International Journal of Engineering Research & Technology (IJERT)

ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

A Secured Graphical Password Authentication System

M. Mathuri Pandi Dr. A. Valarmathi,

PG Student,Department of computer Applications, AP,Dapartment Of Computer Applications,
Bharathidasan Institute Of Technolog, Bharathidasan Institute Of Technology,
Anna University Regional Center, Anna University Regional Center,
Trichy. Trichy.

Abstract
Graphical passwords can be created during user
Information and computer security is supported largely by registration or after registration (for users registered before Two
passwords which are the principle part of the authentication Step was implemented), and be changed any time after creation.
process. The most common computer authentication method is to A graphical password policy, which may be set by the site
use alphanumerical username and password which has operator or the user, influences its presentation and security.
significant drawbacks. Authentication is one of the essential Example policy attributes are: number of rounds of verification;
security features in network communication. Authentication display layout, e.g., 6×6, defining how images are presented to
process ascertains the legitimacy of the communicating partners the user, and the total number of images displayed in each round;
in communication. In authentication process, the originator of the number of images to be selected in each round; and ordered or
RT
communication and the respondent transacts some identification unordered image selection, defining whether order of image
codes of each other prior to start of the message transaction. selection matters.
Several methods have been proposed regarding the
IJE

authentication process from time to time. Though traditional After a graphical password policy is defined, users
login/password based schemes are easy to implement, they have choose images as their graphical passwords. For each round of
been subjected to several attacks. As an alternative, token and verification, the specified numbers of images are randomly
biometric based authentication systems were introduced. selected by the system from a database to form an image
However, they have not improved substantially to justify the portfolio. A user then chooses a specified number of images from
investment. In this paper, we introduce a framework of our the portfolio as her graphical password components. This process
proposed (SGPAS) Secured Graphical Password Authentication repeats for the specified number of rounds. If the user does not
System, which is immune to the common attacks suffered by other like a particular image portfolio, she may request a new one or
authentication schemes. upload her own images to be included in a portfolio. An accepted
image portfolio remains unchanged until the user changes her
graphical password. To facilitate recognition, images within a
Keywords-- Graphical Password; Security; Passwords; portfolio are assembled to be sufficiently distinguishable.
Graphical Authentication. Network Security. There are several authentication schemes available in the
literature. They can be broadly classified as follows:
1. Introduction
_ What you know
Authentication is a process of determining whether a _ What you have and
particular individual or a device should be allowed to access a _ What you are
system or an application or merely an object running in a device.
This is an important process which assures the basic security The traditional username/password or PIN based
goals, viz. confidentiality and integrity. authentication scheme is an example of the “what you know
type”. Smartcards or electronic tokens are examples of “what you
have type of authentication” and finally biometric based
Also, adequate authentication is the first line of defense authentication schemes are examples of the “what you are” type
for protecting any resource. It is important that the same of authentication. Some authentication systems may use a
authentication technique may not be used in every scenario.

www.ijert.org 1013
 International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

combination of the above schemes. In this paper, we focus only

on “what you know” types of authentication. to a specific resource for a time period - to the remote site[6].
Many token based authentication systems also use knowledge
Although traditional alphanumeric passwords are used based techniques to enhance security [7].
widely, they have problems such as being hard to remember,
vulnerable to guessing, dictionary attack, key-logger, shoulder- 2.2. Biometric Based Authentication
surfing and social engineering [1].
Biometrics (ancient Greek: bios ="life", metron ="measure")
In addition to these types of attacks, a user may tend to is the study of automated methods for uniquely recognizing
choose a weak password or record his password. This may further humans based upon one or more intrinsic physical or behavioral
weaken the authentication schemes. As an alternative to the traits [9]. It is based on “Something You Are” [8]. It uses
traditional password based scheme, the biometric system was physiological or behavioral characteristics like fingerprint or
introduced. This relies upon unique features unchanged during facial scans and iris or voice recognition to identify users. A
the life time of a human, such as finger prints, iris etc. The major biometric scanning device takes a user's biometric data, such as
problem of biometric as an authentication scheme is the high cost an iris pattern or fingerprint scan, and converts it into digital
of additional devices needed for identification process [2]. information a computer can interpret and verify. The
classification of authentication will be shown in figure 1.
The false-positive and false negative rate may also be
high if the devices are not robust. Biometric systems are AUTHENTICATION METHODS
vulnerable to replay attack (by the use of sticky residue left by
finger on the devices), which reduces the security and usability
levels. Thus, recent developments have attempted to overcome
biometric shortcomings by introducing token-based
authentication schemes.

