A New Security Approach Based on CARP using Hard AI Problems Y Manohar Reddy & K Phalguna Rao

(1)

ISSN No: 2348-4845

International Journal & Magazine of Engineering,

Technology, Management and Research

A Peer Reviewed Open Access International Journal

Volume No: 2 (2015), Issue No: 9 (

September

)

September 2015

Dynamic:

Many security primitives are in setting of hard math-ematical issues. Using hard AI issues for security is mak-ing as an empowermak-ing new standard, however has been under-examined. In this paper, we bring another security primitive considering hard AI issues, to be particular, a novel party of framework ical riddle word structures con-sidering top of Captcha progress, which we call Captcha as graphical passwords (CaRP). CaRP is both a Captcha and a graphical riddle word approach. CaRP addresses particular security issues all things considered, for event, web guessing ambushes, exchange strikes, and, if united with twofold perspective sorts of advancement, shoulder-surfing attacks. Astoundingly, a CaRP riddle key can be found just probabilistically through adjusted web guess-ing strikes payguess-ing negligible respect to the way that the watchword is in the interest sorted out. CaRP in like man-ner offers a novel approach to manage supervise range the understood picture hotspot issue in grasped graphical puzzle word structures, for event, PassPoints, that when in doubt prompts weak watchword choices. CaRP is not a panacea, yet rather it offers sensible security and usability and appears to fit well with some sensible applications for improving online security.

Keywords:

Graphical mystery key, watchword, hotspots, CaRP, Capt-cha, word reference attack, watchword speculating strike, sec

Introduction:

AFUNDAMENTAL assignment in security is to make crypto-realistic primitives taking into account hard scien-tific issues that are computationally unmanageable.

For instance, the issue of whole number factorization is central to the RSA open key cryptosystem and the Rabin encryption. The discrete logarithm issue is principal to the ElGamal encryption, the Diffie-Hellman key trade, the Digital Signature Algorithm, the elliptic bend cryptogra-phy et cetera. Utilizing hard AI (Artificial Intelligence) issues for security, at first proposed in [17], is an ener -gizing new standardadigm. Under this ideal model, the most outstanding primitive created is Captcha, which rec-ognizes human clients from PCs by exhibiting a test, i.e., a riddle, past Nonetheless, this new ideal model has made only a restricted progress as contrasted and the crypto-graphic primitives in light of hard math issues and their wide applications. Is it conceivable to make any new se-curity primitive in light of hard AI issues? This is a testing and intriguing open prob-lem. In this paper, we present another security primitive in light of hard AI issues, to be specific, a novel group of graphical pass-word frame -works incorporating Captcha innovation, which we call CaRP (Captcha as gRaphical Passwords). CaRP is snap based graphical passwords, where a grouping of snaps on a picture is utilized to infer a secret key. Not at all like other snap based graphical passwords, pictures utilized as a part of CaRP are Captcha difficulties, and another CaRP picture is produced for each login endeavor.

The idea of CaRP is straightforward however non spe-cific. CaRP can have various instantiations. In principle, any Captcha plan depending on various item arrangement can be changed over to a CaRP plan. We introduce excel-lent CaRPs based on both content Captcha and picture acknowledgment Captcha. One of them is a content CaRP wherein a secret word is a succession of characters like a content watchword, however entered by tapping the right character grouping on CaRP pictures. CaRP offers insur-ance against online word reference assaults on passwords, which have been for long time a noteworthy security dan-ger for different online administrations.

Y.Manohar Reddy

M.Tech Student, Department of CSE,

Audisankara Institute of Technology, Gudur.

K.Phalguna Rao, M.Tech, Ph.D

HOD,

Department of CSE,

Audisankara Institute of Technology, Gudur.

(2)

ISSN No: 2348-4845

A Peer Reviewed Open Access International Journal

This danger is boundless and considered as a top digital security hazard [13]. Resistance against online lexicon as -saults is a more unpretentious issue than it may show up. Instinctive countermeasures, for example, throttling logon endeavors don’t function admirably for two reasons:

1) It reasons refusal of-administration assaults (which were misused to secure most astounding bidders out last minutes of eBay barters [12]) and brings about extrava -gant helpdesk costs for record reactivation.

