Graphical Password Security Attacks Computer Science

Essay add: 11-01-2017, 11:11   /   Views: 17

People encounter security mechanisms daily, such as physical keys to unlock doors or security alarms intended to alert them of intruders. With respect to computer security mechanisms, people are most often required to authenticate themselves using knowledge-based schemes such as passwords. Even though these are commonly used, and perhaps because they are so prevalent, passwords are plagued with security and usability problems. Technical solutions such as imposing minimum password requirements, and encryption and communication algorithms, for protecting passwords in transit and storage, have not resolved the human factors problems with passwords: usability, memorability, memory interference from having multiple passwords, and predictability in user choice. the current situation where many passwords used in practice are either weak- and-memorable or secure-but difficult-to-remember, despite the need for secure and memorable passwords.

The term Authentication describes the process of verifying the identity of a person or entity. It is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is part of most online applications. Before a user can access its email account, its online banking account or its favorite online shopping account, it has to identify and authenticate itself to the application. The most common form of authentication is done through the use of passwords.

Before describing the process of the authentication, we explain some terms. In this context, AAA is often used. AAA stands for Authentication, Authorization and Accounting. It is important to know the differences between those terms

Authentication: the confirmation that a user is who it is claiming to be.

Authorization: the process to determine whether the user has the authority to issue certain commands.

Accounting: measuring the resources a user consumes during access.

Identification: Identification is the process that enables recognition of a user described to an automated data processing system.

Authentication methodologies are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. The most prevalent form is probably the authentication with a user name and a password. Unfortunately it is also one of the most insecure methods. There is an unlimited range of variations of how a user can be authenticated to a web application. Some of the most popular ones are going to be described in the following.

Authentication methods can involve up to three factors:

1. Knowledge: What a user knows (i.e., a password or challenge question)

2. Possession: What a user has (i.e., a security token or mobile phone)

3. Attribute: What the user is (i.e. biometric characteristics like a fingerprint or the pattern of the eye)

Possession based techniques, such as key cards, bank cards and smart cards are widely used. Many token-based authentication systems also use knowledge based techniques to enhance security. For example, ATM cards are generally used together with a PIN number.

Biometric based authentication techniques, such as fingerprints, iris scan, or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often un- reliable. However, this type of technique provides the highest level of security.

It has also been suggested that graphical passwords may be hard to guess or broken by brute force search. If the number of possible pictures is sufficiently large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these (presumed) advantages, there is a growing interest in graphical password. In addition to workstation and web log-in applications, graphical passwords have also been applied to ATM machines and mobile devices. Strong authentication is also commonly referred to as two-factor authentication or multi-factor authentication. This alludes to the fact that there is more than one factor, or proof, needed in order for an authentication to be made. When only one factor is utilized to authenticate a user, it is considered to be a weak form of authentication. Multi-factor authentication may include multiple types of the same authentication method (for example, two static passwords) but would not necessarily be considered strong authentication.

1. Single Factor Authentication:-

Basic user name/password authentication for example is based on something you know. In single factor authentication user can use only one factor for authentication from above given factors. Usually user uses knowledge factor (i.e. Password or PIN). This case password may be textual or the graphical password or the PIN.

2. Multi Factor Authentication:-

In multi factor authentication user consist with more than one factors for security purpose the multifactor consist combination of what the user knows (i.e. PIN or password) and what the user has (i.e. smart card) and what the user is (i.e. biometric authentication).

Multifactor authentication also consist of more than once the same factor also means the user can use more than once any one of the above factor (i.e. what the user knows, what the user has, what the user is)

These methods have varying levels of security and impose different levels of inconvenience to the end user. An example is an ATM card. The card represents something you have, the PIN represents something you know, and hence it is a two factor authentication.

Another is user enters his user name and connect the USB token the identification USB token is first factor and enter the one time password generated by that token is second factor.

In 2nd section I described the survey of textual and graphical password authentication with their problems and solutions with their password spaces in 3rd section I explained my proposed scheme and 4th section conclusion and future work.