Token based systems rely on the use of a physical device Token Biometric Knowledge
RT
such as smartcards or electronic-key for authentication purpose. Based
This may also be used in conjunction with the traditional Based Based
password based system. Token based systems are vulnerable to
IJE

man-in-the middle attacks where an intruder intercepts the user‟s

session and records the credentials by acting as a proxy between Password Contact Contactless Recognition
the user and the authentication device without the knowledge of
the user [3]. Thus as an alternative, graphical based passwords Pin no Biometric Biometric Basedsystem
are introduced to resolve security and usability limitations
mentioned in the above schemes.

2. Classification of Current Authentication Fingerprint Facial Recall

Methods recognition Basedsystem

Due to recent events of thefts and terrorism, Voice

authentication has become more important for an organization to Hand/Fingerprint Recognition CuedRecall
provide an accurate and reliable means of authentication [4].
Currently the authentication methods can be broadly divided into Dynamic Signature Iris Scan Basedsystem
three main areas. Token based (two factor), Biometric based Verification
(three factor), and Knowledge based (single factor) authentication
[5], also shown in the Figure 1. Keystroke Retinal Scan
Dynamics
Figure 1.
2.1. Token Based Authentication
It is based on “Something You Possess”. For example A biometric-based authentication system may deploy
Smart Cards, a driver‟s license, credit card, a university ID card one or more of the biometric technologies: voice recognition,
etc. It allows users to enter their username and password in order fingerprints, face recognition, iris scan, infrared facial and hand
to obtain a token which allows them to fetch a specific resource - vein thermo grams, retinal scan, hand and finger geometry,
without using their username and password. Once their token has signature, gait, and keystroke dynamics [10]. Biometric
been obtained, the user can offer the token - which offers access identification depends on computer algorithms to make a yes/no

www.ijert.org 1014
 International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

decision. It enhances user service by providing quick and easy · Déjà vu (Dhamija 2000)
identification [11]. · PassFace (Realusr 2011, Passfaces 2011)
· VIP (Angeli 2005, Moncur 2007)
2.3. Knowledge Based Authentication · Photographic authentication (Pering 2003)
· Convex Hull Click (Wiedenbeck 2006)
Knowledge based techniques are the most extensively · GPI/GPS (Bicakci 2009)
used authentication techniques and include both text based and · Picture Password (Jasen 2003)
picture based passwords [12]. Knowledge-based authentication Some examples of recognition-based system are Awase-E system
(KBA) is based on “Something You Know” to identify you For ,AuthentiGraph , and Passfaces system.
Example a Personal Identification Number (PIN), password or
pass phrase. It is an authentication scheme in which the user is An image password called Awase-E is a new system which
asked to answer at least one "secret" question [13]. KBA is often enables users to use their favorite image instead of a text
used as a component in multifactor authentication (MFA) and for password for authentication purpose. Even though Awase-E
self-service password retrieval. Knowledge based authentication system has a higher usability, it is difficult to implement due to
(KBA) offers several advantages to traditional (conventional) the storage space needed for images and also the system cannot
forms of e-authentication like passwords, PKI and biometrics tolerate replay attack. Adding to this, a user may always tend to
[14]. choose a well-known (or associated with the user through some
relation, like son, wife or a place visited etc.) image which may
3. Classification of Graphical Password Based be prone to guessing attacks.
Systems
3.2. Pure Recall based systems
Graphical-based password techniques have been
proposed as a potential alternative to text-based techniques, which are also known as Drawn metric Systems. In pure
supported partially by the fact that humans can remember images recall-based methods the user has to reproduce something that he
better than text. or she created or selected earlier during the registration stage.
Few works are given below:
RT
Graphical based passwords schemes can be broadly classified
into four main categories: First is Recognition based Systems · Android screen unlock (Tafasa 2011)
which are also known as Cognometric Systems or Search metric · GrIDsure (Grid sure 2011)
IJE

