The shoulder-surfing attack is an attack in which an adversary obtains the user's password by watching over the user's shoulder as the password is entered. As conventional password schemes are vulnerable to shoulder-surfing, Sobrado and Birget proposed three shoulder-surfing-resistant graphical password schemes. Since then, many graphical password schemes with different degrees of resistance to shoulder-surfing have been proposed, and each has its pros and cons. Seeing that most users are more familiar with textual passwords than pure graphical passwords.
Abstract- Since conventional password schemes are vulnerable to shoulder-surfing, many shoulder-surfing-resistant graphical password schemes have been proposed. However, as most users are more familiar with textual passwords than pure graphical passwords, text-based graphical password schemes have been proposed. Unfortunately, neither the text-based password schemes nor the graphical password schemes are secure and efficient enough, and they have not been adopted. Textual passwords are the most common method used for authentication, but they are vulnerable to eavesdropping, dictionary attacks, social engineering and shoulder-surfing. Graphical passwords were introduced as an alternative to textual passwords, but most graphical schemes are vulnerable to shoulder-surfing. To address this problem, text can be combined with colors to generate secure passwords for authentication. Each such password can be used only once, and a new password is generated every time. In this paper, we propose an improved text-based shoulder-surfing-resistant graphical password scheme using a color PIN entry mechanism that is resistant to shoulder-surfing. In the proposed scheme, the user can easily and efficiently log in to the system. This proposed work gives more security against shoulder-surfing and accidental login.
Textual passwords are the most common technique used for authentication. The weaknesses of this technique, such as eavesdropping, social engineering, dictionary attacks and shoulder-surfing, are well known. Unpredictable and long passwords can make the system protected; on the other hand, the main problem is the difficulty of memorizing those passwords. Studies have shown that users tend to choose short passwords that are easy to recall. Unfortunately, these passwords can be easily predicted or broken. Other techniques in use are graphical passwords and biometrics; however, these methods have their own drawbacks. Biometric techniques such as facial recognition and fingerprints have been offered but are not yet generally adopted. The main disadvantage of this method is that such systems can be expensive and slow. Numerous graphical password methods have been proposed in past years; however, most of them suffer from the shoulder-surfing attack, which is becoming a relatively large problem. Some graphical password patterns are resistant to shoulder-surfing but have their own weaknesses, such as usability problems, a long login time, or tolerance levels. The shoulder-surfing attack is an attack that can be performed by an adversary to obtain the user's password by watching over the user's shoulder as he enters his password. Since then, many graphical password methods with different degrees of resistance to shoulder-surfing have been proposed, and each has its pros and cons. As conventional password schemes are vulnerable to shoulder-surfing, Sobrado and Birget proposed three shoulder-surfing-resistant graphical password methods. Because most users use text-based rather than graphical passwords, Zhao et al. proposed S3PAS, a text-based shoulder-surfing-resistant graphical password method.
In S3PAS, the user has to combine his textual password on the login screen to obtain the session password, but the login procedure of Zhao et al.'s method is hard and tedious. Since then, a number of text-based shoulder-surfing-resistant graphical password methods have been proposed. Unfortunately, none of the existing text-based shoulder-surfing-resistant graphical password schemes is both secure and efficient enough. In this paper, we suggest a better text-based shoulder-surfing-resistant graphical password scheme using colors and sessions. The process of the proposed method is simple and easy to learn for users familiar with text-based passwords. The user can easily and efficiently log in to the system without using any physical keyboard.
Password-based authentication schemes have been the most commonly used on smart devices when compared to other authentication schemes. The lower complexity in implementation, computation, processing requirements and so forth has led to the use of password-based authentication systems. Again, text-based passwords are more commonly used than other existing authentication systems. However, various vulnerabilities have been discovered by cryptanalysts in text-based systems, such as brute-force attacks, guessing attacks, dictionary attacks, social engineering attacks, etc. On smartphones, the tiny screen size imposes additional constraints such as limited password length and the need for simpler authentication systems to keep performance acceptable. Moreover, the small on-screen keyboard makes typing inefficient and less precise. Consequently, users tend to use shorter passwords, which makes the system even more vulnerable. Since the size of smart devices is getting smaller and smaller, some authentication systems cannot be implemented on them due to their size.
1. Advanced Scalable Shoulder-Surfing-Resistant Graphical Password Authentication Scheme (AS3PAS): In the proposed system the user has to create his own region in AS3PAS; the smaller the region, the higher the security. During the registration process the user is provided with a complicated image, and he has to click on the image three times, creating a triangular region.
Haichang proposed a new shoulder-surfing-resistant scheme in which the user is required to draw a curve across their password images in order rather than clicking on them directly. This graphical scheme combines the DAS and Story schemes to provide authenticity to the user.
The shoulder-surfing problem is an attack in which the intruder observes passwords, PINs or other protected information by watching the owner or victim over his/her shoulder, or through spying devices such as binoculars and video cameras, while the password is being used on the computer or at the terminal for authentication. The main aim of the intruder in this attack is to use the observed credentials for illicit transactions in order to impersonate the real owner (the victim) afterwards. The root cause of this drawback is the fact that users enter their secrets directly into some poorly designed user interface in a way that makes it easy for an intruder to learn the secret via observation. To surmount this problem during authentication, a number of shoulder-surfing-resistant techniques have been proposed as solutions to protect the user's secret from being observed for illicit usage. To protect recall-based graphical password systems such as Draw-A-Secret (DAS) and Background Draw-A-Secret from shoulder-surfing, three techniques were proposed: decoy strokes defense, disappearing strokes, and line snaking. These techniques are used during the login procedure as a means of distracting the shoulder surfer from capturing the correct password drawn by the user. The decoy strokes defense technique allows the user to draw many passwords, of which only one is the authentic user's password. In the disappearing strokes defense, the user's stroke is removed from the screen after it has been drawn; the idea is to make it difficult for the attacker to commit the image to memory. The line snaking technique is based on the disappearing strokes solution but was intended to leave the vital
There has been a lot of research on password-based authentication in the literature. Among all of these proposed schemes, this paper focuses mainly on graphical-based authentication systems combined with virtual keyboard shuffling: the keys are hidden and shuffled after a password key is pressed, using the Fisher-Yates shuffling algorithm. We introduce these concepts to avoid shoulder-surfing and key logger attacks. The user needs to choose an image. After the image is accepted and split into a 7*11 matrix, the user specifies the cell to set as the password. After the cell is selected as the password, a login indicator is generated based on the selected cell. At the initial stage the user needs to create an account with a username. To avoid key logger attacks while typing the username and other authentication data, the keys are shuffled using the above-mentioned algorithm.
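As an added illustration of the shuffled virtual keyboard outlined above (example code written for this page, not the scheme's own implementation), the block below re-shuffles the key order with Fisher-Yates after every key press and shows why positions recorded by a key logger or an observer do not decode to the password without the layouts that were on screen. The key set, the one-layout-per-tap policy and the use of the `secrets` module as the random source are assumptions; the page names the algorithm but not its random source.

```python
import secrets

# Constructed key set for the on-screen keyboard; the page fixes no particular one.
KEYS = list("abcdefghijklmnopqrstuvwxyz0123456789")


def fisher_yates_shuffle(items, rng=secrets):
    """Return a new list holding `items` in Fisher-Yates-permuted order.

    `rng` only needs a randbelow(n) method.  A predictable source (e.g. a
    seeded PRNG) would let an observer reconstruct the layout, so the default
    is the CSPRNG-backed `secrets` module (an assumption, not from the page).
    """
    out = list(items)
    for i in range(len(out) - 1, 0, -1):
        j = rng.randbelow(i + 1)          # uniform in [0, i]
        out[i], out[j] = out[j], out[i]
    return out


def new_layout(rng=secrets):
    """One fresh key order, i.e. the position -> character map for a single tap."""
    return fisher_yates_shuffle(KEYS, rng)


def positions_for(password, layouts):
    """Client side: the slot the user taps for the k-th character, given the k-th layout."""
    return [layouts[k].index(ch) for k, ch in enumerate(password)]


def chars_for(positions, layouts):
    """Server side: map tapped slots back to characters with the layouts it issued."""
    return "".join(layouts[k][p] for k, p in enumerate(positions))


def login_session(password, rng=secrets):
    """Simulate one login where the keyboard is re-shuffled after every key press.

    Returns the tap positions (what a key logger or shoulder surfer could
    record) and the per-tap layouts (known only to the screen and the server).
    """
    layouts = [new_layout(rng) for _ in password]
    return positions_for(password, layouts), layouts


def replay_taps(taps, other_layouts):
    """Decode recorded tap positions against a *different* session's layouts.

    Positions alone carry no character information; without the layouts that
    were on screen at the time, the replay yields unrelated characters.
    """
    return chars_for(taps, other_layouts)


if __name__ == "__main__":
    taps, layouts = login_session("s3cret")
    print("tapped slots:", taps)
    print("server decodes:", chars_for(taps, layouts))
    _, later = login_session("s3cret")
    print("same slots replayed next session:", replay_taps(taps, later))
```

The shuffle only helps if the layout itself is not exposed to the same logger that captures the taps, and if the random source cannot be predicted.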
The vulnerabilities of the textual password are well known. Users tend to pick short passwords or passwords that are easy to remember, which makes the passwords vulnerable for attackers to break. Furthermore, textual passwords are vulnerable to shoulder-surfing, hidden-camera and spyware attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder-surfing. In this paper, we propose a Scalable Shoulder-Surfing-Resistant Textual-Graphical Password Authentication Scheme (S3PAS). S3PAS seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder-surfing, hidden-camera and spyware attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles. Moreover, it is immune to brute-force attacks through dynamic and volatile session passwords. S3PAS shows significant potential for bridging the gap between conventional textual passwords and graphical passwords. Further enhancements of the S3PAS scheme are proposed and briefly discussed. A theoretical analysis of the security level of S3PAS is also presented.
resistant graphical password scheme, TI-IBA, in which icons are presented not only spatially but also temporally. TI-IBA is less constrained by the screen size and makes it easier for the user to find his pass-icons. Unfortunately, TI-IBA's resistance to accidental login is not strong, and it may be difficult for some users to find their pass-icons displayed temporally on the login screen. As most users are familiar with textual passwords and conventional textual password authentication schemes have no shoulder-surfing resistance, Zhao et al., in 2007, proposed a text-based shoulder-surfing-resistant graphical password scheme, S3PAS, in which the user has to find his textual password and then follow a special rule to mix his textual password to get a session password to log in to the system. However, the login process of Zhao et al.'s scheme is complex and tedious.
The most general technique used for authentication is the text-based password. It is exposed to well-known attacks like eavesdropping, social engineering, dictionary attacks and shoulder-surfing. Unpredictable and lengthy passwords can make the system secure; on the other hand, this creates the problem of memorizing those passwords. Studies have shown that end users tend to choose short passwords or passwords that are easy to recall. Unfortunately, these passwords can be easily cracked. Different types of methods exist today, like graphical passwords and biometrics, each with some disadvantages. Biometric techniques such as fingerprints and facial recognition have been offered but are not yet commonly adopted. The main disadvantage of this method is that such systems can be expensive and the overall identification procedure can be slow. A number of graphical password methods have been proposed in past years; however, most methods suffer from the shoulder-surfing attack, which is becoming a big problem. Graphical password patterns that are resistant to shoulder-surfing have been proposed, but they have their own limitations, like usability problems or a long login time. The shoulder-surfing attack is an attack that can be performed by an adversary to obtain the user's password by watching over the user's shoulder as he enters his password. In recent years numerous hybrid graphical password methods with different degrees of resistance to shoulder-surfing have been proposed, and each has its pros and cons. As conventional password schemes are vulnerable to shoulder-surfing, Sobrado and Birget proposed three shoulder-surfing-resistant graphical password methods.
ABSTRACT: A lot of security primitives depend on hard problems that are formulated mathematically. Using hard AI problems for security has become a new security paradigm, but it has not been explored well. In our study we define Captcha as graphical password (CaRP), a graphical password system built on Captcha technology and on hard AI problems, and present it as a new security primitive. CaRP is a combination of Captcha and graphical password. CaRP addresses multiple security issues, such as the shoulder-surfing attack (if combined with dual-view technology), the relay attack and the online guessing attack. CaRP alone is not sufficient to prevent all security problems; hence this paper surveys the various security measures for secure password schemes and gives a clear picture of the efficiency of the different techniques. For improving online security, a highly secure password that offers usability and reasonable security appears to suit practical applications well.
Textual passwords are the most common method used for authentication, but they are vulnerable to eavesdropping, dictionary attacks, social engineering and shoulder-surfing. Graphical passwords were introduced as an alternative to textual passwords, but most graphical schemes are vulnerable to shoulder-surfing. To address this problem, text can be combined with images or colors to generate session passwords for authentication. Session passwords can be used only once, and a new password is generated every time. In this paper, a technique is proposed to generate session passwords using colors that are resistant to shoulder-surfing. This method is suitable for Personal Digital Assistants.
Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated by psychological studies supporting the fact that humans can remember pictures better than text. Pictures are generally easier to remember or recognize than text. Input devices such as the mouse, stylus and touch screen make graphical user techniques possible. Graphical passwords are applied to workstations, web login applications, ATM machines and mobile devices. Shoulder-surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder-surfing is effective in public places because standing near someone and watching them enter a PIN at an ATM machine is very easy. This attack is also possible at long distance using binoculars or vision-enhancing devices like miniature closed-circuit cameras.
We have proposed CaRP, a new security primitive relying on unsolved hard AI problems. CaRP is both a Captcha and a graphical password scheme. The notion of CaRP introduces a new family of graphical passwords, which adopts a new approach to counter online guessing attacks: a new CaRP image, which is also a Captcha challenge, is used for every login attempt to make the trials of an online guessing attack computationally independent of each other. A password of CaRP can be found only probabilistically by automatic online guessing attacks including brute-force attacks, a desired security property that other graphical password schemes lack. Hotspots in CaRP images can no longer be exploited to mount automatic online guessing attacks, an inherent vulnerability in many graphical password systems. CaRP forces adversaries to resort to significantly less efficient and much more costly human-based attacks. In addition to offering protection from online guessing attacks, CaRP is also resistant to Captcha relay attacks and, if combined with dual-view technologies, shoulder-surfing attacks. CaRP can also help reduce spam emails sent from a Web email service. Our usability study of the two CaRP schemes we have implemented is encouraging. For example, more participants considered Animal Grid and Click Text easier to use than PassPoints and a combination of text password and Captcha. Both Animal Grid and Click Text had better password memorability than conventional text passwords. On the other hand, the usability of CaRP can be further improved by using images of different levels of difficulty based on the login history of the user and the machine used to log in. The optimal tradeoff between security and usability remains an open question for CaRP, and further studies are needed to refine CaRP for actual deployments.
In the registration phase, the user has to register by giving his information such as user ID, user name, password, valid e-mail ID, etc. After giving this information, three images are randomly assigned to the user, and in those images he has to select the coordinate squares.
Abstract— Text-based passwords, despite their well-known drawbacks, remain the dominant user authentication scheme in use. Graphical password systems, based on visual information such as the recognition of photographs and/or pictures, have emerged as a promising alternative to the heavy reliance on text passwords. Nevertheless, despite the advantages they offer, they have not been widely used in practice since many open issues need to be resolved. In this paper we propose a novel graphical password scheme, NAVI, where the credentials of the user are his username and a password formulated by drawing a route on a predefined map. We analyze the strength of the password generated by this scheme and present a prototype implementation in order to illustrate the feasibility of our proposal. Finally, we discuss NAVI's security features and compare it with existing graphical password schemes as well as text-based passwords in terms of key security features, such as password keyspace, dictionary attacks and guessing attacks. The proposed scheme appears to have the same or better performance in the majority of the security features examined.
However, if a user chooses his own password he will choose an easy-to-remember password rather than a random one. Let us assume that the user chooses a word from the English language. The exact number of English words is nearly impossible to define accurately, and it is equally hard to estimate the number of words an individual can remember. However, it is hard to argue that a human will be capable of memorizing and using more than 200,000 words, even in an over-optimistic scenario where the end user is a genius. In this case the attacker has a 1/200,000 chance that any single guess matches the given password. An attacker who has some additional information about his target can launch a more targeted guessing attack consisting of words like the target's name, maiden name, city of birth, country, city and address of residence, etc.
Once the user has logged out from that session, the password entered the earlier time is lost. When the user logs in the next time he has to proceed as before, but this time the keyboard generated for entering his password is shuffled, and hence the combination for the word 'suraj' is also changed. This provides security from the dictionary attack, the shoulder-surfing attack and some possible network attacks. In this way, we successfully perform the mechanism of AAA – Authentication, Authorization and Access in our implemented software application for online banking, where security is the foremost requirement.