International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 11 - Mar 2014
Graphical Password System using Different Techniques–A Review
Mr. Amit Kashnath Barate¹, Mrs. Sunita Sunil Shinde²
¹M.E. (student), ²Assistant Professor
Department of Electronics & Telecommunication, Annasaheb Dange College of Engineering & Technology, Ashta, Maharashtra, India.
Abstract— This review summarises the current state of knowledge on various methods of image authentication. Passwords provide a security mechanism for authentication and for the protection of services against unwanted access to resources. The essential function of authentication systems is to support users in selecting better passwords to access or enter into systems. Most frequently, authentication is based on the use of alphanumeric passwords. However, users face difficulty in remembering passwords that are long or random-appearing. Thus, they create short, simple, and insecure passwords. Graphical passwords offer a better and more efficient alternative to textual passwords. Human psychology studies have indicated that humans are able to remember pictures easily. Thus graphical passwords have been designed to make passwords more memorable and easier for people to use and, hence, more secure. In a graphical password, users click on images instead of typing alphanumeric characters. This password system is a combination of recognition and recall based techniques that offers many advantages over conventional systems and could be more convenient for the user.
Keywords—Authentication, Security, Graphical password,
Attacks, Pass Points Click Password, Cued Click Points
Password.
I. INTRODUCTION
One of the most important functions of any security system is controlling the movement of people into or out of protected areas, such as physical buildings, information systems and our national borders. Also, computer systems and the information they store and process are valuable resources which need to be protected.
Authentication is most often based on the use of alphanumeric passwords. However, users have difficulty in remembering a password that is long and random-appearing. Instead, they create short, simple, and insecure passwords. The problem arises because passwords are expected to comply with two fundamentally conflicting requirements:
• Passwords should be easy to remember, and the user authentication protocol should be executable quickly and easily by humans.
• Passwords should be secure, i.e., they should look random and should be hard to guess; they should be changed frequently, and should be different on different accounts of the same user; they should not be written down or stored in plain text.
ISSN: 2231-5381
To overcome the problems associated with text password based authentication systems, many researchers have proposed the concept of graphical passwords and developed alternative authentication mechanisms.
A. Main problems with alphanumeric passwords
The main problem with alphanumeric passwords is that once a password has been chosen and learned, the user must be able to recall it to log in. But people regularly forget their passwords. If a password is not frequently used, it is even more likely to be forgotten. Recent surveys have shown that users select short, simple passwords that are easily guessable, for example, personal names of their family members, names of pets, date of birth etc. [8].
B. Why Graphical Passwords?
Graphical passwords were originally described by Blonder (1996). The basic notion is that graphical passwords are expected to be easier to recall, less likely to be written down, and have the potential to provide a richer symbol space than text based passwords. For example, a user might authenticate by clicking a series of points on an image, selecting a series of tiles, or by drawing a series of lines on the screen [9].
II. CLASSIFICATION OF GRAPHICAL PASSWORD SYSTEM
Graphical password schemes can be broadly classified into four main categories. First is Recognition based systems. Recognition based techniques involve identifying whether one has seen an image before. The user must only be able to recognize previously seen images, not generate them unaided from memory. Second is Pure Recall based systems. In pure recall-based methods the user has to reproduce something that he or she created or selected earlier during the registration stage. Third is Cued Recall based systems. In cued recall-based methods, the user is provided with a hint so that he or she can recall his/her password. Fourth is Hybrid systems, which are typically the combination of two or more schemes.
III. VARIOUS GRAPHICAL PASSWORD TECHNIQUES
A number of graphical password techniques have been proposed to fulfill the requirements of a secure and memorable password, such as Pass Points Graphical Password, Cued Click Points Graphical Password, and Persuasive Cued Click-Points (PCCP) Graphical Password.
http://www.ijettjournal.org
A. Pass Points Graphical Password
In the PassPoints graphical password scheme a password
consists of a sequence of click points (say 5 to 8) that the user
chooses in an image [4]. The image is displayed on the screen
by the system. The image is not secret and has no role other
than helping the user remember the click points. Any pixel in
the image is a candidate for a click point. To log in, the user
has to click again close to the chosen points, in the chosen
sequence. Since it is almost impossible for human users to
click repeatedly on exactly the same point, the system allows
for an error tolerance in the click locations.
B. Cued Click Points Graphical Password
The idea of click-based graphical passwords originated with Blonder [2], who proposed a scheme where a password consisted of a series of clicks on predefined regions of an image. Cued Click Points (CCP) is a proposed alternative to PassPoints. In CCP, users click one point on each of a sequence of images rather than five points on one image. It offers cued recall and introduces visual cues that instantly alert valid users if they have made a mistake when entering their latest click-point (at which point they can cancel their attempt and retry from the beginning). It also makes attacks based on hotspot analysis more challenging. If a user enters an incorrect click-point, then the sequence of images from that point onwards will be incorrect and thus the login attempt will fail. For an attacker who does not know the correct sequence of images, this cue will not be helpful.
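The PassPoints tolerance check and the CCP image chaining described above, as an added example that is not code from the paper or from the cited schemes. The ±9-pixel square tolerance, the hash-based `next_image` function, the image identifiers and the enrolled points are all assumptions made for illustration.

```python
import hashlib

TOLERANCE = 9  # assumed: accept clicks within +/-9 px of the enrolled point

# Constructed enrolment: five click-points and the first image's identifier.
# Simplification: points are kept in the clear so the tolerance check is visible.
ENROLLED = [(120, 80), (300, 210), (45, 160), (260, 40), (190, 275)]
FIRST_IMAGE = "img-start"

def within_tolerance(click, enrolled, tol=TOLERANCE):
    """Square tolerance region centred on the enrolled point."""
    return abs(click[0] - enrolled[0]) <= tol and abs(click[1] - enrolled[1]) <= tol

def passpoints_login(clicks, enrolled):
    """PassPoints: all clicks on one image, in order, each within tolerance."""
    return len(clicks) == len(enrolled) and all(
        within_tolerance(c, e) for c, e in zip(clicks, enrolled))

def next_image(image_id, point):
    """CCP: the next image is a deterministic function of image and point."""
    data = f"{image_id}:{point[0]}:{point[1]}".encode()
    return "img-" + hashlib.sha256(data).hexdigest()[:8]

def ccp_login(first_image, clicks, enrolled):
    """Return (images shown, success) for one CCP login attempt."""
    shown, image, on_path = [], first_image, True
    for click, target in zip(clicks, enrolled):
        shown.append(image)
        on_path = on_path and within_tolerance(click, target)
        # An accepted click snaps to the enrolled point, so jitter does not
        # change the next image; a rejected click still produces an image.
        image = next_image(image, target if on_path else click)
    return shown, on_path and len(clicks) == len(enrolled)

if __name__ == "__main__":
    good = [(123, 78), (295, 214), (45, 160), (268, 33), (186, 280)]
    bad = [good[0], (340, 210)] + good[2:]  # second click misses
    ok_imgs, ok = ccp_login(FIRST_IMAGE, good, ENROLLED)
    bad_imgs, bad_ok = ccp_login(FIRST_IMAGE, bad, ENROLLED)
    print(ok, ok_imgs)
    print(bad_ok, bad_imgs)  # same first two images, different from the third on
```

The failed attempt is never rejected mid-sequence: it simply walks a different chain of images, which only someone who knows the enrolled sequence can recognise as wrong.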
C. Persuasive Cued Click-Points (PCCP) Graphical Password
Persuasive Technology was first articulated by Fogg [11] as
using technology to motivate and influence people to behave
in a desired manner. He discusses how interface cues can be
designed to actively encourage users to perform certain tasks.
Forget et al. [12] propose how these may be condensed into a
set of core persuasive principles for computer security. By
adding a persuasive feature to CCP, PCCP encourages users to
select less predictable passwords, and makes it more difficult
to select passwords where all five click-points are hotspots.
IV. VARIOUS POSSIBLE ATTACKS ON GRAPHICAL PASSWORD TECHNIQUES
Following are the different types of attacks on graphical passwords:
A. Brute Force Attack
The main defence against brute force attack is to have a sufficiently large password space. In some graphical password techniques the password space is similar to or larger than that of text-based passwords. Recognition based graphical passwords tend to have smaller password spaces than the recall based methods. A brute force attack is more difficult to carry out against graphical passwords than text-based passwords. A brute force attack requires automatically generated, accurate mouse movement to reproduce human input, which is mostly difficult in the case of recall based graphical passwords.
B. Dictionary Attacks
Since recognition based graphical passwords involve mouse input instead of keyboard input, it will be impractical to carry out dictionary attacks against this type of graphical password. For some recall based graphical passwords, it is possible to use a dictionary attack, but an automated dictionary attack will be much more difficult than a text based dictionary attack. Overall, graphical passwords are less vulnerable to dictionary attacks than text-based passwords.
C. Guessing
As with text-based passwords, where guessing is a serious problem, graphical passwords also tend to be guessed. For example, studies on the Passfaces technique have shown that people often choose weak and predictable graphical passwords. Similar predictability is found among the graphical passwords created with the DAS technique.
V. FUTURE IMPROVEMENTS WITH POSSIBLE INTEGRATED SYSTEM FOR GRAPHICAL PASSWORD
Theoretically, an integrated textual and graphical password can be used to enhance the security of the system. A multilevel system can be implemented with different types of password system. The detailed description of an integrated system is not the focus of this paper.
VI. CONCLUSION
This paper provides a record of different types of existing graphical password techniques. The graphical password techniques are classified into two categories: recognition-based and recall-based techniques. The past decade has seen an emergent interest in using graphical passwords as an alternative to the conventional text-based passwords. To enhance security, the implementation of different multilevel graphical systems might be a prerequisite.
ACKNOWLEDGMENT
I would like to acknowledge and extend my heartfelt gratitude to my guide Prof. Sunita S. Shinde for her encouragement and support.
REFERENCES
[1] Ahmad Almulhem, Computer Engineering Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia, A Graphical Password Authentication System.
[2] Chiasson, S., van Oorschot, P.C., Biddle, R. Graphical Password Authentication Using Cued Click-points. ESORICS 2007.
[3] Sonia Chiasson, Member, Robert Biddle, Member, IEEE, and Paul C. van Oorschot, Member, IEEE, Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism, March 2012.
[4] Ahmet Emir Dirik, Nasir Memon, Jean-Camille Birget, Department of Computer and Information Science, Modeling user choice in the PassPoints graphical password scheme.
[5] Patric Elftmann, Diploma Thesis, "Secure Alternatives to Password-Based Authentication Mechanisms", Aachen, Germany, October 2006.
[6] Fabian Monrose and Michael K. Reiter, Graphical Passwords, 2005.
[7] Sonia Chiasson, Alain Forget, Robert Biddle, P.C. van Oorschot, School of Computer Science, Human-Oriented Technology Lab, Carleton University, Ottawa, Canada, Influencing Users Towards Better Passwords: Persuasive Cued Click-Points.
[8] Brown, Bracken, Zoccali, & Douglas, Sasse et al., 2001; 2004.
[9] Bogdan Hoanca and Kenrich Mock, "Secure graphical password system for high traffic public areas", ETRA '06, 2006.
[10] Blonder, G.E. Graphical Passwords. United States Patent 5,559,961, 1996.
[11] Fogg, B.J. Persuasive Technologies: Using Computers to Change What We Think and Do. Morgan Kaufmann Publishers, San Francisco, CA, 2003.
[12] Forget, A., Chiasson, S., and Biddle, R. Persuasion as Education for Computer Security. AACE E-Learn 2007.
AUTHORS BIOGRAPHY
Mrs. Sunita S. Shinde received the Bachelor's and Master's degree in Electronics Engineering from Shivaji University, Kolhapur, Maharashtra. She has teaching experience of 16 years. Her fields of interest are Wireless communication and Adhoc Networks. She is a life member of ISTE. She has written three books on Computer Networks.
Mr. Amit K. Barate is pursuing M.E in Electronics and Telecommunication from Shivaji University, Maharashtra. He has completed the Bachelor's degree in Electronics and Telecommunication from Mumbai University, Maharashtra.