You are on page 1of 4


Enhancement of Knowledge Based Authentication Mechanism using Graphical Password via Persuasion
Ms. Uma D. Yadav and Mr. P. S. Mohod
Abstract The existing authentication system such as text based password, biometrics and tokens based system has several
disadvantages for that reason graphical passwords are most preferable authentication system where users clicks on images to authenticate themselves. The usability goal of an authentication system is to support users for selecting the better password. User creates memorable password which is easy to guess by an attacker and strong system assigned passwords are difficult to remember. So researchers of modern days gone through different alternative techniques and conclude that graphical pas swords are most preferable authentication system by most of the users. The proposed system combines the existing cued click point technique with the persuasive technique to influence user choice such that it enhances the users knowledge and encourages the user to select more random click point which is difficult to deduce. Index Terms Authentication, Graphical Password, images, security.


he authentication is used for security purposes. Most of the user uses text based password system for security. But the problem of Knowledge based authentication mechanism (KBAM) typically text based password are well known. The purpose of an authentication system is to support users to select the better password. Modern days researchers went through the different technology and found that human brains easily recognize pictures than the text. So they conclude that an alternative to alphanumeric password is the graphical password. Graphical password uses images or representation of an image as a password. Most of the time user create memorable password which is easy to guess but strong system assigned password are difficult to remember. [1] An authentication system should allow user choice while influencing user towards stronger passwords. An important usability goal of Knowledge based authentication system is to support users for selecting the password of higher security with larger password space. Basically persuasion is used to enhance the user choice in click based graphical password, encouraging user to select more random click point which is difficult to guess. In the proposed system, the task of selecting weak password which is easy for an attacker to guess is more tedious, discouraging users from making such choices. In consequence, this approach chooses the more secure password the path of least resistance. Instead of increasing the burden on users its easier to track the system

suggestions for a secure password which is the feature lacking in most of the schemes.So, Graphical Password is the most preferable technique. Paper is structured as follows: the various existing password scheme is defined in the section 2, the various graphical password scheme is introduced in the section 3, section 4 explains the proposed methodology, section 5 explains the experimental results or work completed till now, section 6 explains the security analysis of graphical password scheme and section 7 conclude the remarks.

The following fig. 1 shows the representation of current authentication methods. Previous Text based password system has various desadvantages such as sometimes it is difficult to remember and it has fixed length. Biometric based authentication techniques are somewhat expensive, slow and unreliable and so generally it is not preferred by many [3]. Token based authentication system has high security and usability and accessibility then the others. Also the system uses the knowledge based techniques to enhance the security of token based system. But the problem with token based system is that if token get lost, the security get also lost [2]. So the Knowledge based authentication techniques are most preferable technique to improve the security. Graphical Password is one of the knowledge based technique and it is categorized into Recognition based and Recall based. Recognition system has certain drawbacks. Thus most of the people preffering recall based techniques. Recall based techniques are also categorized into pure recall based and cued recall based system [11].

Uma Yadav is student of Mtech IInd Year in Computer Science & Engineering department of G. H. R. I. E. T. W, Nagpur, Maharashtra, India. Mr. P. S. Mohod is Asst. Professor of Department of Computer Science & Engineering, in G. H. R. I. E. T. W, Nagpur, Maharashtra, India.

2013 JCSE


Fig. 1. Categorization of Password Authentication Techniques


Previously various Graphical Password techniques were introduced. Some of the techniques are given below,

pattern formation attacks are easily possible.Thus the pass-point system suffers from this two major disadvantages. To overcome this disadvantages next technique is to be implemented.

3.1 Blonder Scheme G. E. Blonder [4] proposed graphical password scheme which is the one of the most preferable graphical password scheme. In this scheme user click on several different predefined locations on a predetermined image and during login, the user has to click on the approximate area of those locations. Basically the image helps the user to recollect their passwords and therefore this method is considered more suitable than unassisted recall. The
Fig 3: Pass-Point

Fig 2: Blonders Scheme

problem with this system is that boundaries are predefined which results various attacks are easily possible.

3.2 Pass-point Scheme S. Wiedenbeck et al. [5][6][7] proposed pass-point graphical password scheme in which password consists of a sequence of 5 different click point on a given image. During password creation user has to select any pixel in the image as a click-points and during authentication the user has to reiterate the same series of clicks in correct pattern within a system defined tolerance square of original clickpoints. The existing system used the robust discreatization technique. The hitch with this scheme is that HOTSPOT (the area of an image where user more likely to select the click-point) and also user forms certain patterns in order to remember the secret code which results

3.3 Cued Click-point Scheme S. Chaisson et al. [8] proposed cued click-point which was proposed to reduce the pattern formation and HOTSPOT attack. CCP uses single click point on five different images as compared to five click-points on one image. The deterministic function is used to display the next image which is depending upon previous click-point and the user specific random value. Here the secret code entry becomes the accurate cued recall scenario wherein each image triggers the remembrance of corresponding clickpoint. For valid users it provides implicit feedback such that during login if the user is not able to identify the image then it involuntarily alters the user that their earlier click-point is incorrect and user can again start the password entry but in case of unvalid user it provides the explicit indication after the final click point. The CCP also used the robust descreatization technique. In case of robust descreatization technique three invible grids are overloaded in the image when user select the particular click point, the technique then identify which grid to be choose for authentication of user. But the problem with this technique is that false accept i.e. the incorrect click-


point can be accept by the system and false reject i.e. the click-point which is to be correct can be reject by the system.Thus the technique used here has two drawbacks. In this system pattern formation attack is reduced but HOTSPOT remains since users are selecting their own click-point.

attack (it is an area of an image where most of the user is selecting it as the click-point).Also the proposed system somewhat removes the shoulder surfing attack.