Systems. Recognition based techniques involve identifying · Pass Shapes (Weiss 2008)
whether one has seen an image before. The user must only be · DAS (Jermyn 1999)
able to recognize previously seen images, not generate them · BDAS (Dunphy 2007)
unaided from memory. Second is Pure Recall based systems · PassGo (Tao 2006)
which are also known as Drawn metric Systems. In pure recall- · YAGP (Gao 2008)
based methods the user has to reproduce something that he or she · Haptic Password (Orozco 2006)
created or selected earlier during the registration stage. Third is · Pass doodle (Goldberg 2002, Varenhorst 2004)
Cued Recall based systems which are also called Icon metric
Systems. In cued recall-based methods, a user is provided with a
3.3. Cued Recall based systems
hint so that he or she can recall his his/her password. Fourth is
Hybrid systems which are typically the combination of two or
Which are also called Icon metric Systems. In cued
more schemes. Like recognition and recall based or textual with
recall-based methods, a user is provided with a hint so that he or
graphical password schemes.
she can recall his his/her password. Several works are as below:
3.1. Recognition-Based Systems · Jiminy‟s scheme (Renaud 2004, 2001)
· Suo‟s scheme (Suo 2006)
. Recognition based systems which are also known as · PassPoints (Wiedenbeck 2005, 2005, 2005)
Cognometric Systems or Search metric Systems. Recognition · PassFace (Realusr 2011, Passfaces 2011)
based techniques involve identifying whether one has seen an · CCP (Chiasson 2007)
image before. The user must only be able to recognize previously · PCCP (Chaisson 2008)
seen images, not generate them unaided from memory. The · Inkblot authentication (Stubblefield 2004)
proposed works in this regards are summarized as below: · 3D scheme (Alsulaiman 2006)
· Passlogix (Passlogix 2011)
· Cognitive authentication (Weinshall 2006)
· Use your illusion (Hayashi 2008)
· Story (Davis 2004)

www.ijert.org 1015
 International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

3.4. Hybrid systems the user and the authentication device without the knowledge of
the user.
Which are typically the combinations of two or more
schemes. Like recognition and recall based or textual with 5.PROPOSED SYSTEM
graphical password schemes. The scheme is studied by researches
as below: The proposed system overcomes the problems of the
above mentioned systems by means of a graphical but implicit
· CDS (Gao 2010)
authentication mechanism that is safe from the shoulder surfing,
· Two Step Authentication (Oorschot 2009)
· GP based systems for small mobile devices (Khan 2011) screen capture or man in the middle attacks.
· My proposed system: Ray‟s Scheme
Here authentication is based on several questions instead
4. PROBLEMS WITH THE EXISTING of a single question so the question used for authentication of the
user will not be repeated any sooner. Also the images associated
SCHEMES
with the user‟s authentication space will also be chosen randomly
Traditional alphanumeric passwords are always and thus the probability of the attacker guessing the password
vulnerable to guessing and dictionary attack. There may even be a image is almost Zero.This mechanism does not involve the
rogue program that may record the key strokes and publish it on a requirement of robust hardware like that of the bio-metric
remote website. In order to overcome the key logger based systems.
attacks, newer systems may show a graphical keyboard and the
user has to press the correct password using “mouse clicks”.
6. SECURED GRAPHICAL PASSWORD
Traditional alphanumeric passwords are used widely, AUTHENTICATION SYSTEM
they have problems such as being hard to remember, vulnerable
to guessing, dictionary attack, key-logger, shoulder-surfing and In this section, we propose our Secured Graphical
Password Authentication System. SGPAS is similar to the Pass
RT
social engineering.
Point scheme with some finer differences. In every “what you
In addition to these types of attacks, a user may tend to know type” authentication scheme we are aware of, the server
choose a weak password or record his password. This may further requests the user to reproduce the fact given to the server at the
IJE