Literature survey

Textual password :

Text passwords are easy and inexpensive to implement, and are familiar to most users. Passwords allow users to authenticate themselves without violating their privacy, as biometrics could, since users can select passwords that do not contain personal information. And finally, passwords are portable since users simply have to recall them, as opposed to tokens which must be carried. However, text passwords also have a number of the inadequacies from both security and usability viewpoints, such as being difficult to remember and being predictable if user-choice is allowed.

Passwords are only secure if they are difficult for attackers to guess, yet are only usable if users can remember them. In current situation many passwords are either weak-and-memorable or secure but difficult to remember, despite the need for secure and memorable passwords.

To build the secure password certain guidelines are given by authentication system provider.

Guidelines "

1. Password must not contain your personal information.

Password should have maximum length more than 8 characters.

Password should contain all types characters (1-9 and a-z) must be in combination with uppercase and lower case letters.

Password must not be dictionary word or the owners keyword.

Password also contains special symbols to make it more complex to guess.

Password should be easy to remember.

By using these guidelines password becomes stronger which cant be easily guessed but its not easy to remember such type password.


This password is very difficult to guess but cant remember so user write that password anywhere which can be read by outsider and get stolen.

User reuses the same password on different sites and sometimes on insecure sites. and it get open.

Sometimes the users feel that they are login on trusted site but it make foolish to user by phishing attack by entering details on insecure site who is having same environment like secure site. Called phishing attacks.

Solution "

Password manager are some programmed plug in which work as trusty in between the user and service provider. Some plug-in like pwd-hash, password multiplier in browser. The password entered by user is simple and easy to remember. To make it complex by providing that password to password manager. Password manager convert it to complex and send to service provider. User not needs to write that complex password or to remember that password.

But current situation this technique is also not secure it is also vulnerable to various security attacks such like shoulder surfing, man in middle, and social engineering .

Encryption is another technique which work with private and public key or secret key.

Definition of various Security attacks.

Dictionary attacks- In a dictionary attack; a list of likely passwords is compiled based on knowledge or assumptions of typical user behavior. Entries in the dictionary can be further prioritized to test passwords with higher probability of success first (if these probabilities can somehow be calculated or predicted), increasing chances of quickly finding a match. Dictionary attacks can lead to efficient password guessing because users are likely to select from a relatively small and predictable password space. Recent research suggests that dictionary attacks remain a serious on-going threat, although exact statistics are not widely available since most organizations do not reveal such breeches in security.

Shoulder-surfing: Shoulder-surfing refers to attackers acquiring knowledge of a particular user's credentials through direct observation, or through external recording devices such as video cameras, while the legitimate user enters the information. Availability of high-resolution cameras with telephoto lenses and surveillance equipment make shoulder-surfing a real concern if attackers are targeting specific users and have access to the same geographic location as these users. This is especially problematic in public environments, but may not be as serious a threat in other more private environments.

Phishing : Phishing attacks involve tricking users into entering their credentials

(Username, password, credit card numbers, etc.) At a fraudulent website that is masquerading as a legitimate site. Users normally reach these phishing websites through spam email enticing users to click on an embedded link that directs them to a website designed to look like a site for which they have a legitimate account. When users attempt to log in, attackers record the user's credentials and subsequently use them for fraudulent purposes.

Social Engineering: Social engineering includes any technique used to trick people into divulging their credentials or private information to untrustworthy parties. Phishing is an example of social engineering using email and websites, but social engineering can also be done using other means, such through as phone calls claiming to be from the user's bank, credit card Company, or tech support. It is often easier to obtain a password or credentials from the legitimate user than trying to break into a system by other means.

Password space- dictionary attacks is successful when the user choice is allowed in password creation. User selects most predictable passwords that are easily cracked by dictionary attacks. So the solution that to make password space more effective machine generated password is used. And to make it more effective against stealing the password from the storage use encryption before to storing the password in storage.

