Hung-Min Sun,Shiuan-Tung Chen,Jyh-Haw Yeh,Chia-Yun Cheng

DOI: https://doi.org/10.1109/tdsc.2016.2539942

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Xian Chu,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-030-54455-3_12

2020-01-01

Abstract:This paper proposes a two-factor graphical password authentication scheme, PassPage, which is suitable for website authentication with enhanced security. It leverages the implicit memory based on the user’s web browsing records. Whenever the user tries to log in, the server returns 9 small pages as a challenge, and asks the user to select all the pages the user has browsed besides inputting a text password. We performed user experiments on 12 volunteers. The experiment results showed that the average login success rate on a news website is steadily over 80% when the users are familiar with the login process, and the login success rate does not decrease sharply in 6 days.

Huiping Sun,Ke Wang,Xu Li,Nan Qin,Zhong Chen

DOI: https://doi.org/10.1145/2785830.2785880

2015-01-01

Abstract:Existing graphical passwords require users to proactively memorize their secrets and meanwhile these schemes are vulnerable to shoulder surfing attacks. We propose a novel graphical password scheme, PassApp, which utilizes users' everyday memory about installed apps on mobile devices as shared secrets. As the registration stage is no longer needed, PassApp exempts users from additional memory burden and greatly enhances user experience. Additionally, PassApp owns a large password set and only a small part of passwords may be exposed during a login. Therefore, PassApp has a natural advance on effectively resisting guessing attacks and shoulder surfing attacks. Our user studies demonstrate that PassApp performs well with a reasonable login time (7.27s) and a high success rate (95.48%). Our security analysis shows PassApp can effectively withstand one-time shoulder surfing attacks and on average 30 times of shoulder surfing are necessary to expose all passwords.

Hala Assal,Ahsan Imran,Sonia Chiasson

DOI: https://doi.org/10.48550/arXiv.1610.09743

2016-10-31

Abstract:In this paper, we explore graphical passwords as a child-friendly alternative for user authentication. We evaluate the usability of three variants of the PassTiles graphical password scheme for children, and explore the similarities and differences in performance and preferences between children and adults while using these schemes. Children were most successful at recalling passwords containing images of distinct objects. Both children and adults prefer graphical passwords to their existing schemes, but password memorization strategies differ considerably between the two groups. Based on our findings, we provide recommendations for designing more child-friendly authentication schemes.

Human-Computer Interaction

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Qibin Sun,Zhi Li,Xudong Jiang,Alex Kot

DOI: https://doi.org/10.1109/iscas.2008.4542082

2008-01-01

Abstract:Graphical password (i.e., image based authentication) is considered as a promising alternative to traditional textual password for mobile devices, to achieve better tradeoff between usability and security. However, previous proposals of graphical password have the limitation of limited entropy. In this paper, we propose a new scheme incorporating user face based authentication into the association-based graphical password solution we proposed before, aiming at achieving higher security without compromising user-friendliness for mobile application scenarios. System performance analysis and comparisons with other schemes are presented to validate our scheme.

Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

Haichang Gao,Zhongjie Ren,Xiuling Chang,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/cw.2010.34

2010-01-01

SSRN Electronic Journal

Abstract:Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images orderly rather than click directly on them. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shouldersurfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time.

Haichang Gao,Zhongjie Ren,Xiuling Chang,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1306.3054

2013-06-13

Cryptography and Security

Abstract:Graphical passwords have been demonstrated to be the possible alternatives to traditional alphanumeric passwords. However, they still tend to follow predictable patterns that are easier to attack. The crux of the problem is users' memory limitations. Users are the weakest link in password authentication mechanism. It shows that baroque music has positive effects on human memorizing and learning. We introduce baroque music to the PassPoints graphical password scheme and conduct a laboratory study in this paper. Results shown that there is no statistic difference between the music group and the control group without music in short-term recall experiments, both had high recall success rates. But in long-term recall, the music group performed significantly better. We also found that the music group tended to set significantly more complicated passwords, which are usually more resistant to dictionary and other guess attacks. But compared with the control group, the music group took more time to log in both in short-term and long-term tests. Besides, it appears that background music does not work in terms of hotspots.

