Daniel Pu's slides on graphical passwords - CUPS

Kok-Chie Daniel Pu - MSISPM
Wow ... Daniel will be presenting a lecture on
Graphical Passwords !!!
Definition of Graphical
Passwords
• A graphical password is a secret that a
human user inputs to a computer with the
aid of the computer’s graphical input (e.g.,
mouse, stylus, or touch screen) and
output devices. [01]
Example – Slot Machine !!!
• Has human user input.
• There is high user
acceptance.
• Graphical passwords
(i.e. icons, pictures)
• What are the problems
here?
Background / History
• Information and computer security is
dependent on passwords for the
authentication of human users.
• As presented in previous lectures,
common methods include text
passwords, biometrics, etc.
Background / History
• Main drawback of passwords is the
password problem.
• What is this password problem?
– Passwords should be easy to remember.
– User authentication protocol should be
executed quickly and easily by humans.
– Passwords should be secure (random, hard
to guess and not in plain text). [02]
Background / History
• Graphical passwords may be a solution to
the password problem.
• The idea of graphical passwords was
pioneered by Greg Blonder who also
holds the US patent 5559961 (1996).
• His idea was to let the user click (with a
mouse or stylus) on a few chosen (pre-designed)
regions in a (pre-processed) image that
appears on the screen. [03]
Passwords: Text vs Graphical
Text Passwords:
• Alpha-numeric passwords guidelines
– At least 8 characters long.
– Should not be easy to relate to the user (e.g.
last name, birth date).
– Should not be a word that can be found in a
dictionary or public dictionary.
– Should combine upper and lower case letters
and digits. [04]
Text Passwords:
• Examples:
– DiNoSaUr (by alternating upper and lower
case).
– rUaSoNiD (by reversing the string).
– oSNaiUDr (by shuffling the string).
– D9n6s7u3 (combining numbers and letters).
[05]
Text Passwords:
• Vulnerabilities
– Shoulder surfing (watching a user log on as
they type their password).
– Dictionary attacks (using L0phtCrack or John
the Ripper).
– User may forget the password if it is too long
and complicated.
Graphical Passwords:
• Advantages
– Human brains can process graphical images
easily.
– Examples include places we visited, faces of
people and things we have seen.
– Difficult to implement automated attacks
(such as dictionary attacks) against graphical
passwords. [06]
Graphical Passwords:
• Disadvantages
– Shoulder surfing problem.
• Countermeasures
– Existing schemes limit usage of graphical
passwords to handhelds or workstations
where only one person is able to view the
screen at the time of login. [07]
What’s Next ?
Research papers & applications
• A Password Scheme Strongly Resistant
to Spyware.
• Picture Password: A Visual Login
Technique for Mobile Devices.
• Passfaces.
• On User Choice in Graphical Password
Schemes.
A Password Scheme Strongly
Resistant to Spyware
• Spyware is one of the biggest threats to
computer security.
• Spyware gathers information about users
and their computer systems without their
permission and sends this lucrative
information to the parties who installed the
spyware.
• It is an arms race for the counter-spyware
vendors.
A Password Scheme Strongly
Resistant to Spyware
• This research focuses on deploying a
login screen that is divided into a grid of
121 cells (11 rows by 11 columns).
• When a new user creates a password, he
chooses all 121 icons from an icon library
on the server.
• The user designates 4 of them as pass icons.
Each icon has 4 variations. [08]
A Password Scheme Strongly
Resistant to Spyware
• The password system leads the user
through the 4 pass icons to set up the
password.
• For each variation, the user chooses a
string and enters it beneath that variation.
• Strings are chosen to relate to some
events in the user’s life. [09]
A Password Scheme Strongly
Resistant to Spyware
• Once the password is created, the
password system displays a summary
which can be printed for the user’s
reference.
• On average, it took one person 15 minutes
from creating the password to using it
fluently. [10]
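The following is an added model of the spyware-resistant scheme described on the preceding slides (Hong, Man, Hawes and Matthews); it is illustrative code written for this page, not the authors' implementation. It builds the 121-cell grid, the 4 pass icons with 4 variations each and one user-chosen string per variation, then shows the login step as I read it from the slides: every icon is drawn in a random variation, and the user types the strings that belong to the variations currently shown for the pass icons. Two details are assumptions: decoy icons also vary (so the pass icons do not stand out), and the strings are typed in enrollment order. The icon names and the random stand-in strings are constructed for the demo.

```python
# Added model of the spyware-resistant scheme from these slides (Hong, Man,
# Hawes, Matthews). Illustrative code written for this page, not the
# authors' implementation. Assumptions: decoy icons are also drawn in a random
# variation, and the user types the pass-icon strings in enrollment order.
import random
import secrets
import string

GRID_ROWS, GRID_COLS = 11, 11        # 121-cell login grid, as on the slide
NUM_PASS_ICONS = 4
NUM_VARIATIONS = 4

# Constructed icon library (names only); a real server would hold images.
DEMO_LIBRARY = [f"icon_{i:03d}" for i in range(200)]


def _rng(seed):
    """Seeded generator for reproducible demos; true randomness otherwise."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def enroll(icon_library, seed=None):
    """Set-up phase: pick the 121 grid icons, 4 of them as pass icons, and one
    string per variation of each pass icon (16 strings in total)."""
    rng = _rng(seed)
    grid_icons = rng.sample(icon_library, GRID_ROWS * GRID_COLS)
    pass_icons = rng.sample(grid_icons, NUM_PASS_ICONS)
    # Stand-in for the memorable life-event strings a real user would choose.
    strings = {
        (icon, v): "".join(rng.choice(string.ascii_lowercase) for _ in range(6))
        for icon in pass_icons
        for v in range(NUM_VARIATIONS)
    }
    return {"grid_icons": grid_icons, "pass_icons": pass_icons, "strings": strings}


def make_challenge(profile, seed=None):
    """Login screen: every icon at a random position, drawn in a random
    variation. Returns 11 rows of 11 (icon, variation) cells."""
    rng = _rng(seed)
    cells = [(icon, rng.randrange(NUM_VARIATIONS)) for icon in profile["grid_icons"]]
    rng.shuffle(cells)
    return [cells[r * GRID_COLS:(r + 1) * GRID_COLS] for r in range(GRID_ROWS)]


def shown_variations(profile, challenge):
    """Which variation of each pass icon this particular screen displays."""
    shown = {icon: v for row in challenge for icon, v in row}
    return [shown[icon] for icon in profile["pass_icons"]]


def expected_response(profile, challenge):
    """What the legitimate user types: the string belonging to the variation
    currently shown for each pass icon."""
    return [profile["strings"][(icon, v)]
            for icon, v in zip(profile["pass_icons"], shown_variations(profile, challenge))]


def verify(profile, challenge, typed):
    """Server-side check; the typed strings are only valid for this screen."""
    expected = expected_response(profile, challenge)
    return len(typed) == len(expected) and all(
        secrets.compare_digest(a, b) for a, b in zip(typed, expected))


def replay_success_probability():
    """A keylogger that records one login sees 4 strings but not the screen;
    replaying them only works if the next screen repeats all 4 variations."""
    return (1 / NUM_VARIATIONS) ** NUM_PASS_ICONS


if __name__ == "__main__":
    profile = enroll(DEMO_LIBRARY, seed=1)
    screen = make_challenge(profile, seed=2)
    print("pass icons:", profile["pass_icons"])
    print("variations shown:", shown_variations(profile, screen))
    print("login accepted:", verify(profile, screen, expected_response(profile, screen)))
    print("chance a single captured login replays: 1 in", int(1 / replay_success_probability()))
```

The point the model makes visible is why the slides call the scheme resistant to spyware: a keylogger records only the typed strings, which are bound to the variations on one screen, so a captured login replays only when the next screen happens to repeat all four variations (1 in 256 with the parameters above). It does not help against spyware that also captures the screen, and a user who leaves the printed summary lying around defeats it entirely.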
Picture Password
• NIST – National Institute of Standards
and Technology.
• A Visual Login Technique for Mobile
Devices. (NISTIR 7030)
• Focuses on devices such as PDAs and
possibly cell phones.
• Uses images in a matrix similar to a
keypad. [11]
Picture Password
• Organizational policies must enforce
password expiration.
• This is to prevent / reduce the
opportunities for attackers to crack the
passwords.
• If password reuse is required, the image
sequence must generate completely new
password values. [12]
Picture Password
• NIST Secure Hash Algorithm is used to
compute the cryptographic hash and
results in a 20-byte binary value.
• The value matrix maps selected
thumbnails to their underlying alphabet
values.
• This scheme matches the capabilities and
limitations of the handheld devices. [13]
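The following is an added example of the Picture Password flow described on the preceding slides: a value matrix maps each tapped thumbnail to an alphabet value, and the NIST Secure Hash Algorithm (SHA-1, which gives the 20-byte value named on the slide) is computed over the resulting string; the stored value is then checked on login, expires under the policy slide, and must change completely when the image sequence is rotated. This is illustrative code written for this page, not the NISTIR 7030 software. The 5 x 6 thumbnail layout, its alphabet, the 4-image minimum and the 90-day lifetime are constructed assumptions.

```python
# Added illustration of the Picture Password mechanics on these slides.
# Written for this page; not the NISTIR 7030 reference implementation.
import hashlib
import secrets
import string

# Constructed layout: 30 thumbnails in a 5 x 6 keypad-like matrix (assumption;
# the real image set and layout are not reproduced here).
ROWS, COLS = 5, 6
THUMBNAILS = [[f"img{r}{c}" for c in range(COLS)] for r in range(ROWS)]

# Value matrix: each thumbnail position is backed by one alphabet symbol
# (26 letters plus the digits 0-3 here; the real alphabet is an assumption).
ALPHABET = string.ascii_uppercase + string.digits[:ROWS * COLS - 26]
VALUE_MATRIX = {THUMBNAILS[r][c]: ALPHABET[r * COLS + c]
                for r in range(ROWS) for c in range(COLS)}


def sequence_to_alphabet(sequence):
    """Translate the tapped thumbnail sequence into its alphabet string."""
    return "".join(VALUE_MATRIX[name] for name in sequence)


def password_value(sequence):
    """SHA-1 of the alphabet string: the 20-byte binary value the slide
    describes. Only this value is stored, never the image sequence.
    Caveat: this is the unsalted construction the slide describes; a
    deployment today would add a per-user salt and a slow password hash."""
    return hashlib.sha1(sequence_to_alphabet(sequence).encode("ascii")).digest()


def enroll(sequence, min_length=4, today=0, max_age_days=90):
    """Store the password value with the day it was set (days as integers)."""
    if len(sequence) < min_length:
        raise ValueError(f"sequence must have at least {min_length} images")
    return {"value": password_value(sequence), "set_on": today,
            "max_age_days": max_age_days}


def is_expired(record, today):
    """Organizational policy from the slide: passwords expire."""
    return today - record["set_on"] >= record["max_age_days"]


def verify(record, sequence, today):
    """Login check: reject expired records, then compare in constant time."""
    if is_expired(record, today):
        return False
    return secrets.compare_digest(record["value"], password_value(sequence))


def rotate(record, new_sequence, today):
    """Password change: the new image sequence must yield a completely new
    password value, as the policy slide requires."""
    if secrets.compare_digest(password_value(new_sequence), record["value"]):
        raise ValueError("new image sequence reproduces the old password value")
    return enroll(new_sequence, today=today, max_age_days=record["max_age_days"])


if __name__ == "__main__":
    taps = ["img00", "img12", "img23", "img34"]          # constructed sample login
    record = enroll(taps, today=0)
    print("alphabet string:", sequence_to_alphabet(taps))
    print("stored value (hex):", record["value"].hex())
    print("day 10 login:", verify(record, taps, today=10))
    print("day 90 login:", verify(record, taps, today=90))
```

Because the value matrix is fixed per device, the hash depends only on the order of taps; the same four images in a different order give a different value, which is what makes the sequence, not the set, the secret.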
Passfaces
• Passfaces (formerly known as Real User
Corporation) is an information security
technology company based in Annapolis,
Maryland.
• Commercial application leverages the
brain’s innate cognitive ability to
recognize human faces. [14]
Passfaces
• Logon Process:
– Users are asked to pick their assigned
Passfaces from a 3 x 3 grid containing one
Passface and 8 decoys.
– The faces appear in random positions within
the grid each time.
– This process is repeated until each of the
assigned Passfaces has been identified. [15]
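The following is an added model of the logon process on this slide: one 3 x 3 round per assigned Passface, each round showing that face and 8 decoys in freshly shuffled positions, repeated until every Passface has been picked. It is illustrative code written for this page, not Passfaces' own software. Two things are my additions and should be read as assumptions: the 8 decoys for a given Passface are fixed at enrollment (only their positions change between logins), and the account locks after a small number of failed attempts, since each round offers only 9 choices. The face names are constructed stand-ins for photographs.

```python
# Added model of the Passfaces logon process described on this slide.
# Illustrative code for this page, not Passfaces' software. Assumptions: fixed
# decoys per Passface (positions still random) and a failed-attempt limit.
import random
import secrets

GRID = 3
DECOYS_PER_ROUND = GRID * GRID - 1   # 8 decoys + 1 Passface per round

# Constructed face library: names stand in for photographs.
DEMO_FACES = [f"face_{i:02d}" for i in range(60)]


def _rng(seed):
    """Seeded generator for reproducible demos; true randomness otherwise."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def enroll(face_library, num_passfaces=4, seed=None):
    """Assign Passfaces to the user and fix the decoy set for each of them.
    Fixed decoys mean an onlooker who sees several logins cannot single out
    the Passface as the only face that recurs from screen to screen."""
    rng = _rng(seed)
    passfaces = rng.sample(face_library, num_passfaces)
    others = [f for f in face_library if f not in passfaces]
    decoys = {pf: rng.sample(others, DECOYS_PER_ROUND) for pf in passfaces}
    return passfaces, decoys


def build_rounds(passfaces, decoys, seed=None):
    """One 3 x 3 grid per Passface, with the faces shuffled into new positions."""
    rng = _rng(seed)
    rounds = []
    for pf in passfaces:
        cells = [pf] + list(decoys[pf])
        rng.shuffle(cells)
        rounds.append([cells[r * GRID:(r + 1) * GRID] for r in range(GRID)])
    return rounds


def locate(grid, face):
    """(row, col) of a face on one round's grid: the cell the user taps."""
    for r, row in enumerate(grid):
        if face in row:
            return r, row.index(face)
    raise ValueError("face not on this grid")


def verify(passfaces, rounds, picks):
    """Every round must be answered and every pick must land on the Passface."""
    if len(picks) != len(rounds) or len(rounds) != len(passfaces):
        return False
    return all(rounds[i][r][c] == passfaces[i] for i, (r, c) in enumerate(picks))


def guess_probability(num_rounds):
    """Blind guessing succeeds with 1/9 per round, so (1/9)^n overall."""
    return (1 / (GRID * GRID)) ** num_rounds


class Account:
    """Binds each challenge to a single answer and locks after repeated
    failures (my addition: with 9 choices per round the guess space is small,
    so the server has to bound the number of tries)."""

    def __init__(self, passfaces, decoys, max_failures=3):
        self.passfaces, self.decoys = passfaces, decoys
        self.max_failures, self.failures, self.current = max_failures, 0, None

    def challenge(self, seed=None):
        self.current = build_rounds(self.passfaces, self.decoys, seed)
        return self.current

    def submit(self, picks):
        if self.failures >= self.max_failures:
            return "locked"
        rounds, self.current = self.current, None      # a challenge is single-use
        if rounds is not None and verify(self.passfaces, rounds, picks):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.max_failures else "denied"


if __name__ == "__main__":
    passfaces, decoys = enroll(DEMO_FACES, seed=1)
    acct = Account(passfaces, decoys)
    rounds = acct.challenge(seed=2)
    picks = [locate(rounds[i], pf) for i, pf in enumerate(passfaces)]
    print("assigned Passfaces:", passfaces)
    print("positions this login:", picks)
    print("result:", acct.submit(picks))
    print("blind-guess odds for 4 rounds: 1 in", round(1 / guess_probability(4)))
```

With four assigned Passfaces a blind guess succeeds once in 6561 attempts, which is why the attempt limit matters far more here than for a text password.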
User Choice in Graphical
Password Schemes
• Darren Davis and Fabian Monrose (Johns
Hopkins University) and Michael Reiter
(Carnegie Mellon University).
• Strength of graphical passwords based
on users’ selections.
• Face and story schemes were chosen for
this research. [16]
User Choice in Graphical
Password Schemes
• Face scheme was modeled after the
commercial Passfaces where users
select a collection of faces to make the
password.
• Story scheme requires a sequence of
images to tell a story.
• Experiment was conducted at two
universities with 154 subjects in 2003.
[17]
User Choice in Graphical
Password Schemes
• Subjects used graphical passwords to
access homework, grades, homework
solutions, course reading materials, etc.
• At the end of the semester, these
students were given a survey to describe:
– Why they picked the faces they did (for Face)
or their chosen stories (for Story) and some
demographic information about themselves.
[18]
User Choice in Graphical
Password Schemes
• Studies show that people agree about the
attractiveness of both adults and children,
even across different cultures.
• Individuals are better able to recognize
faces of people from their own race than
faces of people from other races. [19]
User Choice in Graphical
Password Schemes
• Exit surveys (Face) confirmed the following:
User Choice in Graphical
Password Schemes
• Exit surveys (Story) confirmed the following:
User Choice in Graphical
Password Schemes
• Conclusions of the study:
– User choice of passwords is not a good
method.
– Limits should be imposed on the number of
incorrect password guesses.
– Educate the users on better approaches to
select passwords.
– Graphical passwords (faces or story) must
be easy to remember. [20]
The End
Questions ???
References for Graphical Password Lecture:
[01] Fabian Monrose and Michael Reiter, Chapter 9 - Security and Usability.
[02] The Graphical Passwords Project, funded by the NSF CyberTrust Project.
Co-PIs: J.C. Birget (Rutgers-Camden), D. Hong (Rutgers-Camden), N. Memon (Brooklyn Polytechnic),
S. Man (SW Minn. State), S. Wiedenbeck (Drexel).
[03] Same as [02].
[04] Graphical Passwords, Leonardo Sobrado and Jean-Camille Birget,
Department of Computer Science, Rutgers University.
[05] Same as [04].
[06] Same as [04].
[07] Same as [04].
[08] A Password Scheme Strongly Resistant to Spyware, Dawei Hong (Rutgers University),
ShuShuang Man and Barbra Hawes (Southwest Minnesota State University),
Manton Matthews (University of South Carolina).
[09] Same as [08].
[10] Same as [08].
[11] NIST (National Institute of Standards and Technology), NISTIR 7030,
Picture Password: A Visual Login Technique for Mobile Devices.
[12] Same as [11].
[13] Same as [11].
[14] Passfaces as a Countermeasure for Phishing and Malware,
Passfaces_countermeasures.pdf, www.passfaces.com
[15] Passfaces Technology Overview,
Passfaces%20Tech%200verview.pdf, www.passfaces.com
[16] On User Choice in Graphical Password Schemes, Darren Davis and Fabian Monrose
(Johns Hopkins University) and Michael Reiter (Carnegie Mellon University).
[17] Same as [16].
[18] Same as [16].
[19] Same as [16].
[20] Same as [16].
All South Park Characters are copyrighted and belong to their creators at South Park
Studios.