Uses different passwords at different sites. And password should contain the combination of digits, alphabets and special symbols so its hard to guess and crack.

Study of Graphical passwords-

Text passwords are a type of knowledge-based authentication, where users must prove knowledge of some secret. Graphical passwords are an alternative type of knowledge-based authentication. In graphical passwords, images or visual representations are used instead of alphanumeric characters. The premise behind graphical passwords is that humans have better memory for images than text.

The graphical passwords are divided in two parts.

Recognition based

Recall based

Cued recall

Pure recall

Recognition based technique-

In recognition-based graphical password systems, users typically memorize a portfolio of images during password creation and then must recognize their images from among decoys to log in.

De j a Vu[1] :

In D ej_a Vu [1], users select and memorize a subset of images from a larger sample to create their portfolio. To log in, users must recognize images belonging to their pre-defined portfolio from a set of decoy images; in the test system, a panel of 25 images is displayed, 5 of which belong to the user's portfolio. Users must identify all of images from their portfolio and only one panel is displayed. Images of random art" are used to make it more difficult for users to write down their password or share it with others by describing the images from their portfolio. The authors report that a fixed set of 10000 images is sufficient, but that attractive" images should be hand-selected to increase the likelihood that images have similar probabilities of being selected by users.


a. This method of password creation is resistant to dictionary attack because user cant write his image password anywhere or the image password having large space so it cant be written in any dictionary.

b. It resistant to Phishing attack because insecure site is not having any idea about the users image portfolio of the legitimate site.

c. Resistant to Social engineering Attack because it very difficult to express the image for the user.

Drawbacks -

It requires more password creation time and large storage space as compared to textual password.

It requires more number of images and sketches (suggested 1000 images).

Shoulder surfing attack is possible by mouse click on image.

Possibility of man-in-middle-attack because password is not encrypted during storage

Pass faces[2]

In Pass Faces[2], users pre-select a set of images of human faces. During login, they are presented with a panel of candidate faces and have to select the face belonging to their set from among decoys. This process is repeated several times with different panels, and users must perform each round correctly in order to successfully authenticate themselves. In the test systems, a panel consisted of 9 images, one of which belonged to the user's portfolio, and a user completed 4 rounds to login.

Advantages- user can remember their pass faces password over long period of time.

And it should resistant to the shoulder surfing attack if the password is entered by keyboard rather than mouse click.

Drawbacks -This method is vulnerable to dictionary attack and easy to guess because most of the time user chooses the beautiful faces as a password from the image portfolio. There should be the possibility of shoulder surfing attack by hearing the description of human faces from the user and if decoy of the images is not properly selected. If Pass Faces uses a keyboard for password entry, then malware attacks would need both a key-logger and screen scraping software to gain enough knowledge for password entry; with regular mouse entry, only a screen scraper is necessary.


Story was proposed by Davis et al.[3] A comparison system for Pass Faces. In Story, users first select a sequence of images for their portfolio. To log in, users are presented with one panel of images and must identify their portfolio images from among decoys. The images contained everyday objects, places, or people.

Story also introduced a sequential component by requiring that users select their images in the correct order. To help with memorability, users were instructed to mentally construct a story to connect the images in their set. In the test system, a panel contained 9 images and a user's password consisted of a sequence of 4 images selected from within this panel.

Advantages- its having more theoretical password space than the textual password ant quite easy to remember.

Disadvantages- users had more difficulties in remembering their story password and most frequently made ordering errors. The patterns of user choice existed in story indicates that it likely to be dictionary attack and user chooses the patterns they like. Story is vulnerable to shoulder surfing attack especially when the mouse is used as input device. Social engineering attack is also possible if attackers heard when user verbalizes their story password. It is also vulnerable to malware attack by using screen scrapping software.

