
Anale. Seria Informatică. Vol. VII fasc. 2 - 2009
Annals. Computer Science Series. 7th Tome 2nd Fasc. - 2009

Password Authentication Scheme with Secured Login Interface

A.T. Akinwale and F.T. Ibharalu


Department of Computer Science, University of Agriculture,
Abeokuta, Nigeria
[email protected]

ABSTRACT. This paper presents a novel solution to the age-long
problem of password security at input level. In our solution, each of
the various characters from which a password could be composed is
encoded with a random single digit integer and presented to the user
via an input interface form. A legitimate user entering his password
only needs to carefully study the sequence of codes that describes his
password, and then enter these codes in place of his actual password
characters. This approach does not require the input code to be hidden
from anyone or converted to placeholder characters for security
reasons. Our solution engine regenerates a new code for each character
each time the carriage return key is struck, producing a hardened
password that is convincingly more secure than a conventional
password entry system against both online and offline attackers. Using
empirical data and a prototype implementation of our scheme, we give
evidence that our approach is viable in practice, in terms of ease of
use, improved security, and performance.
KEYWORDS: Alphanumeric, Password authentication, Algorithm
and Combination

Introduction

A password is a secret word or phrase that gives a user access to computer
resources such as programs, files, messages, printers, internet, etc. The
password assists in ensuring that unauthorized users do not access a restricted
resource. Ideally, the password should be something that nobody could
guess. In practice, most people choose a password that is easy to remember,
such as their names or their initials. This is one reason it is relatively easy to
break into most computer systems [Has05].
The main drawback in the design of many password mechanisms
arises from the fact that password lengths are usually short. This
makes it easy to spy on and memorize passwords through the monitoring of
computer keystrokes physically or through eavesdropping. For example, in a
university environment each student may be assigned a password to protect
his resources within the school computer system. Using the password during
lecture time may endanger the security of his password because of the
presence of other students around him. Similarly, the login page of Yahoo!
requires each user to enter his/her password online. Such an 'online password'
can also be compromised by a hacker who monitors the online keystroke
sequence programmatically.
In a big corporation, each member of staff accesses computer resources
through a password. If the password is very short, as is usually the
practice, the secretary to the manager may spy on her boss's password and
thereby gain access to her boss's corporate resources.
A personal identification number (PIN) is always used by various banks to
allow their customers access to their online bank accounts. For the
customers' convenience, PINs are often short and in many cases only
numeric of up to eight digits (ATM uses only four numeric digits). This is
why many banks issue warnings to their customers to study the automated
teller machine (ATM) surroundings properly before approaching it for use
to protect their PINs. The implication of this is that PINs are not safe since
they can be subject to attack (spying) by third parties.
The advantage of short PINs and passwords is
that they are easy for the user to remember. This advantage is also a problem,
since it makes it easier for an attacker to memorize the short keystroke sequence of a PIN or
password. In this paper, an algorithm is developed to provide strong
security support for both short and long character passwords at input level.

1. The Structure of the System

The structure of the secured password authentication scheme, as depicted in
figure 1, consists of four parts, namely the input characters, the algorithms,
the legitimate users' password database and the form interface.

[Figure 1 diagram: Input Character, Algorithm, Users' Password Database, Form Interface]

Figure 1: Structure of secured password authentication scheme

1.1. Input Characters

The system accepts all printable ASCII characters, which may consist of
lower and upper case letters (A-Z, a-z), numeric digits (0-9), and special characters
(+ - _ ^ , # % etc).

1.2. The Algorithms

1.2.1. Definitions

Let the user input code be denoted by $I_n = c_1c_2c_3\ldots c_n$, and its length be defined as
$n = L(c_1c_2c_3\ldots c_n)$. Let $X$ be the list of all the password characters, i.e. $\{A,\ldots,Z,
a,\ldots,z, 0\text{-}9, \text{symbols}\}$, and $Y$ the set of the corresponding randomly generated
numbers, such that each value of $X$ is assigned a random value from $Y$.

1.2.2. Constraint

The set of randomly generated numbers $S = \{r : 0 \le r \le 9, r \in \mathbb{Z}\}$ is such that
$n(X)$ is evenly divisible by $n(S)$, i.e. $\frac{n(X)}{n(S)}$ must be an integer. Also,
the frequency of each digit is $d$.

1.2.3. Algorithm for generating all characters corresponding to each of the user input code

Computation of $G(c_i)$, the set of characters corresponding to each $c_i$ of
user input, where $c_i \in I_n$ and $i = 1, 2, \ldots, n$.

Input: User input code, $c_1, c_2, c_3, \ldots, c_n$
Method: Let $n = L(c_1c_2c_3\ldots c_n)$
Compute $G(c_i) = \{List(y_i)\}$, $i = 1, 2, 3, \ldots, n$

where Usf(y.) = j ^ ' ' ^^^'^^'' and Lisf = [jx- -^ y,


[nuil, otherwise.
Output: The set of password characters corresponding to each $c_i$.

1.2.4. Algorithm for password authentication

Definition:
Password database $D[p]$ is a sorted list of $p$ legitimate users' passwords that
are allowed access to the system.
Input: $D[p]$
$n = L(c_1c_2c_3\ldots c_n)$, i.e. user password length
$G(c_i)$, the set of password characters of each input code
Method:

    Dim index[n] as integer

    // One nested loop per entered digit; loop i walks the characters of G(c_i).
    // k is not defined on the page; it is assumed to be the length of the entered code.
    Switch (k)
    Begin
      case 1:
        For index[0] = 0 to L(G(c0)) - 1;
          tempPassword = strncpy(tempPassword, G(c0) + index[0], 1);
          if (search(D, tempPassword) == true)
          begin
            login(); exit Password Authentication;
          end
        next index[0];
        write "password not found"
      case 2:
        For index[0] = 0 to L(G(c0)) - 1;
          For index[1] = 0 to L(G(c1)) - 1;
            tempPassword = strncpy(tempPassword, G(c0) + index[0], 1)
                         + strncpy(tempPassword, G(c1) + index[1], 1);
            if (search(D, tempPassword) == true)
            begin
              login(); exit Password Authentication;
            end
          next index[1];
        next index[0];
        write "password not found"
      ...
      case n:
        For index[0] = 0 to L(G(c0)) - 1;
          For index[1] = 0 to L(G(c1)) - 1;
            For index[2] = 0 to L(G(c2)) - 1;
              ...
                For index[n-1] = 0 to L(G(c(n-1))) - 1;
                  tempPassword = strncpy(tempPassword, G(c0) + index[0], 1)
                               + strncpy(tempPassword, G(c1) + index[1], 1)
                               + strncpy(tempPassword, G(c2) + index[2], 1)
                               + ...
                               + strncpy(tempPassword, G(c(n-1)) + index[n-1], 1);
                  if (search(D, tempPassword) == true)
                  begin
                    // log the user in before leaving the procedure
                    login(); exit Password Authentication;
                  end
                next index[n-1];
              ...
            next index[2];
          next index[1];
        next index[0];
        write "password not found"
    End


2. Database

The database, D, contains all the passwords of valid users. The database has
been designed to accept passwords of length up to 255 characters without
spaces, but the implementer must restrict the size of users' passwords to a
reasonable length, for example twelve characters, for easy computation.

3. Form interface

Visual Basic 6.0 (VB) was used for the implementation of the algorithm.
From the algorithm, a form interface was generated as shown in figure 2.
The form shows the password characters (in black) with their corresponding
numeric code (in red).

[Figure 2 screenshot: input form showing each password character with its numeric code; prompt: "Please enter digits corresponding to your password characters"]

Figure 2: Form interface

The interface contains alphanumeric (A-Z, a-z, 0-9) and special
characters (+, -, *, /, etc), each of which is labeled with a single numeric
digit code between 0 and 9. The single digit labels are generated randomly
and are equally distributed.
A user must study the interface form carefully, and then enter the
numeric digits corresponding to his actual password characters. Upon
completion of the input the user hits the enter key. This triggers the
algorithm to regenerate a new input form, followed by authentication of the
last input password. The input interface form regeneration is necessary to
harden the password entry system and make it extremely difficult, if not
impossible, for attackers to spy.

4. Analysis of the scheme

Assuming a user's password is 'Lagos(2006)', and that the current input
interface form generated by our algorithm is as shown in figure 2, then the
sequence of digits corresponding to this password that the user must enter is
27318081174. Looking at figure 2, there would be many characters that
would correspond to each of the numeric codes. However, the algorithm has
been constrained (see 2.2.2) to distribute the numeric digits (0, 1, 2... 9)
equally amongst the permissible password characters.
Table 1 gives all the characters corresponding to each of the user
input code 27318081174. Algorithm 2.2.4 computes each password
combination (LBVTAHATTBI, LBVTAHATTBP, ..., ^/wp_C_pp/! )
derivable from table 1 and validates it against the password database. If the
current combination is validated successfully, the process terminates and the
user is logged in; otherwise the next password combination is tried for
validation. If all combinations are tried and fail, then the user is denied
access.
The total number of password combinations from the scheme is $d^n$, which could
be a very large value for a carefully planned password system. This will
make it extremely difficult for any attacker to spy physically or eavesdrop
electronically because the user keystrokes are not directly related to the
actual password.
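
The following Python is an added example, not the authors' Visual Basic implementation: it generates a form that satisfies the constraint, computes G(c_i) for an entered code, and authenticates the code both by the exhaustive enumeration of the authentication algorithm and by an equivalent per-password check. The 90-character alphabet, the function names and the sample database are assumptions made for the example.

```python
import itertools
import secrets
import string

# Constructed alphabet: 90 characters, so n(X) = 90 is divisible by n(S) = 10.
ALPHABET = string.ascii_letters + string.digits + string.punctuation[:28]
DIGITS = "0123456789"

def new_form(alphabet=ALPHABET):
    """Label every character with a random digit, each digit used exactly d times."""
    if len(alphabet) % len(DIGITS):
        raise ValueError("n(X) must be divisible by n(S)")
    labels = list(DIGITS * (len(alphabet) // len(DIGITS)))
    secrets.SystemRandom().shuffle(labels)
    return dict(zip(alphabet, labels))

def encode(password, form):
    """What the legitimate user types: the digit shown beside each character."""
    return "".join(form[ch] for ch in password)

def candidates(code, form):
    """G(c_i) for every entered digit c_i: all characters currently labelled c_i."""
    groups = {}
    for ch, digit in form.items():
        groups.setdefault(digit, []).append(ch)
    return [groups.get(c, []) for c in code]

def authenticate_enumerate(code, form, database):
    """The nested loops of the authentication algorithm: try all d**n strings."""
    return any("".join(combo) in database
               for combo in itertools.product(*candidates(code, form)))

def authenticate_filter(code, form, database):
    """Same accept/reject decision in O(p*n): test each stored password against G(c_i)."""
    sets = [set(g) for g in candidates(code, form)]
    return any(len(pw) == len(sets) and all(ch in s for ch, s in zip(pw, sets))
               for pw in database)

if __name__ == "__main__":
    db = {"Lagos(2006)", "aB3("}            # constructed sample database
    form = new_form()                        # regenerated after every Enter
    code = encode("Lagos(2006)", form)
    print(code, authenticate_filter(code, form, db))
    short = encode("aB3(", form)
    print(short, authenticate_enumerate(short, form, db))   # 9**4 = 6561 strings
```

For the 11-character password of this section the enumeration covers 9^11 = 31,381,059,609 strings, so the example runs it only on a 4-character password; the per-password check returns the same decision for any length.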


User password (unknown)      L a g o s ( 2 0 0 6 )
User input code (as fig. 2)  2 7 3 1 8 0 8 1 1 7 4
Characters corresponding     L B V T A H A T T B I
to each of the user          Y C 4 W F M F W W C P
input code                   H E 7 0 2 N 2 0 0 E Z
                             T 6 9 1 3 e 3 1 1 6 +
                             { 8 c B n u n b b 8 )
                             } a g D s z s d d a %
                             - V i O y [ y 0 0 V =
                             \ A
                             / w P _ ( P P /

Table 1: Characters corresponding to the user input code 27318081174

Conclusion

Randomly generated digits corresponding to password characters on an input
interface form, which make it impossible for a user's password to be spied on at
input level, have been proposed.
The scheme evenly distributes randomly generated numeric digits
among the password characters so that it can produce many possible
password combinations that are difficult for attackers to spy on or
electronically eavesdrop. Integrating the modules into existing systems
where password authentication is required will improve the security and
integrity of the password systems.

References

[A+96] D. Atkins, P. Buis, C. Hare, R. Kelley, C. Nachenberg, A.B.
Nelson, P. Philip, T. Ritchey and W. Steen - Internet
Security Professional Reference. New Riders Publishing,
1996

[BES01] C. Brent, D.Z. Elizabeth and C.D. Simon - Building Internet
Firewalls, 2nd Edition, O'Reilly Media Inc., 2001

[Has05] A. A. Hassan - Database Security and Auditing, Protecting
Data Integrity and Accessibility. 1st Edition, Course
Technology, 2005

[HFS98] S.A. Hofheyr, S. Forest and A. Somayaji - Intrusion
detection using sequences of system calls. Journal of
Computer Security, 1998

[Mar05] S. Mark - Information Security, Principles and Practice,
Wiley Interscience, 2005

[MSJ99] K.W. Mok, W. Lee, and S.J. - A data mining framework for
building intrusion detection model. Proceeding IEEE
Symposium on Security and Privacy, Columbia, 1999

[Nig07] Nigerian Mathematical Centre - Advanced Course on
Algorithm and Cryptography, Abuja, Nigeria, 2007

[Sim01] G. Simson - Web Security, Privacy and Commerce, 2nd
Edition, O'Reilly Media Inc., 2001

[Uni06] University of Agriculture, Abeokuta - International
conference on Sciences and Technologies, Abeokuta,
Nigeria, 2006

Copyright of Annals. Computer Science Series is the property of "Tibiscus" University - Faculty of Computers
& Applied Computer Sciences and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print, download, or
email articles for individual use.