Abstract
For the last decades information technologies (IT) have had a great influence on business processes, and today probably nobody doubts that the efficiency of security facilities is one of the most important components of the development of IT and business processes.
This report shows different types of graphical password, their advantages and disadvantages, possible attacks and solutions for the methods' vulnerabilities, comparing them with other authentication schemes. It presents the evidence for the statement that the Triangle scheme is the most preferable type of graphical password for now.
Introduction
Identification and authentication can be considered the basic methods for providing system security. These two methods commonly assure access control at the first boundary of the system. Before accessing resources of the system the user needs to provide his identifier by giving some secret information, something that only he owns, or something that only he has as part of his personality. One instance of secret information is a password. It is the commonly used technology for authentication in different kinds of computer systems. Typically passwords are presented as a sequence of digits and letters; however, this work is concerned with different types of graphical passwords, comparing them with text passwords and with each other [1].
Text passwords have some restrictions and recommendations to follow for providing better security. The usual guidelines for text passwords are:
- The length of the password should be at least 8 characters.
- The password should not consist of any information related to the user; otherwise it would be easy to guess.
- Moreover, it is good practice not to use popular combinations or words (such as 123456789, QAZwsx11, password), because in this case it becomes possible to use a dictionary attack on it.
- It is better to combine upper and lower case in the password.
So it is critical to create a strong and random password, not related to the user, using combinations of alphabetic, numeric and other symbols. However, in this case the user can face the problem of a too complicated password which is hard to remember [1]. The usage of such "strong" passwords can also lead to different side effects. In order to decrease the number of passwords to remember, the user can begin to use one everywhere, which may increase the possibility of it being stolen or cracked. If the policy of the system forces the user to change passwords periodically, he can simplify these changes by substituting one letter or by using a few passwords in a loop. The main thing to remember is that users almost always go the way of least resistance, and it does not matter how strict the policy is.
As we can see, using text passwords means finding a balance between easy-to-remember but easy-to-break passwords on one side and strong but hard-to-remember ones on the other side.
Graphical passwords can be used as an alternative to text ones. This technology is free from the text password limitations. It is based on the human peculiarity of remembering visual images better than text [2][3].
So what is a graphical password?
It is the secret graphical information that the user inputs to the computer by using the basic computer graphical interface and input/output devices (mouse, touch screen, display, etc.).
Graphical methods can be divided into the following types:
1) Password is a set of areas on a big image
The classical representative of the first type is Blonder's method, first offered in 1996 by Greg E. Blonder. The main idea of this method is that the user has to choose a background picture from the given library of images, or upload a picture that corresponds with the method's restrictions. After that the user must define control points on the current image. The sequence of these points represents the user's password. During the authentication process the user has to repeat the clicks on all the points in the right sequence (a permissible deviation in the points is possible, because it is almost impossible for a person to click in the same position every time during authentication).
2) Password is a set of images from a large collection (recognition-based techniques)
i) The user has to choose some number of images from the given set; sometimes there is the possibility to upload pictures himself. Usually these are pictures of people of different ages, sexes and nationalities. The chosen ones will be the user's password, and during the authentication process the user "types" his password by clicking on the previously chosen images. For instance, "Passfaces" from Passfaces Corp. (http://www.passface.com).
ii) This type of authentication is the same as the previous one; the only difference is at the authentication step. Instead of showing only one "right" image on the screen, the system outputs 3 or 4 of them. The user needs to create mentally a triangle or square (a password picture in each vertex) and click on any image inside this figure. Only after a few repetitions will the system be able to identify the user correctly. This method is called the Triangle scheme.
iii) The Pict-O-Lock method is the type where the password is a table of strings created by the user, and each string corresponds with an icon. The user needs to choose m icons out of the n presented; each of the chosen icons has 4 variations. For each variation of an icon the user needs to create a unique string.
During authentication one of the variants of each icon is shown, so the corresponding string is going to be the password for the current session. Next time, if the icons are changed, the password will be different.
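A small model of the Triangle scheme's challenge and check, added here as an example (not code from the original report or from Sobrado and Birget): the server scatters three of the user's pass-images among decoys, accepts a click only inside the triangle they span, and the simulation shows why several rounds are needed before a random clicker is reliably kept out. Image names, screen size and decoy count are constructed.

```python
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]

# Constructed user secret: five pass-images chosen at registration.
PASS_IMAGES = [f"pass-{i}" for i in range(5)]


def _cross(o: Point, a: Point, b: Point) -> float:
    """2-D cross product of the vectors o->a and o->b; its sign tells on which
    side of the line through o and a the point b lies."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def point_in_triangle(p: Point, a: Point, b: Point, c: Point) -> bool:
    """True if p is inside triangle abc or on its boundary (same-side test)."""
    d1, d2, d3 = _cross(a, b, p), _cross(b, c, p), _cross(c, a, p)
    has_neg = d1 < 0 or d2 < 0 or d3 < 0
    has_pos = d1 > 0 or d2 > 0 or d3 > 0
    return not (has_neg and has_pos)


def build_round(rng: random.Random, pass_images: Sequence[str], n_decoys: int,
                width: float, height: float) -> Tuple[List[str], Dict[str, Point]]:
    """One challenge screen: three of the user's pass-images plus decoys, all at
    random positions. The server keeps `chosen`; the user only sees the screen."""
    chosen = rng.sample(list(pass_images), 3)
    positions: Dict[str, Point] = {}
    for name in chosen:
        positions[name] = (rng.uniform(0, width), rng.uniform(0, height))
    for i in range(n_decoys):
        positions[f"decoy-{i}"] = (rng.uniform(0, width), rng.uniform(0, height))
    return chosen, positions


def verify_click(click: Point, chosen: Sequence[str],
                 positions: Dict[str, Point]) -> bool:
    """Server-side check: the click must fall inside the triangle spanned by
    the three pass-images shown in this round."""
    a, b, c = (positions[name] for name in chosen)
    return point_in_triangle(click, a, b, c)


def legitimate_round_passes(seed: int = 3) -> bool:
    """A user who knows the pass-images clicks the centroid of the mental
    triangle, which is always strictly inside it."""
    rng = random.Random(seed)
    chosen, positions = build_round(rng, PASS_IMAGES, 50, 1.0, 1.0)
    xs = [positions[n][0] for n in chosen]
    ys = [positions[n][1] for n in chosen]
    return verify_click((sum(xs) / 3, sum(ys) / 3), chosen, positions)


def guess_success_rate(rounds: int, trials: int = 2000, seed: int = 1) -> float:
    """Estimate how often a guesser who clicks uniformly at random passes all
    `rounds` rounds; the rate shrinks roughly geometrically with the rounds."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        ok = True
        for _ in range(rounds):
            chosen, positions = build_round(rng, PASS_IMAGES, 50, 1.0, 1.0)
            if not verify_click((rng.random(), rng.random()), chosen, positions):
                ok = False
                break
        passed += ok
    return passed / trials


if __name__ == "__main__":
    print("legitimate user passes one round:", legitimate_round_passes())
    for r in (1, 2, 3):
        print(f"random clicker passing {r} round(s): {guess_success_rate(r):.4f}")
```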
3) Password is a random picture drawn by the user (DAS – Draw a Secret)
In this scheme the password is an image consisting of simple dots, curves and lines drawn by the user. The input plane is broken down into fields, so each field has its own position in a matrix with dimensionality n×n. By creating his password the user passes through different fields, and the numbers of these fields will represent his password to the system. During authentication the user's task is to repeat his "drawings" from the creation step as closely as possible and pass through the same fields.
Additionally, there is a modification of this method in which the password is represented as the movement vector of the cursor. For instance, if the cursor moved from field 5×10 to 6×10 the system records it as a "down" movement. At the end the password will be a sequence of movements {down; left; down; right; ... up}.
Moreover, it is possible to use a combination of the aforementioned subtypes.
Advantages and disadvantages
In this chapter the advantages and disadvantages of the graphical password method are going to be considered. Firstly, the advantages of this technology.
Advantages:
Usability
As was mentioned before, one of the most convincing reasons for using a graphical password scheme is the fact that humans seem to have an amazing ability for recalling pictures, whether they are line drawings or real objects. The human brain tends to remember visual images much more easily. So from this point of view the graphical password is preferable for users, because a combination of images is easier to remember and reproduce than a combination of letters and digits. Another benefit of using graphical passwords is alphabet independence. It does not matter what language the user operates in; the human ability to draw, memorize and recognise visual images is nationality independent.
Security
The second advantage of graphical schemes is their infeasibility to dictionary attacks, because of the large password space, but mainly because there are no pre-existing searchable dictionaries for graphical information. In some graphical password methods it is hard to produce automatic attacks (for instance, image recognition and determination based on content). This scheme is free of some commonly used logging techniques.
Disadvantages:
Security
The first disadvantage originates from the usability advantage. Because it is easy for a human to remember visual images, the possibilities of a "shoulder-surfing" attack increase. This usability has a double effect: on one side it becomes easy for the average user to remember the password; on the other side a criminal standing behind the user can easily remember the whole combination of images or areas on the image. There are some techniques which can prevent this kind of attack, for example the modified version of "Password is a set of images from a large collection" (method 2ii in the previous chapter). The security properties which lead to resilience against this attack will be described in the next chapter.
The second disadvantage is not critical nowadays, but it still exists. Graphical passwords require the corresponding hardware and software to be available on the user's machine (for instance, a mouse or touchscreen for passwords based on cursor gesture recognition).
The main disadvantage of graphical passwords is similar to the main disadvantage of text ones. It is the human. It does not matter how complex, secure and powerful your security system is: if the user chooses a weak password, it can be easily hacked. For example, in the DAS method, if the user draws a circle instead of a random long graphical password, there is a high probability that such an easy password will be remembered by an attacker and reproduced more easily than a stronger one. In this case the only thing that can be done is to force users to choose a strong password and change it periodically. Moreover, it is better to implement a service which will control the similarity of the user's new password with the previous one.
Usability
Apart from all the advantages, all graphical passwords have the same "problem": they take much longer to log in than textual passwords. This is especially true for the "Pict-O-Lock" scheme, where the user needs to remember all the strings for all variations of the password icons. For example, if we have 4 password icons the user needs to remember 16 strings, for 5 icons 25 strings, and so on.
Security properties
In this chapter the security properties of the most common graphical schemes are going to be considered.
Apart from all the properties of graphical passwords which were considered in the previous chapters, Blonder-based methods (recall-based techniques) have one critical parameter: the input tolerance (the permissible deviation from the introduction chapter). The security properties heavily depend on it. If the system increases the tolerance, it will be easy to log in and easy to hack, because the system lowers the required accuracy of the user's input (the accuracy of repeating clicks on the password areas). By decreasing the tolerance the system increases security and reduces usability.
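The click-point check of the Blonder-type scheme (introduction, type 1) and the effect of the tolerance parameter discussed above, as an added example (not the report's own code nor Blonder's): a click is accepted within `tol` pixels of the registered point, so every accepted click covers a square of side 2·tol+1, and the number of distinguishable click sequences, hence the cost of exhaustive search, falls as the tolerance grows. The Chebyshev-distance acceptance rule, the 800×600 image and the sample points are assumptions.

```python
import math
from typing import Sequence, Tuple

Point = Tuple[int, int]   # pixel coordinates on the background image


def within_tolerance(click: Point, target: Point, tol: int) -> bool:
    """Accept a click that lies within `tol` pixels of the registered point on
    both axes, i.e. inside a (2*tol+1) x (2*tol+1) square around it."""
    return abs(click[0] - target[0]) <= tol and abs(click[1] - target[1]) <= tol


def verify_clicks(clicks: Sequence[Point], registered: Sequence[Point], tol: int) -> bool:
    """Authenticate: same number of clicks, each within tolerance of the
    corresponding registered point, in the registered order."""
    if len(clicks) != len(registered):
        return False
    return all(within_tolerance(c, r, tol) for c, r in zip(clicks, registered))


def distinguishable_cells(width: int, height: int, tol: int) -> int:
    """How many click positions the system can tell apart: the image is covered
    by squares of side 2*tol+1, and clicks inside one square are equivalent."""
    side = 2 * tol + 1
    return math.ceil(width / side) * math.ceil(height / side)


def click_password_space(width: int, height: int, n_points: int, tol: int) -> int:
    """Size of the effective password space for an ordered sequence of n clicks."""
    return distinguishable_cells(width, height, tol) ** n_points


def text_password_space(length: int, alphabet_size: int = 62) -> int:
    """Reference point: an alphanumeric text password of the given length."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Password space expressed in bits, for easy comparison."""
    return math.log2(space)


# Constructed registration: five control points on an 800x600 image.
REGISTERED = [(120, 80), (400, 310), (655, 95), (210, 540), (730, 470)]

if __name__ == "__main__":
    # The user re-clicks slightly off each point; a 10 px tolerance accepts it,
    # a 5 px tolerance rejects the first click (6 px off).
    attempt = [(126, 74), (395, 318), (660, 100), (203, 546), (736, 463)]
    print("accepted at tol=10:", verify_clicks(attempt, REGISTERED, 10))
    print("accepted at tol=5: ", verify_clicks(attempt, REGISTERED, 5))
    for tol in (5, 10, 20, 40):
        space = click_password_space(800, 600, len(REGISTERED), tol)
        print(f"tol={tol:2d}px  cells={distinguishable_cells(800, 600, tol):5d}"
              f"  space={bits(space):5.1f} bits")
    print(f"8-char alphanumeric text password: {bits(text_password_space(8)):.1f} bits")
```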
In the DAS scheme the system does not need to transfer images between server and client and does not need to store them, because all the user's drawings can be converted to the coordinates of each bearing point. So it can be concluded that, in comparison with the recall-based method, fewer transactions and less traffic between client and server are required, as well as less database space and computation time. Another security property is that the background in this scheme is usually a grid on a white plane, so the user does not have the temptation to use memorable obvious features of the background as a password (for instance, in the case of a picture with a few houses, clouds, ground and a church, it is feasible that the user will choose a window and a cross as part of his password; moreover, in the case of "Pict-O-Lock" it is highly feasible that the user will choose simple and obvious string representations for the password icons). Furthermore, the full password space for grid-based schemes is much better than for traditional textual passwords. So this password scheme provides a very good defence against brute force.
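An added example (not the report's own code, nor that of the DAS authors) of what the DAS description in the introduction and the paragraph above say: the strokes are reduced to the sequence of n×n grid cells they cross, with a pen-up marker between strokes, optionally to the movement-vector form, and only a salted hash of that canonical string is stored, so no image is transferred or kept. The grid size, the plane size, the PBKDF2 choice and the sample strokes are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]          # cursor coordinates on a square input plane
Cell = Tuple[int, int]               # (row, col) in the n x n grid

DIRECTIONS = {(-1, 0): "up", (1, 0): "down", (0, -1): "left", (0, 1): "right"}


def to_cells(stroke: Sequence[Point], n: int, size: float) -> List[Cell]:
    """Map one stroke onto the n x n grid and return the cells it passes
    through in order, dropping consecutive repeats."""
    cells: List[Cell] = []
    for x, y in stroke:
        col = min(int(x * n / size), n - 1)
        row = min(int(y * n / size), n - 1)
        if not cells or cells[-1] != (row, col):
            cells.append((row, col))
    return cells


def encode_drawing(strokes: Sequence[Sequence[Point]], n: int, size: float) -> str:
    """Canonical password string: cells of each stroke, '|' as the pen-up mark."""
    return "|".join(",".join(f"{r}:{c}" for r, c in to_cells(s, n, size))
                    for s in strokes)


def to_moves(cells: Sequence[Cell]) -> List[str]:
    """Movement-vector variant: the direction of each step between cells, e.g.
    moving from row 5 to row 6 in the same column is recorded as "down"."""
    moves = []
    for (r0, c0), (r1, c1) in zip(cells, cells[1:]):
        step = (r1 - r0, c1 - c0)
        if step not in DIRECTIONS:
            raise ValueError(f"cells {(r0, c0)}->{(r1, c1)} are not adjacent")
        moves.append(DIRECTIONS[step])
    return moves


def _hash(encoded: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", encoded.encode(), salt, 100_000).hex()


def enrol(strokes, n: int, size: float, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Store only salt + slow hash of the canonical string, never the drawing."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, _hash(encode_drawing(strokes, n, size), salt)


def verify(strokes, n: int, size: float, salt: bytes, digest: str) -> bool:
    """Re-encode the login drawing and compare hashes in constant time."""
    return hmac.compare_digest(_hash(encode_drawing(strokes, n, size), salt), digest)


# Constructed drawing on a 100x100 plane with a 5x5 grid: an L-shaped stroke,
# pen-up, then a dot in the bottom-right corner.
ENROL_STROKES = [[(10, 10), (30, 10), (50, 10), (50, 30), (50, 50)], [(90, 90)]]
# The same drawing at login, sampled at slightly different pixels.
LOGIN_STROKES = [[(12, 8), (28, 12), (52, 9), (49, 31), (55, 55)], [(93, 88)]]

if __name__ == "__main__":
    print(encode_drawing(ENROL_STROKES, 5, 100))         # 0:0,0:1,0:2,1:2,2:2|4:4
    print(to_moves(to_cells(ENROL_STROKES[0], 5, 100)))   # right, right, down, down
    salt, digest = enrol(ENROL_STROKES, 5, 100)
    print("login accepted:", verify(LOGIN_STROKES, 5, 100, salt, digest))
```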
The "Pict-O-Lock" scheme has a strong resistance to guessing, because this scheme uses image variation, where the same image is displayed in different variations. As was mentioned before, all graphical methods have a strong defence against dictionary attacks. In order to provide a defence against brute-force attacks all methods need a large password space. As can be seen in Table 1, almost all techniques can give the required level of space to make a brute-force attack inexpedient.
Every security feature of the graphical schemes is represented in Table 1 [4].
Table 1. Security features of graphical passwords
Security features considered: large password space, randomly assigned images, hash function, image variation, decoy images, repeat verification.
Passfaces: X √ √
Blonder: √
DAS: √ √
Pict-O-Lock: √ √ √ √ √
Triangle scheme: √ √ √
√ = Yes, X = No, blank = not mentioned
To increase the security of graphical authentication, more than half of the methods use decoy images and randomly assigned features. The reason for this is to defend against shoulder-surfing attacks. But only the Triangle scheme and partly "Pict-O-Lock" have a good security design against this kind of attack. As was mentioned in the introduction, repeat verification is a feature of "Pict-O-Lock" which on one side increases the security of the password and on the other side increases the time for authentication. The same cannot be said about the Passfaces technique, because it has a limited password space, so in a reasonable amount of time an attacker can get all possible combinations of the log-in screen and all password images. Lastly, only DAS has an implementation of a hash function to protect the raw data of the user's drawings.
Threat analysis
In this chapter we are going to examine the feasible attacks on the given authentication schemes without covering the potential consequences, because they are always the same: getting the user's password and getting access to the information or resources which this user is eligible to access.
According to the previous chapter there are a few main methods of attack on the authentication mechanism:
- Brute force
- Dictionary
- Guessing
- Spyware
- Shoulder-surfing
- Social engineering
As was discussed in the "Security properties" chapter, the only scheme which is resistant to brute-force attacks is the DAS method, because it provides a large password space. All other methods can be hacked in a reasonable time by an exhaustive search of the possible password combinations.
The strong side of almost all graphical schemes is resilience to dictionary attacks. However, it was discovered that in "Passfaces" users usually tend to choose faces of people of the same nationality and race as themselves, so if the criminal knows the victim it will significantly reduce the number of possible combinations [9].
The same situation holds for the DAS authentication scheme: if the user chooses a simple geometric figure or sign, it can lead to a decrease in password space and, as a result, a breach of security.
That is why it was mentioned in the "Advantages and disadvantages" chapter that sometimes it is easy to guess the users' passwords, because they use simple and obvious password representations, or representations somehow connected with them. From this perspective Passfaces and the recall (Blonder) scheme are vulnerable to guessing attacks. The Passfaces vulnerability was discussed in the previous paragraph, and in recall techniques users usually choose memorable and distinguishable areas of the background image (for instance, a sharp edge of a building, the top of a tree and so on).
Almost all graphical schemes are based on mouse gestures and clicks, so typical key-loggers do not work on these methods. To obtain the password, spyware needs to record mouse movements (cursor coordinates relative to the screen or the window) and button presses, and additionally capture the screen.
Theoretically it is possible to "record" all mouse clicks and movements by using the same key-logger techniques. The main challenge here is the process of capturing and transferring screen images. For example, for Passfaces it is possible to capture the screen on the "left button pressed" event, so the criminal can easily collect all the password pictures. The same holds for Blonder (capturing on the mouse-pressed event) and DAS (recording the sequence of cursor coordinates), but in the case of the Triangle scheme it is almost impossible because of its design. This was proved in the original work of Leonardo Sobrado and Jean-Camille Birget dedicated to this method [1].
In the "Pict-O-Lock" scheme the criminal can use a key-logger to collect all the secret phrases corresponding to the given password images and additionally take a screenshot of the log-in screen. Even if only one image/secret-phrase pair is collected, there is already a small chance of passing authentication successfully.
A shoulder-surfing attack is similar to the spyware & loggers attack, but in this case, instead of computer-based software, the attacker himself is the tool for getting the password information. So this sets boundary conditions on the attack. It is still feasible for an average human to remember the sequence of password faces in the Passfaces scheme, all the password areas in the Blonder scheme and the drawings in DAS. However, it is impossible to remember all possible combinations in the "Pict-O-Lock" method; moreover, it is very unlikely to stand behind the user every time he or she logs in. Finally, it is still infeasible to remember and compute a password combination in the Triangle scheme.
At last, it is very hard or even impossible to worm out the password combinations during a chat with the user, because all graphical passwords are visual and do not consist of a text password in their original state.
All these thoughts are reflected in Table 2.
Table 2. Possible attack methods on graphical passwords
Graphical password scheme | Brute force | Dictionary | Guessing | Spyware & loggers | Shoulder-surfing | Social engineering
Passfaces                 | √           | √          | √        | √                 | √                | X
Blonder                   | √           | X          | √        | √                 | √                | X
DAS                       | X           | √          | X        | √                 | √                | X
Pict-O-Lock               | √           | X          | X        | √                 | X                | X
Triangle scheme           | √           | X          | X        | X                 | X                | X
√ = Yes, X = No
Potential alternatives and enhancements
Graphical and text passwords are not the only methods for user authentication. A few other typical methods exist:
- Biometric (fingerprint, typing behaviour, etc.): something that is already part of you
- Object-based (USB token, smart card, etc.): something that you have
These methods are not going to be discussed deeply in this report due to size limitations (moreover, they are all well known and explored). Each of them has its own advantages and disadvantages; the main idea of mentioning them is to have a clear understanding that there are a lot of possible alternatives for the authentication process. Different schemes might be used for almost any application or system, depending on the purposes and situation. Of course, all of them have different costs of implementation and maintenance. The plus for graphical methods is that they are as cheap as text ones and do not require any additional equipment except a mouse, a keyboard (not always), a display and a simple graphical subsystem. For strengthening the position of these schemes, all the previously discussed security breaches and problems need to be overcome.
The cheapest, simplest and most obvious solution for overcoming brute-force and dictionary attacks is a restriction on the number of unsuccessful authentication tries and a condition on the minimal password strength. By doing this we can protect against an exhaustive search of the feasible password combinations. Moreover, the possibility of guessing can be dramatically reduced by using such limitations. Usually the default number of tolerated unsuccessful authentication tries is 3.
The two other types of attack (spyware & loggers and shoulder-surfing) can be overcome by introducing some organisational and access rules and establishing good management. For instance, a company can train employees to be aware of shoulder-surfing attacks and organise the work space in such a way that nobody can hide behind the user, and so on. Finally, a company can establish a policy of use for users: put some access monitors and policies into the system and restrict the usage of mobile storage devices and internet surfing to avoid getting spyware & loggers, in addition to firewalls and antiviruses. For personal usage all these steps should be taken by the user himself.
Except for the first two types of attack (brute-force and dictionary attacks), all other attacks mostly depend on human actions and behaviour: what password strength will be chosen, what firewalls and antiviruses will be installed, what access rules will be introduced and so on. The point is that it is the human's fault rather than a technical one.
On the other side, the important thing to remember is not to overcomplicate the authentication process. "Pict-O-Lock" can be considered a perfect example of overcomplication, as was previously discussed. The ideal is to find "the golden mean" between the usability of a method and its security.
From this point of view the best graphical method is the "Triangle scheme" and the related schemes from the same authors, Leonardo Sobrado and Jean-Camille Birget, which were considered in the work "Graphical passwords" [1].
Conclusions
The above consideration and discussion of graphical methods of authentication does not prove their security superiority over textual methods. In fact, except for the difference in the input process, these two kinds of methods are very similar. The only things that can be taken out of this report are:
- usability efficiency (in almost all cases) and human friendliness compared to text passwords;
- graphical methods are not a panacea and they have disadvantages too.
Finally, we should not forget about the psychological aspect of graphical schemes. For some users the graphical way of authentication seems to be more of a "childlike business" than an "adult" one, because of all these visual images, pictures and drawings.
After all the discussion and examination, the "Triangle scheme" and related schemes are the most preferable methods for graphical authentication, because they are resilient to almost all types of attack and, with a little help from policy and access rules, they can be made proof against brute-force attacks.
Graphical methods are a very promising type of authentication, especially in the light of the fast development of touch interfaces, where the usability property of graphical passwords can serve a good turn.
References
1. L. Sobrado and J.-C. Birget, "Graphical passwords", Department of Computer Science, Rutgers University, Camden, New Jersey 08102, 2002.
2. R. N. Shepard, "Recognition Memory for Words, Sentences, and Pictures", Journal of Verbal Learning and Verbal Behavior 6 (1967), 156–163.
3. A. Paivio, T. B. Rogers and P. C. Smythe, "Why Are Pictures Easier to Recall Than Words?", Psychonomic Science 11 (1968), 137–138.
4. M. D. Hafiz, A. H. Abdullah, N. Ithnin and H. K. Mammi, "Towards Identifying Usability and Security Features of Graphical Password in Knowledge Based Authentication Technique", Faculty of Computer Science and Information Systems, Universiti Teknologi Malaysia, 81300 Skudai, Johor; in Modeling & Simulation, 2008. AICMS 08. Second Asia International Conference on, May 2008, 396–403.
5. I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter and A. Rubin, "The Design and Analysis of Graphical Passwords", March 8, 1999.
6. G. Blonder, "Graphical Passwords", United States patent 5559961 (1996).
7. Passfaces Corporation, "Graphical Password Technology, Passfaces technology".
8. D. Hong, S. Man, B. Hawes and M. Mathews, "A password scheme strongly resistant to spyware", in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2004.
9. D. Davis, F. Monrose and M. K. Reiter, "On User Choice in Graphical Password Schemes", in Proceedings of the 13th USENIX Security Symposium, California, 2004.