
Alphanumeric and visual password schemes

Literature review

2.2 Authentication methods

2.2.2 Alphanumeric and visual password schemes

Alphanumeric password schemes are the most widely used type of knowledge-based authentication method. Secure or strong alphanumeric passwords are not easy to remember. There is thus a conflict between security and ease of use. A number of practices that lessen the security of alphanumeric password schemes have been observed. For example, it was observed that users give away their passwords to colleagues to help cover for their absence from the office (Wiedenbeck et al., 2006). Also, a large percentage of users decide to write down their passwords (Wiedenbeck et al., 2006). This is especially so when the passwords to remember are many and are not used on a regular basis (Wiedenbeck et al., 2005).

A study also shows that some users use pets' and family members' names as passwords (Benko et al., 2006). In addition, users find it difficult to hide their passwords when authenticating in the presence of colleagues, as doing so might give the impression of distrusting them.

Alphanumeric passwords can be eavesdropped, written down and stolen, shoulder surfed, and cracked through both dictionary attacks and brute-force attacks.

A case study showed that 25% of alphanumeric passwords can be guessed using a relatively small dictionary (Jermyn et al., 1999). The reasons mentioned above led to the development of visual passwords as a better alternative to alphanumeric passwords.

The major types of visual password schemes will be reviewed next. Most of them have undergone modifications by different researchers, who have given their adaptations new names.

1. Passfaces.

This method originated with Realuser (2012). In this method, the user selects some faces (e.g. four) from a large number of available faces stored on a server. On login, the user is presented with a three-by-three matrix of faces. One of the faces is part of the user's password, while the others act as decoys. The user touches a face to select it and the system displays the next set of faces. The challenge-response cycle continues until the user has selected all (four) faces, and it is only at this point that the user passes or fails authentication.
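To make the challenge-response cycle concrete, here is an added example (not code from the thesis or from the Passfaces vendor) that simulates the login just described and computes the guessing probability it implies. Everything in it is constructed: the face library is a list of string ids, the enrolled secret is four faces, and each round is a 3x3 grid holding one pass-face and eight decoys drawn from faces outside the secret.

```python
"""Added example, not code from the thesis or from the Passfaces vendor:
a minimal simulation of the Passfaces challenge-response login.
Everything here is constructed: the face library is a list of string ids,
the enrolled secret is four faces, and each round shows a 3x3 grid with
one pass-face and eight decoys drawn from faces outside the secret."""
import random
from typing import Callable, List, Optional, Sequence

GRID_SIZE = 9      # three-by-three matrix of faces shown per round
PASS_LENGTH = 4    # number of faces the user enrols

# Constructed face library; a real server would hold image ids.
FACE_LIBRARY = [f"face{n:03d}" for n in range(60)]


def _rng(rng: Optional[random.Random]) -> random.Random:
    """Use the caller's generator if given, otherwise a fresh one."""
    return rng if rng is not None else random.Random()


def enrol(rng: Optional[random.Random] = None) -> List[str]:
    """Enrolment: the user picks PASS_LENGTH distinct faces from the library."""
    return _rng(rng).sample(FACE_LIBRARY, PASS_LENGTH)


def make_challenge(pass_face: str, secret: Sequence[str],
                   rng: Optional[random.Random] = None) -> List[str]:
    """One round: the pass-face plus eight decoys, shuffled so the position of
    the pass-face carries no information. Other pass-faces are excluded from
    the decoy pool so exactly one correct answer exists per round."""
    r = _rng(rng)
    pool = [f for f in FACE_LIBRARY if f not in secret]
    grid = r.sample(pool, GRID_SIZE - 1) + [pass_face]
    r.shuffle(grid)
    return grid


def authenticate(secret: Sequence[str], choose: Callable[[List[str]], str],
                 rng: Optional[random.Random] = None) -> bool:
    """Full challenge-response cycle. `choose` stands in for the client and
    returns the face it selects from each grid. The verdict is given only
    after all rounds, as in the text; a failed round does not stop the loop,
    so the number of rounds shown does not reveal which face was wrong."""
    r = _rng(rng)
    ok = True
    for pass_face in secret:
        grid = make_challenge(pass_face, secret, r)
        if choose(grid) != pass_face:
            ok = False
    return ok


def blind_guess_success_probability() -> float:
    """Chance that an attacker who knows nothing about the secret passes by
    picking one face at random in each round: (1/9) ** 4."""
    return (1.0 / GRID_SIZE) ** PASS_LENGTH


if __name__ == "__main__":
    rng = random.Random(7)
    secret = enrol(rng)
    legitimate = lambda grid: next(f for f in grid if f in secret)
    print("legitimate user passes:", authenticate(secret, legitimate, rng))
    print("blind guess success probability:", blind_guess_success_probability())
```

With four rounds of nine faces the blind-guessing space is 1 in 6561, slightly smaller than that of a random four-digit PIN (1 in 10000); the simulation also shows why the verdict is withheld until the last round, since an early rejection would tell an observer which face was wrong.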

The main concerns regarding Passfaces have to do with usability and security. Usability has to do with the network speed required to load pictures and is becoming less of a problem as network speed increases.

There are a number of security issues with the Passfaces type of authentication, one of which has to do with the fact that the user has to physically touch or indicate the face that he is selecting, which may make it vulnerable to shoulder surfing (Lashkari et al., 2009). However, a number of methods to counter shoulder surfing in this and other visual password schemes have been proposed (Farmand & Bin Zakaria, 2010; Jebriel & Poet, 2011; Kim et al., 2010; Li et al., 2005; Miyachi et al., 2010; Seng et al., 2011; Wiedenbeck et al., 2006).

For example, Farmand & Bin Zakaria (2010) proposed Recognition-Based Sequence Reproduction in four ways (RBSR4). One unique idea suggested by this approach is the addition of four scanning directions (4-ways) and dates in the choice of pass-images. The user types a number to represent the position of the pass-image randomly placed on the screen, along with the decoy images, counting from any of the four directions provided during the registration phase: left to right, right to left, bottom to top and top to bottom. An additional level of security is provided by including dates, for example, choosing to use right to left on even days (e.g., Tuesday) and left to right on odd days (e.g., Wednesday). This information is kept on the server.
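The following is an added example, not code from Farmand & Bin Zakaria (2010) or from the thesis, of how a server could check an RBSR4-style response: the user types the position of the pass-image counted from a scanning direction that depends on the day of the week. The grid layout, the exact scan order assigned to each direction name, and the day-parity rule (ISO weekday parity) are assumptions built from the description above, and the `image_at` helper shows why a typed number alone does not identify the pass-image to someone who does not know the direction in use.

```python
"""Added example, not code from Farmand & Bin Zakaria (2010) or the thesis:
server-side checking of an RBSR4-style response. The grid layout, the scan
order behind each direction name and the day-parity rule are assumptions
built from the text's description."""
from datetime import date
from typing import Dict, List

Grid = List[List[str]]   # rows of image ids, in the order shown on screen

# Assumed scan orders (1-based counting):
#   left_to_right : rows from the top, each row scanned left to right
#   right_to_left : rows from the top, each row scanned right to left
#   top_to_bottom : columns from the left, each column scanned top to bottom
#   bottom_to_top : columns from the left, each column scanned bottom to top
DIRECTIONS = ("left_to_right", "right_to_left", "top_to_bottom", "bottom_to_top")


def position_from(grid: Grid, image: str, direction: str) -> int:
    """1-based position of `image` when the grid is scanned in `direction`."""
    rows, cols = len(grid), len(grid[0])
    for r in range(rows):
        for c in range(cols):
            if grid[r][c] != image:
                continue
            if direction == "left_to_right":
                return r * cols + c + 1
            if direction == "right_to_left":
                return r * cols + (cols - 1 - c) + 1
            if direction == "top_to_bottom":
                return c * rows + r + 1
            if direction == "bottom_to_top":
                return c * rows + (rows - 1 - r) + 1
            raise ValueError(f"unknown direction {direction!r}")
    raise ValueError(f"{image!r} not on the grid")


def image_at(grid: Grid, number: int, direction: str) -> str:
    """Inverse of position_from: the image a typed number denotes under a
    given direction. This is all an observer who saw only the keystroke can
    reconstruct, and only if they also know the direction."""
    for row in grid:
        for image in row:
            if position_from(grid, image, direction) == number:
                return image
    raise ValueError(f"position {number} is off the grid")


def direction_for(day: date, registration: Dict[str, str]) -> str:
    """Assumed date rule: ISO weekday parity selects the registered direction,
    e.g. Tuesday (2) is even and Wednesday (3) is odd."""
    return registration["even" if day.isoweekday() % 2 == 0 else "odd"]


def verify(grid: Grid, typed: int, pass_image: str,
           registration: Dict[str, str], day: date) -> bool:
    """Server check: recompute the expected number for today's direction and
    compare it with what the user typed."""
    return typed == position_from(grid, pass_image, direction_for(day, registration))


# Constructed 4x4 layout (one possible random placement of sixteen images).
SAMPLE_GRID: Grid = [[f"img{4 * r + c + 1:02d}" for c in range(4)] for r in range(4)]
# Constructed registration record, mirroring the example in the text.
SAMPLE_REGISTRATION = {"even": "right_to_left", "odd": "left_to_right"}
# Constructed sample dates: 2 January 2024 is a Tuesday, 3 January a Wednesday.
SAMPLE_TUESDAY = date(2024, 1, 2)
SAMPLE_WEDNESDAY = date(2024, 1, 3)

if __name__ == "__main__":
    pass_image = "img07"          # second row, third column of SAMPLE_GRID
    for d in (SAMPLE_TUESDAY, SAMPLE_WEDNESDAY):
        direction = direction_for(d, SAMPLE_REGISTRATION)
        print(d.strftime("%A"), direction, "expects",
              position_from(SAMPLE_GRID, pass_image, direction))
    # An observer who saw "6" typed on Tuesday but assumed left-to-right
    # counting would reconstruct the wrong image:
    print(image_at(SAMPLE_GRID, 6, "left_to_right"), "vs",
          image_at(SAMPLE_GRID, 6, "right_to_left"))
```

Run stand-alone it prints the expected number for each sample day and shows that the same keystroke resolves to different images under different directions, which is the property the date rule relies on; the registration record and the date rule must stay on the server, as the text notes.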

Jebriel & Poet (2011) found that using keyboards to select pass-images is more secure than using the mouse. They conducted an experiment where doodles were displayed in a four-by-four matrix, using four different methods of pass-image selection: numeric, numeric and alphabetic, column and row (matrix) type and clicking type, as shown in Figure 2.1 on the following page. An interesting observation was that the matrix method was not better than any of the other keyboard entry methods, even though observing a single key press still left the observer with one in four guesses. They speculated that a possible explanation was that the user was unconsciously indicating which keys were needed to determine the pass-image, perhaps by hovering their fingers over both keys (for selecting the pass-image row and column), before deciding which one to press. An indication that this might be the case was the observation that the time needed to enter data in the matrix case was five seconds longer than any other method. They suggested further experiments where users were given time to practice the various forms of choice indication before being observed and observers were given the chance to explain how they worked out the chosen image.

Kim et al. (2010) came up with the Pressure-Grid system for multi-touch tabletop environments. This method relies heavily on the technology being used in vision-based multi-touch systems, which can obtain the size of the finger contact (or blob) detected by the camera. Changes in finger pressure are readily apparent to the tracking systems, but are very difficult for observers to discern. This is further improved by the fact that increasing pressure on less dexterous fingers (i.e., the little finger) causes involuntary movements of other fingers that are likely to add to the confusion of the observer. The authors compared their method using the four ways of countering shoulder surfing: reducing visibility, subdividing actions, dissipating attention and transforming knowledge. The authors tested the Pressure-Grid system using finger positions as shown in Figure 2.2 on Page 17 in the study context shown in Figure 2.3 on Page 18. The authors used four authentication methods for their tests: basic (unshielded) PIN, basic (unshielded) faces, Pressure PIN and Pressure faces. The results are as shown in Table 2.1 on Page 18. It was observed that Pressure-Grid was the best, with no shoulder surfer succeeding against this method.

Figure 2.1: Pass-image selection types (Jebriel & Poet, 2011). Panels: (a) Numeric, (b) Numeric and alphabetic, (c) Matrix, (d) Clicking type.

Figure 2.2: Pressure-Grid finger positions (Kim et al., 2010)

Li et al. (2005) also proposed an authentication method that involves adding a PassPoints-type graphical password and a grouped colour-choice login to a Passfaces-type password scheme, as a way of improving shoulder surfing resistance.

Miyachi et al. (2010) used the Discrete Wavelet Transform (DWT) to blend low

Figure 2.3: Pressure-Grid study context (Kim et al., 2010)

Table 2.1: Results of Pressure-Grid experiments (Kim et al., 2010)