A graphical password is a password authentication scheme that prompts the user to set a password from images, selected in a predefined order that the user has previously stored. The image sequence is chosen from a given set of images, and the user selects and saves it in an order that is then used to identify them. This methodology of using images as a password is termed Graphical User Authentication (GUA), or in short, graphical passwords.
The graphical password approach is easier than text-based passwords because humans recollect images more easily than alphabetical or alphanumeric passwords. This can be depicted in a real-world scenario. Suppose a user needs to authorise or log in to a network: instead of typing AWDRTLYY, a user of a graphical password scheme can select the image of a flower, say a rose, from a collection of garden images with many other flowers, and then in sequence a honeybee, a coloured rose and another flower, according to the pre-saved order. This is very easy to remember, and hard or impossible for any known text-based attack to break.
GUA methods offer better security than text-based passkeys because users usually make plain-text passwords that are easy to remember; if instead jumbled words and numerals are used, the user has to write them down somewhere to memorise them later, and the note could be accessed by another person wanting to gain access with that password. GUA methods are highly effective against dictionary attacks and brute-force attacks. This can be depicted by an example.
Suppose the password is a plain passkey, which any hacker could crack in seconds by a dictionary attack. In the same scenario, if the user instead has to select a series of images across a few pages in order to gain access, there could be thousands or even millions of possibilities, which is hard or impossible to crack by dictionary or brute-force attack.
Recognition Based Technique
In this kind of technique the user is prompted to select their password image sequence from a set of given images, which the user must have saved during the registration phase. Here authentication is done by selecting the correct images that were saved. This kind of technique is more suitable for authentication than for key generation. There are various schemes based on this recognition-based technique.
Dhamija and Perrig Scheme
This scheme is based on the hash visualisation technique. In this scheme the user selects different pictures from a variety of pictures given, and is later asked to recognise them during authentication.
Figure 1 Example of random images used in the Dhamija and Perrig scheme
The program generates random pictures; the user has to select pictures from these randomly generated pictures and later recognise them in order to authenticate. The drawback of this system compared to the common text-based approach is login time: as the user has to select multiple pictures, it requires more time than authentication by a plain-text password. The major drawback of this approach is that the server needs to store the random pictures generated for each user, which consumes considerable server space, and the selection process is time consuming.
Sobrado and Birget scheme
To avoid shoulder-surfing issues, Sobrado and Birget came up with this GUA scheme, in which the user in the first step is asked to select the objects saved earlier. These pass objects form a convex hull, and in the second step the user must click inside the hull. By adding thousands of small objects the screen appears crowded, making it hard for shoulder surfers to guess. One disadvantage of this technique is that the login process may be very slow due to the random placement of objects.
Figure 2 Example of the Sobrado and Birget scheme
Passfaces scheme
This was developed by Real User Corporation. In this type of graphical password scheme the user is asked to choose four images of human faces, which are stored in the database as their future password. During authentication the user is presented with 9 images, one of which the user has chosen and the other 8 decoy faces; the user must recognise and select the chosen face to authenticate. The human brain recognises human faces better than any other picture, and this scheme relies on that ability.
Figure 3 An example of Passfaces
Graphical theme by Jansen
This graphical password scheme, proposed by Jansen for mobile devices, prompts the user to select a graphical theme during the registration process. The theme comprises thumbnail photos, and a sequence of these images forms the password. During the authentication phase the user must identify and select the images chosen during registration. The password is turned into a numerical value, as every thumbnail is assigned a number. Passwords of this kind were found to be shorter than alphabetic passwords; to overcome this, two pictures can be combined to form a new alphabetic element and so increase the password size.
Figure 4 Graphical theme proposed by Jansen
Recall-based Technique
A graphical password implementing this technique requires the user to reproduce something that they created during the registration phase, so to authenticate the same picture must be drawn again.
Draw-A-Secret (DAS) scheme
In this scheme, proposed by Jermyn, the user is asked to draw an image on a 2D grid during the initial registration phase. The grid coordinates are stored in the order of drawing. During the authentication phase the user is prompted to draw the picture again, and is authenticated only if the drawing passes through the same grid cells in the same sequence. The password space of a 5x5 DAS grid is larger than that of full text-based passwords, and this kind of password is less susceptible to dictionary attack than text-based passwords.
Figure 5 DAS technique
A further study by Thorpe and van Oorschot showed the impact of stroke count on DAS passwords: with fewer strokes, short passwords are formed. To overcome this, Thorpe and van Oorschot proposed the grid selection method. Here the selection grid is large, and the user selects a drawing grid within this selection grid to enter their password, which increases the password space.
Figure 6 
Pass Points scheme
Blonder designed this scheme, in which during the registration phase the user clicks on different locations in an image to create a password. A tolerance around each click is calculated, and to authenticate the user must click the same picture at the same locations in the same sequence.
Figure 7 Pass Points
Because it is based on clicks on a given image, this helps users recall their passwords easily, and the method appears more convenient than text-based password schemes. The Pass Points scheme eliminates predefined boundaries, enabling the user to click anywhere in the image, unlike schemes with predefined areas.
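The registration and tolerance check described above, written out as a small added example (not code from the original essay or from Blonder's scheme). The tolerance radius, image coordinates and click sequence are constructed values:

```python
import math

# Assumed tolerance radius in pixels around each stored click point.
TOLERANCE = 10


def register(clicks, min_clicks=4):
    """Store the ordered click sequence chosen at registration.

    clicks: list of (x, y) pixel coordinates in click order.
    Note: the points are kept in the clear here. Because a tolerance
    is applied at login, a real system cannot simply salt-and-hash the
    raw coordinates the way it would a text password; it would first
    have to discretise each click into a fixed cell.
    """
    if len(clicks) < min_clicks:
        raise ValueError("need at least %d click points" % min_clicks)
    return [(int(x), int(y)) for x, y in clicks]


def within_tolerance(stored, attempt, tol=TOLERANCE):
    """True if the attempted click lies inside the tolerance circle."""
    return math.hypot(stored[0] - attempt[0], stored[1] - attempt[1]) <= tol


def authenticate(stored, attempt, tol=TOLERANCE):
    """Every click must fall within tolerance of the stored click at the
    same position in the sequence. The whole sequence is compared before
    a verdict is returned, so a wrong early click does not short-circuit
    the check and leak which position failed."""
    if len(stored) != len(attempt):
        return False
    ok = True
    for s, a in zip(stored, attempt):
        ok = within_tolerance(s, a, tol) and ok
    return ok


if __name__ == "__main__":
    # Constructed sample: four click points on a 640x480 image.
    secret = register([(120, 80), (300, 210), (45, 400), (510, 95)])
    print(authenticate(secret, [(125, 84), (296, 214), (50, 398), (507, 100)]))
    print(authenticate(secret, [(300, 210), (120, 80), (45, 400), (510, 95)]))
```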
Strength of Graphical passwords
Ease of access:
Graphical passwords, or pictures, are easy to remember. People are better at remembering pictures than alphanumeric passwords, which are complex and hard to recall. People remember faces even better than random pictures: if a Passfaces scheme is implemented, one can easily identify the faces saved as the password, as the human ability to recognise faces is higher than for other images.
Traditional attack methods are ineffective. Brute-force attacks are common against text-based passwords, and the only defence against brute force is a larger password space: the larger the space, the smaller the risk of brute forcing. Text-based passwords have a space of 94^N, where N is the length of the password and 94 is the total number of characters. Recall-based password schemes have a larger password space than recognition-based ones. Likewise, social engineering and dictionary attacks are ineffective against graphical passwords.
Users can create passwords from their favourite pictures or places of interest: one can create a click sequence on a beach scene, or on a forest scene. When using the Passfaces scheme one can select favourite faces as the password. Psychology studies reveal that humans remember graphics more easily than text, so users can create complex passwords and still remember them, unlike text-based passwords, which must be written down or saved in another file to be used later.
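The password-space arithmetic from the two passages above, carried through for each scheme the essay describes, as an added example (not from the original essay). It generalises the 94^N formula to the Passfaces, recognition-sequence and Pass Points parameters the essay gives; image size, portfolio size, tolerance and guess rate are assumed values:

```python
import math


def text_space_bits(length, alphabet=94):
    """Bits of password space for a text password: log2(94^N)."""
    return length * math.log2(alphabet)


def passfaces_bits(rounds=4, faces_per_round=9):
    """Passfaces: each round shows the chosen face among 8 decoys
    (9 faces), so a blind guesser faces 9^rounds possible sequences."""
    return rounds * math.log2(faces_per_round)


def recognition_sequence_bits(portfolio, chosen):
    """Recognition scheme: pick `chosen` distinct images in order from a
    portfolio of `portfolio` images, i.e. portfolio! / (portfolio-chosen)!."""
    return math.log2(math.perm(portfolio, chosen))


def passpoints_bits(width, height, tolerance, clicks):
    """Pass Points: with a tolerance radius, only one click per
    2*tolerance square is distinguishable (assumed approximation)."""
    cells = (width // (2 * tolerance)) * (height // (2 * tolerance))
    return clicks * math.log2(cells)


def brute_force_seconds(bits, guesses_per_second):
    """Expected time to exhaust a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guessing rate, guesses per second
    for name, bits in [
        ("8-char text (94^8)", text_space_bits(8)),
        ("Passfaces, 4 rounds of 9", passfaces_bits()),
        ("5 ordered images from 100", recognition_sequence_bits(100, 5)),
        ("Pass Points, 5 clicks, 640x480, tol 10", passpoints_bits(640, 480, 10, 5)),
    ]:
        print("%-40s %6.1f bits  %.3g s to exhaust" % (name, bits, brute_force_seconds(bits, rate)))
```

The comparison shows that the space of a graphical scheme depends entirely on its parameters: a four-round Passfaces login has far fewer combinations than an 8-character text password, while a multi-click Pass Points password approaches it.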
Limitation of Graphical passwords
Password registration and login take too long. In recognition-based schemes the user has to select pictures from a set of given images, which makes the process very long. The same applies to authentication: the user has to scan many pictures to recognise the password images, which can be tedious and time consuming.
Graphical passwords need more storage space than text-based passwords. Hundreds or thousands of images may have to be saved in, and accessed from, a centralised database. In a networked environment this may cause delays if many users are accessing the network, which makes the scheme hard to deploy for authentication. For a company with hundreds of employees, each user-created password could run to megabytes, costing more storage space and money.
Users tend to create certain graphical passwords based on gender and race, which are easily guessed. When users were tested with the Passfaces scheme, many tended to select faces of their own race, which makes the password easy to guess. Similarly, a dog owner might select pictures of dogs, and an attacker could guess the images from a person's nature and interests. This can be mitigated by avoiding pictures of common interests and selecting something that is hard for an attacker to guess.
Graphical passwords are more vulnerable to shoulder surfing than text-based password schemes. A few recognition-based schemes are resistant, while almost all recall-based schemes are prone to shoulder surfing. Text-based passwords suffer less from shoulder surfing because pictures are more easily identified from a distance than text. This can be countered by using schemes that place thousands of objects on the panel, making it a complex collection of pictures.
As the need for more secure password authentication grows in a fast-moving world where text-based passwords are no longer considered secure and are prone to almost all kinds of attack, graphical passwords appear to be an alternative. Current practice involves only two techniques, recall-based and recognition-based methods. The short study conducted here indicates that graphical passwords are highly secure compared to text-based passwords, and that the vulnerabilities and exploits of graphical passwords have not yet been fully discovered or exploited.
Zero day exploit
A zero-day exploit is a newly discovered threat or vulnerability in software for which no patch exists. Attackers can use it to exploit systems running that software. The exploit is usually found by hackers rather than by the vendors themselves, and in certain cases is widely distributed. Such exploits are available on the internet and may be used by other attackers to target unpatched systems. This attack is also known as a zero-hour attack.
The term zero-day is used when attackers or white-hat hackers find the exploit in the software before the vendor does; when the vendor finds it first, it is usually kept hidden until the patch is developed. Software companies mostly provide patches after exploits are found, and the user has to download them. A zero-day exploit rarely results in the mass spread of malware across computers.
In most cases a zero-day exploit takes advantage of a flaw in the software that neither the vendor nor the users are aware of. In fact, this is precisely what black-hat hackers try to find: by finding vulnerabilities in an application before the vendor or other security teams are aware of them, these hackers can create malware or trojans based on those zero-day exploits.
Not every zero-day attack occurs before the application vendor is aware of the vulnerability. This is due to the time taken to learn about the vulnerability and to develop a patch. Alternatively, application vendors at times delay the release of a patch because they do not want customers to be bombarded with patches; rather than releasing a patch for every exploit, the vendor waits and develops a single patch for many vulnerabilities. This approach can be risky when an attacker finds the exploit before the developer releases the patch and uses it to spread malicious code. In both cases users are left at risk of being hacked or having their systems compromised; there is always a risk as long as the vulnerability remains unpatched. A zero-day attack can be catastrophic to computers long after a patch has been released and the vulnerability closed, mainly because systems are not kept up to date with regular patches. System users have to update their software regularly to avoid these kinds of attacks.
Two preventive methods
1 - Heuristic virus scanning:
Antivirus software detects viruses by matching signatures, which are updated from the antivirus vendor's database. Nowadays, as viruses use polymorphism and mutation to self-replicate and change their signature, signature-based detection becomes hard. Zero-day exploits are those not yet discovered by vendors, and if discovered by hackers they can be used for attacks; the signatures of such exploits will also be missing from the database. To overcome this, antivirus vendors came up with heuristic scanning, which detects viruses or vulnerable applications by looking for virus-like behaviour, because viruses perform particular actions that normal users do not. This is one way to prevent zero-day exploits.
2 - Using a firewall
Using a firewall one can prevent, or at least minimise, intrusion. The user is notified when an unauthorised access attempt or port scan occurs, and can monitor all incoming and outgoing connections.
In my opinion it would be better to update software regularly. This can prevent being attacked through unpatched exploits. It is also advisable to use legal software rather than a pirated version, which prevents software updates. In case of a zero-day attack that has been disclosed and is still widely available without any patch, it would be better to avoid performing the particular task that can trigger the attack.