2) It is powerless against worldwide watchword assaults [14] whereby enemies expect to break into any record in -stead of a particular one, and in this way attempt every secret word hopeful on various records and guarantee that the quantity of trials on every record is underneath the limit to abstain from activating record lockout.

CAPTCHA AS GRAPHICAL PASSWORDS

:

A. A New Way to Thwart Guessing Attacks :

In a speculating assault, a secret word conjecture tried in an unsuc-cessful trial is resolved wrong and barred from subse-quent trials. The quantity of undetermined secret word speculations diminishes with more trials, prompt-ing a superior shot of discoverprompt-ing the watchword. Scien-tifically, let S be the arrangement of secret word surmises before any trial, ρ be the watchword to discover, T mean This procedure is rehashed, every time with an alternate board. An effective login obliges that the aggregate likeli-hood that right answers were not entered by chance sur-passes an edge inside of a given number of rounds.

A review based plan obliges a client to recover the same cooperation result without prompting. Draw-A-Secret (DAS) [3] was the first review based plan proposed. A cli -ent draws her watchword on a 2D matrix. The framework encodes the arrangement of matrix cells along the drawing way as a client drawn secret word. Pass-Go [4] enhances DAS’s ease of use by encoding the matrix convergence focuses as opposed to the framework cells. BDAS [23] adds foundation pictures to DAS to urge clients to make more intricate passwords. In a signaled review conspire, an outside prompt is given to help remember and enter a secret word. PassPoints [5] is a generally mulled over snap based signaled review plan wherein a client clicks a grouping of focuses anyplace on a picture in making a watchword, and re-taps the same succession amid authen-ti-cation. Signaled Click Points (CCP) [18] is like

PassPoints yet utilizes one picture for every snap, with the following picture chose by a deterministic capacity. Enticing Cued Click Points (PCCP) [19] amplifies CCP by obliging a client to choose a point inside an arbitrarily situated viewport when making a secret word, bringing about all the more haphazardly conveyed snap focuses in a watchword. a trial while Tn indicate the n-th trial, and p(T = ρ) be the likelihood that ρ is tried in trial T . Let En be the arrangement of secret key speculations tried in trials up to (counting) Tn . The secret key estimate to be tried in n-th trial Tn is from situated S\E n −1, i.e., the relative supplement of En−1 in S. On the off chance that ρ S, then we have

p (T = ρ|T1 _= ρ, . . . , Tn−1 _= ρ ) > p(T = ρ), (1)

what’s more,

En → S with n → | S , (2)

p(T = ρ|T1 _= ρ, . . . , Tn−1 _= ρ) → 1

where |S | signifies the cardinality of S. From Eq. (2), the secret word is constantly found inside |S| trials on the off chance that it is in S; generally S is depleted after |S| tri -als. Every trial figures out whether the tried secret key estimate is the genuine watchword or not, and the trial’s outcome is deterministic.

In this paper, we recognize two sorts of speculating as-saults: programmed speculating assaults apply a pro-grammed experimentation handle however S can be physically developed though human speculating assaults apply a manual experimentation process. CaRP embraces a totally distinctive way to deal with counter programmed speculating assaults. It goes for understanding the accom-panying comparison:

p(T = ρ|T1, . . . , Tn−1) = p(T = ρ), n (3)

in a programmed speculating assault. Eq. (3) implies that every trial is computationally autonomous of different tri-als. In particular, regardless of what number of trials exe-cuted beforehand, the possibility of discovering the secret key in the present trial dependably continues as before. That is, a secret key in S can be discovered just proba-bilistically via programmed speculating (counting beast power) assaults, rather than existing graphical watchword plans where a watchword can be found inside of an al-tered number of trials.