Weinshall Cognitive Authentication Scheme[4]

Weinshall [4] proposed a graphical password scheme where login requires that users recognize images from their portfolio. The login task involves computing a path through a panel of images based on whether particular images belong to the user's portfolio. The rules are to compute a path starting from the top-left corner of the panel of images: move down if you stand on a picture from your portfolio, move right otherwise. When the right or bottom edge of the panel is reached, identify the corresponding label for that row or column. A multiple-choice question is presented, which includes the label for the correct end-point of the path. Users perform several rounds, presented with a different panel each time. After each round, the system computes the cumulative probability that the correct answer was not entered by chance. When the probability passes a certain threshold, then the user is authenticated. This allows for some user error, but if the threshold is not passed within a certain number of rounds, the user is rejected.

The keyboard is used for input, rather than a mouse, to help reduce shoulder- surfing. Users receive system-assigned portfolios of images and receive extensive training to initially memorize their portfolio since it includes a large number of images (approximately 100), but no times were reported for this initial training phase.

Advantages - The main advantage reported by Weinshall [4] is resistance to observation (shoulder-surfing) attacks. Dictionary attacks and targeted attacks have no advantage over exhaustive attacks for this scheme because portfolio images are randomly assigned so all images are equally likely.

It would be nearly impossible to verbalize enough information for an attacker (or a friend, if trying to share the password) to be able to log in successfully so this type of social engineering attack is not viable.

As demonstrated by Golle and Wagner [5], an attack based on shoulder surfing can be successful if a few logins are observed. Similar to the other schemes in this section, portfolio images must be stored in a manner accessible to the system, and phishing can be done using a MITM strategy. Multiple logins would need to be captured by screen scraping software for the attacker to gain sufficient knowledge for independent login.

5. Shoulder surfing problem solving scheme

Sobrado and Birget [6] developed a graphical password technique that deals with the shoulder surfing problem. In the first scheme, the system will display a number of pass-objects (pre-selected by user) among many other objects. To be authenticated, a user needs to recognize pass-objects and click inside the convex hull formed by all the pass-objects. In order to make the password hard to guess, Sobrado and Birget[6] suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable, but using fewer objects may lead to a smaller password space, since the resulting convex hull can be large.

Drawbacks- the users recognition task is difficult due to crowd screen of images. It requires large storage space to store thousands of images.

Man, et al.[7] proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy-objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene as well as a code indicating the relative location of the pass objects in reference to a pair of eyes. Advantages-The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video because where is no mouse click to give away the pass-object information.

Disadvantage-this method still requires users to memorize the alphanumeric code for each pass-object variant. It is suffered from man-in-middle attack.


Graphical passwords requiring pure recall are most similar to text passwords because users must remember their password and reproduce it without any cues from the system. This is a difficult memory task and users sometimes devise ways of using the interface as a cue even though it is not intended as such. For example, we have evidence that users often include the name of the system as part of their text passwords.

Pure recall

DAS(Draw a Secret)

Jermyn, et al.[8] proposed a technique, called Draw - a - secret (DAS), which allows the user to draw their unique password. A user is asked to draw a simple picture on a 2D grid. The coordinates of the grids occupied by the picture are stored in the order of the drawing. During authentication, the user is asked to re-draw the picture. If the drawing touches the same grids in the same sequence, then the user is authenticated.

Thorpe and van Oorschot [9] analyzed the memorable password space of the graphical password scheme by Jermyn et al. They introduced the concept of graphical dictionaries and studied the possibility of a brute-force attack using such dictionaries. They defined a length parameter for the DAS type graphical passwords and showed that DAS passwords of length 8 or larger on a 5 x 5 grid may be less susceptible to dictionary attack than textual passwords. They also showed that the space of mirror symmetric graphical passwords is significantly smaller than the full DAS password space. Since people recall symmetric images better than asymmetric images, it is expected that a significant fraction of users will choose mirror symmetric passwords. If so, then the security of the DAS scheme may be substantially lower than originally believed. This problem can be resolved by using longer passwords. Thorpe and van Oorschot [9] showed that the size of the space of mirror symmetric passwords of length about L + 5 exceeds that of the full password space for corresponding length L <= 14 on a 5 x 5 grid.

