Dynamic Passwords Using Graphics Computer Science Essay


Textual passwords are the most common method used for authentication, but they are vulnerable to eavesdropping, dictionary attacks, social engineering and shoulder surfing. Graphical passwords were introduced as an alternative to textual passwords, yet most graphical schemes are themselves vulnerable to shoulder surfing. To address this problem, text can be combined with images or colors to generate session passwords for authentication. A session password can be used only once, and a new password is generated every time. In this paper, two techniques are proposed to generate session passwords using text and colors which are resistant to shoulder surfing. These techniques can be used separately, but combining them enhances security: used together, they prove to be twice as secure as the other methods. They can be used not only in the banking sector but also by various social networking sites, by other sites such as Rediff and Gmail, and in the defence sector. The combined method authenticates the user twice before the user is successfully logged on to his account.

1. Introduction

The most common method used for authentication nowadays is the textual password. The vulnerabilities of this method, such as eavesdropping, dictionary attacks, social engineering and shoulder surfing, are well known. Random and lengthy passwords can make the system secure, but the main problem is the difficulty of remembering them. Studies have shown that users tend to pick short passwords or passwords that are easy to remember. Unfortunately, these passwords can be easily cracked or guessed. The alternatives to textual passwords are graphical passwords and biometrics, but these two techniques have their own disadvantages. Biometrics such as fingerprint, iris scan or face recognition have been introduced but not widely adopted. The major drawbacks of these methods are that they are expensive and that the identification process can be slow. Most graphical password schemes suffer from shoulder surfing.

Some graphical password schemes have been proposed that are resistant to shoulder surfing, but they have their own drawbacks, such as usability issues, longer login times or tolerance levels. Personal Digital Assistants (PDAs) are used by users to store passwords and PINs. Authentication should be provided for the usage of these devices.

In this paper, two new authentication schemes are proposed. These schemes authenticate the user by session passwords. A session password is a password that can be used by the user only once. A session is the duration between the login phase and the logout phase. When the user logs out of his account, the session password expires. For every session, the user is provided with a new session password. These passwords provide better security against dictionary and brute force attacks. The proposed schemes use text and colors for generating session passwords.

2. Related Work

Dhamija and Perrig [1] proposed a graphical authentication scheme where the user has to identify pre-defined images to prove the user's authenticity. In this system, the user selects a certain number of images from a set of random pictures during registration. Later, during login, the user has to identify the pre-defined images from the given set of images. This system is vulnerable to shoulder surfing.

Passface [2] is a technique where the user sees a grid of nine faces and selects the one face the user previously chose. Here, the user chooses four images of human faces as the password and has to select each pass image from among eight other decoy images. Since there are four user-selected images, this is done four times.

Jermyn et al. [3] proposed a new technique called "Draw-a-Secret" (DAS) where the user is required to re-draw a pre-defined picture on a 2D grid. If the drawing touches the grid cells in the same sequence, the user is authenticated. This authentication scheme is vulnerable to shoulder surfing.

Syukri [4] developed a technique where authentication is done by drawing the user's signature with a mouse. This technique includes two stages: registration and verification. At the time of registration, the user draws his signature with a mouse, after which the system extracts the signature area. In the verification stage, the system takes the user's signature as input, normalizes it and then extracts the parameters of the signature. The disadvantage of this method is the forgery of signatures. Drawing with a mouse is not familiar to many people, and it is difficult to draw the signature within the same perimeters as at the time of registration.

Blonder [5] designed a graphical password scheme where the user must click on the approximate areas of pre-defined locations. Passlogix [6] extended this scheme by allowing the user to click on various items in correct sequence to prove their authenticity.

Haichang et al. [7] proposed a new shoulder-surfing-resistant scheme where the user is required to draw a curve across their password images in order rather than clicking on them directly. This graphical scheme combines the DAS and Story schemes to provide authenticity to the user.

Wiedenbeck et al. [8] describe a graphical password entry scheme using the convex hull method. A user needs to recognize pass-objects and click inside the convex hull formed by all the pass-objects. To make the password hard to guess, a large number of objects can be used, but this makes the display very crowded and the objects almost indistinguishable; using fewer objects may lead to a smaller password space, since the resulting convex hull can be large.

Jansen [9][10] proposed a graphical password scheme for mobile devices. During password creation, a user selects a theme consisting of photos in thumbnail size and sets a sequence of pictures as a password. During authentication, the user must recognize the images in the correct order. Each thumbnail image is assigned a numerical value, so the sequence of the chosen images creates a numerical password. As the number of images is limited to 30, the password space of the scheme is not large.

3. New Authentication Schemes

The authentication techniques consist of 3 phases: registration phase, login phase and verification phase. During registration, the user enters his password, i.e. the secret pass, and in the second method rates the colors. During the login phase, the user has to enter the password based on the interface displayed on the screen. The system verifies the password entered by comparing it with the content of the password generated during registration.

A. Pair Based Authentication Scheme

During registration, the user submits the secret pass. The minimum length of the password is 8, and the secret pass should contain an even number of characters. Session passwords are generated based on this secret pass. During the login phase, when the user enters his username, an interface consisting of a grid is displayed. The grid is of size 6x6 and consists of letters and digits. These are randomly arranged on the grid, and the grid changes every time the page is refreshed or the user tries to log in. The user has to select characters from the grid based on his secret pass, considering the secret pass in terms of pairs; the session password will contain letters and digits.

Fig. 1 Login interface

Fig 2 Intersection letter for the pair AN

The first letter in the pair is used to select the row and the second letter is used to select the column. The intersection of the row and the column is a part of the session password. This is repeated for all the other pairs of the secret pass. Fig 2 shows that L is the intersection symbol for the pair "AN". The password entered by the user is verified by the server to authenticate the user. If the password is correct, the user is allowed to enter the second phase. The grid size can be increased to improve security by adding special characters.
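The pair-based derivation and its server-side check can be written out as follows. This is an added example, not code from the essay: the sample grid, the user name, the secret pass "ANSWER42" and the `ChallengeStore` class are constructed for illustration, and the single-use handling of the grid is an assumption about how "used only once" would be enforced.

```python
import hmac
import secrets
import string

SYMBOLS = string.ascii_uppercase + string.digits   # 26 letters + 10 digits = 36 cells
SIZE = 6

# Constructed sample grid (not taken from the figures); "AN" meets at "L" as in Fig 2.
SAMPLE_GRID = ["A7KLQ2", "M3XNB9", "D0R5UG", "TH8CY1", "4WEZ6J", "PIVOSF"]

def new_grid():
    """Shuffle all 36 symbols with a CSPRNG and cut them into six rows."""
    cells = list(SYMBOLS)
    secrets.SystemRandom().shuffle(cells)
    return ["".join(cells[i:i + SIZE]) for i in range(0, len(cells), SIZE)]

def valid_secret_pass(secret):
    """Registration rules: length >= 8, even length, every symbol on the grid."""
    return len(secret) >= 8 and len(secret) % 2 == 0 and all(c in SYMBOLS for c in secret)

def session_password(grid, secret):
    """Per pair: row of the first symbol, column of the second, take that cell."""
    pos = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    return "".join(grid[pos[a][0]][pos[b][1]] for a, b in zip(secret[0::2], secret[1::2]))

class ChallengeStore:
    """Server side: remembers the grid shown to each user, for one attempt only."""
    def __init__(self):
        self.pending = {}

    def issue(self, user, grid=None):
        self.pending[user] = grid if grid is not None else new_grid()
        return self.pending[user]

    def verify(self, user, secret, attempt):
        grid = self.pending.pop(user, None)      # consumed: a replay finds no grid
        if grid is None:
            return False
        expected = session_password(grid, secret)
        return hmac.compare_digest(expected.encode(), attempt.encode())

if __name__ == "__main__":
    store = ChallengeStore()
    store.issue("alice", SAMPLE_GRID)
    print(session_password(SAMPLE_GRID, "ANSWER42"))   # LIEJ
    print(store.verify("alice", "ANSWER42", "LIEJ"))   # True
    print(store.verify("alice", "ANSWER42", "LIEJ"))   # False, grid already used
```

Because the server recomputes the expected characters from each fresh grid, it has to keep the secret pass in a form it can read back rather than as a one-way hash.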

B. Hybrid Textual Authentication Scheme

During registration, the user should rate the colors. The user can rate the colors from 1 to 4 and can remember the colors as "RGBY". The same rating can be given to different colors. During login, when the user enters his username, an interface is displayed based on the colors selected by the user. The login interface consists of a grid of size 4x4. This grid contains the digits 1-4 placed randomly in the grid cells. The interface also contains strips of colors. Each pair of colors represents the row and column of the grid.

Figure 5 shows the login interface having the color grid and number grid of 4x4 having numbers 1 to 4 randomly placed. Depending on the ratings given to the colors, we get the session password.

Fig. 3 Rating of colors by user (ratings shown: 1, 4, 2, 3)

Fig. 4 Random pairing of colors

        1  2  3  4
    1   1  2  3  1
    2   3  4  2  4
    3   2  1  4  3
    4   4  3  1  2

Figure 5: Login interface (4x4 number grid with row and column indices 1-4)

As discussed above, the first color of every pair in the color grid represents the row and the second color represents the column. The number at the intersection of the row and column of the grid is a part of the session password. Consider figure 3 and figure 4 for the ratings and login interface as a demonstration. The first pair has the colors red and yellow. Red is given the rating 1 and yellow is rated 3, so the first character of the session password is found at the 1st row and 3rd column. The intersection of the two is 3, which is to be clicked by the user. The same method is followed for the other pairs. For figure 4, the password is "1 3 4 2". Instead of digits, letters can be used too. For every login, both the number grid and the color grid are randomized, so the session password changes.
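The rating-to-digit lookup described above, as an added example that is not code from the essay. The essay gives only the ratings of red (1) and yellow (3); the green and blue ratings, the color pairs and the number grid below are constructed samples, and allowing a color to be paired with itself is an assumption.

```python
import hmac
import secrets

COLORS = ("R", "G", "B", "Y")      # remembered by the user as "RGBY"
SIZE = 4                           # ratings and grid digits both run 1..4

# Constructed sample data; only R=1 and Y=3 are stated in the text.
SAMPLE_RATINGS = {"R": 1, "G": 4, "B": 2, "Y": 3}
SAMPLE_PAIRS = [("R", "Y"), ("B", "G"), ("Y", "B"), ("R", "B")]
SAMPLE_GRID = [[1, 2, 3, 1], [3, 4, 2, 4], [2, 1, 4, 3], [4, 3, 1, 2]]

def valid_ratings(ratings):
    """Every color rated 1..4; different colors may share a rating."""
    return set(ratings) == set(COLORS) and all(
        isinstance(v, int) and 1 <= v <= SIZE for v in ratings.values())

def new_interface(n_pairs=4):
    """Fresh color pairs and number grid for one login, drawn from a CSPRNG."""
    rng = secrets.SystemRandom()
    pairs = [(rng.choice(COLORS), rng.choice(COLORS)) for _ in range(n_pairs)]
    grid = [[rng.randint(1, SIZE) for _ in range(SIZE)] for _ in range(SIZE)]
    return pairs, grid

def session_password(ratings, pairs, grid):
    """First color's rating picks the row, second color's rating the column."""
    digits = []
    for first, second in pairs:
        row, col = ratings[first], ratings[second]      # 1-based, as in the text
        digits.append(str(grid[row - 1][col - 1]))
    return "".join(digits)

def verify(ratings, pairs, grid, attempt):
    """Server-side check against the interface that was actually displayed."""
    expected = session_password(ratings, pairs, grid)
    return hmac.compare_digest(expected.encode(), attempt.encode())

if __name__ == "__main__":
    # (R, Y) -> row 1, column 3 -> 3, matching the worked step in the text.
    print(session_password(SAMPLE_RATINGS, SAMPLE_PAIRS, SAMPLE_GRID))   # 3412
    print(verify(SAMPLE_RATINGS, SAMPLE_PAIRS, SAMPLE_GRID, "3412"))     # True
```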

4. Security Analysis

As the interface changes every time, so does the session password. The technique is resistant to shoulder surfing. Because the passwords are dynamic, a dictionary attack is not possible. Hidden camera attacks are not applicable to PDAs because it is difficult to capture the interface on a PDA.

A. Dictionary Attack: These are attacks directed at textual passwords. In this attack, the hacker uses a set of dictionary words and attempts to authenticate by trying one word after another. The dictionary attack fails against our authentication systems because session passwords are used for every login.

B. Shoulder Surfing: These techniques are resistant to shoulder surfing. In the pair-based scheme, resistance is provided by the fact that the secret pass created during the registration phase remains hidden, so the session password of one session is not enough to find the secret pass. In the hybrid textual scheme, the randomized colors hide the password. In this scheme, the ratings decide the session password, but the ratings of the colors cannot be found from the session password.

C. Brute force attack: These techniques are particularly resistant to brute force because of the use of session passwords, which rules out the traditional brute force attack.

D. Complexity: The complexity of the Pair-Based Authentication Scheme depends on the secret pass. For a secret pass of length 8, the complexity is 36^8. In the case of the Hybrid Textual Authentication Scheme, the complexity depends on the colors and ratings. The complexity is 8! if the ratings are unique; otherwise it is 8^8.

5. Conclusion

In this paper, two authentication techniques based on text and colors are proposed. These techniques generate session passwords and are resistant to dictionary attack, brute force attack and shoulder surfing. Both techniques use a grid for session password generation. The pair-based technique requires no special type of registration; at login time, a session password is generated based on the grid displayed. For the hybrid textual scheme, ratings should be given to the colors; based on these ratings and the grid displayed during login, a session password is generated. However, these schemes are completely new to users, and the proposed authentication techniques should be verified extensively for usability and effectiveness.