B. CaRP: An Overview :

(3)

ISSN No: 2348-4845

A Peer Reviewed Open Access International Journal

Volume No: 2 (2015), Issue No: 9 (

September

)

September 2015

(e.g., alphanumerical characters, comparative creatures) to produce a CaRP picture, which is additionally a Capt-cha Capt-challenge. CaRP plans are clicked-based graphical passwords. As per the memory assignments in retaining and enter-ing a secret word, CaRP plans can be charac-terized into two classes: acknowledgment and another classification, acknowledgment review, which obliges perceiving a picture and utilizing the recog-nized items as signals to enter a watchword. Acknowledgment review joins the errands of both acknowledgment and prompted review, and holds both the acknowledgment based point of preference of being simple for human memory and the signaled review favorable position of a huge secret key space. Praiseworthy CaRP plans of every sort will be in-troduced later.

C. Changing over Captcha to CaRP :

On a basic level, any visual Captcha plan depending on recogniz-ing two or more predefined sorts of items can be changed over to a CaRP. All content Captcha plans and most IRCs meet this prerequisite. Those IRCs that depend on perceiving a solitary predefined kind of articles can likewise be changed over to CaRPs all in all by includ-ing more sorts of items. Practically speakinclud-ing, transforma-tion of a particular Captcha plan to a CaRP plot normally obliges a case by contextual analysis, keeping in mind the end goal to guarantee both security and ease of use. We will show in Sections IV and V a few CaRPs based on top of content and picture acknowledgment Captcha plans. Some IRCs depend on distinguishing protests whose sorts are not predefined. A run of the mill sample is Cortcha

[25] which depends on connection based item acknowl

-edgment wherein the article to be perceived can be of any sort. These IRCs can’t be changed over into CaRP since an arrangement of pre-characterized article sorts is vital for building a secret key.

D.Client Authentication

With

CaRP

Schemes:

Like other graphical passwords, we expect that CaRP plans are utilized with extra assurance, for example, se-cure channels in the middle of customers and the confir -mation server through Transport Layer Security (TLS). A run of the mill approach to apply CaRP plans in client confirmation is as per the following. The authentica-tion server AS stores a salt s and a hash esteem H (ρ, s) for every client ID, where ρ is the secret word of the record

[image:3.595.344.514.238.320.2]

and not put away. A CaRP watchword is a grouping of visual item IDs or clickable-purposes of visual articles that the client chooses. After getting a login demand, AS produces a CaRP picture, records the areas of the items in the picture, and sends the picture to the client to snap her secret key. The directions of the clicked focuses are recorded and sent to also

Fig. 1. Flowchart of fundamental CaRP validation.

with the client ID. AS maps the got coordinates onto the CaRP picture, and recuperates an arrangement of visual item IDs or clickable purposes of visual articles, ρ_, that the client tapped on the picture. At that point AS recov-ers salt s of the record, computes the hash estimation of ρ_ with the salt, and contrasts the outcome and the hash quality put away for the record. Validation succeeds just if the two hash qualities match. This procedure is known as the essential CaRP validation and demonstrated in Fig. 1. Propelled confirmation with CaRP, for instance, challenge-reaction, will be introduced in Section V-B. We expect in the accompanying that CaRP is utilized with the fundamental CaRP validation unless unequivocally ex-pressed something else.

IV. Acknowledgment BASED CaRP :

For this sort of CaRP, a secret word is a succession of vi-sual articles in the letter set. Per perspective of customary acknowledgment based graphical passwords, acknowl-edgment based CaRP appears to have entry to a limitless number of distinctive visual items. We introduce two ac-knowledgment based CaRP plans and a variety next.

A. ClickText :

\

ClickText is an acknowledgment construct CaRP plan fabricated with respect to top of content Captcha. Its let-ters in order includes characlet-ters with no outwardly befud-dling characters. For instance, Letter “O” and digit “0” may bring about perplexity in CaRP pictures, and in this way one character ought to be barred from the letter set.

ISSN No: 2348-4845

International Journal & Magazine of Engineering,

A Peer Reviewed Open Access International Journal

Volume No: 2 (2015), Issue No: 9 (

September

)

September 2015

A ClickText secret word is an arrangement of characters in the letter set, e.g., ρ =”AB#9CD87”, which is like a content watchword.. The confirmation server depends on the ground truth to distinguish the characters relating to client clicked focuses. In ClickText pictures, characters can be organized disorderly.

Fig. 2. A ClickText picture with 33 characters.