Pass doodle

Goldberg et al.[10] did a user study in which they used a technique called Passdoodle. This is a graphical password comprised of handwritten designs or text, usually drawn with a stylus onto a touch sensitive screen. Their study concluded that users were able to remember complete doodle images as accurately as alphanumeric passwords. The user studies also showed that people are less likely to recall the order in which they drew a DAS password.

Drawbacks- made mistakes in recalling the number, order, or direction of the pen strokes. During password creation, however, Passdoodles would likely require training of the recognition algorithm to build an accurate model of the password. Shoulder-surfing would be possible with Passdoodle and accurately observing one login would be sufficient to learn the password.

Reproduce a drawing is very difficult and success depends on recognition algorithm. It would likely be difficult to accurately describe a Passdoodle[9] password since there is no visible grid to act as a guide, although it may be possible to sketch and share such passwords.

Pass Go

Tao's Pass-Go [11] was named for the Chinese board game of Go which consisted of strategically placing tokens on the intersections of a grid. In Pass-Go, users draw their password on a grid, except that the intersections are used instead of grid squares. Visually, the user's movements are snapped to grid-lines and intersections so that the drawing is not impacted by small variations in the trace. Users can choose pen colors to increase the complexity of their drawing.


The theoretical password space of Pass-Go [11] is larger than for DAS, in part because of a finer grid (more squares), and also because Pass-Go allows for diagonal movement while DAS only permits horizontal and vertical movements. Pen color was used as an additional parameter and the authors suggest using a finer grid to further increase the theoretical password space. Dictionary attacks may be less effective than DAS since it is reported that users selected longer passwords and used color; both add variability to passwords. Interpreting other aspects of security, Pass-Go is similar to DAS in terms of shoulder-surfing, phishing, social engineering, and personalization.

A similar scheme was proposed by Orozco et al[12]. It uses a haptic input device that measures pen pressure while users draw their password. They suggest that this may help protect against shoulder surfing since an observer would have difficulty distinguishing variances in pen pressure. Results of their user study, however, show that users applied very little pen pressure and hardly lifted the pen while drawing, so the use of haptics did not increase the difficulty of guessing passwords.

Syukri, et al. [13]proposes a system where authentication is conducted by having the user drawing their signature using a mouse. Their technique included two stages, registration and verification. During the registration stage: the user will first be asked to draw their signature with a mouse, and then the system will extract the signature area and either enlarge or scale-down the signature, and rotates if needed, (also known as normalizing). The information will later be saved into the database. The verification stage first takes the user input, and does the normalization again, and then extracts the parameters of the signature. After that, the system conducts verification using geometric average means and a dynamic update of the database. According to the paper the rate of successful verification was satisfying. The biggest advantage of this approach is that there is no need to memorize ones signature and signatures are hard to fake. However, not everybody is familiar with using a mouse as a writing device; the signature can therefore be hard to draw. One possible solution to this problem would be to use a pen-like input device, but such devices are not widely used, and adding new hardware to the current system can be expensive. We believe such a technique is more useful for small devices such as a PDA, which may already have a stylus.

Cued Recall.

In cued-recall systems, the system provides a cue to help trigger the user's memory of the password (or portion thereof). This feature is intended to reduce the memory load on users and is an easier memory recall task than pure recall. Tulving and Pearl- stone[14] explain that items in human memory may be available but not accessible for retrieval. Their results show that previously inaccessible information in a pure recall situation can be retrieved with the aid of a retrieval cue. Ideally, the cue in an authentication system will be helpful only to legitimate users and not to attackers trying to crack a given password.

