two-week study (n = 71) focusing on memorability and login usability; and c) a controlled in-lab user study (n = 26) focusing on human attack vulnerabilities among people sharing common sociocultural experiences. Analysis of results revealed that the suggested approach influenced visual behavior strategies of end-users, which subsequently resulted in significantly stronger passwords created on images reflecting their prior experiences than on images unfamiliar to them. Simultaneously, both reference and control groups performed similarly in terms of memorability and login efficiency and effectiveness. On the downside, the suggested approach introduces password guessing vulnerabilities in terms of allowing attackers who share common experiences with the end-users to more easily identify regions of their selected secrets. Findings point towards a new direction for delivering personalized cued-recall graphical authentication schemes that depict image semantics bootstrapped to users' real-life experiences.

Anna Maria Pietron,Ting Han

DOI: https://doi.org/10.1145/3386392.3399558

2020-01-01

Abstract:The strength and memorability of picture passwords, that corelate with user's visual behavior, not only diverse between their cognitive styles but also within the culture predispositions. As part of the works investigating this topic, this paper reports a case study investigating visual behavior of Chinese students (N=36) on establishing graphical password. To examine cognitive and visual behavior, we have provided our participants with two sets of images: the first set illustrated images highly related to their daily-life experiences (culture-internal), while the second set illustrated images presenting daily-life experiences in a different sociocultural context (culture-external). Our results have indicated that users spent more time exploring culture-internal, rather than culture-external photos before they made graphical password selection. Different content of our pictures also affected the percentage of password gestures chosen by participants with culture-external image type falling higher on hot-spots segments. Our study sustains previous findings that promote individual approach towards users' sociocultural experiences in the design of personalized graphical password schemes.

Ziming Zhao,Gail-Joon Ahn,Jeong-Jin Seo,Hongxin Hu

2013-01-01

Abstract:Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8™ operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.

Can Liu,Shridatt Sugrim,Gradeigh D. Clark,Janne Lindqvist

DOI: https://doi.org/10.48550/arXiv.1812.09410

2018-12-21

Cryptography and Security

Abstract:Gesture and signature passwords are two-dimensional figures created by drawing on the surface of a touchscreen with one or more fingers. Prior results about their security have used resilience to either shoulder surfing, a human observation attack, or dictionary attacks. These evaluations restrict generalizability since the results are: non-comparable to other password systems (e.g. PINs), harder to reproduce, and attacker-dependent. Strong statements about the security of a password system use an analysis of the statistical distribution of the password space, which models a best-case attacker who guesses passwords in order of most likely to least likely. Estimating the distribution of recognition passwords is challenging because many different trials need to map to one password. In this paper, we solve this difficult problem by: (1) representing a recognition password of continuous data as a discrete alphabet set, and (2) estimating the password distribution through modeling the unseen passwords. We use Symbolic Aggregate approXimation (SAX) to represent time series data as symbols and develop Markov chains to model recognition passwords. We use a partial guessing metric, which demonstrates how many guesses an attacker needs to crack a percentage of the entire space, to compare the security of the distributions for gestures, signatures, and Android unlock patterns. We found the lower bounds of the partial guessing metric of gestures and signatures are much higher than the upper bound of the partial guessing metric of Android unlock patterns.

Zhi Li,Qibin Sun,Yong Lian,D. D. Giusto

DOI: https://doi.org/10.1007/11538356_78

2005-01-01

Abstract:Motivated by the need for designing secure and user-friendly authentication method for mobile devices, we present a novel image-based authentication (IBA) scheme in this paper. Its mnemonics efficacy rests on the human cognitive ability of association-based memorization. To tackle the shoulder-surfing attack issue, an interactive authentication process is presented. System performance analysis and comparisons with other schemes are presented to support our proposals.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.