Zhixiong Zheng,Haibo Cheng,Zijian Zhang,Yiming Zhao,Ping Wang

DOI: https://doi.org/10.1155/2018/6160125

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:We present in this paper an alternative method for understanding user-chosen passwords. In password research, much attention has been given to increasing the security and usability of individual passwords for common users. Few of them focus on the relationships between passwords; therefore we explore the relationships between passwords: modification-based, similarity-based, and probability-based. By regarding passwords as vertices, we shed light on how to transforma dataset of passwords into a password graph. Subsequently, we introduce some novel notions from graph theory and report on a number of inner properties of passwords from the perspective of graph. With the assistance of Python Graph-tool, we are able to visualize our password graph to deliver an intuitive grasp of user-chosen passwords. Five real-world password datasets are used in our experiments to fulfill our thorough experiments. We discover that (1) some passwords in a dataset are tightly connected with each other; (2) they have the tendency to gather together as a cluster like they are in a social network; (3) password graph has logarithmic distribution for its degrees. Top clusters in password graph could be exploited to obtain the effective mangling rules for cracking passwords. Also, password graph can be utilized for a new kind of password strength meter.

Sam Parker,Haiyue Yuan,Shujun Li

DOI: https://doi.org/10.1109/VizSec60606.2023.00011

2024-02-18

Abstract:Passwords remain the most widely used form of user authentication, despite advancements in other methods. However, their limitations, such as susceptibility to attacks, especially weak passwords defined by human users, are well-documented. The existence of weak human-defined passwords has led to repeated password leaks from websites, many of which are of large scale. While such password leaks are unfortunate security incidents, they provide security researchers and practitioners with good opportunities to learn valuable insights from such leaked passwords, in order to identify ways to improve password policies and other security controls on passwords. Researchers have proposed different data visualisation techniques to help analyse leaked passwords. However, many approaches rely solely on frequency analysis, with limited exploration of distance-based graphs. This paper reports PassViz, a novel method that combines the edit distance with the t-SNE (t-distributed stochastic neighbour embedding) dimensionality reduction algorithm for visualising and analysing leaked passwords in a 2-D space. We implemented PassViz as an easy-to-use command-line tool for visualising large-scale password databases, and also as a graphical user interface (GUI) to support interactive visual analytics of small password databases. Using the "000webhost" leaked database as an example, we show how PassViz can be used to visually analyse different aspects of leaked passwords and to facilitate the discovery of previously unknown password patterns. Overall, our approach empowers researchers and practitioners to gain valuable insights and improve password security through effective data visualisation and analysis.

Cryptography and Security

Liming Wang,Xiuling Chang,Zhongjie Ren,Haichang Gao,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/AINA.2010.46

2013-06-01

Abstract:Text-based password schemes have inherent security and usability problems, leading to the development of graphical password schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retaining the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in the future work.

Cryptography and Security

Hung-Min Sun,Yao-Hsin Chen,Yue-Hsun Lin

DOI: https://doi.org/10.1109/tifs.2011.2169958

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Text password is the most popular form of user authentication on websites due to its convenience and simplicity. However, users' passwords are prone to be stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she will exploit it to gain access to more websites. Second, typing passwords into untrusted computers suffers password thief threat. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a user authentication protocol named oPass which leverages a user's cellphone and short message service to thwart password stealing and password reuse attacks. oPass only requires each participating website possesses a unique phone number, and involves a telecommunication service provider in registration and recovery phases. Through oPass, users only need to remember a long-term password for login on all websites. After evaluating the oPass prototype, we believe oPass is efficient and affordable compared with the conventional web authentication mechanisms.

Gloriya Mathew,Shiney Thomas

DOI: https://doi.org/10.48550/arXiv.1311.4037

2013-11-16

Abstract:User authentication is one of the most important part of information security. Computer security most commonly depends on passwords to authenticate human users. Password authentication systems will be either been usable but not secure, or secure but not usable. While there are different types of authentication systems available alphanumeric password is the most commonly used authentication mechanism. But this method has significant drawbacks. An alternative solution to the text based authentication is Graphical User Authentication based on the fact that humans tends to remember images better than text. Graphical password authentication systems provide passwords which are easy to be created and remembered by the user. However, the main issues of simple graphical password techniques are shoulder surfing attack and image gallery attack. Studies reveals that most of the graphical passwords are either secure but not usable or usable but not secure. In this paper, a new technique that uses cued click point graphical password method along with the one-time session key is proposed. The goal is to propose a new authentication mechanism using graphical password to achieve higher security and better usability levels. The result of the system testing is evaluated and it reveals that the proposed system ensures security and usability to a great extent.