3D Graphical password

Alsulaiman and El Saddik [15] proposed a 3D scheme where users navigate a 3D world and perform a sequence of actions interpreted as their password the 3D environment acts as a cue to prompt users to perform their actions. The authors envision that users could perform various actions such as clicking on certain areas, typing or drawing on a virtual surface, entering a biometric, interacting with certain parts of the virtual world (like turning on a light switch), and so on. Their prototype system implements only a small portion of the scheme and provides no details about the other proposed components, so it is difficult to make any usability or security evaluations. The prototype allows users to walk through a virtual art gallery and enter textual passwords at virtual computers or select pictures as part of a graphical password, but no user testing or security results are reported. This appears more of a conceptual proposal at this stage.


There would likely be some predictability and opportunity for dictionary attacks as well as targeted attacks. We expect that shoulder-surfing is likely to be a problem since observers will at minimum see the user location within the 3D world, although the extent of the threat would depend on the types of interactions defined in the world. Social engineering attacks where attackers get users to verbalize their password may be possible, but again this depends on the types of interactions allowed (e.g., it would be easy to tell someone to turn on the light switch in the living room, but difficult to describe some types of graphical passwords used within the world). We expect that this scheme would be vulnerable to attacks using both screen scraping and mouse logging. Phishing is, therefore, only possible if the fake system has this information.

Blonders cued recall scheme [16]

Blonder [16] designed a graphical password scheme in which a password is created by having the user click on several locations on an image. During authentication, the user must click on the approximate areas of those locations. The image can assist users to recall their passwords and therefore this method is considered more convenient than unassisted recall (as with a text-based password).

Drawbacks- the technique depends on the image tolerance if it is small then it is difficult to succeed. So the tolerance is well managed. We expect it vulnerable to dictionary attack because the user chooses most attractive area in the image as password. Shoulder surfing attack is possible due to mouse click on screen and also faces attack of malware by using screen scrappers.


Passlogix [17] has developed a graphical password system in which users must click on various items in the image in the correct sequence in order to be authenticated. Invisible boundaries are defined for each item in order to detect whether an item is clicked by mouse.

A similar technique has been developed by sfr [26]. It was reported that Microsoft had also developed a similar graphical password technique where users are required to click on pre-selected areas of an image in a designated sequence.

Drawbacks- the user need to remember the sequence of click on single image or series of different images. We expect it to vulnerable to dictionary attack. Shoulder surfing as well as the malware due to mouse click on the screen.


The PassPoint system by Wiedenbeck, et al.[18-20] extended Blonders idea by eliminating the predefined boundaries and allowing arbitrary images to be used.

As a result, a user can click on any place on an image (as opposed to some pre-defined areas) to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, the user must click within the tolerance of their chosen pixels and also in the correct sequence. This technique is based on the discretization method proposed by Birget, et al.[6] Because any picture can be used and because a picture may contain hundreds to thousands of memorable points, the possible password space is quite large.


Passlogix[17] has also developed several graphical password techniques, v-Go includes a graphical password scheme where users can mix up a virtual cocktail and use the combination of ingredients as a password. Other password options include picking a hand at cards or putting together a meal in the virtual kitchen. However, this technique only provides a limited password space and there is no easy way to prevent people from picking poor passwords (for example, a full house in cards).


GP based systems for small mobile devices Khan [21] proposed a scheme for small mobile devices which takes drawing as input in authentication phase. The input is given by mouse or stylus according to the objects (pictures) selected by user priori in registration phase.

Gao [22] proposed and evaluated a new shoulder-surfing resistant scheme called Come from DAS and Story (CDS) which has a desirable usability for PDAs. It requires users to draw a curve across their password images (pass-images) orderly rather than click directly on them. This scheme adopts a similar drawing input method in DAS and inherits the association mnemonics in Story for sequence retrieval. It requires users to draw a curve across their password images (pass-images) orderly rather than click directly on them. The drawing method seems to be more compatible with peoples writing habit, which may shorten the login time. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shoulder surfing.

