International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 10 - Apr 2014
Secure Password Authentication Approach using Cued Click Points
T. Ravi Kiran (1), P. Varaha Mounika (2), S.V. Vasavi Swapna (3), S. Satya Rao (4), N. Raju (5)
Assistant Professor (1), B.Tech Scholar (2, 3, 4, 5)
Dept of CSE, VITS College of Engineering, Sontyam, Visakhapatnam, Andhra Pradesh
Abstract: Click-based graphical passwords, which involve clicking a set of user-selected points, have been proposed as a usable alternative to text passwords. We found significant differences in the usability results of the two studies, providing empirical evidence that relying solely on lab studies for security interfaces can be problematic. In this paper we show that the proposed graphical password method can yield passwords with entropy far below the theoretical optimum, and that in some cases these passwords are highly correlated with the race or gender of the user.
I. INTRODUCTION
Click-based graphical passwords refer to generating a password by selecting multiple images, or multiple parts of a single image. Because they involve clicking a set of user-selected points, they have been proposed as a usable alternative to text passwords. Researchers have conducted in-lab user studies of a proposed click-based graphical password scheme called PassPoints. The initial results were optimistic with respect to usability, but acknowledged that further work was needed to address several remaining questions. These included conducting a field study assessing the usability of PassPoints in a more realistic setting, investigating the effect of screen size on usability, examining whether hotspots cause security concerns, and looking at the effect of interference, that is, whether having to remember multiple graphical passwords might cause memorability or usability problems.
A security analysis was conducted on both data sets, looking specifically at the emergence of hotspots, seeing whether hotspots could be predicted by automated methods, and demonstrating how collecting a small subset of passwords can be used to conduct successful dictionary attacks. This security analysis is reported separately. Using these results, we subsequently evaluated an additional security issue: whether more memorable passwords (that is, passwords for which users had a higher login success rate) were weaker from a security point of view (more easily cracked).
Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text; psychological studies support this assumption, as pictures are generally easier to remember or recognize than text. If the number of possible pictures is sufficiently large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these (presumed) advantages, there is a growing interest in graphical passwords. In addition to workstation and web login applications, graphical passwords have also been applied to ATM machines and mobile devices.
Clearly our everyday non-user-friendly password is not secure in the sense we require: by merely recording the input of the user to the intermediate computer, the adversary can discover the user's password after a single successful authentication session. Biometric identification (based on physiological traits such as fingerprints and iris shape) is indeed more secure against theft or forgetting, but it is just as easy for the adversary to obtain this key as it is to obtain a password. There are a number of existing secure solutions which require the user to carry a computational aid, such as an OTP card that generates one-time passwords, one-time password sheets, or a laptop armed with secure authentication protocols. But this approach has its drawbacks: users cannot get authenticated without the device, which can be stolen, lost, or made unusable (e.g., when its battery runs out).
II. RELATED WORK
Token-based techniques, such as key cards, bank cards and smart cards, are widely used. Many token-based authentication systems also use knowledge-based techniques to enhance security; ATM cards, for example, are generally used together with a PIN. Biometric-based security techniques, such as fingerprint or iris scans and facial recognition, are not yet widely adopted. The main limit of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. This type of technique provides the highest level of security. Knowledge-based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords; picture-based techniques can be further divided into two categories: recognition-based and recall-based graphical techniques. Using recognition-based techniques, a user is presented with a set of images and passes the authentication by recognizing and identifying the images he or she selected during the registration stage. Using recall-based techniques, the user is asked to reproduce something that he or she created or selected earlier during the registration stage.
http://www.ijettjournal.org
Page 478
There is no report on real cases of breaking graphical passwords. This section examines some of the possible techniques for breaking graphical passwords and compares them with text-based passwords. The main defence against brute force search is to have a sufficiently large password space. Text-based passwords have a password space of 94^N, where N is the length of the password and 94 is the number of printable characters excluding SPACE. Some graphical password methods have been shown to provide a password space similar to or larger than that of text-based passwords. Recognition-based graphical passwords, however, tend to have smaller password spaces than recall-based methods.
Further research developed a graphical password technique that deals with the shoulder surfing problem. In the first scheme, the system displays a number of pass-objects (pre-selected by the user) among many other objects. To authenticate, a user needs to recognize the pass-objects and click inside the convex hull formed by all the pass-objects. To make the password hard to guess, the researchers suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable; using fewer objects, however, may lead to a smaller password space, since the resulting convex hull can be large. In their second algorithm, the user moves a frame (and the objects within it) until the pass-object on the frame lines up with the other two pass-objects. They suggest repeating the process a few more times to minimize the likelihood of logging in by randomly clicking or rotating.
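A server-side check for one round of the convex-hull scheme just described, written here as an added example rather than code from this paper or from the cited researchers: it builds the convex hull of the pass-object centres, accepts a click only if it falls inside the hull, and reports the fraction of the display the hull covers, which is exactly the probability that a random click passes a round (the "convex hull can be large" caveat above). The 800 x 600 display and the pass-object coordinates are constructed for the example; collinear pass-objects, whose hull has no area, are rejected rather than accepted.

```python
# Added example (not the paper's code): verifying one round of the convex-hull
# scheme and measuring how much of the display a random click would hit.

def cross(o, a, b):
    """z-component of (a - o) x (b - o); > 0 when o->a->b turns counter-clockwise."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain. Returns hull vertices in counter-clockwise order;
    collinear or duplicate pass-objects collapse to fewer than three vertices."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]

def inside_hull(hull, point):
    """True if point lies inside or on the boundary of a CCW convex polygon."""
    if len(hull) < 3:
        return False          # degenerate hull: nothing to click inside, reject
    n = len(hull)
    return all(cross(hull[i], hull[(i + 1) % n], point) >= 0 for i in range(n))

def hull_area(hull):
    """Polygon area by the shoelace formula (0 for degenerate hulls)."""
    n = len(hull)
    if n < 3:
        return 0.0
    return abs(sum(hull[i][0] * hull[(i + 1) % n][1] - hull[(i + 1) % n][0] * hull[i][1]
                   for i in range(n))) / 2.0

def verify_round(pass_objects, click):
    """One round: accept iff the click is inside the hull of the pass-objects."""
    return inside_hull(convex_hull(pass_objects), click)

def random_click_success(pass_objects, width, height):
    """Probability that a uniformly random click passes one round."""
    return hull_area(convex_hull(pass_objects)) / float(width * height)

# Constructed layout: an 800 x 600 display with four pass-object centres.
DISPLAY_W, DISPLAY_H = 800, 600
PASS_OBJECTS = [(100, 100), (700, 120), (650, 500), (150, 450)]

if __name__ == "__main__":
    print(verify_round(PASS_OBJECTS, (400, 300)), verify_round(PASS_OBJECTS, (50, 50)))
    print("random click passes one round with p =",
          round(random_click_success(PASS_OBJECTS, DISPLAY_W, DISPLAY_H), 3))
```

With the constructed layout the hull covers about 42% of the display, so a single round gives a random clicker nearly even odds; only repeating the round, with the per-round probability multiplying down, brings the success rate of blind clicking to a useful level, which is why the scheme has to be run several times.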
III. PROPOSED WORK
As mentioned earlier, our evaluation is based on two graphical schemes. In the Face scheme, the password is a collection of k faces, each selected from a distinct set of n > 1 faces. Each of the n faces is chosen uniformly at random from a set of faces classified as belonging to a typical Asian, black or white male or female model. For our evaluation we choose k = 4 and n = 9. So, while choosing her password, the user is shown four successive 3 × 3 grids containing randomly chosen images (see Figure 1, for example), and for each grid she selects one image as an element of her password. The images are distinct and do not appear more than once for a given user. During the authentication phase, the same group of images is shown to the user, but with the images randomly permuted. In the Story scheme, a password is a sequence of k unique images selected by the user to make a "story", from a single set of n > k images, each derived from a distinct category of image types. The pictures are drawn from categories that depict everyday objects such as food and automobiles.
The basic idea is as follows: the user is asked to choose four images of human faces from a face database as their future password. In the authentication stage, the user sees a grid of nine faces, consisting of one face previously chosen by the user and eight unique faces. The user recognizes and clicks anywhere on the known face. This process is repeated for several rounds. The user is authenticated if he or she correctly identifies all four faces. This technique depends on the consideration that people can recall human faces more easily than other pictures.
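Enrolment and login for the Face scheme as described above, as an added example and not the paper's own implementation: k = 4 rounds of n = 9 faces, no image repeated for a user, the same nine images shown at login in a fresh random order, and the secret treated as the ordered list of chosen image ids (so the screen position of a click carries no information). The face-id pool and the enrolled choices are constructed; salting and hashing the stored choices with PBKDF2 and comparing in constant time are standard practice added here, not something the paper specifies.

```python
# Added example (not the paper's code): Face-scheme enrolment and login with
# k = 4 rounds of n = 9 faces and permuted display at authentication time.
import hashlib
import hmac
import os
import random

K, N = 4, 9                                        # paper's parameters
FACE_DB = [f"face{i:03d}" for i in range(72)]      # constructed image ids
PBKDF2_ROUNDS = 100_000

def make_grids(rng):
    """Draw K*N distinct faces so no image repeats for this user; split into K grids."""
    faces = rng.sample(FACE_DB, K * N)
    return [faces[i * N:(i + 1) * N] for i in range(K)]

def _digest(choices, salt):
    # The secret is the ordered list of chosen image ids, not screen positions.
    return hashlib.pbkdf2_hmac("sha256", "|".join(choices).encode(), salt, PBKDF2_ROUNDS)

def enroll(grids, chosen):
    """Store the user's grids plus a salted hash of the one face chosen per grid."""
    if len(chosen) != K or any(c not in g for c, g in zip(chosen, grids)):
        raise ValueError("exactly one face from each grid must be chosen")
    salt = os.urandom(16)
    return {"grids": grids, "salt": salt, "digest": _digest(chosen, salt)}

def present_grid(record, round_no, rng):
    """Same nine images as at enrolment, randomly permuted for display."""
    grid = list(record["grids"][round_no])
    rng.shuffle(grid)
    return grid

def login(record, clicked):
    """Accept iff the clicked image ids match the enrolled ones, in order."""
    if len(clicked) != K:
        return False
    return hmac.compare_digest(_digest(clicked, record["salt"]), record["digest"])

def password_space(n=N, k=K):
    """Number of distinct passwords: n choices in each of k rounds (9^4 = 6561)."""
    return n ** k

def demo(seed=1):
    """Enrol one user and try a correct and a wrong login.
    Returns (grids_distinct, permutation_keeps_images, good_login, bad_login)."""
    rng = random.Random(seed)
    grids = make_grids(rng)
    chosen = [g[0] for g in grids]
    record = enroll(grids, chosen)
    grids_distinct = len({f for g in grids for f in g}) == K * N
    permuted_ok = all(set(present_grid(record, r, rng)) == set(grids[r]) for r in range(K))
    return grids_distinct, permuted_ok, login(record, chosen), login(record, [g[1] for g in grids])

if __name__ == "__main__":
    print(demo(), "password space:", password_space())
```

The whole space is only 9^4 = 6561 passwords even before user bias is taken into account, which is why the conclusion below insists that guesses be mediated by an online system with a limit on failed attempts rather than left to an offline search.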
Very little research has been done to study the difficulty of cracking graphical passwords. That is because graphical passwords are not frequently used in practice.
For the Story scheme, the "men" and "women" categories were the same as the male and female models in our Face experiment. All other images were chosen from PicturesOf.NET and span the previously mentioned categories. To lessen the effect that an image's intensity, hue and background colour may have on a user's choice, we used the ImageMagick library to set image backgrounds to a light pastel colour at reduced intensity. Additionally, images with bright or distracting backgrounds, or of low quality, were deleted. All remaining images were resized to have similar aspect ratios. Of course, it is always possible that differences in such secondary factors influenced the results of our experiment, though we went to significant effort to avoid this and have found little to support a hypothesis of such influence.
ISSN: 2231-5381
First we introduce some notation. An $l$-element tuple $x$ is denoted $x^{(l)}$. If $S$ is either the Face or Story scheme, then the expression $x^{(l)} \leftarrow S$ denotes the selection of an $l$-tuple $x^{(l)}$ (a password or password prefix, consisting of image categories) according to $S$, involving both user choices and random algorithm choices.
In this section we describe how we approximately compute $\Pr[p^{(k)} \leftarrow S]$ for any $p^{(k)}$, i.e., the probability that the scheme yields the password $p^{(k)}$. This probability is taken with respect to both random choices by the password selection algorithm and user choices.
We compute this probability inductively as follows. Suppose $p^{(l+1)} = q^{(l)} r^{(1)}$. Then

$$\Pr[p^{(l+1)} \leftarrow S] = \Pr[q^{(l)} \leftarrow S] \cdot \Pr[q^{(l)} r^{(1)} \leftarrow S \mid q^{(l)} \leftarrow S] \qquad (1)$$

We are primarily concerned with measuring the ability of an attacker to guess the password of a user. Given accurate values for $\Pr[p^{(k)} \leftarrow S]$ for each $p^{(k)}$, a measure that indicates this ability is the "guessing entropy" of passwords. Guessing entropy measures the expected number of guesses an attacker with perfect knowledge of the probability distribution on passwords would need in order to guess a password chosen from that distribution. If we enumerate passwords $p_1^{(k)}, p_2^{(k)}, \ldots$ in non-increasing order of $\Pr[p_i^{(k)} \leftarrow S]$, then the guessing entropy is simply

$$\sum_{i} i \cdot \Pr[p_i^{(k)} \leftarrow S].$$

Guessing entropy is closely related to the entropy, and relations between the two are known. Since guessing entropy intuitively corresponds more closely to the attacker's task in which we are interested, we will mainly consider measures motivated by the guessing entropy.
IV. CONCLUSION
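The inductive computation of equation (1) and the guessing-entropy measure it feeds, worked through as an added example that is not the paper's own analysis code. Passwords are modelled as k-tuples of face categories, the conditional factor $\Pr[q^{(l)} r^{(1)} \leftarrow S \mid q^{(l)} \leftarrow S]$ is estimated from prefix counts in a sample, and the products along the prefixes give $\Pr[p^{(k)} \leftarrow S]$ for every tuple; sorting those in non-increasing order gives the guessing entropy and the share of users an attacker catches within a fixed number of online guesses. The six category labels, the deliberately skewed sample of twelve passwords and the additive smoothing (so that never-observed extensions keep a small non-zero probability instead of telescoping to raw frequencies) are assumptions of the example, not values from the paper.

```python
# Added example (not the paper's code): Pr[p^(k) <- S] via equation (1) from a
# sample of user-chosen passwords, then guessing entropy over the whole space.
from collections import Counter
from itertools import product

# Constructed category labels: race x gender of the face model, as in the Face scheme.
CATEGORIES = ("AF", "AM", "BF", "BM", "WF", "WM")
K = 4                                  # password length (tuples of K categories)

# Constructed sample of user-chosen passwords, heavily skewed on purpose.
SAMPLE = ([("AF", "WF", "AF", "AF")] * 5 + [("WF", "AF", "WF", "AF")] * 3
          + [("BM", "WM", "AM", "BF"), ("WF", "WF", "WF", "WF"),
             ("AF", "AF", "AF", "AF"), ("BF", "AM", "WF", "BM")])

def prefix_counts(sample):
    """Count every prefix q^(l) (l = 0..K, the empty prefix included) in the sample."""
    counts = Counter()
    for p in sample:
        for l in range(len(p) + 1):
            counts[p[:l]] += 1
    return counts

def extension_prob(counts, q, r, alpha=1.0):
    """Pr[q r <- S | q <- S], estimated from counts with additive smoothing
    (assumption of the example) so unseen extensions are not assigned zero."""
    return (counts[q + (r,)] + alpha) / (counts[q] + alpha * len(CATEGORIES))

def password_prob(counts, p):
    """Pr[p^(k) <- S] by equation (1): multiply the conditional extension
    probabilities along the prefixes p^(1), p^(2), ..., p^(k)."""
    pr = 1.0
    for l in range(len(p)):
        pr *= extension_prob(counts, p[:l], p[l])
    return pr

def estimate_distribution(sample, k=K):
    """Probability of every k-tuple over CATEGORIES (sums to 1 by construction)."""
    counts = prefix_counts(sample)
    return {p: password_prob(counts, p) for p in product(CATEGORIES, repeat=k)}

def guessing_entropy(dist):
    """Expected guesses for an attacker who knows dist and guesses in
    non-increasing order of probability: sum_i i * Pr[p_i]."""
    probs = sorted(dist.values(), reverse=True)
    return sum(i * pr for i, pr in enumerate(probs, start=1))

def uniform_guessing_entropy(size):
    """Guessing entropy if every one of `size` passwords were equally likely."""
    return (size + 1) / 2

def mass_within(dist, g):
    """Share of users whose password falls within the attacker's first g guesses."""
    return sum(sorted(dist.values(), reverse=True)[:g])

if __name__ == "__main__":
    d = estimate_distribution(SAMPLE)
    print("guessing entropy:", round(guessing_entropy(d), 1),
          "vs uniform:", uniform_guessing_entropy(len(d)))
    print("share guessed within 2 tries:", round(mass_within(d, 2), 3))
```

Run on the constructed sample, the most probable tuple alone carries about 5.8% of the mass and the top two guesses about 8%, against 2/1296 for a uniform distribution; that is the same kind of figure the conclusion below reports (10% of male users' passwords guessed in two attempts) and the reason an unbounded number of online guesses cannot be tolerated.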
A conclusion of our work is that graphical password schemes of the type we study may generally require a different posture toward password selection than text passwords, where selection by the user remains the norm today. The graphical password methods we examine in this study have the property that the set of passwords can be searched in short order if an offline search is possible. Therefore any use of these schemes requires that guesses be mediated and confirmed by a trusted online system. In such situations, we initially quantify factors relevant to the security of user-chosen graphical passwords. This argues against the use of a Passfaces-like system that permits user choice of the password without some means to mitigate the dramatic effects of attraction and race that our study quantifies. No imposed limit on the number of incorrect password guesses would suffice to render the system adequately secure since, e.g., 10% of the passwords of males could have been guessed by merely two guesses.
BIOGRAPHIES
T. Ravi Kiran is an Assistant Professor in the Department of Computer Science & Engineering, VITS College of Engineering, Sontyam, Visakhapatnam, Andhra Pradesh. He has 5 years of experience in Teaching. His research interests include Cloud Computing, Web Technologies, Information Security, Data Mining, Search Engines, Information Retrieval, Network Security, Database Systems, Data Privacy, Image Processing, Computer Networks.
P. Varaha Mounika is currently pursuing a B.Tech. degree in Computer Science & Engineering, VITS College of Engineering, Sontyam, Visakhapatnam, Andhra Pradesh. Her research interests include Data Mining, Image Processing.
S.V. Vasavi Swapna is currently pursuing a B.Tech. degree in Computer Science & Engineering, VITS College of Engineering, Sontyam, Visakhapatnam, Andhra Pradesh. Her research interests include Data Mining, Image Processing.
S. Satya Rao is currently pursuing a B.Tech. degree in Computer Science & Engineering, VITS College of Engineering, Sontyam, Visakhapatnam, Andhra Pradesh. His research interests include Data Mining, Image Processing.
N. Raju is currently pursuing a B.Tech. degree in Computer Science & Engineering, VITS College of Engineering, Sontyam, Visakhapatnam, Andhra Pradesh. His research interests include Data Mining, Image Processing.