weaken the authentication schemes. As an alternative to the time of registration. This is also true in graphical passwords such
traditional password based scheme, the biometric system was as Pass Point. In IPAS, we consider the password as a piece of
introduced. information known to the server at the time of registration and at
the time of authentication, the user give this information in an
This relies upon unique features unchanged during the implicit form that can be understood only by the server.
life time of a human, such as finger prints, iris etc. The major
problem of biometric as an authentication scheme is the high cost SGPAS may also be implemented in any client-server
of additional devices needed for identification process. environment, where we need to authenticate a human as a client
(SGPAS will not work in machine-to-machine authentication).
The false-positive and false-negative rate may also be We also assume that the server has enough hardware resources
high if the devices are not robust. Biometric systems are like RAM and CPU. This is not un-realistic as high-end servers
vulnerable to replay attack (by the use of sticky residue left by are becoming cheaper day-by-day. Our System may have a
finger on the devices), which reduces the security and usability database of 100 to 200 standard questions. During the time of
levels. registration, a user should pick 10-20 questions from the database
(depending upon the level of security required) and provide
Thus, recent developments have attempted to overcome answers to the selected questions. For example, the user may
biometric shortcomings by introducing token-based choose the following questions:
authentication schemes. Token based systems rely on the use of a
physical device such as smartcards or electronic-key for Who is your favorite leader?
authentication purpose. The city you love to visit or visited?
Date of birth?
This may also be used in conjunction with the traditional What is your favorite country?
password based system. Token based systems are vulnerable to
man-in-the middle attacks where an intruder intercepts the user‟s For each question, the server may create an intelligent
session and records the credentials by acting as a proxy between authentication space using images, where the answers to the
particular question for various users are implicitly embedded into

www.ijert.org 1016
 International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

the images. During the time of authentication, the server may pick
one or more questions selected by the users at the time of
registration randomly (the number of questions depends on the
level of service requested). For each chosen question, the server
may choose an image randomly from the authentication space and
present IT to the user as a challenge. Using the stylus or the
mouse, the user needs to navigate the image and click the right
answer. For example, the server may present the user with the
picture of the Globe. The user should correlate to Question 2. If
Sydney is the city the user loves to visit or has visited, he needs to
click on to Australia. It will then enlarge Australia. Then in the
map, the user needs to click Sydney as shown in Figure2.

Figure 3.
The proposed system has a field security level. In this
field has a security questions for user. Based on the security level
the questions will be shown to the user. One security level have
two security questions the register user will answer the questions.

If the user answers the security questions the different

type of images will be shown depends upon the user answer. The
RT
user will see the images and remember the images for future use.
Figure 2. After the security level questions are answered by user then the
user will enter login module. The security question level will be
IJE

Next time, if the same question is chosen by the server, the same shown in figure 4.
scenario may not be presented. For the next time, the server may
show an image containing all famous buildings and monuments.
The user needs to click on the “Sydney Opera house” to
implicitly convey his answer. Since every time the server uses a
different scenario and the answers are given implicitly, our
proposed system is immune to screen capture attack. Also, except
for the server and the legitimate user, for others, the answers may
look fuzzy. For example, if the user click “Opera house”, it may
even mean the “type of music user is interested to listen”, or may
represent his “place of birth”, or “current residency” and so on.

7. SYSTEM IMPLEMENTATION
In this part, we will explain how the system is works.
System is divided in to Registration module i.e user is require to
register first of all. That is it requires filling all the necessary
personal information such as full name, address, state, MobileNo.
EmailID. And for as Proposed scheme the confidential details are
as Username, Accountnumber, security level .The
Accountnumber field is most important the user will remember
the accountnumber after registration for future use. The
Registration process is shown in Figure 3.
Figure 4.

www.ijert.org 1017
 International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

The next module is Login. In this module it Require to fill the Control (ICICIC), 2009 Fourth International Conference on Graphical
necessary information such as account number, After user click Passwords.
the show images button there are random color images are
displayed the user will select the image that is the user had seen at [3] L.Sobrado and J.C. Birget, “Graphical Passwords”, The Rutgers
Schloar, An Electronic Bulletin for Undergraduate
the time of registration, if the selected color images at the login Research,vol4,2002,Http://rutgersscholar.rutgers.edu/volume04/sobrbirg/
time is equal to the selected images at the time of registration then sobrbirg.htm.
and then only the authentication is valid otherwise authentication
is failed. The Login process is shown in fig5. [4] Patric Elftmann, Diploma Thesis, “Secure Alternatives to Password-
Based Authentication Mechanisms” Aachen, Germany October 2006

[5] Hai tao, “Pass-Go, a New Graphical Password Scheme”, Master

Thesis, University of Ottawa Canada, June 2006.