Fig. 3. Captcha Zoo with stallions circumnavigated red.

Fig. 4. A ClickAnimal picture (left) and 6 × 6 frame-work (right) dictated by red turkey’s jumping

rect-angle.

on 2D space. This is not quite the same as content Capt -cha -challenges in which -characters are normally request-ed from left to right with the end goal clients should sort them consecutively. Fig. 2 demonstrates a ClickText pic -ture with a letters in order of 33 characters. In entering a secret key, the client taps on this picture the characters in her watchword, in the same request, for instance “A”, “B”, “#”, “9”, “C”, “D”, “8”, and after that “7” for secret key ρ = “AB#9CD87”.

B. ClickAnimal :

Captcha Zoo [32] is a Captcha plan which utilizes 3D mod -els of steed and canine to create 2D creatures with diverse compositions, hues, lightings and postures, and master-minds them on a jumbled foundation. A client clicks ev-ery one of the steeds in a test picture to breeze through the test. Fig. 3 demonstrates an example challenge wherein every one of the stallions are surrounded red.

ClickAnimal is an acknowledgment construct CaRP plan assembled in light of top of Captcha Zoo [32], with a letter set of comparable creatures, for example, canine, steed, pig, and so forth. Its secret word is a grouping of creature names, for example, ρ = “Turkey, Cat, Horse, Dog,… .” For every creature, one or more 3D models are fabricated. The Captcha era procedure is connected to create ClickAnimal pictures: 3D models are utilized to produce 2D creatures by applying diverse perspectives, compositions, hues, lightning impacts, and alternatively twists. The subsequent 2D creatures are then master -minded on a jumbled foundation, for example, prairie. A few creatures may be blocked by different creatures in the picture, however their center parts are not impeded with the end goal people should recognize each of them. Fig. 4 demonstrates a ClickAnimal picture with a letter set of 10 creatures. Note that distinctive perspectives connected in mapping 3D models to 2D creatures,

C. AnimalGrid :

(4)

ISSN No: 2348-4845

International Journal & Magazine of Engineering,

A Peer Reviewed Open Access International Journal

(e.g., alphanumerical characters, comparative creatures) to produce a CaRP picture, which is additionally a Capt-cha Capt-challenge. CaRP plans are clicked-based graphical passwords. As per the memory assignments in retaining and enter-ing a secret word, CaRP plans can be charac-terized into two classes: acknowledgment and another classification, acknowledgment review, which obliges perceiving a picture and utilizing the recog-nized items as signals to enter a watchword. Acknowledgment review joins the errands of both acknowledgment and prompted review, and holds both the acknowledgment based point of preference of being simple for human memory and the signaled review favorable position of a huge secret key space. Praiseworthy CaRP plans of every sort will be in-troduced later.

C. Changing over Captcha to CaRP :

On a basic level, any visual Captcha plan depending on recogniz-ing two or more predefined sorts of items can be changed over to a CaRP. All content Captcha plans and most IRCs meet this prerequisite. Those IRCs that depend on perceiving a solitary predefined kind of articles can likewise be changed over to CaRPs all in all by includ-ing more sorts of items. Practically speakinclud-ing, transforma-tion of a particular Captcha plan to a CaRP plot normally obliges a case by contextual analysis, keeping in mind the end goal to guarantee both security and ease of use. We will show in Sections IV and V a few CaRPs based on top of content and picture acknowledgment Captcha plans. Some IRCs depend on distinguishing protests whose sorts are not predefined. A run of the mill sample is Cortcha

[25] which depends on connection based item acknowl

-edgment wherein the article to be perceived can be of any sort. These IRCs can’t be changed over into CaRP since an arrangement of pre-characterized article sorts is vital for building a secret key.

