GRAPHICAL PASSWORDS AUTHENTICATION
SEMINAR CODE: CIT403
SEMINAR TITLE: EMERGING TECHNOLOGY
NATIONAL OPEN UNIVERSITY OF NIGERIA (NOUN)
ABEOKUTA STUDY CENTER
PRESENTED BY
ADENIRAN TIMOTHY ISHOLA
MATRIC NUMBER: NOU193138616
SUBMITTED TO THE DEPARTMENT OF COMPUTING
IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR AWARD
OF BACHELOR OF SCIENCE (B.Sc) IN THE DEPARTMENT OF
COMPUTER SCIENCE
MAY, 2025
ABSTRACT
The most common computer authentication method is to use alphanumerical usernames and
passwords. This method has been shown to have significant drawbacks. For example, users
tend to pick passwords that can be easily guessed. On the other hand, if a password is hard
to guess, then it is often hard to remember. To address this problem, some researchers have
developed authentication methods that use pictures as passwords. Passwords provide a
security mechanism for authentication and protect services against unwanted access to
resources. A graphical password is one promising alternative to textual passwords.
According to human psychology, humans are able to remember pictures easily. The scheme
discussed here is resistant to shoulder surfing and many other attacks on graphical passwords.
This scheme is proposed for smart mobile devices (such as smartphones, iPods, iPhones, PDAs, etc.),
which are handier and more convenient to use than traditional desktop computer systems.
1. Introduction
One of the major functions of any security system is the control of people in or out of
protected areas, such as physical buildings, information systems, and our national borders.
Computer systems and the information they store and process are valuable resources which
need to be protected. Computer security systems must also consider human factors such
as ease of use and accessibility. Current secure systems suffer because they mostly ignore
the importance of human factors in security. An ideal security system considers security,
reliability, usability, and human factors. All current security systems have flaws which
make them suitable for well-trained and skilled users only. A password is a secret that is
shared by the verifier and the customer. "Passwords are simply secrets that are provided by
the user upon request by a recipient." They are often stored on a server in an encrypted
form so that a penetration of the file system does not reveal password lists. Passwords are
the most common means of authentication because they do not require any special
hardware. Typically passwords are strings of letters and digits, i.e. they are alphanumeric.
Such passwords have the disadvantage of being hard to remember. Weak passwords are
vulnerable to dictionary attacks and brute force attacks, whereas strong passwords are
harder to remember. To overcome the problems associated with password-based
authentication systems, researchers have proposed the concept of graphical passwords
and developed alternative authentication mechanisms. Graphical password systems are
the most promising alternative to conventional password-based authentication systems
(Rachna Dhamija and Adrian Perrig, 2016).
Graphical passwords (GP) use pictures instead of textual passwords and are partially
motivated by the fact that humans can remember pictures more easily than a string of
characters.
The idea of graphical passwords was originally described by Greg Blonder in 1996.
The idea of graphical passwords was originally described by Greg Blonder in 1996.
2.1 Graphical passwords
Graphical passwords were first introduced by Blonder in 1996. A graphical password is
an authentication system which allows users to select from images, in a specific order,
presented in a graphical user interface (GUI). Graphical passwords can be easily
remembered, as users remember images better than words. Graphical password techniques
are categorized into two main families: recall-based and recognition-based graphical
techniques (Xiayuan Suo, YingZhu, Scott Owen, 2018).
Recognition Based System
In recognition-based techniques, authentication is done by challenging the user to identify
the image or images that the user selected during the registration stage. Another name for
recognition-based systems is search-metric systems. They generally require users to
memorize a number of images during password creation and then, to log in, to identify
their images among those presented. Humans have a unique ability to identify images previously seen,
even those which were viewed very briefly. Recognition-based systems have been
proposed with usability and security considerations in mind, and they offer good usability (Xiayuan Suo,
YingZhu, Scott Owen, 2018).
Pure Recall-Based Techniques
In this group, users need to reproduce their passwords without any help or reminder from
the system. The Draw-A-Secret technique, Grid Selection, and Pass doodle are some examples of
pure recall-based techniques. The DAS (Draw-A-Secret) scheme is one in which the
password is a shape drawn on a two-dimensional grid of size G × G, as in Fig. 7. Each cell in
this grid is represented by distinct rectangular coordinates (x, y). The values of the touched grid
cells are stored in the temporal order of the drawing. If the exact coordinates are crossed in the same
registered sequence, then the user is authenticated. As with other pure recall-based
techniques, DAS has many drawbacks. In 2016, a survey concluded that most users forget
their stroke order and that they can remember text passwords more easily than DAS. Also, the passwords
chosen by users are vulnerable to graphical dictionary attacks and replay attacks.
In 2017, the Grid Selection technique was proposed by Thorpe and Van Oorschot to
enhance the password space of DAS. To improve the DAS security level, they suggested the
"Grid Selection" technique, where the selection grid is large at the beginning: a fine-grained
grid from which the person selects a drawing grid, a rectangular area to zoom in on, in which
they may enter their password, as shown in Fig. 8. This technique increases the password
space of DAS, which improves the security level at the same time. However, this technique
only improves the password space of DAS and still carries over the DAS weaknesses.
Pass doodle is a graphical password of handwritten drawing or text, normally
sketched with a stylus over a touch-sensitive screen, as shown in Fig. 9. Goldberg et al. have
shown that users were able to recognize a complete doodle password as accurately as text-based
passwords. Unfortunately, the Pass doodle scheme has many drawbacks. Users were
fascinated by other users' drawn doodles, and usually entered other users' passwords merely to
view doodles different from their own. It is concluded that the Pass doodle scheme is vulnerable
to several attacks such as guessing, spyware, key-loggers, and shoulder surfing.
Fig. 8: Example of Grid Selection. Fig. 9: Example of Pass doodle.
Recall Based System
In recall-based techniques, a user is asked to reproduce something that he or she created or
selected earlier during the registration stage. Recall-based graphical password systems are
occasionally referred to as drawmetric systems, since a secret drawing is recalled and
reproduced by the user. In these systems, users typically draw their password either on a
blank canvas or on a grid. The password can be protected using various techniques in
graphical authentication.
Cued Recall-Based Techniques
In this technique, the system gives some hints which help users to reproduce their
passwords with high accuracy. These hints are presented as hot spots (regions) within an
image. The user has to choose some of these regions to register as their password and
has to choose the same regions in the same order to log into the system. The user
must remember the "chosen click spots" and keep them secret. There are many
implementations, such as the Blonder scheme and the PassPoints scheme. In 1996,
G. E. Blonder designed a scheme in which a user is presented with a
predetermined image. The user has to locate one or more tap regions on the displayed image as
their password. The user has to click on the approximate areas of those tap regions in the
predefined order (Fig. 1).
Fig. 1: Blonder scheme. Fig. 2: VisKey SFR.
The major problem with this scheme is related to the memorable password space. Users
cannot randomly click the background of the image, since that would make the created password
difficult to recall because of the simple background of the image. VisKey is a recall-based
authentication scheme that has been commercialized by the SFR company in Germany.
This software was designed specifically for mobile devices such as PDAs. On PDAs, the
technique uses a grid for session password generation. To form a password, users need to tap
their spots in sequence (Fig. 2).
The problem with this technique is the input tolerance. Since it is difficult to point to
the exact spots on the picture, VisKey permits all input within a certain tolerance area around
each spot. The size of this area can be predefined by users. Nonetheless, the parameters related to
input precision need to be set carefully, as they directly influence the security and the
usability of the password. For a practical setting of parameters, a four-spot VisKey can theoretically
offer almost 1 billion possibilities to define a password. However, this is not large enough
to avoid off-line attacks by a high-speed computer. At least seven defined spots are
needed in order to withstand brute force attacks. Passlogix Inc. is a commercial security
company located in New York City, USA. Their scheme, called Passlogix v-Go, uses a
technique known as "repeating a sequence of actions", which means creating a password by a
sequence. In this scheme, users can select their background images based on an environment,
for example a kitchen, bathroom or bedroom (Fig. 3). To enter a password, the user can
click and/or drag on a series of items within that image. For example, in the kitchen
environment, the user can prepare a meal by selecting cooking ingredients, take fast food from the
fridge and put it in the microwave oven, select some fruits and wash them in the washbasin and then
put them in the clean bowl.
Fig. 3: Passlogix scheme. Fig. 4: PassPoints scheme.
Other environments such as a cocktail lounge allow users to select their favorite vodka, brandy
or whiskey and mix it with other cocktails. This type of authentication is easy to remember
and fun to use. Nevertheless, there are some disadvantages, such as the small size of the password
space. There are limited places that one can take vegetables, fruits or food from and put
them into, which makes the passwords somewhat guessable or predictable. Experimental
studies by Wiedenbeck et al. extended Blonder's design. Their scheme, called
"PassPoints", expanded the clickable area of the traditional image background introduced by
Blonder. As a result, users can click anywhere on an image to form a password (Fig. 4). The
tolerance area of each selected location is also calculated to ensure it fulfills the usability and
security requirements. A user is authenticated if he or she accurately clicks all the selected
locations within the tolerance of each selected area. Since the authors allow the use of any
type of image, the memorable password space is relatively larger than that of textual
passwords. However, PassPoints users had more difficulty learning the password, and it also took more
time to input their passwords compared to alphanumeric passwords.
Fig. 11- Jermyn et al. DAS scheme
Jermyn et al. proposed a scheme known as "Draw-A-Secret (DAS)". This scheme is
based on a two-dimensional grid on which users have to draw something to represent their password.
Each of the grid coordinates from the drawn picture is stored in the order of the drawing. To
be authenticated, the user needs to redraw the picture. If the drawing lines up at the same
grid coordinates in the proper sequence, then the user is authenticated (Figure 2). There
are some advantages to using a grid as the background for the drawing.
First, users can draw a password as long as they wish. Second, grid-based
techniques also lessen the need for graphical database storage on the server side and
reduce the traffic load, since no images are transferred over the network. Furthermore, the
full password space of grid-based schemes is much larger than that of traditional textual
passwords.
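The DAS encoding described above (touched grid cells stored in the temporal order of the drawing, with the secret compared cell by cell) can be made concrete with the following added example. It is not code from the seminar paper or from Jermyn et al.; the canvas size, grid size G, the pen-up marker and the sample strokes are constructed assumptions for illustration.

```python
# Added example (not from the seminar paper): encoding a Draw-A-Secret (DAS)
# drawing on a G x G grid as the ordered sequence of cells it crosses, and
# comparing a login drawing against the registered one the way the text
# describes (same cells, same order). Canvas size, grid size, the PEN_UP
# marker and the sample strokes are constructed for illustration.

from typing import List, Optional, Tuple

Point = Tuple[float, float]   # stylus position in canvas pixels
Cell = Tuple[int, int]        # grid cell as (column, row)

PEN_UP: Cell = (-1, -1)       # assumed marker separating strokes in the secret


def to_cell(p: Point, canvas: int, g: int) -> Cell:
    """Map a canvas point to the grid cell containing it, clamped to the grid."""
    size = canvas / g
    col = min(max(int(p[0] // size), 0), g - 1)
    row = min(max(int(p[1] // size), 0), g - 1)
    return (col, row)


def encode_drawing(strokes: List[List[Point]], canvas: int = 400, g: int = 5) -> List[Cell]:
    """Return the temporal sequence of cells a drawing visits.

    Consecutive samples inside the same cell collapse to one entry, so the
    secret depends on which cells were crossed and in what order, not on how
    fast the stylus moved or how many samples the screen reported. A PEN_UP
    marker ends each stroke, so stroke count is part of the secret too.
    """
    secret: List[Cell] = []
    for stroke in strokes:
        last: Optional[Cell] = None
        for p in stroke:
            c = to_cell(p, canvas, g)
            if c != last:
                secret.append(c)
                last = c
        secret.append(PEN_UP)
    return secret


def das_match(registered: List[Cell], attempt: List[Cell]) -> bool:
    """Authenticate only if the same cells are crossed in the same order."""
    return registered == attempt


if __name__ == "__main__":
    # Constructed sample: a horizontal line across the top row, then a short
    # vertical line down the left column, on a 400 px canvas with G = 5.
    registered = encode_drawing([[(10, 10), (90, 10), (170, 10)], [(10, 250), (10, 330)]])
    redraw = encode_drawing([[(15, 20), (60, 5), (95, 15), (175, 12)], [(12, 245), (8, 335)]])
    print(registered)
    print("login ok:", das_match(registered, redraw))
```

The jittered redraw passes because every sample still falls in the same cells in the same order; drawing the same two lines in the opposite order fails, which is exactly the stroke-order dependence the text identifies as the usability weakness of DAS.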
Possible Attacks on Graphical Password Techniques
Very little study has been done on cracking graphical passwords. Some of the possible
techniques for breaking graphical passwords are given below, with a comparison to text-based passwords.
Brute Force Attack: The main defense against a brute force attack is to have a
sufficiently large password space. Text-based passwords have a password space of 94^N,
where N is the length of the password and 94 is the number of printable characters excluding
SPACE. In some graphical password techniques the password space is similar to or larger than
that of text-based passwords. Recognition-based graphical passwords tend to have smaller
password spaces than recall-based methods. A brute force attack is more difficult to carry out
against graphical passwords than against text-based passwords: automatically generated, accurate
mouse movement is required in a brute force attack to reproduce human input, which is
particularly difficult in the case of recall-based graphical passwords.
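The password-space comparison in this section (94^N for text passwords, a few spots within a tolerance area for click-point schemes, and the observation that roughly 1 billion possibilities is too small against an off-line attacker) can be worked through numerically. The block below is an added example, not code from the seminar paper; the image dimensions, tolerance and guess rate are constructed assumptions, and only the 94-character alphabet comes from the text.

```python
# Added example (not from the seminar paper): estimating theoretical password
# spaces in bits for text passwords (94^N, as the text states) and for a
# click-point scheme whose image is tiled into tolerance-sized regions.
# Image size, tolerance and the attacker's guess rate are constructed
# assumptions; hotspot bias is not modelled, so these are upper bounds.

import math

PRINTABLE = 94  # printable ASCII characters, excluding space (from the text)


def text_space(n_chars: int) -> int:
    """Number of text passwords of exactly n_chars characters."""
    return PRINTABLE ** n_chars


def click_regions(width: int, height: int, tolerance: int) -> int:
    """Distinct click targets once the image is tiled into tolerance-sized regions."""
    return math.ceil(width / tolerance) * math.ceil(height / tolerance)


def click_space(width: int, height: int, tolerance: int, clicks: int) -> int:
    """Ordered sequences of `clicks` click-points on one image."""
    return click_regions(width, height, tolerance) ** clicks


def bits(space: int) -> float:
    """Password space expressed as an entropy-style bit count."""
    return math.log2(space)


def clicks_to_match_text(width: int, height: int, tolerance: int, n_chars: int) -> int:
    """Smallest number of click-points whose space is at least 94^n_chars."""
    regions = click_regions(width, height, tolerance)
    k = 1
    while regions ** k < text_space(n_chars):
        k += 1
    return k


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an off-line attacker testing guesses at the given rate;
    a small value means the space alone does not protect the secret."""
    return space / guesses_per_second


if __name__ == "__main__":
    # Constructed setting: 400 x 300 image, 20 px tolerance (300 regions).
    for k in (4, 5, 7):
        print(f"{k} clicks: {bits(click_space(400, 300, 20, k)):.1f} bits")
    print(f"8-char text password: {bits(text_space(8)):.1f} bits")
    print("clicks needed to match 8 chars:", clicks_to_match_text(400, 300, 20, 8))
    # Constructed rate: 1e9 guesses/s on a 1 billion-entry space.
    print("seconds to exhaust 1e9:", seconds_to_exhaust(10 ** 9, 1e9))
```

With these assumed parameters seven clicks are needed before the click-point space reaches that of an eight-character text password, which is in line with the seven-spot recommendation quoted earlier for VisKey. Because users cluster on hotspots, the effective space a guessing attacker must search is smaller than these figures; the numbers are a ceiling, not a measurement.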
Dictionary Attacks: Since recognition-based graphical passwords involve mouse input
instead of keyboard input, it is impractical to carry out dictionary attacks against this
type of graphical password. For some recall-based graphical passwords, it is possible to use
a dictionary attack, but an automated dictionary attack will be much more difficult than a text-based
dictionary attack. Overall, graphical passwords are less vulnerable to dictionary
attacks than text-based passwords.
Guessing: Like text-based passwords, graphical passwords also tend to be predictable. For example,
studies on the Passfaces technique have shown that people often choose weak and predictable
graphical passwords. Similar predictability is found among the graphical passwords created
with the DAS technique. As per Wickelgren's power law of forgetting,
$m = \lambda (1 + \beta t)^{-\psi}$
where m is memory strength and t is time (i.e., the retention interval). The equation has
three parameters: $\lambda$ is the state of long-term memory at t = 0 (i.e., the degree of learning), $\psi$ is
the rate of forgetting, and $\beta$ is a scaling parameter.
Spyware Attack: Excluding a few exceptions, key-logging or key-listening spyware cannot
be used to break graphical passwords. It is not clear whether "mouse tracking" spyware would
be an effective tool against graphical passwords. However, mouse motion alone is not
enough to break graphical passwords; such information has to be associated with application
information, such as the position and size of the window, as well as timing information.
Shoulder Surfing: Most graphical passwords are vulnerable to shoulder surfing, like text-based
passwords. A few recognition-based techniques are designed to resist shoulder surfing. None
of the recall-based techniques are resistant to shoulder-surfing attacks.
Social Engineering: Giving away a graphical password to another person is more difficult than
giving away a text-based password. For example, it is very difficult to give away a graphical
password over the phone. Setting up a phishing web site to obtain graphical passwords
would also be more time-consuming.
Types of authentication
Token-based authentication includes key cards, bank cards, smart cards, etc.
Knowledge-based authentication includes text-based authentication and picture-based
authentication.
Biometric authentication includes fingerprint authentication, iris scans and facial
recognition.
Considering traditional username-password authentication, alphanumeric passwords
are either easy to guess or difficult to remember. Also, users generally keep the same
password for all their accounts because it is difficult to remember a lot of them. Alternative
authentication methods, such as biometrics and graphical passwords, are used to overcome these
problems associated with the traditional username-password authentication technique.
In a graphical password authentication system, the user has to select from images, in a
specific order, presented to them in a graphical user interface (GUI). According to a study,
the human brain has a greater capability of remembering what it sees (pictures) than
alphanumeric characters. Therefore, graphical passwords overcome the disadvantage of
alphanumeric passwords. Graphical password authentication has three major categories
based on the activity used to authenticate the password:
Recognition based Authentication: A user is given a set of images and he has to identify
the image he selected during registration.
For example, Passfaces is a graphical password scheme based on recognizing human faces.
During password creation, users are given a large set of images to select from. To log in,
users have to identify the pre-selected image from the several images presented to him.
Recall based Authentication: A user is asked to reproduce something that he created or
selected at the registration stage. For example, in the PassPoints scheme, a user can click any
point in an image to create the password, and a tolerance around each chosen pixel is calculated.
During authentication, the user has to select the points within the tolerance in the correct
sequence to log in.
Cued Recall: Cued Click Points (CCP) is an alternative to the PassPoints technique. In
CCP, users click one point on each of several images rather than five points on one image (unlike
PassPoints). It offers cued recall and instantly alerts users if they make a mistake while
entering their latest click-point.
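The two verification behaviours described above, PassPoints (all clicks within tolerance, in the registered order) and CCP (one click per image, where a wrong click immediately leads to an image the user does not recognise), are shown together in the following added example. It is not code from the seminar paper, from the PassPoints authors or from the CCP authors: the coordinates, tolerance, image names, the HMAC-based choice of the next image and the hashed storage of the image path are constructed assumptions used to illustrate the idea, and real CCP uses a centred discretisation that is omitted here.

```python
# Added example (not from the seminar paper): verifying a PassPoints-style
# click sequence within a tolerance around each registered point, and a
# simplified Cued Click Points (CCP) walk in which each click determines the
# next image shown, so a wrong click surfaces as an unfamiliar image at once.
# All values below (key, salt, coordinates, tolerance, image naming, the
# HMAC-based image selection) are constructed for illustration.

import hashlib
import hmac
import math
from typing import List, Tuple

Point = Tuple[int, int]
KEY = b"constructed-server-key"    # assumed per-deployment secret
SALT = b"constructed-salt"         # assumed per-user salt


def verify_passpoints(registered: List[Point], clicks: List[Point], tolerance: float) -> bool:
    """PassPoints: every click must land within `tolerance` pixels of its
    registered point, in the registered order. Every point is checked before
    answering so the yes/no result does not reveal which click was wrong."""
    if len(clicks) != len(registered):
        return False
    ok = True
    for r, c in zip(registered, clicks):
        ok &= math.dist(r, c) <= tolerance
    return ok


def region(click: Point, tolerance: int) -> Tuple[int, int]:
    """Quantise a click to a tolerance-sized grid cell. A click near a cell
    edge can fall into the neighbouring cell on a later attempt; real CCP
    avoids this with centred discretisation, which is omitted here."""
    return (click[0] // tolerance, click[1] // tolerance)


def next_image(image: str, cell: Tuple[int, int], key: bytes) -> str:
    """Deterministically pick the next image from the current image and the
    clicked cell (constructed HMAC-based selection over a 32-bit image index)."""
    msg = f"{image}:{cell[0]}:{cell[1]}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"img{int.from_bytes(digest[:4], 'big'):010d}"


def ccp_path(start: str, clicks: List[Point], tolerance: int, key: bytes) -> List[str]:
    """The images a user sees during a CCP login, starting from `start`."""
    images = [start]
    for click in clicks:
        images.append(next_image(images[-1], region(click, tolerance), key))
    return images


def path_digest(images: List[str], salt: bytes) -> str:
    """What the server stores at registration: a salted hash of the image
    path, never the raw click coordinates."""
    return hashlib.sha256(salt + "/".join(images).encode()).hexdigest()


def ccp_login(start: str, clicks: List[Point], tolerance: int, key: bytes,
              salt: bytes, stored: str) -> Tuple[bool, List[str]]:
    """Return (authenticated, images shown). The images are what the user saw;
    a mistake shows up as an unfamiliar image before the final decision."""
    images = ccp_path(start, clicks, tolerance, key)
    return hmac.compare_digest(path_digest(images, salt), stored), images


if __name__ == "__main__":
    # Constructed registration: three clicks starting from a fixed first image.
    first = "img0000000000"
    path = ccp_path(first, [(130, 90), (210, 300), (65, 45)], 20, KEY)
    stored = path_digest(path, SALT)
    ok, shown = ccp_login(first, [(135, 95), (205, 310), (70, 50)], 20, KEY, SALT, stored)
    print("login ok:", ok, "same images:", shown == path)
```

A correct but slightly off login still reproduces the same image path because each click quantises to the same cell, while a wrong first click changes every image from the second one onwards, which is the immediate feedback the text attributes to CCP. Storing only a salted hash of the path means a copy of the credential store does not directly expose where the user clicks.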
2.2 Implementation and Discussion
Graphical passwords can be implemented to authenticate users of several systems and websites. The
implementation has a few focus areas:
Password: Contains the reference image and the encryption algorithm.
Login: Contains the username, images, graphical password and related methods.
SSR shield: Contains the shield against shoulder surfing.
Grids: Contains the unique grid values and the grid-clicking related methods.
2.3 Advantages of graphical authentication method:
The security of the system is very high.
Graphical password schemes provide a way of making more human-friendly
passwords.
Dictionary attacks and brute force search are infeasible.
It is user-friendly.
It provides higher security than other traditional password schemes.
CCP makes attacks based on hotspot analysis more challenging.
2.4 Disadvantages:
They require much more storage space than text-based passwords.
Password registration and the log-in process take too long.
Shoulder Surfing: As the name implies, shoulder surfing is watching over people’s
shoulders as they process information. Because of their graphic nature, nearly all
graphical password schemes are quite vulnerable to shoulder surfing.
3. Conclusion
The core element of computational trust is identity. Currently many authentication methods
and techniques are available, each with its own advantages and shortcomings. There is
growing interest in using pictures as passwords rather than text passwords, but very little
research has been done on graphical passwords so far. In view of the above, we have
proposed an authentication system based on graphical password schemes. We need our
authentication systems to be more secure, reliable and robust, as there is always room for
improvement.
References
Adams A. and Sasse M.A. (1999) Communications of the ACM, 42, 41-46.
Blonder G. (1996) Lucent Technologies, Inc., Murray Hill, NJ, United States Patent 5559961.
Brostoff S. and Sasse M.A. (2017) In People and Computers XIV – Usability or Else: Proceedings of HCI. Sunderland, U.K.
Davis D., Monrose F. and Reiter M.K. (2004) Proceedings of the 13th USENIX Security Symposium. California.
Dhamija R. and Perrig A. (2016) In Proceedings of the 9th USENIX Security Symposium.
Hong D., Man S., Hawes B. and Mathews M. (2004) International Conference on Security and Management, Las Vegas, NV.
SFR IT-Engineering (2017) http://www.sfrsoftware.de/cms/EN/pocketpc/viskey/.
Jansen W., Gavrila S., Korolev V., Ayers R. and Swanstrom R. (2019) NIST, NISTIR 7030.
Jermyn I., Mayer A., Monrose F., Reiter M.K. and Rubin A.D. (2020) In Proceedings of the 8th USENIX Security Symposium.
Sashi M., Sreelatha M., Anirudh M., Sultan Ahamer Md. and Manoj Kumar V. IJNSA, Dept. of CSSE, Andhra University, India.
Passlogix (2017) http://www.passlogix.com.
Rachna Dhamija and Adrian Perrig (2017) "Deja Vu: A User Study. Using Images for Authentication." In Proceedings of the 9th USENIX Security Symposium, August 2015.
Real User Corporation (2015) Passfaces TM, http://www.realuser.com.
Yardi S., Feamster N. and Bruckman A. School of Computer Science and School of Interactive Computing, Georgia Institute of Technology. WOSN'08, August 18, 2018, Seattle, Washington, USA.
Sobrado L. and Birget J. (2017) http://rutgersscholar.rutgers.edu/volume04/sobrbirg/sobrbirg.htm.
Wiedenbeck S., Waters J., Birget J.C., Brodskiy A. and Memon N. (2015) International Journal of Human-Computer Studies, 63, 102-127.
Wixted J.T. and Ebbesen E. (1991) On the form of forgetting. Psychological Science, 2, 409-415.
Xiayuan Suo, YingZhu, Scott Owen (2017) "Graphical Passwords: A Survey", In Proceedings of the Annual Computer Security Applications Conference, 2005.