Basically proposed scheme consist of four modules. First module is used to set the seed value and using the same seed value first image is generated. In the second module I am going to implement the centred discreatization technique [12] which is used such that approximate correct click-point to be accepted by the system. In the third module I will implement cued-click point technique and finally in the fourth module I will implement persuasion which basically provides the system suggestion to the user. Till now first module is implemented and further work in this scheme is going on. First module is described as follows,

Fig 3: Cued Click-point

3.4 Persuasive Text Password Scheme A. Forget et al. [10] proposed persuasive text password (PTP) scheme which uses the persuasive technology to influence users in creating more secure passwords. During password creation, the user select his own secret code, the PTP recover its security by inserting the arbitrary chosen characters at random positions into the secret code. Users can mix up the random characters until they find the combination to be unforgettable. For helping the user PTP uses the user chosen text secret code system which makes the password more secure.

5.1 Module I Module I is mainly used to create the seed value or unique value for the given user. This seed value plays a very important role for selection of an images and also first image is selected using the seed value. The seed value is generated on the basis of user name. Both the user name and seed value will decide the First image. Here for

The proposed scheme is based on click based graphical password system that not only guides and helps the user for password selection but also encourages the user to select more random distributed password. The proposed system is based on Persuasive Technology which motivates and influence people to behave in a desired manner [9]. The proposed system combines the Persuasive features with the cued click-point to make authentication system more secure. Basically during password creation the portion of an image which is less guessable is highlighted and user has to select the click-point within the highlighted portion. The highlighted portion of an image basically guides users to select more random click-points that are less likely to include hotspots. Therefore this mechanism encourages users to select more random distribued, and complex passwords to guess. During Login process, images are displayed normally and user has to select the click-point as chosen at the time of password creation but this time highlighted portion is not present as it only provides the system suggestion. The goal of proposed system is to sustain users in selecting password of higher security with larger password space. The proposed system removes the pattern formation attack and Hotspot

Fig 5: Module I: Seed value generation and First Image Generation.

example below fig: 5 shows the first module result such that user name is for this user name the seed value generated is 82220 and correspondingly first image is retrieve on the basis of user name and seed value.


6.1 Dictionary Attack In graphical password scheme dictionary attack is not possible because input to the system is provided by the mouse whereas in case of text based password scheme input is provided with the help of keyboard which results dictionary attack is easily possible on text based system. Graphical system is free from Dictionary attack.


6.2 Guessing Attack The most powerfull guessing attack is Bruite-force attack. Some Graphical password scheme is susceptible to guessing attack. 6.3 Shoulder Surffing attack Text based password scheme as well as graphical password scheme is also susceptible to Shoulder-Surfing attack. 6.4 Spyware Key logging or key listening spyware cannot break the graphical password system. Mouse motion alone is not enough to break the graphical password. 6.5 Social Engineering Attack It is very difficult for a user to discuss regarding the graphical password as compare to text password. So Graphical Password Systems are free from Social Engineering attack.

Sept. 2007. B. Fogg, Persuasive Technologies: Using Computers to Change What We Think and Do. Morgan Kaufmann Publishers, 2003. [10] Forget, S. Chiasson, P. van Oorschot, and R. Biddle, I mproving Text Passwords through Persuasion, Proc. Fourth Symp. Usable Privacy and Security (SOUPS) , July 2008. [11] R. Biddle, S. Chiasson, and P. van Oorschot, Graphical Pas swords: Learning from the First Twelve Years, to be published in ACM Computing Surveys, vol. 44, no. 4, 2012. [12] S. Chiasson, J. Srinivasan, R. Biddle, and P.C. van Oorschot Centered Discretization with Application to Graphical Pas swords, Proc. USENIX Workshop Usability, Psychology, and Security (UPSEC), Apr. 2008. [9]


The major advantage of proposed scheme is that it provides larger password space then the textual passwords. For Graphical passwords there is a rising interest is that they are better than the Text based passwords, while the important argument for graphical passwords are that people are better at memorizing graphical passwords than text-based passwords. The proposed system guides the user for password selection which results it removes the pattern formation and hotspot attack. The shoulder surfing attack is also removed by the proposed system.

[1] J. Yan, A. Blackwell, R. Anderson, and A. Grant, The Mem orability and Security of Passwords, Security and Usability: Designing Secure Systems That People Can Use , L. Cranor and S. Garfinkel, eds., ch. 7, pp. 129-142, OReilly Media, 2005. L. OGorman, Comparing Passwords, Tokens, and Bi ometrics for User Authentication, Proc. IEEE, vol. 91, no. 12, pp. 2019 2020, Dec. 2003. Jain, A. Ross, and S. Pankanti, Biometrics: A Tool for Information Security, IEEE Trans. Information Forensics and Security (TIFS), vol. 1, no. 2, pp. 125-143, June 2006. G. E. Blonder, "Graphical passwords," in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996. S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, PassPoints: Design and Longitudinal Evaluation of a Grap hical Password System, Intl J. Human-Computer Studies, vol. 63, nos. 1/2, pp. 102-127, 2005. S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, Authentication Using Graphical Passwords: Effects of Tole rance and Image Choice, Proc. First Symp. Usable Privacy and Security (SOUPS), July 2005. Dirik, N. Menon, and J. Birget, Modeling User Choice in the Passpoints Graphical Password Scheme, Proc. Third ACM Symp. Usable Privacy and Security (SOUPS) , July 2007. S. Chiasson, P. van Oorschot, and R. Biddle, Graphical Pas sword Authentication Using Cued Click Points, Proc. European Symp. Research in Computer Security (ESORICS) , pp. 359-374,



[4] [5]