

02:23:00 / Benjamin Ohepo / No comments











Supervised by: Mrs. Adanma C.E.







Chapter one: Introduction

1.1 Background of study------------------------------------------------------------------------------------8

1.2 Problem statement---------------------------------------------------------------------------------------8

1.3 Aims and Objectives------------------------------------------------------------------------------------9

1.4 Scope of study-------------------------------------------------------------------------------------------9

1.5 Justification of study-----------------------------------------------------------------------------------10

1.6 Limitations----------------------------------------------------------------------------------------------10

1.7 Glossary-------------------------------------------------------------------------------------------------10

1.8 Organization of chapters------------------------------------------------------------------------------11

Chapter two: Literature review---------------------------------------------------------------------------12

Chapter three: Findings

3.1 Why graphical passwords----------------------------------------------------------------------------14

3.2 Classification of current authentication methods-------------------------------------------------14

3.2.1 Token based authentication------------------------------------------------------------------------14

3.2.2 Biometric based authentication--------------------------------------------------------------------14

3.2.3 Knowledge based authentication------------------------------------------------------------------15

Recognition based---------------------------------------------------------------------------------15

Recall based----------------------------------------------------------------------------------------15

3.2.4 Hybrid systems---------------------------------------------------------------------------------------16

3.3 Traditional authentication methods------------------------------------------------------------------16

3.4 Locimetric passwords----------------------------------------------------------------------------------17

3.4.1 Passpoints----------------------------------------------------------------------------------------------17

3.4.2 Cued click points-------------------------------------------------------------------------------------18

3.5 Other graphical password authentication schemes-------------------------------------------------19

3.5.1 Hash visualization technique------------------------------------------------------------------------19

3.5.2 Draw A Secret-----------------------------------------------------------------------------------------19

3.5.3 Passfaces-----------------------------------------------------------------------------------------------20
3.6 Is a graphical password as secure as text based password? ---------------------------------------21

3.6.1 Brute force search-------------------------------------------------------------------------------------22

3.6.2 Dictionary attacks-------------------------------------------------------------------------------------22

3.6.3 Guessing-----------------------------------------------------------------------------------------------22

3.6.4 Spyware-----------------------------------------------------------------------------------------------22

3.6.5 Shoulder surfing--------------------------------------------------------------------------------------23

3.6.6 Social engineering-----------------------------------------------------------------------------------23

3.7 Advantages---------------------------------------------------------------------------------------------23

3.8 Disadvantages------------------------------------------------------------------------------------------23

Chapter four: Conclusion and recommendation

4.1 Summary-----------------------------------------------------------------------------------------------24

4.2 Recommendation-------------------------------------------------------------------------------------24

4.3 Conclusion---------------------------------------------------------------------------------------------24



I, ABALI LEYAZIBA VICTOR, hereby declare that this Seminar report on GRAPHICAL
PASSWORD AUTHENTICATION was documented and presented by me, and that it is a record
of my research work. This particular piece of work has never been presented in any previous
application for a degree program. All sources of data in this research are duly acknowledged.

(Student) Signature Date


............ ......

MRS EBERENDU-OGU ...... ......

(Supervisor) Signature Date

MRS EBERENDU-OGU ...... .......

(Head of Department) Signature Date


This report is dedicated to all those who have helped me in one way or another to get to where I
am in my educational career and also the almighty God who gives me strength in all my


This Seminar report was completed as a result of support from many people, although not all of
them can be mentioned.

I wish to express my sincere gratitude to God for his protection, providence, guidance and above
all, for sustaining me.

I am greatly indebted to my good supervisor Mrs. Adanma C.E. for her useful and necessary
observation, suggestions, contribution and corrections. I would not have been able to achieve
anything in this research without your supervision. May God enrich you greatly in every area of

Finally I wish to express my appreciation to my parents for their love and support.


Graphical password authentication is a form of authentication that requires the user to recall and
select an image, or points in an image, that was entered during the registration stage in a graphical
user interface. Passwords provide a security mechanism for authenticating users and protecting
services against unwanted access to resources. A graphical password is one promising alternative
to textual passwords. The most common computer authentication method in use today is
alphanumeric usernames and passwords. This method has been shown to have significant
drawbacks: users tend to choose memorable passwords that are easy for attackers to guess, while
strong system-assigned passwords are difficult for users to remember. Using a graphical
password, users click on images rather than type alphanumeric characters. Today the most
secure form of authentication is biometric, but biometric systems are very expensive to use;
graphical passwords are an alternative that is less expensive and offers more security than
text-based passwords.



Chapter one: Introduction

1.1 Background Of The Study:

Computer systems and the information they store and process are valuable resources which need
to be protected. Computer security systems must also consider human factors such as ease
of use and accessibility. Current secure systems suffer because they mostly ignore the
importance of human factors in security (Rachna Dhamija and Adrian Perrig, 2000). A key area in
security research is authentication, the determination of whether a user should be allowed access
to a given system or resource. Traditionally, alphanumeric passwords are used for authentication,
but they are known to have usability and security problems. A password authentication system
should encourage strong and less predictable passwords while maintaining memorability and
security. A password is a secret shared by the verifier and the user: it is provided by the user
upon request by a recipient, and passwords are often stored on a server in an encrypted form so
that a penetration of the file system does not reveal password lists
(, 2011).

Graphical passwords (GP) use pictures (Parkinson, 2005) instead of text and are partially
motivated by the fact that humans can remember pictures more easily than a string of characters.
The idea of graphical passwords was originally described by Greg Blonder in 1996, and since then
several researchers have proposed different graphical password authentication schemes. In
Blonder's description of the concept, an image would appear on the screen and the user would
click on a few chosen regions of it; if the correct regions were clicked, the user would be
authenticated. An important advantage of GP is that they are easier to remember than textual
passwords: human beings have the ability to remember faces of people, places they have visited
and things they have seen for a long duration. Thus, graphical passwords provide a means for
making passwords more user-friendly while increasing the level of security.

1.2 Problem Statement:

Graphical passwords introduce us to a whole new form of authentication. The most common form
of authentication used today is the used of alphanumeric texts and this form of authentication has
been proven to be prone to several forms of attacks such as guessing, social engineering,
spywares, dictionary attacks, shoulder surfing and even hidden cameras. It can be frustrating to
keep up with all the passwords since it is not a recommended that someone uses one password
for more than one account or computer program or device. One of the main problems graphical
passwords tend to solve is the problem of a user using a weak password so that he/she wont
forget it and at times when users are encouraged to use strong passwords, they tend to use it for
all their accounts and also users keep their passwords where attackers can access because of the
fact that they dont want to memorize it. Since it is easier to remember pictures than text, graphical
passwords tend to enhance security and at thesame time make it easier for the user to use.
1.3 Aims and objectives:

One of the major issues of the modern day is security. The process of authentication tries to
enhance security, but the common means of authentication today (alphanumeric passwords)
is known to have significant disadvantages. Attackers now have many ways of gaining access to a
particular system or account, and because of this other means of authentication are becoming
widespread. Biometric authentication is regarded as the most secure means of
authentication, but unlike text-based authentication, which is relatively inexpensive,
biometric systems are very expensive to use. This is where the concept of graphical password
authentication comes in: graphical passwords are cheap, easy to use, offer more security than
text-based passwords and also take the human factor into consideration. The aim of this report
is to create awareness that there is an alternative to text-based passwords, and that this
alternative is secure, cheap and relatively easy to use.

1.4 Scope of the study:

This report focuses on graphical password authentication and the different forms commonly used
today. It also highlights the advantages graphical passwords have over text-based passwords and
the forms of attack one can be prone to while using graphical passwords. This report does not
delve deep into the traditional form of authentication (text based) and biometric form of

1.5 Justification Of Study:

I selected this research topic because I'm interested in finding a more secure alternative to text-
based passwords. The topic opened my eyes to a totally different form of authentication that is easy
to use and also more secure compared to text-based passwords.

1.6 Limitations Of Study:

The main limitation of graphical passwords is that they are more vulnerable to shoulder
surfing than traditional text-based passwords. An attacker can capture a password by direct
observation or by recording the individual's authentication session while the password is entered
in public; this is referred to as shoulder surfing. Another limitation is that the login process is
slower when graphical passwords are used, and this can sometimes annoy the user.

1.7 Glossary:

i. Password Hardening: Password hardening is any one of a variety of measures taken to make
it more difficult for an intruder to circumvent the authentication process. Password hardening may
take the form of multifactor authentication, by adding some component to the username/password
combination, or may be policy-based.

ii. Passphrase: A passphrase is a string of characters longer than the usual password (which is
typically from four to 16 characters long) that is used in creating a digital signature or in the
encryption or decryption of a message. Passphrases are often up to 100 characters in length.

iii. Shoulder surfing: The process of an attacker capturing a user's password by direct
observation (such as looking over one's shoulder) or by recording the user's authentication
session.

iv. Attacker: Anyone who tries to gain access to someone's account without the knowledge of
the user, whether with a good or a bad motive.
v. Tolerance value: It is the value which indicates the degree of closeness to the actual click

vi. Tolerance region: The area around an original click point that is accepted as correct, since it
is unrealistic to expect users to accurately target an exact pixel.

vii. Success rate: The rate which gives the number of successful trials out of a certain number of
trials. Success rates are calculated as the number of trials completed without errors or restarts.

1.8 Organization of chapters:

Chapter one introduces the concept of graphical password authentication. It contains a brief history
of the concept, a background study on graphical password authentication, the areas of graphical
password authentication this research covers, what this research aims to achieve and also
some of the limitations of using graphical

Chapter two highlights some of the researchers who have made a big impact in bringing
graphical passwords to the point they have reached today. This chapter contains different expert
views on the concept of graphical password authentication.

Chapter three contains all my findings during the course of the research. This chapter tries to
explain what graphical passwords are all about and also some of the different forms of
authentication used today. It also highlights the advantages graphical passwords have over
text-based passwords and the security problems one is likely to face with the use of graphical
passwords.

Chapter four contains a brief summary on the key points in this research and it also contains a
recommendation for future researchers on the concept of graphical password authentication.



Chapter two: Literature review

For over a century, psychology studies have recognized the human brain's apparently superior
memory for recognizing and recalling visual information as opposed to verbal or textual
information. The most widely accepted theory explaining this difference is the dual-coding theory
(Paivio, 2006), which suggests that verbal and non-verbal memory (respectively, word-based and
image-based) are processed and represented differently in the mind. Images are mentally
represented in a way that retains the perceptual features observed and are assigned a
perceived meaning based on what is directly observed. Text is represented symbolically,
where symbols are given a meaning cognitively associated with the text, as opposed to a perceived
meaning based on the form of the text.

A generally accepted fact in graphical password authentication is that graphical passwords are
prone to shoulder surfing attacks. Because of this, several researchers have studied graphical
password schemes and come up with techniques that reduce the shoulder surfing problem. Another
drawback of graphical passwords is that they can be guessed if the attacker is persistent enough
to try all possible inputs. In order to make the password hard to guess, (Sobrado.L and
Birget.J.C, 2002) suggested using 1000 objects, which makes the display very crowded and the
objects almost indistinguishable; using fewer objects may lead to a smaller password space, since
the resulting convex hull can be large. In their second algorithm, a user moves a frame (and the
objects within it) until the pass-object on the frame lines up with the other two pass-objects.

The authors also suggest repeating the process a few more times to minimize the likelihood of
logging in by randomly clicking or rotating. The main drawback of this algorithm is that the login
process can be slow.

Figure 2.1 A shoulder-surfing resistant graphical password scheme (Sobrado.L and Birget.J.C,

(Hong.D, Man.S, Hawes.B, and Mathews.M, 2002) proposed another shoulder-surfing resistant
algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object
has several variants and each variant is assigned a unique code. During authentication, the user
is challenged with several scenes. Each scene contains several pass-objects (each in the form of
a randomly chosen variant) and many decoy objects. The user has to type in a string with the
unique codes corresponding to the pass-object variants present in the scene, as well as a code
indicating the relative location of the pass-objects in reference to a pair of eyes. The argument is
that it is very hard to crack this kind of password even if the whole authentication process is
recorded on video, because there is no mouse click to give away the pass-object information.
However, this method still requires users to memorize the alphanumeric code for each pass-object.

(Hong.D, Man.S, Hawes.B, and Mathews.M, 2002) later extended this approach to allow the user
to assign their own codes to pass-object variants. Figure 2.2 shows the log-in screen of this
graphical password scheme. However, this method still forces the user to memorize many text
strings and therefore suffers from the many drawbacks of text-based passwords.

Figure 2.2 Another shoulder surfing resistant scheme developed by (Hong.D, Man.S, Hawes.B,
and Mathews.M, 2002).

A challenge for designers is to identify memory aids for legitimate users, that cannot be leveraged
by attackers to guess passwords. Furthermore, systems allowing some degree of user choice
should encourage randomization of user-chosen sequences as well as individual items, to avoid
divide and conquer guessing attacks. It remains an open question whether systems can be
designed such that user choice does not significantly weaken security, or whether a successful
combination of system suggestion and user choice can be devised.


Chapter three: Findings

3.1 Why Graphical Passwords?

Graphical password authentication is a means of authentication that requires the recall and
selection of images, or sections of an image, entered during the registration phase in a graphical
user interface. Today, access to computer systems is most often based on the use of alphanumeric
passwords. However, users have difficulty remembering a password that is long and random-
looking; instead, they create short, simple and insecure passwords. Graphical passwords have
been designed to make passwords more memorable and easier for people to use and,
therefore, more secure. Using a graphical password, users click on images rather than type
alphanumeric characters.

3.2 Classification of Current Authentication Methods

Because of recent incidents of theft and terrorism, it has become more important for an
organization to provide an accurate and reliable means of authentication. Current
authentication methods can be broadly divided into three main areas: token based, biometric
based, and knowledge based authentication.

3.2.1 Token Based Authentication:

It is based on What You Possess, for example smart cards, a driver's license, a credit card, a
university ID card etc. It allows users to enter their username and password in order to obtain a
token which allows them to fetch a specific resource without re-using their username and password.
Once the token has been obtained, the user can present the token (which grants access to a specific
resource for a period of time) to the remote site. Token based techniques, such as key cards,
bank cards and smart cards, are widely used. Many token-based authentication systems also use
knowledge based techniques to enhance security; for example, ATM cards are generally used
together with a PIN.

3.2.2 Biometric Based Authentication:

Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of automated methods for
uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. It is
based on What You Are. It uses physiological or behavioral characteristics like fingerprint or facial
scans and iris or voice recognition to identify users. A biometric scanning device takes a user's
biometric data, such as an iris pattern or fingerprint scan, and converts it into digital information a
computer can interpret and verify. Biometric authentication techniques, such as fingerprints,
iris scans, or facial recognition, are not yet widely adopted. The major drawback of this approach is
that such systems can be expensive, and the identification process can be slow and often
unreliable. However, this type of technique provides the highest level of security.

A biometric-based authentication system may deploy one or more of the biometric technologies:
voice recognition, fingerprints, face recognition, iris scan, infrared facial and hand vein thermo
grams, retinal scan, hand and finger geometry, signature, gait, and keystroke dynamics. Biometric
identification depends on computer algorithms to make a yes/no decision. It enhances user service
by providing quick and easy identification.

3.2.3 Knowledge Based Authentication:

Knowledge Based Authentication (KBA) is based on using What You Know to identify you, for
example a Personal Identification Number (PIN), password or passphrase. It is an authentication
scheme in which the user is asked to answer at least one "secret" question. Knowledge Based
Authentication is often used as a component in multifactor authentication and for self-service
password retrieval. Knowledge based techniques are the most widely used authentication
techniques and include both text-based and picture-based passwords. The picture-based
techniques can be further divided into two categories:

Recognition Based Graphical Techniques: With recognition-based techniques, a user is presented
with a set of images and passes the authentication stage by recognizing and identifying the
images he or she selected during the registration stage. Recognition-based systems, also known
as cognometric systems or locimetric systems, generally require that users memorize a portfolio
of images during password creation and then, to log in, recognize their images from among
decoys. Humans have an exceptional ability to recognize images previously seen, even those
viewed very briefly.

Recall Based Graphical Techniques: With recall-based techniques, a user is asked to reproduce
something that he or she created or selected earlier during the registration stage. Recall-based
graphical password systems are occasionally referred to as drawmetric systems because users
recall and reproduce a secret drawing. In these systems, users typically draw their password
either on a blank canvas or on a grid (which may arguably act as a mild memory cue). Recall is a
difficult memory task because retrieval is done without memory prompts or cues.

3.2.4 Hybrid systems: These can be described as the combination of two or more schemes, i.e
the combination of recognition and recall based techniques or the combination of textual
passwords with graphical password schemes. The process of withdrawing money from a bank with
the use of an ATM is an example of a hybrid system. It combines knowledge based authentication
methods with token based authentication, the ATM card is the token (something you have) and
the PIN required is knowledge based (what you know).


3.3 Traditional Authentication Methods:

Authentication has traditionally centered on what you know. This concept has, in the past, been
embodied in Personal Identification Numbers (PINs) and passwords. The fallibility of passwords
and PINs is exemplified in several well-known shortcomings implicit in their use. For example,
people share passwords; they have an inherent difficulty in remembering strong passwords (i.e.
those consisting of upper- and lower-case letters, numbers, and non-alphanumeric characters) and,
as a consequence, often stick passwords to the desktop for everyone to see.

The password problem arises largely from limitations of human long-term memory (LTM). Once
a password has been chosen and learned, the user must be able to recall it to log in. But people
regularly forget their passwords. Decay and interference explain why people forget their
passwords: items in memory may compete with a password and prevent its accurate recall, and a
password that is not used frequently will be even more susceptible to forgetting. A further
complication is that users have many passwords for computers, networks, and web sites. The large
number of passwords increases interference and is likely to lead to forgetting or confusing
passwords. Users typically cope with the password problem by decreasing their memory load at
the expense of security. First, users write down their passwords. Second, when they have multiple
passwords, they use one password for all systems or trivial variations of a single password. In
terms of security, a password should consist of a string of 8 or more random characters, including
upper- and lower-case alphabetic characters, digits, and special characters. A random password
does not have meaningful content and must be memorized by rote, but rote learning is a weak way
of remembering. As a result, users are known to ignore the recommendations on password choice.
A survey carried out in the Madonna University Miami boys' hostel shows that users choose short,
simple passwords that are easily guessable, for example "password", personal names of family
members, names of pets, and dictionary words. To users the most important issue is having a
password that can be remembered reliably so they can get on with their real work.

3.4 Locimetric Passwords: In locimetric systems, users identify and select specific locations
within one or more images. The images act as memory cues to aid recall. Examples of such
systems include passpoints and cued click points.

3.4.1 PassPoints:

In PassPoints, a password consists of a sequence of five click-points on a given image (see
Figure 3.2). Users may select any pixel(s) in the image as click-points for their password. To log
in, they repeat the sequence of clicks in the correct order, within a system-defined tolerance square
of the original click-points. The primary security problem is hotspots: different users tend to select
similar click-points as part of their passwords. Attackers who gain knowledge of these hotspots
through harvesting sample passwords or through automated image processing techniques can
build attack dictionaries and more successfully guess PassPoints passwords. A dictionary attack
consists of using a list of potential passwords (ideally in decreasing order of likelihood) and trying
each on the system in turn to see if it leads to a correct login for a given account. Attacks can target
a single account, or can try guessing passwords on a large number of accounts in hopes of
breaking into any of them.

Fig 3.2 A password consists of five (5) ordered clicks on an image.

3.4.2 Cued-Click Points:

Cued Click Points (CCP) were designed to reduce patterns and to reduce the usefulness of
hotspots to attackers. Rather than five click-points on one image, CCP uses one click-point on
each of five different images shown in sequence. The next image displayed is based on the
location of the previously entered click-point (see Figure 3.3), creating a path through an image
set. Users select their images only to the extent that their click-point determines the next image.
Creating a new password with different click-points results in a different image sequence.

The claimed advantages are that password entry becomes a true cued-recall scenario, where each
image triggers the memory of a corresponding click-point. Remembering the order of the click-
points is no longer a requirement on users, as the system presents the images one at a time. Cued
Click Points also provides implicit feedback claimed to be useful only to legitimate users. When
logging on, seeing an image they do not recognize alerts users that their previous click-point was
incorrect and users may restart password entry. Explicit indication of authentication failure is only
provided after the final click-point, to protect against incremental guessing attacks. In cued click
points, pattern based attacks seem ineffective. Although attackers must perform proportionally
more work to exploit hotspots, results showed that hotspots remained a problem.

Fig 3.3 Users select one click-point per image. The next image displayed is determined by the
current click-point.
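The two locimetric schemes above (PassPoints in 3.4.1 and CCP in 3.4.2) can be implemented with one shared piece of machinery: a way to turn a click into something the server can hash, while still honouring the tolerance region of glossary item vi. The Python below is an added illustration written for this edition; it is not code from the report or from the authors of PassPoints or CCP. It assumes pixel click coordinates, a tolerance of 9 pixels, a 50-image set for CCP, a server-held key that maps an (image, click cell) pair to the next image, and PBKDF2 for the stored hash. Centring each registration click in its own grid cell so that the hash can be checked without storing the original coordinates is likewise an added design choice that the report does not describe.

```python
import hashlib
import hmac
import os

TOLERANCE = 9             # pixels either side of a click: a 19 x 19 tolerance square
GRID = 2 * TOLERANCE + 1  # grid spacing at which "within tolerance" equals "same cell"
N_IMAGES = 50             # assumed size of the CCP image set (not from the report)
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored hash


def align(coord, r=TOLERANCE, g=GRID):
    """Centre a registration coordinate in its own grid cell; return (offset, cell).

    Shifting the grid by `offset` puts `coord` in the middle of `cell`, so a later
    coordinate within +-r lands in the same cell and anything further away in a
    different one: the tolerance region is exact and a click near a cell edge cannot
    fail. The offset is stored in the clear; it reveals where the grid lines sit,
    not which cell was clicked.
    """
    offset = (coord - r) % g
    return offset, (coord - offset) // g


def align_all(clicks):
    offsets, cells = [], []
    for x, y in clicks:
        ox, cx = align(x)
        oy, cy = align(y)
        offsets.append((ox, oy))
        cells.append((cx, cy))
    return offsets, cells


def cells_for(clicks, offsets, g=GRID):
    """Quantise login clicks with the per-point offsets saved at registration."""
    return [((x - ox) // g, (y - oy) // g) for (x, y), (ox, oy) in zip(clicks, offsets)]


def encode(items):
    """Fixed-width big-endian encoding of a sequence of integer tuples."""
    return b"".join(v.to_bytes(4, "big", signed=True) for item in items for v in item)


def slow_hash(salt, data):
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


# --- PassPoints: an ordered sequence of clicks on one image -------------------

def pp_register(clicks):
    offsets, cells = align_all(clicks)
    salt = os.urandom(16)
    return {"salt": salt, "offsets": offsets, "hash": slow_hash(salt, encode(cells))}


def pp_verify(record, clicks):
    if len(clicks) != len(record["offsets"]):
        return False
    cells = cells_for(clicks, record["offsets"])
    return hmac.compare_digest(record["hash"], slow_hash(record["salt"], encode(cells)))


# --- Cued Click Points: one click on each of several images -------------------

def next_image(key, image_id, cell):
    """Image that follows a click in `cell` on `image_id`: fixed for that pair,
    unpredictable without the server key (assumed design)."""
    mac = hmac.new(key, encode([(image_id,), cell]), "sha256").digest()
    return int.from_bytes(mac[:4], "big") % N_IMAGES


def ccp_path(key, first_image, cells):
    """The images a user is shown, given the cell they click on each one."""
    images = [first_image]
    for cell in cells[:-1]:
        images.append(next_image(key, images[-1], cell))
    return images


def bind(images, cells):
    return [(img, cx, cy) for img, (cx, cy) in zip(images, cells)]


def ccp_register(key, first_image, clicks):
    offsets, cells = align_all(clicks)
    images = ccp_path(key, first_image, cells)
    salt = os.urandom(16)
    digest = slow_hash(salt, encode(bind(images, cells)))
    return {"salt": salt, "offsets": offsets, "first": first_image, "hash": digest}


def ccp_login(key, record, clicks):
    """Return (authenticated, images_shown). A wrong click sends the user down a
    different path, so an unfamiliar image is the only feedback; the explicit
    yes/no comes after the last click, never per click."""
    if len(clicks) != len(record["offsets"]):
        return False, [record["first"]]
    cells = cells_for(clicks, record["offsets"])
    images = ccp_path(key, record["first"], cells)
    digest = slow_hash(record["salt"], encode(bind(images, cells)))
    return hmac.compare_digest(record["hash"], digest), images


# Constructed sample input: five clicks on one image (coordinates invented for the demo).
SAMPLE_CLICKS = [(120, 80), (300, 45), (55, 200), (410, 310), (250, 150)]

if __name__ == "__main__":
    rec = pp_register(SAMPLE_CLICKS)
    print("PassPoints, clicks 9 px off:", pp_verify(rec, [(x + 9, y) for x, y in SAMPLE_CLICKS]))
    crec = ccp_register(b"constructed-server-key", 7, SAMPLE_CLICKS)
    print("CCP correct login:", ccp_login(b"constructed-server-key", crec, SAMPLE_CLICKS))
```

The stored record holds a salt, one grid offset per click and a slow hash, not the click coordinates themselves, so a copy of the password file does not hand over the click sequence the way a plain-text store would. For CCP the hash covers the image shown at each step as well as the cell, and `ccp_login` reports failure only once all clicks are in, which is the behaviour the section above describes.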

3.5 Other Graphical Password Authentication Schemes :

3.5.1 Hash Visualization Technique:

This graphical password authentication scheme is based on hash visualization. In this
system, the user is asked to select a certain number of images from a set of random pictures
generated by a program during the registration stage. Later, the user is required to identify
the preselected images in order to be authenticated. The average log-in time, however, is longer
than with the traditional approach of alphanumeric passwords. A weakness of this system is that
the server needs to store the seeds of each user's portfolio images in plain text. Also, the
process of selecting a set of pictures from the picture database can be tedious and time consuming
for the user.

3.5.2 Draw A Secret (DAS):

This is the first recall based graphical password scheme to be produced. It allows the user
to draw their unique password (figure 3.4). A user is asked to draw a simple picture on a 2D grid.
The coordinates of the grid cells occupied by the picture are stored in the order of the drawing.
During authentication, the user is asked to re-draw the picture; if the drawing touches the same
grid cells in the same sequence, the user is authenticated. Jermyn et al. suggested that, given
reasonable-length passwords in a 5 × 5 grid, the full password space of DAS is larger than that of
the full text password space.

Fig 3.4 Draw-A-Secret technique.

3.5.3 Passface :

Passface is a technique developed by Real User Corporation (Real User Corporation, 2006). The
basic idea is as follows: during registration the user is asked to choose four images of human
faces from a face database as their future password. In the authentication stage, the user sees a
grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces
(figure 3.5). The user recognizes and clicks anywhere on the known face. This procedure is
repeated for several rounds, and the user is authenticated if he/she correctly identifies the four
faces. The technique is based on the assumption that people can recall human faces more easily
than other pictures. Studies have shown that Passfaces are very memorable over long intervals.
With Passfaces there are four (4) rounds of authentication: during registration the user selects
four (4) faces as his/her password, and at the authentication stage the user is presented with
nine (9) different faces in each round. The user is only authenticated after the final
round of selection. One significant drawback of Passfaces is the problem of shoulder surfing.

Fig 3.5 Examples of
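The Passfaces procedure in 3.5.3 (four registered faces, one nine-face grid per round, a verdict only after the final round) can be written out server-side as follows. This Python is an added example for this edition, not code from the report or from Real User Corporation. It assumes faces are identified by string ids drawn from a pool held by the server, that the eight decoys of each round are chosen once at registration and then kept fixed, and that only the order of faces in a grid is shuffled per login; the face ids and the pool size are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

ROUNDS = 4        # four pass faces, one per round
GRID_SIZE = 9     # each round shows the pass face among eight decoys
_rng = secrets.SystemRandom()


def _digest(salt, faces):
    return hashlib.pbkdf2_hmac("sha256", "\n".join(faces).encode(), salt, 100_000)


def register(face_pool, chosen):
    """Record for a user who picked ROUNDS faces from face_pool at registration.

    The decoys for each round are drawn once here and kept fixed. The server has to
    know every face it will display in any case, and re-drawing decoys at each login
    would let anyone who watches several sessions intersect the grids and isolate the
    pass face; fixed grids give a shoulder surfer nothing new on the second look.
    """
    if len(chosen) != ROUNDS or len(set(chosen)) != ROUNDS or any(f not in face_pool for f in chosen):
        raise ValueError("choose exactly four distinct faces from the pool")
    others = [f for f in face_pool if f not in chosen]
    grids = [[face] + _rng.sample(others, GRID_SIZE - 1) for face in chosen]
    salt = os.urandom(16)
    # The hash is compared in constant time, but with only 9**4 = 6561 candidate
    # sequences, all readable from `grids`, it does not survive a leak of the record:
    # protect the record like a PIN, not like a text password hash.
    return {"salt": salt, "hash": _digest(salt, chosen), "grids": grids}


def login_rounds(record):
    """Grids to display, one per round, with the positions shuffled for this login
    so that a watcher learns a face, not a screen position."""
    return [_rng.sample(grid, len(grid)) for grid in record["grids"]]


def verify(record, selections):
    """True only after the final round; no per-round feedback is given."""
    if len(selections) != ROUNDS:
        return False
    # A selection that is not even on the displayed grid cannot be a real click,
    # but the hash is still computed so timing does not reveal which round failed.
    on_grid = all(face in grid for face, grid in zip(selections, record["grids"]))
    match = hmac.compare_digest(record["hash"], _digest(record["salt"], selections))
    return on_grid and match


# Constructed sample data: a pool of 40 face ids and the four a user picked.
FACE_POOL = [f"face{i:02d}" for i in range(40)]
CHOSEN = ["face03", "face17", "face25", "face38"]

if __name__ == "__main__":
    rec = register(FACE_POOL, CHOSEN)
    for n, grid in enumerate(login_rounds(rec), 1):
        print(f"round {n}:", " ".join(grid))
    print("correct selections:", verify(rec, CHOSEN))
    print("selections in the wrong order:", verify(rec, CHOSEN[::-1]))
```

The record shows why the report puts recognition-based schemes at the small end of the password-space scale: everything the verifier will ever display is in `grids`, and the secret is one choice in nine per round, so the stored hash is a courtesy rather than a defence against an attacker holding the record.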

3.6 Is a graphical password as secure as text based password?

Very little research has been done on the difficulty of cracking graphical passwords. Because
graphical passwords are not widely used, there are no reports of real cases of graphical
passwords being broken in practice. Here, some of the possible techniques for breaking graphical
passwords are examined and compared with text-based passwords. These techniques include:

3.6.1. Brute force search

The main defense against brute force search is to have a sufficiently large password space. Text-
based passwords have a password space of 94^N, where N is the length of the password and 94 is
the number of printable ASCII characters excluding the space. Some graphical password techniques
have been shown to provide a password space similar to or larger than that of text-based passwords.
Recognition-based graphical passwords tend to have smaller password spaces than recall-based
methods. It is more difficult to carry out a brute force attack against graphical passwords than
against text-based passwords: the attack programs need to automatically generate accurate mouse
motion to imitate human input, which is particularly difficult for recall-based graphical passwords.
Overall, we believe a graphical password is less vulnerable to brute force attacks compared to
text-based passwords.
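As an added illustration (not code from this report or from Jermyn et al.), the script below puts the three password spaces discussed so far in bits: 94^N for text, 9^4 for Passface as described in 3.5.3, and a simplified DAS model that is my assumption: a password is a sequence of strokes separated by pen-ups, each stroke a walk over 4-adjacent cells of a 5 x 5 grid, with an assumed bound of at most 12 cells in total.

```python
from math import log2

GRID = 5        # DAS grid of GRID x GRID cells (the 5 x 5 grid cited above)
MAX_CELLS = 12  # assumed upper bound on cells per DAS password (not from the page)


def text_space_bits(n):
    """log2 of 94^N: N printable ASCII characters excluding the space."""
    return n * log2(94)


def passface_space_bits(rounds=4, faces=9):
    """Passface: one correct face among 9 per round, four rounds -> 9^4."""
    return rounds * log2(faces)


def stroke_counts(max_cells, grid=GRID):
    """w[k] = number of distinct single strokes covering k cells (assumed model):
    walks on the grid graph where each step moves to a 4-neighbour, i.e. the
    pen crosses one cell boundary; cells may be revisited. w[1] = grid*grid."""
    cells = [(r, c) for r in range(grid) for c in range(grid)]
    nbrs = {(r, c): [(r + dr, c + dc) for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1))
                     if 0 <= r + dr < grid and 0 <= c + dc < grid] for r, c in cells}
    ending = {cell: 1 for cell in cells}  # walks of 1 cell ending at each cell
    w = [0, len(cells)]
    for _ in range(2, max_cells + 1):
        ending = {cell: sum(ending[n] for n in nbrs[cell]) for cell in cells}
        w.append(sum(ending.values()))
    return w


def das_passwords(total_cells, grid=GRID):
    """p[L] = number of DAS passwords covering exactly L cells: one or more
    strokes separated by pen-ups, the next stroke starting on any cell."""
    w = stroke_counts(total_cells, grid)
    p = [1] + [0] * total_cells
    for L in range(1, total_cells + 1):
        p[L] = sum(w[k] * p[L - k] for k in range(1, L + 1))
    return p


def das_space_bits(max_cells=MAX_CELLS, grid=GRID):
    """log2 of all DAS passwords with 1..max_cells cells under the assumed model."""
    return log2(sum(das_passwords(max_cells, grid)[1:]))


if __name__ == "__main__":
    print(f"text, 8 chars : {text_space_bits(8):.1f} bits")
    print(f"Passface 4x9  : {passface_space_bits():.1f} bits")
    print(f"DAS 5x5, <=12 : {das_space_bits():.1f} bits")
```

Under this model the DAS space on a 5 x 5 grid exceeds that of an 8-character text password, while Passface's 9^4 choices are smaller than a 3-character text password, matching the ordering the section describes.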

3.6.2 Dictionary attacks

Since recognition-based graphical passwords involve mouse input instead of keyboard input, it is
impractical to carry out dictionary attacks against this type of graphical password. For some
recall-based graphical passwords it is possible to use a dictionary attack, but an automated
dictionary attack would be much more complex than a text-based dictionary attack. More research is
needed in this area. Overall, it is believed that graphical passwords are less vulnerable to dictionary
attacks than text-based passwords.

3.6.3 Guessing

Unfortunately, graphical passwords often appear to be predictable, a serious problem typically
associated with text-based passwords. For example, studies of the Passface technique have
shown that people often choose weak and predictable graphical passwords. Studies revealed
similar predictability among graphical passwords created with the DAS technique. More
research effort is needed to understand the nature of graphical passwords created by real world

3.6.4 Spyware

With a few exceptions, key logging or key listening spyware cannot be used to break
graphical passwords. It is not clear whether mouse tracking spyware would be an effective tool
against graphical passwords. However, mouse motion alone is not enough to break a graphical
password: such information has to be correlated with application information, such as window
position and size, as well as timing information.

3.6.5 Shoulder surfing

Like text-based passwords, most graphical passwords are vulnerable to shoulder surfing. At
this point, only a few recognition-based techniques are designed to resist shoulder surfing. None
of the recall-based techniques are considered shoulder-surfing resistant.

3.6.6 Social engineering

Compared to text-based passwords, it is less convenient for a user to give away a graphical
password to another person. For example, it is very difficult to give away a graphical password
over the phone. Setting up a phishing web site to obtain graphical passwords would be more time

Overall, it is believed that graphical passwords are more difficult to break using traditional
attack methods such as brute force search, dictionary attacks, and spyware. There is a need for
more in-depth research that investigates possible attack methods against graphical passwords.

3.7 Advantages

i. A graphical password authentication system is relatively inexpensive to implement.

ii. Graphical passwords provide a way of making user-friendly passwords.

iii. Graphical passwords are not vulnerable to dictionary attacks.

iv. It is less convenient for a user to give away a graphical password to another person.

3.8 Disadvantages

i. Password registration and login take too long; the login process is slow.

ii. Most users are not familiar with graphical passwords, and they often find them less convenient
and time consuming.

iii. Graphical passwords are prone to shoulder surfing: because of their graphic nature, nearly all
graphical password schemes are prone to shoulder surfing.



4.1 Summary:

The past decade has seen a growing interest in using graphical passwords as an alternative to
traditional text-based passwords. This report presents a comprehensive survey of existing graphical
password techniques. The current graphical password techniques can be classified into two
categories: recognition-based and recall-based techniques. Although the main argument for
graphical passwords is that people are better at memorizing graphical passwords than text-based
passwords, the existing user studies are very limited and there is not yet convincing evidence to
support this argument. My research suggests that it is more difficult to break graphical passwords
using the traditional attack methods such as brute force search, dictionary attack, or spyware.
However, since graphical password systems are not yet widely deployed, the vulnerabilities
of graphical passwords are still not fully understood.

4.2 Recommendation:

Although graphical passwords are not as secure as other forms of authentication such as
biometric authentication (which is very expensive), text-based passwords should be
replaced with graphical passwords because they are more secure. My recommendation to future
researchers is to investigate other means of eliminating the shoulder surfing problem attached to
the use of graphical passwords.

4.3 Conclusion:

In conclusion, I would like to highlight two major drawbacks of graphical passwords: their
vulnerability to shoulder surfing and their slow login process. Several researchers have tried to fix
these problems with graphical passwords. Despite those two major drawbacks, graphical passwords
are considered to be more secure and easier to remember than text-based passwords.


Hong, D., Man, S., Hawes, B. and Mathews, M. (2002). "A password scheme strongly resistant to
spyware". International Conference on Security and Management, Las Vegas.

Hong, D., Man, S., Hawes, B. and Mathews, M. (2003). "A shoulder surfing resistant graphical
password scheme". International Conference on Security and Management, Las Vegas.

Parkinson, M. (2005). "The Power of Visual Communication". 23-27.

Paivio, A. (2006). Mind and Its Evolution: A Dual Coding Theoretical Approach.

Dhamija, R. and Perrig, A. (2000). "Deja Vu: A User Study Using images for

Real User Corporation. (2006). Retrieved October 3, 2015, from Realuser:

Sobrado, L. and Birget, J. (2002). "Graphical Passwords", An Electronic Bulletin for Undergraduate
Research, vol. 4.

Saranga, K. and Hutchings, R. (2008). "Order and entropy in picture passwords", Proceedings of
Graphics Interface, Canadian Information Processing Society.


Xiaoyuan, S. and Ying Zhu, G. (2005). "Graphical passwords: a survey", 21st Annual Computer
Security Applications Conference.