D.Client Authentication

With

CaRP

Schemes:

Like other graphical passwords, we expect that CaRP plans are utilized with extra assurance, for example, se-cure channels in the middle of customers and the confir -mation server through Transport Layer Security (TLS). A run of the mill approach to apply CaRP plans in client confirmation is as per the following. The authentica-tion server AS stores a salt s and a hash esteem H (ρ, s) for every client ID, where ρ is the secret word of the record

and not put away. A CaRP watchword is a grouping of visual item IDs or clickable-purposes of visual articles that the client chooses. After getting a login demand, AS produces a CaRP picture, records the areas of the items in the picture, and sends the picture to the client to snap her secret key. The directions of the clicked focuses are recorded and sent to also

Fig. 1. Flowchart of fundamental CaRP validation.

with the client ID. AS maps the got coordinates onto the CaRP picture, and recuperates an arrangement of visual item IDs or clickable purposes of visual articles, ρ_, that the client tapped on the picture. At that point AS recov-ers salt s of the record, computes the hash estimation of ρ_ with the salt, and contrasts the outcome and the hash quality put away for the record. Validation succeeds just if the two hash qualities match. This procedure is known as the essential CaRP validation and demonstrated in Fig. 1. Propelled confirmation with CaRP, for instance, challenge-reaction, will be introduced in Section V-B. We expect in the accompanying that CaRP is utilized with the fundamental CaRP validation unless unequivocally ex-pressed something else.

IV. Acknowledgment BASED CaRP :

For this sort of CaRP, a secret word is a succession of vi-sual articles in the letter set. Per perspective of customary acknowledgment based graphical passwords, acknowl-edgment based CaRP appears to have entry to a limitless number of distinctive visual items. We introduce two ac-knowledgment based CaRP plans and a variety next.

A. ClickText :

\

ClickText is an acknowledgment construct CaRP plan fabricated with respect to top of content Captcha. Its let-ters in order includes characlet-ters with no outwardly befud-dling characters. For instance, Letter “O” and digit “0” may bring about perplexity in CaRP pictures, and in this way one character ought to be barred from the letter set.

ISSN No: 2348-4845

International Journal & Magazine of Engineering,

A Peer Reviewed Open Access International Journal

A ClickText secret word is an arrangement of characters in the letter set, e.g., ρ =”AB#9CD87”, which is like a content watchword.. The confirmation server depends on the ground truth to distinguish the characters relating to client clicked focuses. In ClickText pictures, characters can be organized disorderly.

Fig. 2. A ClickText picture with 33 characters.

Fig. 3. Captcha Zoo with stallions circumnavigated red.

Fig. 4. A ClickAnimal picture (left) and 6 × 6 frame-work (right) dictated by red turkey’s jumping

rect-angle.

on 2D space. This is not quite the same as content Capt -cha -challenges in which -characters are normally request-ed from left to right with the end goal clients should sort them consecutively. Fig. 2 demonstrates a ClickText pic -ture with a letters in order of 33 characters. In entering a secret key, the client taps on this picture the characters in her watchword, in the same request, for instance “A”, “B”, “#”, “9”, “C”, “D”, “8”, and after that “7” for secret key ρ = “AB#9CD87”.

B. ClickAnimal :

Captcha Zoo [32] is a Captcha plan which utilizes 3D mod -els of steed and canine to create 2D creatures with diverse compositions, hues, lightings and postures, and master-minds them on a jumbled foundation. A client clicks ev-ery one of the steeds in a test picture to breeze through the test. Fig. 3 demonstrates an example challenge wherein every one of the stallions are surrounded red.

ClickAnimal is an acknowledgment construct CaRP plan assembled in light of top of Captcha Zoo [32], with a letter set of comparable creatures, for example, canine, steed, pig, and so forth. Its secret word is a grouping of creature names, for example, ρ = “Turkey, Cat, Horse, Dog,… .” For every creature, one or more 3D models are fabricated. The Captcha era procedure is connected to create ClickAnimal pictures: 3D models are utilized to produce 2D creatures by applying diverse perspectives, compositions, hues, lightning impacts, and alternatively twists. The subsequent 2D creatures are then master -minded on a jumbled foundation, for example, prairie. A few creatures may be blocked by different creatures in the picture, however their center parts are not impeded with the end goal people should recognize each of them. Fig. 4 demonstrates a ClickAnimal picture with a letter set of 10 creatures. Note that distinctive perspectives connected in mapping 3D models to 2D creatures,

C. AnimalGrid :

(5)

ISSN No: 2348-4845

International Journal & Magazine of Engineering,

A Peer Reviewed Open Access International Journal

Volume No: 2 (2015), Issue No: 9 (

September

)

September 2015

Utilizing the ground truth, the server recuperates the first creature from the got succession, recovers the lattice pic-ture from the creapic-ture’s jumping rectangle, and recoups the clicked framework cells. This procedure is rehashed to recuperate the secret word the client clicked. Its hash is then figured and contrasted and the put away hash.