Cryptography and Security

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

zhang min,brendan ryan,sarah atkinson

DOI: https://doi.org/10.1007/978-94-007-2792-2_4

2012-01-01

Abstract:Nowadays alphanumeric passwords are still widely used, even though it causes the well-known ‘password problem’. There are a lot of studies on alternative user authentication schemes which try to take place of the textual password. PixelPin is one of the picture-based authentication systems, which are base on Blonder’s patent (Graphical Passwords. United States Patent 55599611996). This paper is the report on our evaluation of the PixelPin by conducting four experiments. In specific, we summarized the issues of PixelPin’s usability and security via web-based user study and focus group. We also tried to understand users’ choice of picture and the way of their memorization of the click-points. A cursor effect was studies in the last experiment. Finally, some issues are proposed to be solved in the future work.

Tony McBryan,Karen Renaud,J. Paul Siebert

DOI: https://doi.org/10.48550/arXiv.1407.8004

IF: 6.4588

2014-07-30

Human-Computer Interaction

Abstract:Computer users are generally authenticated by means of a password. Unfortunately passwords are often forgotten and replacement is expensive and inconvenient. Some people write their passwords down but these records can easily be lost or stolen. The option we explore is to find a way to cue passwords securely. The specific cueing technique we report on in this paper employs images as cues. The idea is to elicit textual descriptions of the images, which can then be used as passwords. We have defined a set of metrics for the kind of image that could function effectively as a password cue. We identified five candidate image types and ran an experiment to identify the image class with the best performance in terms of the defined metrics. The first experiment identified inkblot-type images as being superior. We tested this image, called a cueblot, in a real-life environment. We allowed users to tailor their cueblot until they felt they could describe it, and they then entered a description of the cueblot as their password. The cueblot was displayed at each subsequent authentication attempt to cue the password. Unfortunately, we found that users did not exploit the cueing potential of the cueblot, and while there were a few differences between textual descriptions of cueblots and non-cued passwords, they were not compelling. Hence our attempts to alleviate the difficulties people experience with passwords, by giving them access to a tailored cue, did not have the desired effect. We have to conclude that the password mechanism might well be unable to benefit from bolstering activities such as this one.

Jaryn Shen,Timothy T. Yuen,Kim-Kwang Raymond Choo,Qingkai Zeng

DOI: https://doi.org/10.1007/978-3-030-21548-4_28

2019-01-01

Abstract:Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.

Konstantinos Karampidis

DOI: https://doi.org/10.1093/jigpal/jzae009

2024-03-16

Abstract:Abstract Digitization of every daily procedure requires trustworthy verification schemes. People tend to overlook the security of the passwords they use, i.e. they use the same password on different occasions, they neglect to change them periodically or they often forget them. This raises a major security issue, especially for elderly people who are not familiar with modern technology and its risks and challenges. To overcome these drawbacks, biometric factors were utilized, and nowadays, they have been widely adopted due to their convenience of use and ease of hardware installation. Many biometric-based authentication schemes were proposed, but despite the advantages that they offer, recent research has shown that biometrics by itself cannot be considered as an inviolable technique. Recently, we have proposed StegoPass, a novel method that obtains the 68 facial points of a user and utilizes them as a stego message to an image. This produced stego image was the password. Although the experiments conducted showed maximum security, it would be challenging to enhance the robustness of the proposed model for even more attacks. This paper examines the utilization of multimodal biometrics as the secret message embedded in the image. More specifically, besides the extraction of the facial points, we extract the unique minutiae moments and combine them in a feature vector. This feature vector is then embedded in the image. Two different datasets were used, and the security of the method was tested against state-of-the-art deep learning models, i.e. generative adversarial networks, to test whether the image could be digitally synthesized and fool the proposed verification scheme. The results proved that the new enhanced version of StegoPass offers an extremely secure method as its predecessor.

mathematics, applied,logic

Hongyu Wang,Jin Xu,Bing Yao

DOI: https://doi.org/10.1109/itoec.2017.8122383

2017-01-01

Abstract:Graphical passwords have been proposed as a possible alternative to text-based schemes, but graphical passwords, in storage and communication, require much more storage space than text based passwords, and network transfer delay is also a concern for them. An idea of "graphical structure plus number theory" (GSPNT) for designing new type of passwords is an alternative to typical graphical passwords. Magic matching set having many magic parameters is one of graphical passwords produced by GSPNT. Some results on magic matching sets are obtained and interesting problems are proposed at the end of this article.