Authentication is the first security mechanism that can be used to prevent unauthorized access to a system. The textual (text-based) password is the best-known authentication mechanism and has been used for many years. In this method, a user selects a combination of characters as his password, which he is required to memorize. However, to be secure, the chosen password must satisfy several requirements, such as a minimum of 8 characters, a mix of upper- and lower-case letters, digits and special characters, etc. This makes the password complex (e.g. "@bu*%183bDIK"), which makes it hard for an attacker to guess it (dictionary attack) or break it (brute-force attack). At the same time, such a complex password is equally hard for the user to memorize for later access, so users tend to write their long, random passwords down somewhere or choose easy passwords instead. Graphical passwords are an alternative authentication method that addresses the problem of remembering complex textual passwords. Here, several images represent the user's password rather than text. Later, on login, the user selects or reproduces the same images correctly to gain access. Since images are easier to remember than text, the selected images form a password that is complex yet easy for the user to remember. A further advantage of graphical passwords is that they prevent password theft by a keystroke logger, such as malicious software (a Trojan) installed by an attacker to capture text-based passwords. In general, there are three graphical password approaches: recognition-based, pure recall-based and cued recall-based.
In the recognition-based approach, the user can pick several images, such as icons or symbols, which he recently selected in user
In this paper, we introduce a new security primitive based on hard AI problems, namely a novel family of graphical password systems integrating Captcha technology, which we call CaRP (Captcha as gRaphical Passwords). CaRP is a click-based graphical password scheme, in which a sequence of clicks on an image is used to derive a password. Unlike other click-based graphical passwords, the images used in CaRP are Captcha challenges, and a new CaRP image is generated for every login attempt. The notion of CaRP is simple but generic, and CaRP can have multiple instantiations: in theory, any Captcha scheme relying on multiple-object classification can be converted to a CaRP scheme. We present exemplary CaRPs built on both text Captchas and image-recognition Captchas. One of them is a text CaRP in which a password is a sequence of characters like a text password, but is entered by clicking the right character sequence on CaRP images. CaRP offers protection against online dictionary attacks on passwords, which have long been a major security threat for online services; this threat is widespread and considered a top cyber-security risk. Defense against online dictionary attacks is a more subtle problem than it might appear. Intuitive countermeasures such as throttling logon attempts do not work well for two reasons:
Nowadays, advances in technology make it easier to break into many kinds of computer systems. We live in an era marked by technological advancement, and people have started using net banking and other critical services on their mobiles, tablets, etc. As a result, they are exposed to environments where adversaries can steal their passwords by various methods. Cyber-security is not a recent topic; there has been much research and many techniques have been implemented to achieve security, yet many people still face problems from cyber theft. We try to tackle and eventually eliminate issues such as shoulder surfing, smudge attacks, dictionary attacks and brute-force attacks. A graphical password works by having the user select from images, in a specific order, presented in a graphical user interface. For this reason it is also called graphical user authentication (GUA). It can be categorized in two ways
The general concept behind a token-based authentication system is simple: users enter their user name and password once to obtain a token, which then lets them fetch a specific resource without re-sending the user name and password. Once the token has been obtained, the user presents it to the remote site, and it grants access to a specific resource for a period of time. Method of Loci. It also uses a recall-based technique. IBA is based on a user's successful identification of his image password set. After the user name is sent to the authentication module, the module responds by displaying an image set consisting of images from the user's password set mixed with other images. The user is authenticated by correctly identifying the password images. The human brain is more adept at recalling a previously seen image than previously seen text.
ABSTRACT: The most common method used for authentication is textual passwords. Unfortunately, these passwords can be easily guessed or cracked. The next best technique is graphical passwords. Many graphical password schemes have been proposed in the last decade, but most of them suffer from shoulder surfing, which is also a big problem, and only a few proposed graphical password schemes are resistant to various attacks. In this paper an advanced authentication scheme is proposed for any transaction. The scheme authenticates the user by session passwords, which are passwords that are entered and used only once: once the session is terminated, the session password is no longer useful, and for every login the user inputs a different password. Session passwords provide better security against dictionary and brute-force attacks because the password changes for every session. We propose an advanced scalable shoulder-surfing-resistant graphical password authentication scheme, the AS3PAS method, which removes the drawback of the previous S3PAS method. The proposed scheme requires less time for the login process and uses coordinates of images to generate session passwords, which reduces storage space in the DB.
In paper, author T. R. Nagendran implemented a system in which the password is a selected block of the image called the view port, but this system failed to secure against hotspot attacks. In paper, authors N. López, M. Rodríguez, C. Fellegi and D. Long proposed a graphical authentication system in even-odd form, which is still unable to resist shoulder surfing. In paper, authors S. Man, D. Hong and M. Mathews proposed that the user should rate colors from 1 to 4 for the password, which he can remember as "RGBY"; but the interface is quite difficult for a normal user to understand. In paper, authors M. Shreelatha and M. Sashi proposed a methodology of session passwords that can be used only once, but this technique generates session passwords using text, which fails to resist shoulder surfing. In paper, authors Ushir Kishori Narhar and Ram B. Joshi proposed a methodology using a user name with a graphical password based on persuasive cued click points along with biometric authentication using the finger nail plate; but biometrics such as face and fingerprints can easily be recorded and potentially misused by biometrics experts without the user's consent. In paper, authors Neha Singh and Nikhil Bomanwar proposed a persuasive cued click point methodology which reduces the hotspot problem but provides no security mechanism against shoulder-surfing attacks. In paper, authors Hung-Min Sun, Shiuan-Tung Chen and Jyh-Haw Yeh proposed a system based on the PassMatrix authentication system, based on graphical passwords with a one-time valid login indicator; but this system does not resist shoulder-surfing attacks and is also vulnerable to smudge attacks.
An OTP (one-time password) is, as the name suggests, a password that is valid for only one login session or transaction with the system. OTPs remove a number of shortcomings associated with old, commonly used alphanumeric "static" passwords. The most important shortcoming that OTPs overcome is that, unlike static passwords, they are not vulnerable to replay attacks: even a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to reuse it, since it is no longer valid. On the other hand, OTPs are difficult for a person to remember for a long time, so they require supporting technology to work. How are OTP codes generated and distributed to the individual user? OTP generation and distribution algorithms generally make use of pseudo-randomness. This is necessary because otherwise it would be very easy to guess future OTPs by analysing and observing previous ones. Concrete OTP algorithms vary considerably in their workings.
Abstract- Since conventional password schemes are vulnerable to shoulder surfing, many shoulder-surfing-resistant graphical password schemes have been proposed. However, as most users are more familiar with textual passwords than pure graphical passwords, text-based graphical password schemes have also been proposed. Unfortunately, both the text-based and the graphical password schemes are not secure and efficient enough, and are not adopted. Textual passwords are the most common method used for authentication, but they are vulnerable to eavesdropping, dictionary attacks, social engineering and shoulder surfing. Graphical passwords were introduced as an alternative to textual passwords, but most graphical schemes are vulnerable to shoulder surfing. To address this problem, text can be combined with colors to generate secure passwords for authentication. Each user password can be used only once, and a new password is generated every time. In this paper, we propose an improved text-based shoulder-surfing-resistant graphical password scheme using a color PIN entry mechanism which is resistant to shoulder surfing. In the proposed scheme, the user can easily and efficiently log in to the system. This proposed work gives more security for the password against shoulder surfing and accidental login.
ABSTRACT: There are a large number of Internet users around the world. Our software applications deal with sensitive and private information which must be protected from misuse by malicious users and their attacks. Hence authentication is a very important technique by which the system can identify the type of user. Among the many authentication schemes available, password-based authentication is the most used, as it is cost-effective and secure. The classical PIN entry mechanism is widely used because of its ease of use and security, but it often leads to a shoulder-surfing attack, in which an attacker records the login session and retrieves the user's original PIN for later misuse. Based on the information available to the attacker, login methods can be categorized as fully observable and partially observable: in a fully observable attack the attacker can observe the entire login procedure, and in a partially observable attack the attacker can observe only part of the login session. The existing Color Pass methodology provides a one-time pass paradigm corresponding to four color PINs, in which the user receives four challenges and enters a response to each. It is easy to use and does not require any additional knowledge. However, this method has a drawback: the user uses headphones to receive the color values, and sometimes the headphones do not work properly or the user cannot hear clearly, which leads to poor understanding of the challenge values. Here 0-9 feature tables are generated, which increases the user's response time. To overcome this disadvantage, in the proposed Multi Color Pass system the color values are received via mobile phone. Instead of Feature
authentication method. Strong textual passwords are hard to memorize. To address the weakness of textual passwords, graphical passwords have been proposed. Click-based or pattern-based approaches are widely used techniques for mobile authentication systems. Both textual and graphical password schemes suffer from shoulder-surfing attacks: an attacker can directly observe the login, or use a video recorder or webcam, to collect password credentials. To overcome this problem, a shoulder-surfing-attack-resistant technique is proposed. This technique uses a pass-matrix in which more than one image is used to set the password. For every login session, the user needs to scroll circular horizontal and vertical bars. A password hint is provided to the user to select the desired image password grid. The horizontal and vertical scroll bars cover the entire scope of the pass-images, and the password hint and the scroll bars together are used for password selection. The proposed technique is implemented on the Android platform. The system's performance is measured in terms of memorability and usability of the password scheme with respect to the existing technique.
Authentication systems have changed over time. At first, password-based authentication was popular because of its simplicity of recall and its applicability among people (Shen et al., 2016). Because of that simplicity, valuable pieces of information or assets are protected by simple passwords, which causes insecurity for data owners. A password is exposed to many easy-to-run attacks such as phishing, social engineering or keylogging (Svogor and Kisasondi, 2012). Each password characteristic, such as password length, composition and selection, raises a different concern, and some designers take some or all of them into consideration to force users to choose a strong password (Shen et al., 2016). As a result, authentication systems gradually became more creative. For instance, on-the-fly password policy systems indicate the weakness or strength of a user-chosen password according to the password characteristics mentioned above.
5.2 Problems of Recall Based Methods:
The problem with grid-based methods is that during authentication the user must draw his/her password in the same grid cells and in the same sequence, and it is really hard to remember the exact coordinates on the grid. The problem with Passlogix is that the full password space is small; in addition, a user-chosen password might be easily guessable. The DAS scheme has several limitations: it is vulnerable to shoulder-surfing attacks if a user accesses the system in a public environment; there is still a risk that attackers gain access to the device if they obtain a copy of the stored secret; brute-force attacks can be launched by trying all possible combinations of grid coordinates; drawing a diagonal line and identifying a starting point in any oval-shaped figure using the DAS scheme can itself be a challenge for users; and finally, difficulties arise when the user chooses a drawing containing strokes that pass too close to a grid line, so the scheme may not be able to distinguish which cell the user is choosing.
cracked by malpractices such as online guessing attacks, online dictionary attacks and shoulder-surfing attacks. The security problem arises because passwords are expected to meet two requirements: 1) passwords should be easy and memorable, and 2) passwords should be secure, i.e. hard to guess. Users often end up ignoring these requirements, which leads to poor password practices. This problem has led to innovations to improve passwords.
Nowadays, authentication is one of the important fields in information security. A strong text-based password can provide a certain degree of security; however, strong passwords are difficult for users to memorize. Graphical authentication has been proposed as an alternative to text-based authentication, and many studies show that humans remember images better than text. In recent years, many networks, computer systems and Internet-based environments have used graphical authentication techniques, but these techniques have many limitations. CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. This paper presents a new technology called Captcha as gRaphical Password (CaRP), which combines CAPTCHA with a graphical password scheme. CaRP offers protection against dictionary attacks, relay attacks and shoulder-surfing attacks. With the rapid development of the Internet, the number of people online is also increasing tremendously, and the misuse and abuse of the Internet is growing at an alarming rate. Restriction of access is performed by introducing the concept of blacklisting IP addresses.
We propose a web-application-based security system. When a user interacts with a computing system to enter a secret password, shoulder-surfing attacks are of great concern, and this system overcomes the problem of shoulder surfing. A previous system proposed a methodology in which the user has to remember all the events performed, which limits the system's usability. Our novel approach enhances shoulder-surfing security with human interaction; indeed, it can break the well-known PIN entry method previously evaluated to be secure against shoulder surfing. To overcome the problem, we design a multi-color number panel. This interface provides the user with a higher level of security, since the shoulder surfer cannot follow the process the user undergoes. The color pattern in the number panel changes periodically, so that each user is provided with a different pattern.
A shoulder-surfing-resistant graphical password scheme: Man et al. proposed another shoulder-surfing-resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants, and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene as
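The following Python model of the Man et al. challenge-response is an added example, not code from the scheme's authors: the pass-object catalogue, variant codes and decoy names are constructed for illustration, and since the page's sentence is cut off, the entry order of the codes is assumed to follow the order in which the variants appear in the scene.

```python
import hmac
import secrets

# Constructed pass-object catalogue for this example. Each pass-object has
# several visual variants, and every variant carries its own unique code.
PASS_OBJECTS = {
    "cat":  {"cat_sitting": "3", "cat_running": "7", "cat_asleep": "1"},
    "tree": {"tree_oak": "5", "tree_pine": "9", "tree_palm": "2"},
    "car":  {"car_red": "8", "car_blue": "4", "car_van": "6"},
}
# Decoy objects appear in scenes but carry no code (constructed names).
DECOYS = ["dog_a", "dog_b", "house_a", "boat_a", "bike_a", "lamp_a", "fish_a"]

# variant name -> code, over all pass-objects of this user
CODE_OF = {v: code for variants in PASS_OBJECTS.values()
           for v, code in variants.items()}


def build_scene(rng=secrets.SystemRandom(), n_decoys=4):
    """One challenge scene: a randomly chosen variant of every pass-object,
    mixed with decoys and shuffled. A login consists of several such scenes,
    and each scene shows different variants, so the codes typed for one
    scene are not the right answer for the next."""
    items = [rng.choice(sorted(variants)) for variants in PASS_OBJECTS.values()]
    items += rng.sample(DECOYS, n_decoys)
    rng.shuffle(items)
    return items


def expected_response(scene):
    """Codes of the pass-object variants present in the scene. Assumed entry
    order (the page's sentence is cut off): the order of appearance."""
    return "".join(CODE_OF[item] for item in scene if item in CODE_OF)


def verify_scene(scene, typed):
    """Server side: constant-time compare of the typed string against the
    codes for the exact scene that was issued."""
    return hmac.compare_digest(expected_response(scene).encode(),
                               typed.encode())


def verify_login(scenes, typed_responses):
    """Every scene of the login must be answered correctly."""
    return len(scenes) == len(typed_responses) and all(
        verify_scene(s, t) for s, t in zip(scenes, typed_responses))


if __name__ == "__main__":
    scenes = [build_scene() for _ in range(3)]
    for s in scenes:
        print(s, "->", expected_response(s))
```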
Traditionally, picture-based password color coding systems employ password objects (pictures/icons/symbols) as input during an authentication session, thus making them vulnerable to “shoulder-surfing” attack because the visual interface by function is easily observed by others. Recent software-based approaches attempt to minimize this threat by requiring users to enter their passwords indirectly by performing certain mental tasks to derive the indirect password, thus concealing the user’s actual password. However, weaknesses in the positioning of distracter and password objects introduce usability and security issues. In this paper, a new method, which conceals information about the password objects as much as possible, is proposed. Besides concealing the password objects and the number of password objects, the proposed method allows both password and distracter objects to be used as the challenge set’s input. The correctly entered password appears to be random and can only be derived with the knowledge of the full set of password objects. Therefore, it would be difficult for a shoulder-surfing adversary to identify the user’s actual password. Simulation results indicate that the correct input object and its location are random for each challenge set, thus preventing frequency of occurrence analysis attack. User study results show that the proposed method is able to prevent shoulder-surfing attack.
chosen/identified images. The right OTP is associated with the correct images and is also a challenge from the server. On registration, a lock pattern is drawn and a set of four (4) images out of thirty (30) is chosen. During authentication, the user first draws the lock pattern, then selects the right images (two of the previously selected four) from the portfolio of images, and finally inputs the random number (i.e. the one-time password, if the right images are chosen) associated with the selected images. This is sent as the response to the server. This authentication improves the ability to recall the pattern and identify images more efficiently. Nevertheless, a reasonable number of pictures need to be stored on the server for improved security, which can be a bottleneck for the server.
In , an authentication scheme using text and colors for generating session passwords is proposed. A session password is a password that is used only once. Once the session is terminated, the session password is no longer useful, because for every login session users must enter a different password. Moreover, according to , the use of session passwords is very suitable for Personal Digital Assistants (PDAs) because it is resistant to shoulder-surfing attacks. Session passwords generated using grids and colors serve as an alternative authentication technique that reduces the drawbacks of textual password authentication. During the registration phase, the user submits a chosen password of minimum length 8, called the secret pass. The secret pass must contain an even number of characters, because the session passwords are generated from it. During the login phase, when the user enters his username, an interface consisting of alphabets and numbers in a 6x6 grid is displayed. The characters are randomly placed on the grid, and the interface changes every time the user wants to log in. Then, the user has to enter the password depending on his secret pass, considering the secret pass in terms of pairs. The
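An added Python example (not the paper's own code) of the grid-based session password described above: it enforces the registration rules (minimum 8 characters, even length), builds a fresh random 6x6 grid of letters and digits per login, and derives the one-time value the user must type. Because the page's description breaks off before the pair rule, the rule used here is an assumption: the row of the first character of each pair and the column of the second select the grid symbol to type.

```python
import hmac
import secrets
import string

# Symbols shown on the 6x6 login grid: 26 letters + 10 digits = 36 cells.
GRID_SYMBOLS = string.ascii_uppercase + string.digits
GRID_SIZE = 6


def validate_secret_pass(secret_pass):
    """Registration rules from the scheme: at least 8 characters and an even
    count, so the secret pass splits cleanly into pairs. Every character must
    also be a grid symbol, otherwise a pair could not be located at login."""
    if len(secret_pass) < 8:
        raise ValueError("secret pass must be at least 8 characters")
    if len(secret_pass) % 2:
        raise ValueError("secret pass must have an even number of characters")
    missing = sorted({c for c in secret_pass if c not in GRID_SYMBOLS})
    if missing:
        raise ValueError("characters not on the grid: %s" % "".join(missing))


def new_login_grid(rng=secrets.SystemRandom()):
    """Fresh 6x6 grid with the 36 symbols in random positions. A new grid is
    built for every login attempt, which is what makes each session password
    single-use: an observer who records the typed symbols learns which cells
    were used on this grid, not the secret pass behind them."""
    cells = list(GRID_SYMBOLS)
    rng.shuffle(cells)
    return [cells[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]


def locate(grid, ch):
    """Return (row, col) of a symbol on the grid."""
    for r, row in enumerate(grid):
        if ch in row:
            return r, row.index(ch)
    raise KeyError(ch)


def session_password(grid, secret_pass):
    """Derive the one-time session password for this grid.
    Assumed pair rule (not stated on this page): for each pair of the secret
    pass, take the row of the first character and the column of the second;
    the symbol at that intersection is what the user types."""
    validate_secret_pass(secret_pass)
    typed = []
    for i in range(0, len(secret_pass), 2):
        row, _ = locate(grid, secret_pass[i])
        _, col = locate(grid, secret_pass[i + 1])
        typed.append(grid[row][col])
    return "".join(typed)


def verify_login(grid, secret_pass, typed):
    """Server side: recompute the expected session password for the grid it
    issued and compare in constant time."""
    expected = session_password(grid, secret_pass)
    return hmac.compare_digest(expected.encode(), typed.encode())


if __name__ == "__main__":
    grid = new_login_grid()
    for row in grid:
        print(" ".join(row))
    secret = "AHMZ2X5C"  # constructed secret pass: 8 characters, even length
    print("type:", session_password(grid, secret))
```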
pictures/icons/symbols as input during an authentication session. The most common computer authentication method is an alphanumeric username and password, which has significant drawbacks: the visual interface is easily observed by others, making such systems vulnerable to "shoulder-surfing" attacks. When users input their passwords in a public place, they are at risk of attackers stealing their passwords; an attacker can capture a password by direct observation or by recording the individual's authentication session. This is referred to as shoulder surfing. Recent software-based approaches attempt to minimize this threat by requiring users to enter their passwords indirectly, by performing certain mental tasks to derive the indirect password, thus concealing the user's actual password. However, there are many situations where the user can still be exposed to some kind of shoulder-surfing attack, so we use graphical authentication as a solution.