V. Acknowledgment RECALL CaRP :

In acknowledgment review CaRP, a secret key is a suc-cession of some invariant purposes of items. An invariant purpose of an item (e.g. letter “A”) will be a point that has an altered relative position in diverse incarnations (e.g., text styles) of the item, and therefore can be particular-ly distinguished by people regardless of how the article shows up in CaRP pictures. To enter a secret key, a client must distinguish the items in a CaRP picture, and after-ward utilize the recognized articles as signals to find and snap the invariant focuses coordinating her watchword. TextPoint, an acknowledgment review CaRP plan with a letters in order of characters, is introduced next, trailed by a variety for test reaction confirmation.

A. TextPoints :

Characters contain invariant focuses. Fig. 5 demonstrates some invariant purposes of letter “A”, which offers an in number sign to retain and find its invariant focuses. A point is said to be an interior purpose of an article if its separation to the nearest limit of the item surpasses an edge. An arrangement of inner invariant purposes of characters is chosen to frame an arrangement of clickable focuses for TextPoints. Furthermore, variety ought to ad-ditionally be mulled over. For instance, if the focal point of a stroke portion in one character is chosen, we ought to abstain from selecting the focal point of a comparative stroke section in another character. Rather, we ought to choose

Fig. 5. Some invariant focuses (red crosses) of “A”.

an alternate point from the stroke portion, e.g., a point at 33% length of the stroke fragment to an end. This variety in selecting clickable focuses guarantees that a clickable point is setting ward: a comparatively organized point might possibly be a clickable point, contingent upon the character that the point lies in. Character

acknowledgment is needed in finding clickable focuses on a TextPoints picture despite the fact.

CONCLUSION :

We have proposed CaRP, another security primitive de-pending on unsolved hard AI issues. CaRP is both a Capt-cha and a graphical secret key plan. The thought of CaRP introduction duces another group of graphical passwords, which receives another way to deal with counter internet speculating assaults: another CaRP picture, which is like-wise a Captcha test, is utilized CaRP powers enemies to fall back on essentially less productive and a great deal all the more expensive human-based assaults. Notwithstand-ing offerNotwithstand-ing security from web speculatNotwithstand-ing assaults, CaRP is likewise impervious to Captcha transfer assaults, and, if joined with double view advances, shoulder-surfing as -saults. CaRP can likewise help lessen spam messages sent from a Web email administration. Both AnimalGrid and ClickText would be wise to secret key memora-bility than the routine content passwords. By and large, our work is one stage forward in the standard of utilizing hard AI issues for security. Of sensible security and ease of use and reasonable applications, CaRP has great potential for refinements, which call for helpful future work. All the more imperatively, we anticipate that CaRP will move new developments of such AI based security primitives.

FUTURE ENHANCEMENT:

For many security reasons there is a stage forward ques-tion is there? using AI there may be a different way of generating the captcha’s and applying them for user friendliness logging. for some different reasons we may improve normal standalone captcha to moving captcha which stores on and from captcha engine. so like in fu-ture there is a major importance for human AI for solv-ing the issue by breaksolv-ing the movsolv-ing captcha’s.Not only moving captcha’s can improve the human AI’s and also there is a straight forward challenge on generating capt-cha from different group of images can improve a lot of user friendliness..the main challenging task we can face in future with the help of captcha we can improve more and more security by generating sequential passwords by captcha’s and finding the correct captcha’s from moving captcha’s so that everyone can make a commonsense ap-plied on solving different type of AI issues for Security challenge.

ISSN No: 2348-4845

International Journal & Magazine of Engineering,

A Peer Reviewed Open Access International Journal

Volume No: 2 (2015), Issue No: 9 (

September

)

September 2015

REFERENCES:

[1]R. Biddle, S. Chiasson, and P. C. van Oorschot, “Graphical passwords: Learning from the first twelve years,” ACM Comput. Surveys, vol. 44, no. 4, 2012.

