Safe validation of shoulder surfing using the concept of secret password with PassMatrix





Suguna M K, Assistant Professor, Dept. of ISE & Mohamadi Ghousiya Kousar, Assistant Professor, Dept. of CSE

Sir M Visvesvaraya Institute of Technology, Bangalore,India


Information and computer security rests largely on passwords, which are the principal part of the authentication process. Picture-based password systems use pictures, icons or symbols as input during an authentication session. The most common computer authentication method is still an alphanumeric username and password, which has significant drawbacks: because its visual interface is by nature easily observed by others, it is vulnerable to the "shoulder-surfing" attack. When users enter their passwords in a public place, an attacker may capture the password by direct observation or by recording the authentication session; this is what is meant by shoulder surfing. Recent software-based approaches try to reduce this threat by having users enter their passwords indirectly, performing a mental task that derives an indirect password and so conceals the actual one. However, there remain many situations in which the user is still exposed to shoulder surfing. This paper therefore proposes graphical authentication as a solution.

Keywords: Authentication Scheme, Graphical Password, Graphical Authentication, Passwords, Password Attacks, Shoulder Surfing.


Current authentication systems suffer from many weaknesses. Text-based passwords are the most common way to secure access to protected resources, and their limitations are well known. For example, a secure text-based password must be random and must combine uppercase, lowercase, digit and special characters [2]. Secure passwords of this kind are hard to remember, so users tend to choose weak text-based passwords that are short and easy to recall. This weakens the password and makes it easy for an adversary to guess [2]. Applications and input devices such as the mouse, stylus and touch-screen have made graphical user authentication techniques possible, but most of these are vulnerable to shoulder surfing as well. Picture-based password systems are generally categorized into draw-metric, loci-metric and search-metric systems. Draw-metric systems require users to draw a previously determined pattern on a canvas in order to log in. Loci-metric systems require users to select previously determined points in an image in order to access the system [3].

In this paper, a picture-based password scheme built on concealing as much information about the password images as possible is proposed, in order to resist the shoulder-surfing attack without adding extra complexity to the authentication procedure [2].



All Rights Reserved © 2019 IJARCET


as typing from their keyboard or clicking on the pass-images or pass-points in public may reveal their passwords to people with bad intention.

The existing system is vulnerable to three types of shoulder-surfing attack:

Type-I: Naked eyes.

Type-II: A video recording captures the entire authentication process once.

Type-III: Video recordings capture the entire authentication process more than once.

Shoulder-surfing attacks have therefore increased, and the problems to be addressed are:

- how the login operation can be performed securely in public;

- how the password space can be increased compared with traditional passwords;

- how to avoid burdening the user with extra material to memorize at authentication time;

- how to cope with devices that restrict the usability of login.

The existing schemes also suffer from:

- the security weakness of the traditional PIN method;

- the ease with which observers in public can obtain passwords;

- compatibility issues across devices.

We introduce a graphical authentication system called PassMatrix. In PassMatrix, a password consists of exactly one pass-square per pass-image, over a sequence of n images; the number of images n is user-defined. Users thus choose one square in each of n images, rather than n points in a single image as in the PassPoints scheme.

There are two phases in the proposed method: Registration Phase and Authentication Phase.

Registration phase:

In the registration phase the user registers by supplying details such as user ID, user name, password and a valid e-mail address. Three images are then assigned to the user at random, and in each image the user selects one coordinate square as the graphical password. The coordinates selected in all images are stored in the database against that user.

Once the coordinates of the images have been set, the coordinates of all three images are concatenated, a hash of the concatenation is generated, and the hash is stored in the database against the user.


Authentication Phase:





According to its authors [paper no], the estimated visibility of IllusionPIN was tested in a user study of simulated shoulder-surfing attacks on smartphone devices. In total, 84 attacks were performed by 21 different people, and none of the attacks succeeded [1].

The authors of the International Journal of Advanced Research in Computer and Communication Engineering (IJARCCE) paper tested with 50 users attempting to guess another user's password; the results are shown in the tables below [4].

When the accuracy of the PassMatrix scheme was tested, both phases showed an extremely high success rate [4].

According to the authors of the paper in The Scientific World Journal, a time analysis was made over 10 login attempts. The figure below shows the mean times of ten successful login attempts. The chart indicates that, over the ten successful login attempts, the login time for the participants decreased significantly as they gained experience with the system [3].


Weak passwords are a threat to any application or system. This paper provides an efficient method of authentication that resists shoulder surfing, and in which the user can easily complete the registration and login processes.

Traditional textual passwords and PIN-based methods can be cracked easily through shoulder surfing. The process described here is based on the graphical authentication scheme PassMatrix. It uses a one-time login indicator with which the user points to the location of the pass-square without directly clicking or touching it, so the pass-square itself is never revealed to an observer of the login.
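The following Python example is added here and is not part of the paper or of any PassMatrix implementation. It simulates the two phases described above: registration stores one pass-square per image as a salted hash of the concatenated coordinates, and authentication lets the user align a one-time indicator with the pass-square by shifting a horizontal and a vertical bar, so that only bar offsets are ever typed or tapped. The 7x11 grid, the bar labels, the indicator mechanism and all function names are assumptions (the indicator and bar mechanism follows the published PassMatrix design but is not described on this page); the sample pass-squares are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Assumed layout (not given on this page): each pass-image is split into a
# COLS x ROWS grid of squares; the horizontal bar carries one letter per
# column and the vertical bar one number per row.
COLS, ROWS = 7, 11
COL_LABELS = "ABCDEFG"
ROW_LABELS = [str(i) for i in range(1, ROWS + 1)]


def _encode(pass_squares):
    # Concatenate the (image, column, row) tuples of all pass-images.
    return "|".join(f"{img}:{c},{r}" for img, c, r in pass_squares).encode()


def hash_squares(pass_squares, salt, iterations=100_000):
    # Salted, iterated hash of the concatenated coordinates.
    return hashlib.pbkdf2_hmac("sha256", _encode(pass_squares), salt, iterations)


def register(pass_squares):
    """Registration: keep the image sequence, a random salt and the hash,
    but not the raw coordinates."""
    salt = os.urandom(16)
    return {
        "images": [img for img, _, _ in pass_squares],
        "salt": salt,
        "digest": hash_squares(pass_squares, salt),
    }


def new_indicator():
    # One-time login indicator for one image, shown only to the user.
    return secrets.choice(COL_LABELS), secrets.choice(ROW_LABELS)


def user_response(indicator, square):
    """Client side: how far the user shifts each bar so that the indicator
    letter sits under the pass-square's column and the indicator number
    beside its row. Only these two offsets are visible to an observer."""
    col_label, row_label = indicator
    c, r = square
    return ((c - COL_LABELS.index(col_label)) % COLS,
            (r - ROW_LABELS.index(row_label)) % ROWS)


def square_from_response(indicator, h_offset, v_offset):
    """Server side: reconstruct the square the indicator was aligned with."""
    col_label, row_label = indicator
    return ((COL_LABELS.index(col_label) + h_offset) % COLS,
            (ROW_LABELS.index(row_label) + v_offset) % ROWS)


def authenticate(record, indicators, responses):
    """Rebuild the claimed squares from the indicators issued for this login
    and the offsets returned, then compare the hash in constant time."""
    if not (len(indicators) == len(responses) == len(record["images"])):
        return False
    squares = [
        (img,) + square_from_response(ind, h, v)
        for img, ind, (h, v) in zip(record["images"], indicators, responses)
    ]
    return hmac.compare_digest(hash_squares(squares, record["salt"]),
                               record["digest"])


def demo():
    # Constructed sample: one pass-square in each of three assigned images.
    chosen = [("img1", 2, 5), ("img2", 0, 0), ("img3", 6, 10)]
    record = register(chosen)
    indicators = [new_indicator() for _ in chosen]
    responses = [user_response(ind, (c, r))
                 for ind, (_, c, r) in zip(indicators, chosen)]
    return authenticate(record, indicators, responses)


if __name__ == "__main__":
    print("login ok" if demo() else "login rejected")
```

From the observer's point of view the submitted offsets are uniformly random as long as the indicator stays private, so a naked-eye or single-video attacker learns nothing about the pass-square from one login; if the indicator is ever captured together with the offsets, the square is recovered directly. Two further points for anyone implementing the registration phase as described: storing the raw coordinates in the database alongside the hash defeats the purpose of hashing, and the password space for three images on a 7x11 grid is only 77^3, about 456,000 combinations, so a salted, iterated hash is needed to slow offline guessing of a stolen digest.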



[2] Arash Habibi Lashkari, Samaneh Farmand, Omar Bin Zakaria and Rosli Saleh, "Shoulder Surfing attack in graphical password authentication", IJCSIS, 2009.

[3] Peng Foong Ho, Yvonne Hwei-Syn Kam, Mee Chin Wee, Yu Nam Chong and Lip Yee Por, "Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects' Information", The Scientific World Journal, 2014.

[4] Harsha Mathur and Vijay Lokhande, "Improved Pass-Matrix for Graphical Authentication", IJARCCE, February 2017.