
FACULTY OF SCIENCE

DEPARTMENT OF MATHEMATICS AND COMPUTER SCIENCE

NIGERIA POLICE ACADEMY, WUDIL

KANO, NIGERIA

DEVELOPMENT OF A WEB BASED GRAPHICAL PASSWORD SYSTEM

FINAL YEAR PROJECT

BY

ISAH YAKUBU MUSA


(NPA NO: NPA/03/03/00371)

SUPERVISOR:
MR. EDWARD PHILEMON
DATE: 16th October, 2018.

DECLARATION
I (Isah Yakubu Musa) hereby declare that this project titled (Development of a Web Based Graphical Password System) has been carried out by me under the supervision of (Mr. Edward Philemon). It has not been presented for the award of any degree in any institution. All sources of information are specifically acknowledged by means of references.

__________________________ ____________________
Isah Yakubu Musa Date
NPA/03/03/00371

CERTIFICATION
This project titled “Development of a Web Based Graphical Password System” by Isah Yakubu Musa with matriculation number NPA/03/03/00371 meets the requirements governing the award of the degree of Bachelor of Science in Computer Science and is approved for its contribution to knowledge and literary presentation.

___________________________ _____________________
Mr. Edward Philemon Date
(Project Supervisor)

____________________________ _____________________
Dr. O. T. Olorunpomi Date
(Head of Department)

____________________________ _____________________
Prof. A. A. Obiniyi Date
(External Supervisor)

DEDICATION
This project work is dedicated to Almighty Allah, the founder of knowledge who taught man what he knew not, and to my late father, Mal. Isah Musa Katali.

ACKNOWLEDGEMENTS
I would like to express my profound gratitude to quite a number of persons who inspired, encouraged, guided and supported me in the journey of this dissertation.

I would like to gratefully appreciate my project supervisor, Mr. Edward Philemon, for giving me the inspiration to take up this project. The project appeared somewhat impossible to take on at the beginning, but with his assistance, support and patience amidst his tight schedule, he successfully guided and supervised me throughout the project work.

I would like to thank my guardian (Q.S. Yakubu Musa Amleku), my grandparents, my uncles and siblings so much for their love, care and support through calls, prayers and advice.

My sincere appreciation goes to the Head of Department, Dr. O. T. Olorunpomi, for his elderly advice and encouragement throughout the period of my study.

I thank other members of staff from both the police and academic wings who supported me directly or indirectly to realize the completion of this project.

Finally, I appreciate all my colleagues and friends. In one way or the other, you guys assisted me in the completion of this project.

Table of Contents
DECLARATION ............................................................................................................................. i
CERTIFICATION .................................................................................................................................. ii
DEDICATION..................................................................................................................................... iii
LIST OF TABLES ................................................................................................................................viii
LIST OF FIGURES ................................................................................................................................ix
ABSTRACT ..........................................................................................................................................x
CHAPTER ONE ....................................................................................................................................1
INTRODUCTION ..................................................................................................................................1
1.1 BACKGROUND OF THE STUDY ....................................................................................................1
1.2 SIGNIFICANCE OF THE STUDY .....................................................................................................2
1.3 PROJECT MOTIVATION...............................................................................................................3
1.4 AIMS AND OBJECTIVES...............................................................................................................3
1.5 SCOPE AND LIMITATIONS OF THE STUDY ....................................................................................3
1.6 PROJECT METHODOLOGY ..........................................................................................................4
1.7 PROJECT ORGANIZATION ...........................................................................................................4
1.8 DEFINITION OF TERMS...............................................................................................................4
1.8.1 Shoulder Surfing .................................................................................................................4
1.8.2 Tolerance Region ................................................................................................................5
1.8.3 GRAPHICAL PASSWORDS .....................................................................................................5
1.8.4 AUTHENTICATION ...............................................................................................................5
1.8.5 PASSPOINTS........................................................................................................................5
1.8.6 PASSWORD STRENGTH ........................................................................................................5
CHAPTER TWO ...................................................................................................................................6
LITERATURE REVIEW ...........................................................................................................................6
2.1 WHY WE NEED MORE SECURE AUTHENTICATION SYSTEM FOR THE WEB......................................6
2.2 THE CONCEPT OF AUTHENTICATION...........................................................................................7
2.2.1 BASIC STEPS FOR AUTHENTICATION .....................................................................................8
2.3 ALPHANUMERIC PASSWORD......................................................................................................9
2.3.1 PASSWORD ATTRIBUTES......................................................................................................9
2.3.2 PASSWORD STANDARDS.................................................................................................... 10
2.3.3 END USER SECURITY .......................................................................................................... 12

v
2.3.4 USING PASSWORD MULTIPLE TIMES .................................................................................. 12
2.3.3 SOCIAL PROBLEMS ............................................................................................................ 13
2.3.5 USERS PROBLEMS WITH PASSWORD .................................................................................. 13
2.4 GRAPHICAL PASSWORDS ......................................................................................................... 14
2.4.1 GRAPHICAL PASSWORDS SYSTEMS..................................................................................... 14
2.4.2 WHY GRAPHICAL PASSWORDS MAY BE BETTER .................................................................. 16
2.4.3 GRAPHICAL AUTHENTICATION METHODS ........................................................................... 17
CHAPTER THREE ............................................................................................................................... 19
SYSTEM ANALYSIS AND DESIGN ......................................................................................................... 19
3.0 INTRODUCTION....................................................................................................................... 19
3.1 SYSTEM ANALYSIS ................................................................................................................... 19
3.1.1 DETAILED ANALYSIS OF THE EXISTING SYSTEM.................................................................... 20
3.1.2 OUR PROPOSED SYSTEM ................................................................................................... 20
3.1.3 FUNCTIONAL AND NON-FUNCTIONAL REQUIREMENTS ....................................................... 21
3.2 SYSTEM DESIGN ...................................................................................................................... 22
CHAPTER FOUR................................................................................................................................. 30
4.1 INTRODUCTION ....................................................................................................................... 30
4.2 SOFTWARE DEVELOPMENT ...................................................................................................... 30
4.3 SOFTWARE TESTING AND DEBUGGING ..................................................................................... 30
4.4 SOFTWARE IMPLEMENTATION ................................................................................................. 31
4.4.1 Home Page ....................................................................................................................... 32
4.4.2 Registration page .............................................................................................................. 33
4.4.3 Login Page ........................................................................................................................ 34
4.4.4 Password Recovery/reset. ................................................................................................. 35
CHAPTER FIVE .................................................................................................................................. 36
SUMMARY CONCLUSIONS AND RECOMMENDATIONS ........................................................................ 36
5.1 SUMMARY .............................................................................................................................. 36
5.2 CONCLUSION .......................................................................................................................... 36
5.3 RECOMMENDATIONS .............................................................................................................. 36
References ....................................................................................................................................... 37
APPENDIX ........................................................................................................................................ 39

LIST OF TABLES
Table 3.1 Database Design ........................................................................................................... 23

LIST OF FIGURES
Figure 3.1 User Registration Flowchart ..................................................................................... 24
Figure 3.2 User Login Flowchart ................................................................................................ 25
Figure 3.3 Application Use Case Diagram ................................................................................. 26
Figure 3.4 Site Map ..................................................................................................................... 27
Figure 3.5 User Registration Form Design ................................................................................. 27
Figure 3.6 Login Form 1 Interface Design .................................................................................. 28
Figure 3.7 Login Form 2 User Interface Design ......................................................................... 29
Figure 4.1: Home Page ................................................................................................................ 32
Figure 4.2: User Registration Page ............................................................................................. 33
Figure 4.3: Login Page 1 ............................................................................................................. 34
Figure 4.4: Login Page 2 ............................................................................................................. 35

ABSTRACT
Since the inception of the Internet and the World Wide Web, the Internet has hosted a growing variety of web services and an ever-growing audience subscribing to these services. This is no doubt a clear indication that there is an urgent need for security and enhanced privacy of users’ data. As the most widely deployed authentication technique for the web, the alphanumeric password has failed to address these two important issues (security and privacy) due to its significant drawbacks: strong alphanumeric passwords are difficult to memorize and remember, while weak ones are susceptible to common password attacks. As alternatives, different authentication techniques have been introduced, with the graphical password being the simplest, most robust and most affordable technique. It is against this background that the need for further research on the subject matter arises, and hence the purpose of this project. The project looks into the development procedures for building a web based graphical password system and its possible outcome. This was accomplished by reviewing various literature on the subject matter and by designing and implementing a web based graphical password system using popular web development tools such as PHP, MySQL and JavaScript. The project finds that the development and implementation of a graphical password system on the web is feasible, viable and accomplishable, as demonstrated clearly in this project.

CHAPTER ONE

INTRODUCTION

1.1 BACKGROUND OF THE STUDY

Because of increasing threats to computer systems, there is a great need for security innovations. Security practitioners and researchers have made strides in protecting systems and, correspondingly, individual users’ digital assets. However, until recently security was treated wholly as a technical problem – the system user was not factored into the equation. Users interact with security technologies either passively or actively. For passive use, understandability may be sufficient for users. For active use, people need much more from their security solutions: ease of use, memorability, efficiency, effectiveness and satisfaction (Birget et al., 2005).

Authentication is the process of determining whether a user should be allowed access to a particular system or resource. It is a critical area of security research and practice. Alphanumeric passwords are used widely for authentication, but other methods are also available today, including biometrics and smart cards (Coventry, 2003).

However, there are problems associated with these alternative technologies. Biometrics raise privacy concerns, and smart cards usually need a PIN because cards can be lost. As a result, passwords are still dominant and are expected to remain so for some time (Brostoff et al., 2000).

Yet traditional alphanumeric passwords have drawbacks from a usability standpoint, and these usability problems tend to translate directly into security problems. That is, users who fail to choose good passwords and handle them securely open holes that attackers can exploit. The “password problem,” as formulated by (Wiedenbeck, Jean-Camille, Alex, Nasir, & Jim, 2018), arises because passwords are expected to comply with two conflicting requirements, namely: 1. Memorability and 2. Security.

However, meeting the conflicting requirements of a secure password is almost impossible for humans due to long-term memory limitations. Users have difficulty remembering complex, pseudo-random passwords over time, with the result that they compensate by creating weak passwords or handling them in an insecure way.

In this project, we present a graphical password scheme that uses multiple clicks on a single image, as proposed by Blonder (Greg, 1996). Blonder describes a graphical password as an image that appears on the screen, within which the user clicks on a few chosen regions. If the correct regions are clicked, the user is authenticated. However, this project overcomes some of the limitations of his scheme: there are no artificial predefined boundaries around the areas of the image within which the user can click, the user provides the password image, the stored password is encrypted, and a password reset feature is included.

1.2 SIGNIFICANCE OF THE STUDY

In view of the rapid development of computer technology in virtually all fields of operation and its use in information management (generation and storage), coupled with the rapid increase in computer attacks in recent times, which occur mostly due to the drawbacks of alphanumeric password systems, it has become important to look into the development of a web based graphical password system to achieve the following:

1. Ensure that the data/information being generated and stored by users are safe and highly secured (provide data security), and free from any malicious act that might tamper with their integrity.
2. Reduce the stress of users having to memorize long and complex pseudorandom passwords.
3. Develop a graphical password scheme for the web that is less susceptible to shoulder surfing attacks.

1.3 PROJECT MOTIVATION

The choice of this project topic was motivated by the lingering security threats to computer systems posed by some limitations of traditional alphanumeric passwords, and the desire to find a solution to them.

1.4 AIMS AND OBJECTIVES

The aim of this project is to develop a secure web based graphical password system. The specific objectives of this project are:

1. To review the existing literature on graphical passwords.
2. To design a new graphical password scheme that is robust against shoulder-surfing and brute-force attacks.
3. To implement the new design on a web platform.
4. To validate the system to ensure that only eligible users are allowed access to their accounts.

1.5 SCOPE AND LIMITATIONS OF THE STUDY

This study focuses on the development of a secure graphical password system with the following major subsystem components:

1. Registration system
2. Log in system
3. Log out system
4. Password reset system

The major limitation of the system is that it is not optimized for mobile phone use.

1.6 PROJECT METHODOLOGY

1. We will review related literature on graphical passwords.
2. The software that is developed will provide a user interface on the client side and a database on the back end for storing the username and password records of multiple users.
3. The application will be implemented using PHP and MySQL at the back end for server scripting and database design respectively. The front end will be implemented using HTML 5, jQuery (a JavaScript library) and CSS 3.
4. The software will then be tested by a group of random participants using computers running the Windows 10 operating system with a screen size of at least 15 inches.

1.7 PROJECT ORGANIZATION

The rest of this project is structured as follows:

Chapter Two: discusses basic information relating to graphical passwords, reviews past research that explores the issues and theories found in scholarly writings, and provides explanations, a summary and a critical evaluation of related work.

Chapter Three: discusses the methodology and the detailed investigation and analysis of the proposed system.

Chapter Four: discusses the system design and implementation.

Chapter Five: gives the summary and conclusion of the project work and suggests useful recommendations.

1.8 DEFINITION OF TERMS

1.8.1 Shoulder Surfing
Shoulder surfing is the process by which a person standing behind the person entering a password observes the password. It is a type of capture attack. Capture attacks occur when attackers directly obtain passwords (or parts thereof) by intercepting user-entered data or by tricking users into revealing their passwords.

1.8.2 Tolerance Region
The tolerance region is the area around an original click point that is accepted as correct, since it is unrealistic to expect a user to accurately target an exact pixel. The tolerance value is the value which indicates the degree of closeness to the actual click point (Iranna and Pankaja, 2013).

1.8.3 GRAPHICAL PASSWORDS
A graphical password is an authentication system that works by having the user select images in a specific order, or draw symbols, in a graphical user interface. The graphical password approach is sometimes called graphical user authentication (GUA).
1.8.4 AUTHENTICATION
Authentication is the process of verifying the identity of a user. It is based on one or a combination of something the user knows (a password, PIN, etc.), something the user has (a key, a card, etc.) or some physical trait of the user (a retina scan, fingerprint, etc.).

1.8.5 PASSPOINTS
PassPoints is a graphical password scheme in which a password consists of a sequence of click points on a single image. Users may select a predefined number of pixels in an image as click points and so create their own password. To log in, they select their click points again, within a system-defined tolerance square of the original click points.
1.8.6 PASSWORD STRENGTH
Password strength is the measure of the effectiveness of a password in withstanding guessing or brute-force attacks. It is the estimate of how many trials an attacker without direct access to the password would need, on average, to guess it correctly. Password strength is a function of length, complexity and unpredictability.

CHAPTER TWO

LITERATURE REVIEW

2.1 WHY WE NEED MORE SECURE AUTHENTICATION SYSTEM FOR THE WEB

For the past two decades, computer networks have grown at an explosive rate. In a wide range of environments, such networks have become a mission-critical tool. Organizations are building networks on larger scales than ever before, and connectivity with the global Internet has become indispensable. Along with this trend has come an explosion in the use of computer networks as a means of illicit access to computer systems (Goyal et al., 2005).

The Internet is known as a very powerful platform that has changed the way we communicate and perform business transactions with current technology (Idrus, Cherrier, Rosenberger, & Schwartzmann, 2013). It now touches every aspect of our lives, along with newer emerging security threats poised to cause destruction. According to Internet World Stats, as of June 30, 2012, over 2.4 billion users were using the Internet, and the numbers will no doubt keep increasing. Thus, the advent of information security has revolutionized our lives, particularly with regard to the information that is available, whereby data can easily be accessed and manipulated (Syed Idrus et al., 2009).

The security of transmitted information is becoming more important, especially as interactions that used to be carried out only offline, such as bank and commercial exchanges, are now being carried out online in the form of Internet banking and electronic commerce, and the damage due to attacks on them will be greater (Cha and Kim, 2008). As increasing amounts of personal information surface on the Web, it is essential to remain wary of the risks surrounding the ease with which our private details can be accessed. Social networking and online profiles contribute to this, giving potential intruders a plethora of sensitive information. Insafe reports that more than a quarter of children in Europe have online networking profiles which can be exposed, and with over 900 million people on Facebook alone the danger is widespread (Parris-Long, 2012).

2.2 THE CONCEPT OF AUTHENTICATION

‘Identification’, ‘authentication’ and ‘authorization’ are three interrelated concepts which form the core of a security system. Identification is the communication of an identity to an information system. In authentication, the claimant typically provides the information system with an identity anyway (for example, a login or an email address), and the monitor asserts the identity by authentication (for example, using a password). An authentication is a proof given by a claimant to assert to a monitor that he/she really corresponds to the identity he/she provided. The monitor then informs the information system of the identity of the user. Finally, authorization is the set of privileges granted to the user (Idrus, Cherrier, Rosenberger, & Schwartzmann, 2013).

Authentication systems provide the answers to the following questions: (i) who is the user? and (ii) is the user really who he/she represents himself/herself to be? Hence, authentication represents one of the most promising ways of enhancing trust and security for commercial applications. It also denotes the property of ensuring the identity of the previously mentioned entities (Kotzanikolaou and Douligeris, 2007). Besides, authorization is the process of giving individuals access to system objects based on their identity. Authorization systems provide the answers to three questions: (i) is user U authorized to access resource R?; (ii) is user U authorized to perform operation O?; and (iii) is user U authorized to perform operation O on resource R? (Idrus, Cherrier, Rosenberger, & Schwartzmann, 2013).

There is often confusion between ‘identification’, ‘authentication’ and ‘authorization’. These terms do not have the same meaning at all. Each of these concepts requires an enrolment step. Enrolment is the ‘registration’ of a new user, including the issuing of tokens and credentials. Enrolment is a major concern and should also be carefully handled.

Having said that, we then need a link between the claimant and the monitor. This link is called a channel. A channel is a medium of communication between the claimant and the monitor. It can be considered confidential, authentic, secure or insecure. A confidential channel is resistant to interception; an authentic channel is resistant to tampering; a secure channel is resistant to both; and an insecure channel is neither. The goal of authentication is to assert an identity, but the scope of authentication methods is very large and can vary in many ways (Idrus, Cherrier, Rosenberger, & Schwartzmann, 2013).

2.2.1 BASIC STEPS FOR AUTHENTICATION

The common basic steps for authentication as proposed by (Idrus, Cherrier, Rosenberger, & Schwartzmann, 2013) are:

1. Initial step: the claimant is unauthenticated.
2. Connection step: the claimant requests from the IS the use of a function that requires authentication. The IS asks the monitor to authenticate the claimant.
3. Authenticated step: the claimant is authenticated and a session is opened. The IS provides the user with the required functions.
4. Disconnection step: the user disconnects or is disconnected from the monitor and the state returns to the initial step. This step can be initiated on a time-out or by an action of the user.

An information system may require different levels of authentication, for example a level for administrators and a level for users. In such a system, the level of authentication is graduated on a scale: level 0 for an unauthenticated user with the lowest rights in the system; level N for the administrator with full rights; and one or multiple levels between 0 and N. Here, the scheme is that an authentication could be required by the information system to switch to a higher level of trust in the claimant. The security provided by an authentication method depends on its usability and acceptability. If the usability is bad, users will rapidly find ways to bypass the authentication steps for convenience. This will inevitably lead to a failure of the system, so it should be considered critical.

The authentication process can be based on a combination of one or more authentication factors. The four (widely recognized) factors to authenticate humans are:

1. Something the user knows: a password, a passphrase, a PIN code, the mother’s maiden name.
2. Something the user owns: a USB token, a phone, a smartcard, a software token, a browser cookie.
3. Something that qualifies the user: a fingerprint, DNA fragment, voice pattern, hand geometry.
4. Something the user can do: a signature, a gesture.

2.3 ALPHANUMERIC PASSWORD

2.3.1 PASSWORD ATTRIBUTES

Zviran and Haga (1999) conducted a survey of computer users at a Department of Defense installation in California. Questionnaires were returned by 997 participants. They observed that 24.9% of the respondents had 6 characters in their passwords and that 80.1% of the respondents’ passwords consisted of only alphabetic characters. Most user-selected passwords are derived from personal details meaningful to the individual, are fairly short, are made up of alphanumeric characters, are seldom changed, and are frequently written down. In other words, passwords remain easy to memorize and simple in structure and construction. They also observed the following:

1. Password selection methods affect password memorability.
2. Increasing the frequency of changing a password, even though it increases the level of security, hinders memorability.
3. The more frequently a password is used, the less often it is written down.
4. The more a password is used, the less difficult it is to remember.
5. Changing passwords frequently, although necessary to reduce password predictability, hinders recall.
6. Difficulty recalling a password is related to a user's tendency to write it down.
7. Difficulty recalling a password or writing it down is not related to a password's length.
8. Whether a password was chosen to make it easy to remember has no bearing on whether it is written down.

2.3.2 PASSWORD STANDARDS

The following sections describe the characteristics of strong and weak passwords according to the SANS Institute Password Policy (Sans.org, 2013).

Characteristics of Weak Passwords

1. The password has fewer than fifteen characters.
2. The password is a word that can be found in a dictionary (English or foreign).
3. The password is an ordinary word such as:
   a. Names of family, pets, friends, co-workers, fantasy characters, etc.
   b. Computer terms or names, commands, sites, companies, hardware, software.
   c. The words "<Company Name>", "sanjose", "sanfran" or any similar derivation.
   d. Birthdays and other personal information such as addresses and phone numbers.
   e. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
   f. Any of the above spelled backwards.
   g. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

A Strong Password has the Following Characteristics:

1. Contains both upper and lower case characters (e.g., a-z, A-Z).
2. Contains numbers and symbols as well as letters (e.g., 0-9, !@#$%^&*()_+|~=\‘{}[]:";’<>?,./).
3. Contains at least fifteen alphanumeric characters.
4. Is not a word in any language, slang, dialect, jargon, etc.
5. Is not based on personal, meaningful information such as names of family, telephone number, SSN, etc.
6. Is never written down or stored on-line.

In sum, a good password should be complex but nevertheless easy to remember (Burnett, 2002). A good password should also be long and consist of letters, numbers, and symbols. It should let the user type quickly with few errors (Burnett, 2002). Most importantly, a good password should appear random yet be familiar and meaningful to the user (Burnett, 2002). The best password policy is the one that enables the user to create such passwords (Burnett, 2002). However, the recommendations of most password policies are not always practiced by users or enforced (Medlin & Cazier, 2005).

2.3.3 END USER SECURITY

When users are allowed to select their own passwords, they tend to select passwords that are easy to remember but also easy to crack (Adams & Sasse, 1999). End users prefer passwords that are short, simple, and derived from meaningful details (Adams & Sasse, 1999). Like Zviran and Haga (1999), Adams and Sasse (1999) observed that some users create their passwords from details meaningful to them. This potentially includes variations of their own or a relative's name, a pet's name, street address, birth date, social security number, etc. They also observed that users' knowledge of what makes a password secure is insufficient. Most end users do not know how to create a secure password, and they do not know how serious it can be if their passwords are compromised (Adams & Sasse, 1999).

Adams and Sasse (1999) posit that, without instruction from IT experts, end users often create their own rules for inventing passwords, and these rules are often not secure. Passwords that can be derived from a dictionary (real words) are extremely easy to crack from an attacker's perspective, and most users do not know how password cracking works.

2.3.4 USING A PASSWORD MULTIPLE TIMES

Although password theft is a danger to the information system in which the password is compromised, it can also threaten other information systems (Ives, Walsh, & Schneider, 2004). Because many people have multiple password-protected accounts and often reuse the same password across them, a hacker who obtains one password can more easily gain access to the other accounts (Ives, Walsh, & Schneider, 2004). For example, if a hacker gains access to a poorly protected departmental file server and its passwords are compromised, those passwords can be used to gain access to a more securely protected corporate system. This is referred to as the "domino effect" (Ives, Walsh, & Schneider, 2004): one site's password file is compromised by a hacker, who then uses it to penetrate other information systems (Ives, Walsh, & Schneider, 2004).

2.3.5 SOCIAL PROBLEMS

Sasse, Brostoff and Weirich (2001) observed that sharing passwords is considered a sign of trust among colleagues and friends. People who are not willing to share passwords with colleagues are regarded as "untrusting", and users who practice safe computing by having strong passwords are often described as "paranoid" or "antisocial" (Sasse, Brostoff, & Weirich, 2001).

2.3.6 USERS' PROBLEMS WITH PASSWORDS

Users' propensity to handle alphanumeric passwords insecurely arises largely from long-term memory (LTM) limitations. Users have difficulty remembering complex, pseudo-random passwords over time. The Power Law of Forgetting (Bahrick, 1984) describes rapid forgetting soon after learning, followed by very slow decay over the long term. Psychological theories have identified decay over time and interference with other information in LTM as the underlying reasons for forgetting (Wixted, 2004). A user is likely to forget a password that is not used regularly, as the memory is not "refreshed" or "activated" sufficiently often. When users have multiple passwords, today practically a universal condition, interference becomes a possibility: the user may either jumble the elements of the different passwords, or remember a password but confuse which system it belongs to.

Users normally cope with password memory problems by decreasing the complexity and number of their passwords, thereby reducing password security. A secure password should be 8 characters or longer and random, with upper-case characters, lower-case characters, digits, and special characters. Such passwords lack meaningful content and can be learned only by rote memorization, a weak way of remembering (Rundus, 1971). Generally, users ignore such recommendations, using instead short, simple passwords that are relatively easy to discover using dictionary attacks or attacks based on knowledge of the user.

Surveys have shown that users often choose short, alphabetic-only passwords consisting of personal names of family or friends, names of pets, and even the word "password" (Sasse, Brostoff, & Weirich, 2001). Users typically write down their passwords, share passwords with others, and use the same password for multiple systems, sometimes with a single digit added at the end (Sasse, Brostoff, & Weirich, 2001). While poor password practices may be largely attributed to memory problems, there are other factors as well. Some users are unaware of the power of a modern dictionary attack or of the scope of the damage that may occur if their computer is breached. Even if users are somewhat knowledgeable about security, their motivations may get in the way of good practice: they want to get real work done and therefore view authentication as an enabling task to be got over with as quickly as possible (Adams & Sasse, 1999). A single-minded focus on immediate work goals, at the expense of security, places users at risk of widespread damage to their digital assets.

2.4 GRAPHICAL PASSWORDS

2.4.1 GRAPHICAL PASSWORD SYSTEMS

There are several graphical password systems based on recognition. For example, Passfaces worked as follows in Brostoff and Sasse's empirical study (Sasse, Brostoff, & Weirich, 2001). To create a password the user chooses four images of human faces from a large portfolio of faces. When logging in, the user sees a 3x3 grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces. The user must recognize and click anywhere on the previously chosen face. This procedure is repeated with different target and decoy faces, for a total of four rounds. Only if the user chooses all four correct faces will he or she successfully log in. Empirical evidence from a field trial (Sasse, Brostoff, & Weirich, 2001) shows that Passfaces may be more memorable than alphanumeric passwords. Evidence from another similar system, Déjà Vu (Dhamija & Perrig, 2000), suggests that initially choosing the images from the portfolio is a rather slow process, but the images are easier to remember over time. However, the drawback of all such passwords based on image recognition is that only a small number of images can be displayed, e.g., nine images, one of which is the chosen image. Therefore an attacker has a 1-in-9 chance of guessing the image in each round. To reduce that chance the login process uses several rounds of recognition. To obtain security similar to that of an 8-character alphanumeric password over an alphabet of 64 characters (64^8 = 2^48 possibilities), 15 or 16 rounds with 9 faces each would be required, since 9^15 is about 2^47.5 and 9^16 about 2^50.7. This could make the login slow and tedious. Also, using faces as the images has been shown to lead to passwords with very low entropy, because people choose faces in predictable ways (Davis, Monrose, & Reiter, 2004).

Graphical passwords based on cued recall were first discussed by Blonder. In such a scheme the user chooses several locations in an image to create a password. To log in the user must click on or close to those locations. There are no multiple rounds of images, just a single image. In an implementation of this scheme the image had predefined click objects or regions that were outlined by thick boundaries. The users chose the password from these objects and logged in using them (although the thick boundaries were not visible when logging in). A click anywhere within the boundary was considered correct. A problem with this scheme was that the number of predefined click regions was relatively small, so the password had to be quite long to be secure (e.g., 12 clicks). Also, the use of predefined click objects or regions required simple, artificial images, for example cartoon-like images, instead of complex, real-world scenes.

2.4.2 WHY GRAPHICAL PASSWORDS MAY BE BETTER

Most graphical password systems are based on either recognition or cued recall. In recognition-based systems the user must recognize previously chosen images from a larger group of distractor images. The decision is binary: either the image is known (recognized) or not known. In a cued-recall system the user must click on several previously chosen areas in an image, cued by viewing the image. Both types of system may have memory advantages over alphanumeric passwords. Alphanumeric passwords are based on pure recall (presuming the user has not written the password down). It is known that recognition memory is better than unaided recall (Norman, 1988). Furthermore, psychological studies show that images are recognized with very high accuracy (up to 98 percent) after a two-hour delay, which is much higher than the accuracy for words and sentences (Shepard, 2000). In addition, it has been found that the error in recognition of images is only 17 percent after viewing 10,000 pictures (Standing, 2001). Studies of recall also confirm that pictures are recalled better than words (Paivio, Rogers, & Smythe, 1976), and this has led to the tag "picture superiority effect" (Nelson, Reed, & Walling, 1977).

Cued recall, as used in graphical password systems, seems to be intermediate between recognition and pure recall. The decision is not binary, based on recognition of the image as a whole; the user has to recall his or her click areas within the image, but scanning the image helps the user identify the correct areas.

Other psychological research on images has shown that people can remember detailed visual information in natural scenes (Hollingsworth & Henderson, 2002) and that the content, affect, and organization of images influence the ability to remember an image (Bradley, Greenwald, Petry, & Lang, 1992). In terms of the choice of memorable images, psychologists have found that coherent images are more memorable than jumbled ones (Biederman, Glass, & Stacy, 1973). Also, long-term memory (LTM) stores the meaning of an image, not a replica of it; therefore concrete scenes are likely to be remembered well because of their semantically meaningful content, as opposed to abstract images.

2.4.3 GRAPHICAL AUTHENTICATION METHODS

Graphical password techniques fall into two main families, recall-based and recognition-based, with recall further divided into pure recall and cued recall.

1. Recognition-Based Technique: the user is presented with a collection of images from which they select pictures, icons or symbols. During authentication, the user is required to recognize their registration choice from among a set of candidates. Research shows that it is possible for the majority (90%) of users to remember their password after one or two months (Saranga and Dugald, 2008).

2. Pure Recall-Based Technique: the user is required to reproduce their password without being given any reminder, hint or cue. With the ease and convenience of this method one would expect users to remember their password, but as with Draw-a-Secret (DAS) and Qualitative DAS (Gao, Guo, Chen, Wang, & Liu, 2008), most users could barely remember their passwords.

3. Cued Recall-Based Technique: this technique is based on a framework of reminders, hints and cues that are meant to assist the user to reproduce their password, or to make the reproduction more accurate. Blonder's scheme and PassPoints are examples of this technique.

Our proposed scheme is not an entirely new algorithm; it is a web-based variant of PassPoints with slight improvements. PassPoints is a graphical password scheme created in 2005 to improve upon the shortcomings of Blonder's scheme, and it filled the gaps left by Blonder. In PassPoints the image can be any natural picture or painting, provided it is rich enough to offer many possible click points. The image is not secret and has no role other than helping the user remember the click points. Furthermore, PassPoints is not as rigid as Blonder's scheme, which requires artificial predefined click regions with well-marked boundaries.

CHAPTER THREE

SYSTEM ANALYSIS AND DESIGN

3.0 INTRODUCTION

System analysis and design is a distinct phase of development that gives a full description of the existing system. This phase also involves a series of tasks that include the design specification of the new system and its test plan.

The appropriate design of a system requires that it is critically analyzed in order to fully understand the goals and objectives of the system. The quality of system analysis can have a big effect on the speed of system design, programming and testing, because a significant percentage of the faults in a system originate from shortcomings during analysis. A methodology is a systematic way of accomplishing certain tasks and may be defined as a collection of procedures, techniques, tools and documentation aids that can help to speed up and simplify tasks (Pressman, 2005). This chapter describes the development methodology and the evaluation methodology used to develop the web-based Graphical Password System.

3.1 SYSTEM ANALYSIS

System analysis is a problem-solving technique that decomposes a system into its components for the purpose of studying how well those components work and interact to accomplish their purpose.
3.1.1 DETAILED ANALYSIS OF THE EXISTING SYSTEM

Since the beginning of the internet boom, there has been a huge migration from standalone applications to web applications. These applications come in many varieties, managing almost all aspects of our daily activities and storing large amounts of information about individuals and corporations.

To exercise some form of access control, alphanumeric passwords have mostly been deployed, but they are not without their limitations. The total password space of an 8-character alphanumeric password drawn from the 94 printable ASCII characters is 94^8, about 6.1 × 10^15 (roughly 2^52), and that bound is reached only if users actually pick uniformly from it. Several studies have shown that good passwords are very difficult to create and remember, so users of such web applications most of the time choose passwords that are short and easy to remember but also very susceptible to several modes of attack. These and other problems clearly indicate the need to provide a better alternative to alphanumeric passwords.

3.1.2 OUR PROPOSED SYSTEM

In this project, we propose a web-based graphical password system in which the user chooses several locations in an image to create a password instead of typing a string of numbers and letters. There are no multiple rounds of images, just a single image. After a sequence of click points (i.e., pixels) has been chosen (the "password"), the system calculates a tolerance region around each chosen pixel, maps each pixel to the tolerance cell that contains it, and stores a cryptographic hash of the resulting cell sequence rather than the raw coordinates. Hashing is one-way: unlike encryption, there is no key that recovers the click points from the stored value. Discretising into cells before hashing is what makes a tolerance possible at all, since any click inside the same cell produces the same hash input; if raw coordinates were stored instead so that a distance could be computed at login, a compromise of the database would expose every user's password directly. When logging in, a click is valid only if it falls within the tolerance of the corresponding chosen point. The size of the tolerance can be varied, but for the password space to remain large it should not be too large, e.g., 2 to 5 pixels around each chosen pixel. To log in the users must click within the tolerance of their chosen click points, in the order in which they were chosen, and their memory is cued by the image as they enter the password. The image is provided by the user; the main requirement is that it be a complex image, visually rich enough to have many potentially memorable click places.
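The storage and matching step described above, as an added illustrative example in Python (the project itself is written in PHP; this is not its code). It assumes PassPoints-style centred discretisation, in which a per-point grid offset is stored in the clear and only a salted PBKDF2 hash of the sequence of grid cells is stored, so that every click within the tolerance lands in the same cell as the registered point. It also goes beyond the text by estimating the resulting password space for a given image size and number of clicks, and the number of rounds a 9-face recognition scheme needs to match 64^8 (section 2.4.1). The image size, the click points and the 200,000-iteration work factor are constructed for the example.

```python
"""Click-point password storage with a pixel tolerance.

Added example, not the project's PHP code. Assumes PassPoints-style
centred discretisation: one (offset_x, offset_y) per click point is stored
in the clear, and a salted PBKDF2-HMAC-SHA256 hash of the grid-cell
sequence is stored in place of the raw coordinates.
"""
import hashlib
import hmac
import math
import os

TOLERANCE = 5               # pixels; the design allows 2 to 5
CELL = 2 * TOLERANCE + 1    # cell width, so +/- TOLERANCE around a point fits in one cell
ITERATIONS = 200_000        # PBKDF2 work factor (constructed; argon2id would be preferable)


def centred_offset(x, y):
    """Grid offset that places (x, y) exactly in the middle of its cell."""
    return ((x - TOLERANCE) % CELL, (y - TOLERANCE) % CELL)


def discretise(x, y, offset):
    """Grid cell containing (x, y) under the given offset."""
    ox, oy = offset
    return ((x - ox) // CELL, (y - oy) // CELL)


def hash_cells(cells, salt):
    """Salted, slow hash of the ordered cell sequence (order is part of the password)."""
    material = ";".join(f"{cx},{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def register(clicks):
    """Build the record to store: salt, per-point offsets and hash. No raw pixels."""
    salt = os.urandom(16)
    offsets = [centred_offset(x, y) for x, y in clicks]
    cells = [discretise(x, y, o) for (x, y), o in zip(clicks, offsets)]
    return {"salt": salt, "offsets": offsets, "hash": hash_cells(cells, salt)}


def verify(record, clicks):
    """True if every click lies within TOLERANCE of its registered point, in order."""
    if len(clicks) != len(record["offsets"]):
        return False
    cells = [discretise(x, y, o) for (x, y), o in zip(clicks, record["offsets"])]
    candidate = hash_cells(cells, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


def click_space_bits(width, height, n_clicks, tolerance=TOLERANCE):
    """log2 of the number of distinct cell sequences for an image and click count."""
    cell = 2 * tolerance + 1
    cells = math.ceil(width / cell) * math.ceil(height / cell)
    return n_clicks * math.log2(cells)


def recognition_rounds(choices_per_round=9, target_bits=48):
    """Rounds a 1-of-k recognition scheme needs to reach target_bits (64^8 = 2^48)."""
    return math.ceil(target_bits / math.log2(choices_per_round))


if __name__ == "__main__":
    # Constructed sample: three click points on a 640x480 image.
    chosen = [(120, 80), (400, 310), (615, 45)]
    record = register(chosen)
    print("exact clicks accepted:", verify(record, chosen))
    print("5 px off accepted:", verify(record, [(125, 85), (395, 305), (615, 50)]))
    print("6 px off rejected:", not verify(record, [(126, 80), (400, 310), (615, 45)]))
    print("wrong order rejected:", not verify(record, [chosen[1], chosen[0], chosen[2]]))
    print("bits, 3 clicks on 640x480:", round(click_space_bits(640, 480, 3), 1))
    print("bits, 5 clicks on 640x480:", round(click_space_bits(640, 480, 5), 1))
    print("rounds for 9-face recognition to reach 2^48:", recognition_rounds())
```

Two things the numbers make visible. Each stored offset reveals the registered coordinate modulo the cell width, which is why the offsets sit beside the hash rather than replacing it and why a slow hash and rate limiting at login still matter. And three clicks on a 640×480 image with a 5-pixel tolerance give only about 2^34 distinct passwords, far below the 2^52 of an 8-character alphanumeric password; five clicks reach about 2^57.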

3.1.3 FUNCTIONAL AND NON-FUNCTIONAL REQUIREMENTS

FUNCTIONAL REQUIREMENTS

The system is required to perform the following functions at all times:

1. Allow users to register and create a password.

2. Log in authenticated users.

3. Log out users.

4. Reset a user's password on demand.

NON-FUNCTIONAL REQUIREMENTS

1. Concurrency control: many users should be able to use the software concurrently without any noticeable delay.

2. Performance: the processing time should be within a very few seconds.

3. Fast response time: the system needs to have a much quicker response time than typical web applications.

4. Availability: the system should never fail to deliver services when requested.

5. Usability: the system should be fit for use, or simply put, have a very user-friendly interface.

6. Memorability: passwords created using the system should be easily remembered by users.

7. Reliability: the system should behave consistently in a user-acceptable manner when operating within the environment for which it is intended.

8. Security: the system should protect the database against unauthorized reading or manipulation of users' data; in particular the stored password records must not reveal users' click points even if the database contents are obtained.
3.1.4 SYSTEM REQUIREMENTS

Since the system is web-based, the following are required for it to function properly:

1. A web server (Apache)

2. Internet connection

3. A PC (desktop/laptop)

4. A database management system (MySQL)

5. A screen size of at least 10.1 inches

6. Web browser (JavaScript enabled)

7. PHP version 5.5 or above (PHP 5.5 itself no longer receives security fixes, so a currently supported release should be used in deployment)

8. HTML5

9. CSS3

10. JavaScript (jQuery)

3.2 SYSTEM DESIGN

The proposed system consists of four modules, two of which have sub-modules:

1. User registration module

a. Biodata registration module

b. Image selection and password generation module

2. Login module

a. Password extraction module

b. Password match module

3. Password reset module

4. Logout module
S/NO  FIELD NAME    TYPE
1     ID            Int(11)
2     Username      VarChar(50)
3     Email         VarChar(50)
4     RecoveryCode  VarChar(15)
5     Name          VarChar(50)
6     X1            VarChar(35)
7     X2            VarChar(35)
8     X3            VarChar(35)
9     Y1            VarChar(35)
10    Y2            VarChar(35)
11    Y3            VarChar(35)

Table 3.1 Database Design

X1 to Y3 hold the stored password vector of section 3.1.2 for the three click points. Two points follow from that section: these columns must hold the hashed cell sequence rather than raw pixel coordinates, and the hash should cover the whole ordered sequence as one salted value, because a separate hash per coordinate could be brute-forced one column at a time over at most a few thousand possible values each. RecoveryCode holds the value used by the password reset flow of chapter 4 and should likewise store a hash of the emailed token rather than the token itself.
Figure 3.1 User Registration Flowchart: Start; get unique user ID; select image; click on area of choice, repeated while the number of clicks is less than 4; hash ("encrypt" in the figure) the user password vector; save the user profile vector; Stop.
Figure 3.2 User Login Flowchart: Start; read user ID; fetch the user profile vector from the database; display the password image; click on the password area, repeated while the number of clicks is less than 4; compare the login vector with the stored user vector; if the login vector is within tolerance of the stored vector, log on, otherwise treat the attempt as an impostor; Stop.
Figure 3.3 Application Use Case Diagram: use cases Register, Login, View Users, Reset Password and Logout, with actors User and Admin.
Figure 3.4 Site Map: the Home Page links to Register, Login and Reset Password; Login leads to Logout.

Figure 3.5 User Registration Form Design: fields Name, UserName and Email, with Register and Clear buttons.
Figure 3.6 Login Form 1 Interface Design: a single "Email or Username" field with a Proceed button.
Figure 3.7 Login Form 2 User Interface Design: the password image with the prompt "Click on Password Area to Login" and a Login button.
CHAPTER FOUR

4.1 INTRODUCTION

System implementation refers to the transformation of the system specification, designed from the originally obtained requirements, into program code. This chapter describes in detail the stages involved in the implementation of this project. After the initial design has been finalized, the development of the system is iterated; each iteration includes implementation, evaluation and testing (System Design Document, 2014).

4.2 SOFTWARE DEVELOPMENT

This phase produces the actual code that will be delivered as the running system. Individual modules developed in this phase are tested before being delivered to the next phase.

This application was developed using PHP, HTML, JavaScript and MySQL, as mentioned earlier. The software is designed to complement the existing alphanumeric password system of authenticating users.

4.3 SOFTWARE TESTING AND DEBUGGING

This is the stage at which the new system is tested by populating it with data via the front end to ensure that it is working properly.

Software testing is a critical element of software quality assurance and represents the ultimate review of specification, design and code generation. Testing refers to the verification and validation activities of the system, while debugging is the detection, location and removal of errors in a program (System Design Document, 2014). The testing and debugging stage serves several purposes; it is used to affirm the quality of the program and to eliminate any residual errors.
Since the system is entirely new, every aspect must be checked with test data, perhaps using multiple systems. Recovery and security procedures must be tested. Once these tasks are satisfactory, data files are established and simultaneous runs initiated. Errors flagged during testing and implementation are corrected, and the documentation must be altered to reflect the changes.

4.4 SOFTWARE IMPLEMENTATION

System implementation takes place once the proposed system has been realized, tested and found to be working without errors. It is the installation of the new system after all the requirements have been met, based on the user's definition of quality. Implementation comes directly after the testing phase. Where an old method exists, as in the case of this work, the new system must offer the functionality of the old method plus additional functionality before it can be considered as a replacement. Such functionality includes reliability of the software, performance of the software and security of the software.
4.4.1 Home Page

Figure 4.1: Home Page

The home page serves as the gateway through which all other functions of the application are accessed. The important links in the top navigation menu of the home page are (1) the register page for new users and (2) the login page for returning users to access their account.
Figure 4.2: User Registration Page

4.4.2 Registration Page

For a user to be able to use the system, he must first register. The registration page has a registration form containing six (6) compulsory fields that must be filled with the appropriate information before the system will accept them for processing and storage. These fields include (1) a username, which must be unique to each user; (2) an email address, which is also unique, as it is used for password reset; (3) the user's first and last name; and (4) rank/designation. Of particular importance is the file selection field, which enables the user to select from local storage a photo to use in generating the password. As soon as a photo is selected it is displayed on the page, as shown in the figure below, and the user is prompted to click on three areas in an order that he can recall. Because the photo is untrusted user input, the server should verify that the upload really is an image (by its content, not its file extension), limit its size, and store it under a server-generated name; and since the image is shown to anyone who enters the username at login, it should not contain anything the user would not want displayed.
Figure 4.3: Login Page 1

4.4.3 Login Page

The login process in this application has two phases. In the first phase, a registered user enters his username and clicks the login button; the system checks the database for that username and, if no matching user is found, shows an error message. If a matching user is found, the link to his password picture is fetched.

In the second phase, the password image fetched in phase one is displayed and the user is prompted to click on the areas he selected during registration. On completion of the required number of clicks, the system validates each point in the order in which it was clicked, matching it against the stored one within the specified tolerance. If all the points fall within the tolerance, the user is logged in; otherwise the user is asked to repeat phase two.

Two checks belong in this flow. First, the phase-one error message tells a caller whether a username exists, the same account enumeration problem a text-password login has; the response for an unknown username should not differ from that for a failed phase two. Second, because three click points with a few pixels of tolerance give a password space far smaller than an alphanumeric password's (section 3.1.2), failed attempts must be rate limited or the account locked after a small number of failures, otherwise online guessing becomes practical.
Figure 4.4: Login Page 2

4.4.4 Password Recovery/Reset

The password recovery process is also divided into two phases. In the first phase, the user enters his username and clicks on "Forgot Password". The system looks up the email address associated with the account and sends a unique password reset link to it.

The second phase begins when the user clicks on the link. The system validates the link, updates the recovery field in the database and displays a file selection menu that allows the user to select a new image to use for password creation. On submission, the user's old password is replaced with the new one.

For the link to be "unique" in a way an attacker cannot forge, the reset token it carries must be generated from a cryptographically secure random source, be valid for a limited time, be accepted only once, and be stored only as a hash (in the RecoveryCode field of Table 3.1), so that neither reading the database nor guessing yields a usable link. The phase-one response should also be the same whether or not the username exists, for the same enumeration reason as at login.
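The two-phase reset flow just described, as an added illustrative example in Python (not the project's PHP code). It assumes that the link carries a random token of which only the SHA-256 hash and an expiry time are stored (the RecoveryCode field or a dedicated table), that the token is invalidated as soon as it is used, and that phase one answers identically whether or not the username exists. The account record, the mail outbox, the 15-minute lifetime and the example.invalid link format are constructed for the example; `now` is a parameter so that expiry can be exercised without waiting.

```python
"""Single-use, expiring password-reset tokens for a two-phase reset flow.

Added example, not the project's PHP code. Assumes only the SHA-256 hash
of the token and an expiry timestamp are stored; the constructed in-memory
dictionary and outbox list stand in for the MySQL table and the mailer.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

RESET_TTL = 15 * 60    # seconds a reset link stays valid (constructed choice)
GENERIC_REPLY = "If an account with that username exists, a reset link has been emailed to it."


def new_accounts():
    """Constructed sample table: username -> account record."""
    return {"iymusa": {"email": "user@example.invalid", "reset_hash": None, "reset_expires": 0.0}}


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(accounts, username, outbox, now=None):
    """Phase 1: issue a fresh token to the account's email address.

    The reply is the same for known and unknown usernames, so the endpoint
    cannot be used to enumerate accounts; the token itself is never stored.
    """
    now = time.time() if now is None else now
    account = accounts.get(username)
    if account is not None:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        account["reset_hash"] = _token_hash(token)
        account["reset_expires"] = now + RESET_TTL
        link = f"https://example.invalid/reset?u={username}&t={token}"   # assumed link format
        outbox.append((account["email"], link))
    return GENERIC_REPLY


def consume_reset(accounts, username, token, now=None):
    """Phase 2: validate the link once. True means the user may now set a new image."""
    now = time.time() if now is None else now
    account = accounts.get(username)
    if account is None or account["reset_hash"] is None:
        return False
    if now > account["reset_expires"]:
        account["reset_hash"] = None                # expired: discard it
        return False
    ok = hmac.compare_digest(_token_hash(token), account["reset_hash"])
    if ok:
        account["reset_hash"] = None                # single use: clear on success
        account["reset_expires"] = 0.0
    return ok


def token_from_link(link):
    """What the mail client or test does: pull the token back out of the link."""
    return parse_qs(urlparse(link).query)["t"][0]


if __name__ == "__main__":
    db, outbox = new_accounts(), []
    print(request_reset(db, "nobody", outbox))          # same reply, nothing sent
    print(request_reset(db, "iymusa", outbox))          # same reply, one mail queued
    token = token_from_link(outbox[-1][1])
    print("first use:", consume_reset(db, "iymusa", token))
    print("second use:", consume_reset(db, "iymusa", token))
```

A wrong token leaves the stored hash in place, so a user who mistypes can still use the genuine link, while a successful use or an expiry clears it; storing only the hash means a read of the table gives an attacker nothing that can be pasted into a browser.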
CHAPTER FIVE

SUMMARY, CONCLUSIONS AND RECOMMENDATIONS

5.1 SUMMARY

In this project we presented a web-based graphical password scheme designed to be simple and at the same time robust and resistant to many forms of attack. Shoulder surfing, which has bedeviled many graphical password schemes, remains a limitation of any click-point scheme, including this one, since an onlooker who can see the screen sees the click sequence; the scheme's advantage lies in memorability (section 2.4.2) rather than in hiding the entry from observers. The most important usability and security goal of an authentication system is to help the user select better passwords that can easily be remembered without reducing the effective password space. To balance these two goals (usability and security), we added a module that sends a password reset link directly to a user's email when he forgets his password.

5.2 CONCLUSION

The working model presented in this project demonstrates that our system can be used to secure many web-based services, such as email, internet banking, and organizational and institutional websites, and an improved extension of it could serve as a means of authentication on a variety of devices and platforms.

5.3 RECOMMENDATIONS

Since this application has not been fully checked for usability and effectiveness on mobile phones and small-screen devices, making it compatible with almost all devices and platforms would be a very good area for future work.
References

Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM (Association for Computing Machinery), 40-42.
Bahrick, H. (1984). Semantic memory content in permastore: Fifty years of memory for Spanish learned in school. Journal of Verbal Learning and Verbal Behavior, 1-24.
Biederman, I., Glass, A. L., & Stacy, E. (1973). Searching for objects in real world scenes. Journal of Experimental Psychology, 97, 22-27.
Bradley, M. M., Greenwald, M. K., Petry, M. C., & Lang, P. J. (1992). Remembering pictures: Pleasure and arousal in memory. Journal of Experimental Psychology, 81(2), 379-390.
Britt, P. (2017, March 30). Cybersecurity Risk Management: Finding and Fixing Your Security Vulnerabilities. Retrieved from eSecurity Planet: www.esecurityplanet.com/amp/network-security/cybersecurity-risk-management.htm
Burnett, M. (2002, March 7). Ten Windows Password Myths. Retrieved July 20, 2018, from securityfocus.com: http://www.securityfocus.com/infocus/1554
Davis, D., Monrose, F., & Reiter, M. (2004, August 9-14). On User Choice in Graphical Password Schemes. Retrieved September 10, 2018, from USENIX: http://www.usenix.org/events/sec04/tech/davis.html
Dhamija, R., & Perrig, A. (2000, August 14). Déjà Vu: A User Study Using Images for Authentication. Retrieved August 26, 2018, from usenix.org: http://www.usenix.org/publications/library/proceedings/sec2000/dhamija.html
Gao, H., Guo, X., Chen, X., Wang, L., & Liu, X. (2008). YAGP: Yet Another Graphical Password Strategy. Annual Computer Security Applications Conference (ACSAC), 121-129.
Hollingsworth, A., & Henderson, J. S. (2002). Accurate visual memory for previously attended objects in natural scenes. Journal of Experimental Psychology: Human Perception and Performance, 28, 113-136.
Idrus, S. Z., Cherrier, E., Rosenberger, C., & Schwartzmann, J.-J. (2013). A Review on Authentication Methods. Australian Journal of Basic and Applied Sciences, 95-107.
Ives, B., Walsh, K. R., & Schneider, H. (2004). The Domino Effect of Password Reuse. Communications of the ACM (Association for Computing Machinery).
Medlin, B. D., & Cazier, J. A. (2005). An Investigative Study: Consumers' Passwords. Journal of Information Privacy & Security, 44.
Nelson, D. L., Reed, U. S., & Walling, J. (1977). Picture Superiority Effect. Journal of Experimental Psychology: Human Learning and Memory, 485-497.
Norman, D. A. (1988). The Design of Everyday Things. New York: Basic Books.
Paivio, A., Rogers, T. B., & Smythe, P. C. (1976). Why are pictures easier to recall than words? Psychonomic Science, 11(4), 137-138.
Rouse, M., & Scarpati, J. (2018). Networking. Retrieved from TechTarget.com: https://searchnetworking.techtarget.com/definition/networking
Rundus, D. J. (1971). Analysis of rehearsal processes in free recall. Journal of Experimental Psychology, 63-77.
Sans.org. (2013). SANS Institute Password Policy. Retrieved from www.sans.org/
Sasse, M. A., Brostoff, S., & Weirich, D. (2001). Transforming the 'Weakest Link': a Human/Computer Interaction Approach to Usable and Effective Security. BT Technology Journal, 122.
Shepard, R. N. (2000). Recognition Memory for Words, Sentences and Pictures. Journal of Verbal Learning and Verbal Behaviour, 156-163.
Standing, L. P. (2001). Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 207-222.
System Design Document. (2014). Retrieved from CMS.gov: https://www.cms.gov/Research-Statistics...Systems/.../SystemDesignDocument.docx
US-CERT. (2008). Computer Forensics. Retrieved October 31, 2018, from US-CERT: www.us-cert.gov/publications/forensics.pdf
Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., & Memon, N. (2018). Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice.
Wixted, J. T. (2004). The psychology and neuroscience of forgetting. Annual Review of Psychology, 235-269.
Zviran, M., & Haga, W. J. (1999). Password security: An empirical study. Journal of Management Information Systems, 161.
APPENDIX