[2](2012, Feb.). The Science Behind Passfaces [Online]. Available: http://www.realuser.com/published/Science-BehindPassfaces.pdf

[3]I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Ru -bin, “The design and analysis of graphical passwords,” in Proc. 8th USENIX Security Symp., 1999, pp. 1–15.

[4]H. Tao and C. Adams, “Pass-Go: A proposal to im -prove the usability of graphical passwords,” Int. J. Netw. Security, vol. 7, no. 2, pp. 273–292, 2008.

[5]S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, “PassPoints: Design and longitudinal evaluation of a graphical password system,” Int. J. HCI, vol. 63, pp. 102–127, Jul. 2005.

[6]P. C. van Oorschot and J. Thorpe, “On predictive mod -els and user-drawn graphical passwords,” ACM Trans. Inf. Syst. Security, vol. 10, no. 4, pp. 1–33, 2008.

[7]K. Golofit, “Click passwords under investigation,” in Proc. ESORICS, 2007, pp. 343–358.

[8]A. E. Dirik, N. Memon, and J.-C. Birget, “Model -ing user choice in the passpoints graphical password scheme,” in Proc. Symp. Usable Privacy Security, 2007, pp. 20–28.

[9]J. Thorpe and P. C. van Oorschot, “Human-seeded at -tacks and exploiting hot spots in graphical passwords,” in Proc. USENIX Security, 2007,

pp.103–118.

[10]P. C. van Oorschot, A. Salehi-Abari, and J. Thorpe, “Purely automated attacks on passpoints-style graphical passwords,” IEEE Trans. Inf. Forensics Security, vol. 5, no. 3, pp. 393–405, Sep. 2010.

[11]P. C. van Oorschot and J. Thorpe, “Exploiting pre -dictability in click-based graphical passwords,” J. Com -put. Security, vol. 19, no. 4, pp. 669–702, 2011.

[12]T. Wolverton. (2002, Mar. 26). Hackers Attack eBay Accounts [Online]. Available: http://www.zdnet.co.uk/

news/networking/2002/03/ 26/hackers-attack-ebay-ac

-counts-2107350/

[13]HP TippingPoint DVLabs, Vienna, Austria. (2010). Top Cyber Security Risks Report, SANS Institute and Qualys Research Labs [Online]. Available: http://dvlabs. tippingpoint.com/toprisks2010.

[14]B. Pinkas and T. Sander, “Securing passwords against dictionary attacks,” in Proc. ACM CCS, 2002, pp. 161– 170.

[15]P. C. van Oorschot and S. Stubblebine, “On counter -ing online dictionary attacks with login histories and hu-mans-in-the-loop,” ACM Trans. Inf. Syst. Security, vol. 9, no. 3, pp. 235–258, 2006.

[16]M. Alsaleh, M. Mannan, and P. C. van Oorschot, “Revisiting defenses against large-scale online password guessing attacks,” IEEE Trans. Dependable Secure Com-put., vol. 9, no. 1, pp. 128–141, Jan./Feb. 2012.

[17]L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, “CAPTCHA: Using hard AI problems for security,” in Proc. Eurocrypt, 2003,pp. 294–311.

[18]S. Chiasson, P. C. van Oorschot, and R. Biddle, “Graphical password authentication using cued click points,” in Proc. ESORICS, 2007,pp. 359–374.

[19]S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot, “Influencing users towards better passwords: Persuasive cued click-points,” in Proc. Brit. HCI Group Annu. Conf. People Comput., Culture, Creativity, Interac-tion, vol. 1. 2008, pp. 121–130.

[20]D. Davis, F. Monrose, and M. Reiter, “On user choice in graphical password schemes,” in Proc. USENIX Secu -rity, 2004, pp. 1–11.

[21]R. Dhamija and A. Perrig, “Déjà Vu: A user study us -ing images for authentication,” in Proc. 9th USENIX Se -curity, 2000, pp. 1–4.

(6)