[6] Di Lin, Paul Dunphy, Patrick Olivier, Jeff Yan, 2007, „Graphical
passwords& qualitative spatial relations‟,Proceedings of the 3 rd
symposium on Usable privacy and security, ACM.

[7] Manu Kumar, Tal Garfinkel, Dan Boneh, Terry Winograd, 2007,
„Reducing shoulder-surfing by using gaze-based password
entry‟,Proceedings of the 3rd symposium on Usable privacy and security,
ACM.

[8] HAFIZ, M. D., ABDULLAH, A. H., ITHNIN, N. & MAMMI, H. K.,

2008, „Towards Identifying Usability and Security Features of Graphical
Password in Knowledge Based Authentication Technique‟ , Second
Asia International Conference on Modeling & Simulation (AICMS).
RT
[9] HAICHANG, G., XUEWU, G., XIAOPING, C., LIMING, W. &
XIYANG, L., 2008, „YAGP: Yet Another Graphical Password
Strategy‟ , Annual Computer Security Applications Conference.
IJE

[10] HUANYU, Z. & XIAOLIN, L., 2007, „S3PAS: A Scalable

Shoulder-Surfing Resistant Textual-Graphical Password Authentication
Scheme‟ , 21st International Conference on Advanced Information
Figure 5.
Networking and Applications Workshops (AINAW).

8. CONCLUSION AND FUTURE DIRECTIONS [11] P. Golle and D. Wagner. Cryptanalysis of a Cognitive
Authentication Schemes (Extended Abstract). In Proc. of the 2007 IEEE
In this paper, we have proposed a new Implicit Password Symposium on Security and Privacy, May 2007.
Authentication System where the authentication information is
implicitly presented to the user. If the user “clicks” the same grid- [12] I. Jermyn, A. Mayer, F. Monrose, M.K. Reiter, and A. Rubin. The
Design and Analysis of Graphical Passwords. In Proc. of the 8th
of-interest compared with the server, the user is implicitly
USENIX Security Symposium, August 23-26 1999.
authenticated. The strength of IPAS lies in creating a good
authentication space with a sufficiently large collection of images [13] M. Kumar, Tal Garfinkel, D. Boneh, and T. Winograd. Reducing
to avoid short repeating cycles. Compared to other methods Shoulder-surfing by Using Gaze-based Password Entry. In Proc. of
reviewed in our paper, IPAS may require human-interaction and SOUPS‟07, July 2007.
careful selection of images and “click” regions.
[14] A. Rabkin. Personal Knowledge Questions for Fallback
Authentication. In Proc. of the 2008 Symposium On Usable Privacy and
9. REFERENCES Security (SOUPS), July 23-25 2008.
[1] Sabzevar, A.P. & Stavros, A., 2008,” Universal Multi-Factor [15] D. Weinshall. Cognitive Authentication Schemes Safe Against
Authentication Using Graphical Passwords”, IEEE International Spyware (Short Paper). In Proc. of the 2006 IEEE Symposium on
Conference on Signal Image Technology and Internet Based Systems Security and Privacy, May 2006.
(SITIS).
[16] Sigmund N. Porter. A password extension for improved
[2] Haichang, G., L. Xiyang, et al. (2009). “Design and Analysis of a human factors. Computers & Security, 1(1):54
Graphical Password Scheme”, Innovative Computing, Information and
– 56, 1982.

www.ijert.org 1018
 International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 2 Issue 5, May - 2013

[17] Xiaoyuan Suo, Ying Zhu, and G. Scott Owen. Graphical

passwords: A survey. In Proceedings of Annual
Computer Security Applications Conference, pages
463–472, 2005.

[18] Antonella De Angeli, Lynne Coventry, Graham Johnson,

and Karen Renaud. Is a picture really worth a
thousand words? exploring the feasibility of graphical
authentication systems. International Journal of
Human-Computer Studies, 63:128–152, July 2005.

[19] G. E. Blonder. Graphical password. U.S. Patent

5559961, Lucent Technologies, Inc. (Murray Hill,
NJ), August 1995.

RT
IJE

www.ijert.org 1019