Oorshot [23] proposed a hybrid authentication approach called Two-Step. In this scheme users continue to use text passwords as a first step but then must also enter a graphical password. In step one, a user is asked for her user name and text password. After supplying this, and independent of whether or not it is correct, in step two, the user is presented with an image portfolio. The user must correctly select all images (one or more) pre-registered for this account in each round of graphical password verification. Otherwise, account access is denied despite a valid text password. Using text passwords in step one preserves the existing user sign-in experience. If the users text password or graphical password is correct, the image portfolios presented are those as defined during password creation. Otherwise, the image portfolios (including their layout dimensions) presented in first and a next round are random but respectively a deterministic function of the user name and text password string entered, and the images selected in the previous round.

RAYS SCHEME [24] proposed a 3steps, step1 and 2 for registration and step 3 for authentication. In step 1 user need to enter textual username and password(password should belongs to above criteria) and 2nd step user need to choose the objects from the screen and assign them numbers from(1-9)and 3rd step of authentication user need to draw that objects in correct sequence as they entered in step2 on touch sensitive screen.



In our proposed scheme we are using multifactor password authentication by considering knowledge base factors. We are considering 3 factors one textual and other two are graphical.

Factor1- in which I considered text password like the other text password schemes (combination of numbers, upper and lower case letters and special symbol.

Advancement " we encrypted that password before storing in database.

Factor2- I suggested recognition based technique and made some advancement in currently existing man scheme. To make it shoulder surfing resistant as well as man in middle attack and malware software and difficult to guess or dictionary attack.

Man et al. given a unique number to every object on the screen and at the time of registration user select the images from the screen and remember the unique number associated with that image at the of authentication user need to enter that unique number associated with registered object. This system is resistant to shoulder surfing but vulnerable to man in middle attack. So we had made some changes.

Our scheme- without giving a unique number to every image on the screen and create old problem of remembrance. We suggest assigning random number to images on the screen at the time of registration user need to enter the currently associated number to the image and that get stored at back end storage. When user is going to authentication it seen his images but with different number so the user enters current associated number and it get mapped at the backend and performs the task of authentication.

Factor3- in this term we suggested cued click recall authentication with integration of sound signature. As this technique Is already suggested by Saurabh Singh [25] this technique suggest that user need click on more than one images rather than giving multiple click on single image so this technique is very difficult to guess and sound signature allows user to easily remember the password. it also resistant to phishing by including the sound signature. It generates the different sounds after every correct or wrong click. The user already gets introduced by particular sound.

The flow of scheme at the time of authentication -

Firstly user enters username and password, we are using password encryption scheme. If the textual password entered by user is correctly authenticated then in 2nd step we give him the images that he selected during registration otherwise we allow user to go for next step but cant show him his password image we show a random images. And to onwards that we are not performs any authentication. And finally it get authentication fail message.

If the user entered correct text password and wrong image recognition password then we also allowing the user to for next cued recall system but cant show him correct images he selected at registration and generate a random sound.

If user entered textual as well as recognition based password correct and wrong cued recall password then also he get authentication fail message at the end.

If user entered all passwords correct then only he allows getting the access.

Advantages- this system provides strongest authentication by passing through three steps of authentication. It is resistant to shoulder surfing, dictionary attack as well as man in middle attacks and resistant to malware because we uses keyboard to enter the password .so it recovers all the drawbacks of textual as well as graphical password schemes. And easy to operate and remember.

Disadvantages- it requires more time for authentication due to three stages. And it requires more memory to store large number of images.


The main element of computational trust is user identity. Currently lots of authentication methods and techniques are available but each of these has its own advantages and shortcomings. There is a growing interest in using pictures as passwords rather than text passwords but very little research has been done on graphical based passwords so far. In view of the above, we have proposed authentication system which is based on multifactor image based authentication. Although my system aims to reduce the problems with existing GP schemes but it has also some limitations and issues like all other graphical based password. We have proposed an authentication system which takes digits as password as selected for the pictures (objects) priori. Currently we are heading on implementation of my proposed system. In future, we will investigate the performance issues and user adaptability.

Article name: Graphical Password Security Attacks Computer Science essay, research paper, dissertation