
Graphical Password Report

The document discusses graphical password authentication as an alternative to traditional text-based passwords. It provides an overview of different types of graphical password methods, including recognition-based, recall-based, and cued recall-based techniques. The key methods are described and their strengths and limitations are discussed. The document aims to evaluate the security of graphical passwords compared to text passwords and examine major design and implementation issues. It conducts a comprehensive literature review of existing research on graphical passwords.

Uploaded by

Omkar Sangote

VISVESVARAYA TECHNOLOGICAL UNIVERSITY,

BELAGAVI - 590018

Seminar Report
On

Graphical Password Authentication


Under the Guidance of
Prof. S S Yendigeri
Assistant Professor

Submitted by:
Aditi Singri
2BA18CS004

2021-2022

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
(NBA Accredited, Recognised Research Centre of VTU Belagavi)
BASAVESHWAR ENGINEERING COLLEGE
(AUTONOMOUS)
(Govt. Aided, AICTE Recognized, Accredited NBA/NAAC Permanent Affiliation to
VTU)
BAGALKOT- 587102.

BASAVESHWAR ENGINEERING COLLEGE (AUTONOMOUS),
BAGALKOT-587 102

Department of Computer Science & Engineering

CERTIFICATE

This is to certify that Ms. Aditi Singri (2BA18CS004), has satisfactorily
completed the Seminar on the topic entitled “Graphical Password
Authentication”, in partial fulfillment for the award of the degree of Bachelor
of Engineering in Computer Science and Engineering of Visvesvaraya
Technological University, Belagavi, during the academic year 2021-2022.

Guide Seminar Coordinator Head of the Department


Prof. S S Yendigeri Dr. Vilas Naik Dr. V. B. Pagi

ABSTRACT

The most common computer authentication method is to use alphanumerical usernames
and passwords. This method has been shown to have significant drawbacks. For example,
users tend to pick passwords that can be easily guessed. On the other hand, if a password
is hard to guess, then it is often hard to remember.

Graphical password authentication is an alternative and still evolving type of
authentication; it is either recall based or recognition based. The user either reproduces
an image or recognizes the images that were used or produced during the registration phase.
Passwords guard resources and information by allowing only designated persons
access. Graphical passwords are a new and promising method of authentication. The
technique has advantages over simple text passwords, but also some drawbacks. With a
graphical password, the user keeps images, or points of interest within images, as the
password. Graphical passwords, which are less expensive, secure and easy for all to use,
can therefore be considered a possible alternative to text-based schemes, given that
humans can remember pictures better than text.

ACKNOWLEDGEMENT

It is with greatest pleasure and pride that I present this report before you. At this moment of
triumph, it would be unfair to neglect all those who helped me in the successful completion
of this seminar work. Many people supported my work both within and outside and hereby I
wish to express my sincere thanks to one and all.

First, I would like to thank my Guide Prof. S S Yendigeri for her guidance, wholehearted
support and very valued constructive criticism that has driven me to complete the
seminar work successfully. The hard-working nature, constant perseverance, commitment
to task and ignition to talent have impressed me a lot.

I would also like to remember our beloved Principal, Dr. S. S. Injaganeri for his constant
encouragement and support during the project work. I wish to express my sincere thanks to
our head of the department, Dr. V B Pagi for his involvement and timely suggestions
throughout the course of my seminar work.

I also express my heartiest gratitude to all the Faculty members and supporting staff of
Computer Science and Engineering department for all the suggestions and support provided
during this project work. The good wishes of our Father and Mother are also greatly
remembered. I would take this opportunity to thank my friends.

I feel words are not adequate to express gratitude to all my teachers, friends and family
members. Lastly, I thank all those who directly or indirectly helped me to successfully
complete this seminar work.

CONTENTS

1. INTRODUCTION
2. LITERATURE REVIEW
3. METHODS USED IN GRAPHICAL PASSWORD AUTHENTICATION
   RECOGNITION BASED TECHNIQUE
   RECALL BASED
   CUED RECALL
4. COMPARATIVE ANALYSIS OF THE AUTHENTICATION METHODS
5. MAJOR DESIGN & IMPLEMENTATION ISSUES OF GRAPHICAL PASSWORDS
6. ADVANTAGES & DISADVANTAGES OF GRAPHICAL PASSWORD AUTHENTICATION
7. CONCLUSION
8. REFERENCES
List of Figures

1. Random images used by Dhamija & Perrig
2. A shoulder-surfing resistant graphical password scheme
3. An example of pass faces
4. A graphical password scheme proposed by Jansen, et al.
5. Draw-a-Secret (DAS) technique proposed by Jermyn, et al.
6. An image used in the Passpoint System, Wiedenbeck, et al.
1. INTRODUCTION

Human factors are often considered the weakest link in a computer security
system. There are three major areas where human-computer interaction is
important: authentication, security operations, and developing secure systems. Here we
focus on the authentication problem. Passwords that are hard to guess
or break are often hard to remember. Studies have shown that, since users can only
remember a limited number of passwords, they tend to write them down or use the same
passwords for different accounts. To address the problems with traditional
username-password authentication, alternative authentication methods, such as
biometrics, have been used. In this paper, however, we will focus on another alternative:
using pictures as passwords.

Graphical password schemes have been proposed as a possible alternative to
text-based schemes, motivated partially by the fact that humans can remember pictures
better than text; psychological studies support this assumption. Pictures are generally
easier to remember or recognize than text. In addition, if the number of possible
pictures is sufficiently large, the possible password space of a graphical password scheme
may exceed that of text-based schemes and thus presumably offer better resistance to
dictionary attacks. Because of these advantages, there is a growing interest in graphical
passwords. In addition to workstation and web log-in applications, graphical passwords
have also been applied to ATM machines and mobile devices.

In this paper, we conduct a comprehensive survey of the existing graphical password
techniques. We discuss the strengths and limitations of each method and also point out
future research directions in this area. In this paper, we want to answer the following
questions:
• Are graphical passwords as secure as text passwords?
• What are the major design and implementation issues for graphical password

2. Literature Review

S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI,
Extended Abstracts (Workshops). Ft. Lauderdale, Florida, USA. 2003 summarizes that
there are many open issues in Authentication. The most common authentication procedure
is for the user to provide a user ID and a shared secret password that they have chosen.
Users have been described as the weakest link in security systems because of their behavior
when using user ID/password systems. Many studies have shown, for example, that users
tend to choose short and/or guessable passwords.

A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer
security mechanisms and how to take remedial measures," Communications of the ACM,
vol. 42, pp. 41-46, 1999.
In this paper, a comprehensive study of the existing graphical password techniques is
conducted. They have proposed the first taxonomy for graphical passwords methods and
discussed the important elements in designing them. It presents a mathematical analysis
of the graphical password space. Finally presents a new graphical password scheme.

K. Gilhooly, "Biometrics: Getting Back to Business," in Computerworld, May 09, 2000
summarizes that textual passwords are strings of characters (which may include numbers
or special characters). These textual passwords are the most widely used, but they are
not fully secure, so using them raises security issues. In this paper, a security
analysis of graphical passwords versus textual passwords is carried out across various
graphical user authentication schemes. The proposed graphical authentication scheme is
implemented as an alternative to text-based authentication systems, various analyses are
made, and several challenges in graphical authentication are discussed.

3. Methods used in Graphical password authentication

In a graphical password authentication system, the user has to select from
images, in a specific order, presented to them in a graphical user interface (GUI).
According to a study, the human brain is better at remembering what it sees
(pictures) than alphanumeric characters. Therefore, graphical passwords
overcome this disadvantage of alphanumeric passwords. Graphical password
authentication has three major categories, based on the activity used to
authenticate the password:

• Recognition based Authentication: A user is given a set of images and has to identify
the image he selected during registration.
For example, Passfaces is a graphical password scheme based on recognizing human
faces. During password creation, users are given a large set of images to select from. To
log in, users have to identify the pre-selected image from the several images presented to
them.

• Recall based Authentication: A user is asked to reproduce something that he created or
selected at the registration stage. For example, in the Passpoint scheme, a user can click
any point in an image to create the password and a tolerance around each pixel is
calculated. During authentication, the user has to select the points within the tolerance in
the correct sequence to log in.

• Cued Recall: Cued Click Points (CCP) is an alternative to the PassPoints technique. In
CCP, users click one point on each image rather than five points on one image (as in
PassPoints). It offers cued recall and instantly alerts users if they make a mistake while
entering their latest click-point.

RECOGNITION BASED TECHNIQUES
Dhamija and Perrig proposed a graphical authentication scheme based on the
Hash Visualization technique. In their system, the user is asked to select a certain number
of images from a set of random pictures generated by a program. Later, the user is
required to identify the pre-selected images in order to be authenticated. The results
showed that 90% of all participants succeeded in the authentication using this technique,
while only 70% succeeded using text-based passwords and PINs. The average log-in
time, however, is longer than with the traditional approach. A weakness of this system is
that the server needs to store the seeds of the portfolio images of each user in plain text.
Also, the process of selecting a set of pictures from the picture database can be tedious
and time consuming for the user.

Figure 1. Random images used by Dhamija and Perrig

Sobrado and Birget developed a graphical password technique that deals with the
shoulder-surfing problem. In the first scheme, the system displays a number of
pass-objects (pre-selected by the user) among many other objects. To be authenticated, a
user needs to recognize the pass-objects and click inside the convex hull formed by all the
pass-objects. In order to make the password hard to guess, Sobrado and Birget suggested
using 1000 objects, which makes the display very crowded and the objects almost
indistinguishable, but using fewer objects may lead to a smaller password space, since the
resulting convex hull can be large. In their second algorithm, a user moves a frame (and
the objects within it) until the pass-object on the frame lines up with the other two
pass-objects. The authors also suggest repeating the process a few more times to minimize
the likelihood of logging in by randomly clicking or rotating. The main drawback of these
algorithms is that the log-in process can be slow.

Figure 2. A shoulder-surfing resistant graphical password scheme

Man, et al. proposed another shoulder-surfing resistant algorithm. In this
algorithm, a user selects a number of pictures as pass-objects. Each pass-object has
several variants and each variant is assigned a unique code. During authentication, the
user is challenged with several scenes. Each scene contains several pass-objects (each in
the form of a randomly chosen variant) and many decoy-objects. The user has to type in a
string with the unique codes corresponding to the pass-object variants present in the
scene as well as a code indicating the relative location of the pass-objects in reference to
a pair of eyes. The argument is that it is very hard to crack this kind of password even if
the whole authentication process is recorded on video, because there is no mouse click to
give away the pass-object information. However, this method still requires users to
memorize the alphanumeric code for each pass-object variant. Hong, et al. later extended
this approach to allow the user to assign their own codes to pass-object variants.
However, this method still forces the user to memorize many text strings and therefore
suffers from many of the drawbacks of text-based passwords.

Figure 3. An example of Passfaces

Jansen et al. proposed a graphical password mechanism for mobile devices. During
the enrollment stage, a user selects a theme (e.g. sea, cat, etc.) which consists of
thumbnail photos and then registers a sequence of images as a password. During
authentication, the user must enter the registered images in the correct sequence. One
drawback of this technique is that, since the number of thumbnail images is limited to 30,
the password space is small. Each thumbnail image is assigned a numerical value, and the
sequence of selection generates a numerical password. The results showed that the
image sequence length was generally shorter than the textual password length. To address
this problem, two pictures can be combined to compose a new alphabet element, thus
expanding the image alphabet size.

Figure 4. A graphical password scheme proposed by Jansen, et al.

RECALL BASED

Reproduce a drawing:

Jermyn, et al. proposed a technique called “Draw-a-Secret (DAS)”, which allows
the user to draw their unique password. A user is asked to draw a simple picture on a 2D
grid. The coordinates of the grid cells occupied by the picture are stored in the order of the
drawing. During authentication, the user is asked to re-draw the picture. If the drawing
touches the same grid cells in the same sequence, then the user is authenticated. Jermyn,
et al. suggested that, given reasonable-length passwords in a 5 × 5 grid, the full password
space of DAS is larger than that of the full text password space.

Figure 5 . Draw-a-Secret (DAS) technique proposed by Jermyn, et al
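
The DAS encoding and comparison described above, as an added example (not code from this report or from Jermyn, et al.). The canvas size, the pen-up sentinel, the sample drawings and the function names are assumptions made for the illustration; the example also stores a salted PBKDF2 digest of the cell sequence rather than the sequence itself, which works because DAS requires an exact match of the sequence.

```python
import hashlib
import hmac
import os

GRID = 5                # 5 x 5 grid, the size discussed in the text
CANVAS = 500            # assumed square drawing area in pixels
PEN_UP = (GRID, GRID)   # assumed sentinel outside the grid marking the end of a stroke

def cell_of(point):
    """Map a pixel coordinate to the (column, row) of the grid cell it falls in."""
    size = CANVAS / GRID
    x, y = point
    return (min(int(x // size), GRID - 1), min(int(y // size), GRID - 1))

def encode(strokes):
    """Ordered cell sequence of a drawing; consecutive samples in one cell collapse.

    Assumes the pen is sampled densely enough that no crossed cell is skipped.
    """
    seq = []
    for stroke in strokes:
        prev = None
        for point in stroke:
            cell = cell_of(point)
            if cell != prev:
                seq.append(cell)
                prev = cell
        seq.append(PEN_UP)
    return seq

def enroll(strokes, salt=None):
    """Return (salt, digest) for a drawing; only these would be stored."""
    salt = salt or os.urandom(16)
    data = repr(encode(strokes)).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, 200_000)

def verify(strokes, salt, stored):
    """Re-encode the login drawing and compare digests in constant time."""
    _, candidate = enroll(strokes, salt)
    return hmac.compare_digest(candidate, stored)

# Constructed drawings: an "L" followed by a dot.
ENROLLED = [[(50, 50), (50, 150), (50, 250), (150, 250), (250, 250)], [(350, 50)]]
# Same cells in the same order, different pixels: accepted.
REDRAWN = [[(70, 30), (60, 90), (40, 160), (55, 240), (130, 260), (240, 270)], [(380, 80)]]
# Same shape with the "L" drawn from the other end: rejected.
REVERSED = [list(reversed(ENROLLED[0])), ENROLLED[1]]
# Same shape with the "L" lifted into two strokes: rejected.
SPLIT = [ENROLLED[0][:3], ENROLLED[0][2:], ENROLLED[1]]

if __name__ == "__main__":
    salt, stored = enroll(ENROLLED)
    for name, drawing in [("redrawn", REDRAWN), ("reversed", REVERSED), ("split", SPLIT)]:
        print(name, verify(drawing, salt, stored))
```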

Nali and Thorpe conducted further analysis of the “Draw-A-Secret (DAS)” scheme. In their study,
users were asked to draw a DAS password on paper in order to determine if there are predictable
characteristics in the graphical passwords that people choose. The study did not find any
predictability in the start and end points for DAS password strokes, but found that certain
symmetries (e.g. crosses and rectangles), letters, and numbers were common.

The “PassPoint” system by Wiedenbeck, et al. extended Blonder’s idea by eliminating the
predefined boundaries and allowing arbitrary images to be used. As a result, a user can click on
any place on an image (as opposed to some pre-defined areas) to create a password. A tolerance
around each chosen pixel is calculated. In order to be authenticated, the user must click within
the tolerance of their chosen pixels and also in the correct sequence. This technique is based on
the discretization method proposed by Birget, et al. Because any picture can be used and because
a picture may contain hundreds to thousands of memorable points, the possible password space is
quite large.

Figure 6. An image used in the Passpoint System, Wiedenbeck, et al.

CUED RECALL
Cued recall is when a person is given a list of items to remember and is then tested with cues
to remember material. Researchers have used this procedure to test memory. Participants are
given pairs, usually of words, A1-B1, A2-B2...An-Bn (n is the number of pairs in a list) to
study. Then the experimenter gives the participant a word to cue the participant to recall the
word with which it was originally paired. The word presentation can either be visual or
auditory.

There are two basic experimental methods used to conduct cued recall, the study-test method
and the anticipation method. In the study-test method participants study a list of word pairs
presented individually. Immediately after or after a time delay, participants are tested in the
study phase of the experiment on the word pairs just previously studied. One word of each
pair is presented in a random order and the participant is asked to recall the item with which
it was originally paired. The participant can be tested for either forward recall, Ai is presented
as a cue for Bi, or backward recall, Bi is presented as a cue for Ai. In the anticipation method,
participants are shown Ai and are asked to anticipate the word paired with it, Bi. If the
participant cannot recall the word, the answer is revealed. During an experiment using the
anticipation method, the list of words is repeated until a certain percentage of Bi words are
recalled.

4. COMPARATIVE ANALYSIS OF THE AUTHENTICATION METHODS

Current authentication methods can be divided into three main areas:

• Token based authentication
• Biometric based authentication
• Knowledge based authentication

Token based techniques, such as key cards, bank cards and smart cards are
widely used. Many token-based authentication systems also use knowledge based
techniques to enhance security. For example, ATM cards are generally used together
with a PIN number.

Biometric based authentication techniques, such as fingerprints, iris scan, or
facial recognition, are not yet widely adopted. The major drawback of this approach is
that such systems can be expensive, and the identification process can be slow and often
unreliable. However, this type of technique provides the highest level of security.

Knowledge based techniques are the most widely used authentication
techniques and include both text-based and picture-based passwords. The picture-based
techniques can be further divided into two categories: recognition-based and
recall-based graphical techniques. Using recognition-based techniques, a user is presented
with a set of images and the user passes the authentication by recognizing and
identifying the images he or she selected during the registration stage. Using
recall-based techniques, a user is asked to reproduce something that he or she created or
selected earlier during the registration stage.

5. MAJOR DESIGN AND IMPLEMENTATION ISSUES
OF GRAPHICAL PASSWORDS
Security
In the above section, we have briefly examined the security issues with graphical
passwords.

Usability

One of the main arguments for graphical passwords is that pictures are easier to
remember than text strings. Preliminary user studies presented in some research papers
seem to support this. However, current user studies are still very limited, involving only a
small number of users. We still do not have convincing evidence demonstrating that
graphical passwords are easier to remember than text-based passwords.
A major complaint among the users of graphical passwords is that the password
registration and log-in processes take too long, especially in recognition-based approaches.
For example, during the registration stage, a user has to pick images from a large set of
selections. During the authentication stage, a user has to scan many images to identify a
few pass-images.
Users may find this process long and tedious. Because of this, and also because
most users are not familiar with graphical passwords, they often find graphical
passwords less convenient than text-based passwords.

Reliability
The major design issue for recall-based methods is the reliability and accuracy of
user input recognition. In this type of method, the error tolerances have to be set carefully
– overly high tolerances may lead to many false positives while overly low tolerances
may lead to many false negatives. In addition, the more error tolerant the program, the
more vulnerable it is to attacks.
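
The tolerance check used by PassPoints (described in the recall-based section) and the trade-off stated above, as an added example that is not code from this report or from the PassPoints authors. The image size, click coordinates and function names are constructed, the tolerance is modelled as a square of half-width `tol` pixels, and the password-space figure is an approximation that tiles the image with such squares.

```python
import math

WIDTH, HEIGHT = 640, 480    # assumed image size in pixels (constructed)

# Constructed click sequences. A real system would not keep ENROLLED in the clear.
ENROLLED = [(120, 80), (300, 210), (45, 400), (510, 95), (610, 330)]
LEGIT = [(124, 77), (295, 216), (47, 398), (513, 99), (606, 333)]      # off by up to 6 px
NEAR_GUESS = [(135, 90), (288, 222), (58, 388), (498, 108), (596, 344)]  # off by up to 15 px
WRONG_ORDER = [LEGIT[1], LEGIT[0]] + LEGIT[2:]                         # right points, wrong order

def within_tolerance(click, target, tol):
    """True if click lies in the square of half-width tol centred on target."""
    return abs(click[0] - target[0]) <= tol and abs(click[1] - target[1]) <= tol

def verify(attempt, enrolled, tol):
    """Accept only if every click matches its own enrolled point, in sequence."""
    if len(attempt) != len(enrolled):
        return False
    return all(within_tolerance(c, t, tol) for c, t in zip(attempt, enrolled))

def regions(width, height, tol):
    """Number of tolerance-sized squares needed to tile the image."""
    side = 2 * tol + 1
    return math.ceil(width / side) * math.ceil(height / side)

def space_bits(width, height, tol, clicks):
    """Approximate log2 of the number of distinguishable click sequences."""
    return clicks * math.log2(regions(width, height, tol))

def report(tolerances=(4, 10, 20)):
    """For each tolerance: legitimate accepted, near guess accepted, space in bits."""
    rows = []
    for tol in tolerances:
        rows.append((tol,
                     verify(LEGIT, ENROLLED, tol),
                     verify(NEAR_GUESS, ENROLLED, tol),
                     round(space_bits(WIDTH, HEIGHT, tol, len(ENROLLED)), 1)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("tol=%2d legit=%s near_guess=%s bits=%.1f" % row)
```

At the tightest setting the legitimate user is rejected (a false negative); at the loosest the near guess is accepted (a false positive) and the approximate password space has shrunk by more than twenty bits.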

Storage and communication

Graphical passwords require much more storage space than text-based passwords.
Tens of thousands of pictures may have to be maintained in a centralized database.
Network transfer delay is also a concern for graphical passwords, especially for
recognition-based techniques in which a large number of pictures may need to be
displayed for each round of verification.

6. ADVANTAGES & DISADVANTAGES OF GRAPHICAL PASSWORD AUTHENTICATION

Advantages:
• It is user-friendly.
• It provides higher security than other traditional password schemes.
• Dictionary attacks are infeasible.
• CCP makes attacks based on hotspot analysis more challenging.

Disadvantages:
• Registration and login take too long.
• It requires more storage space because of images.
• Shoulder surfing (watching over people’s shoulders as they process
information).

7. CONCLUSION

The past decade has seen a growing interest in using graphical passwords as an
alternative to the traditional text-based passwords. In this paper, a comprehensive survey of
existing graphical password techniques is conducted. The current graphical password
techniques can be classified into three categories: recognition-based, recall-based
and cued-recall techniques.

Although the main argument for graphical passwords is that people are better at
memorizing graphical passwords than text-based passwords, the existing user studies are
very limited and there is not yet convincing evidence to support this argument. The
preliminary analysis suggests that it is more difficult to break graphical passwords using the
traditional attack methods such as brute force search, dictionary attack, or spyware.
However, since there is not yet wide deployment of graphical password systems, the
vulnerabilities of graphical passwords are still not fully understood.

Overall, the current graphical password techniques are still immature. Much more
research and user studies are needed for graphical password techniques to achieve higher
levels of maturity and usefulness.

8. REFERENCES

1. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI,
Extended Abstracts (Workshops). Ft. Lauderdale, Florida, USA. 2003.
2. A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise
computer security mechanisms and how to take remedial measures," Communications
of the ACM, vol. 42, pp. 41-46, 1999.
3. K. Gilhooly, "Biometrics: Getting Back to Business," in Computerworld, May 09,
2000.
