The alphanumeric password has been part of the authentication process for a very long time. The most common computer authentication method is for a user to submit a user name and a text password. One of the main problems is the difficulty of remembering passwords. Studies have shown that users tend to pick short passwords or passwords that are easy to remember. Unfortunately, these passwords can also be easily guessed or broken. However, this simple and ubiquitous technology has some well-known usability problems, especially in terms of memorability. The human ability to remember pictures better than text has been well documented in numerous cognitive and psychological studies. As a result, much research has been inspired in both the security and Human-Computer Interaction communities in recent years to explore graphical authentication systems as an alternative or an enhancement to text passwords. As the name implies, graphical authentication uses graphics (pictures, icons, faces etc.) instead of the commonly used text strings.
The vulnerabilities of the textual password have been well known. Users tend to pick short passwords or passwords that are easy to remember, which makes the passwords vulnerable for attackers to break. Furthermore, the textual password is vulnerable to shoulder-surfing, hidden-camera and spyware attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder-surfing. In this paper, we propose a Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme (S3PAS). S3PAS seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder-surfing, hidden-camera and spyware attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles. Moreover, it is immune to brute-force attacks through dynamic and volatile session passwords. S3PAS shows significant potential for bridging the gap between conventional textual passwords and graphical passwords. Further enhancements of the S3PAS scheme are proposed and briefly discussed. Theoretical analysis of the security level using S3PAS is also investigated.
In 2014, S. Sheen et al. also proposed a text-based shoulder-surfing resistant graphical password scheme by using colors. Clearly, as the user has to additionally memorize the order of several colors, the memory burden of the user is high. In the same year, Kim et al. proposed a text-based shoulder-surfing resistant graphical password scheme, and employed an analysis method for accidental login resistance and shoulder-surfing resistance to analyze the security of their scheme. Unfortunately, the resistance of Kim et al.’s scheme to accidental login is not satisfactory. In 2006, Welly. proposed a text-based shoulder-surfing resistant graphical password scheme, PPC. To log in to the system, the user has to mix his textual password to produce several pass-pairs, and then follow four predefined rules to get his session password on the login screen. However, the login process of PPC is too complicated and tedious. Mathews et al. proposed PassPoints, in which the user picks several points (3 to 5) in an image during the password creation phase and re-enters each of these pre-selected click-points in the correct order within its tolerance square during the login phase. Compared to traditional PINs and textual passwords, the PassPoints scheme substantially increases the password space and enhances password memorability.
The textual password has been the most generally used authentication technique for a considerable length of time. Comprised of numbers and upper- and lower-case letters, textual passwords are considered strong enough to resist brute force attacks. However, a strong textual password is difficult to retain and remember. Consequently, users tend to pick passwords that are either short or from the dictionary, as opposed to arbitrary alphanumeric strings. Worse still, it is not uncommon for users to use just a single username and password for different accounts. According to an article in Computerworld, a security group in a large organization ran a system password cracker and, shockingly, cracked around 80% of the employees' passwords in 30 seconds. Textual passwords are often insecure because of the difficulty of maintaining strong ones.
combinations of bits, and would have no way of differentiating one from another. A very small, i.e. 100-byte, one-time-password encoded string considered for a brute force attack would literally reveal every 100-byte string possible, including the actual OTP as an answer, but with the least probability. Here the analysis of one-time password algorithms for secure transactions over the network available today, based on mobile authentication or email authentication, is completed, and the possible attacks on one-time password algorithms have also been studied. In the existing one-time password (OTP) algorithm, a Java Mobile MIDlet is the client application, and we further assume that the client application runs on the client’s mobile phone, which is able to receive one-time passwords during login requests. A MIDlet is a Java-based application that makes use of the Mobile Information Device Profile (MIDP) of the technology called Connected Limited Device Configuration (CLDC) for the Java Mobile Environment (ME). Typical applications using MIDlets include games running on mobile devices or other handheld devices and cell phones which have small graphical displays, simple numeric or alphanumeric keypad interfaces and limited but allowable network access over HTTP. The whole design resembles the two prime protocols used by the Java system. Initially, the user has to download the client (Java MIDlet) to his mobile phone or other handheld device. Then the client application can execute a request to register with both the server and the service provider utilizing the server system for generating OTPs and user authentication. After successful execution of the user activation request, the user can run the authentication request in future an unlimited number of times.
Abstract: In today's modern world, securing the organization’s data has become a major concern. To provide security, the most widely recognized authentication methods are credentials, OTP, LTP etc. These methods are more prone to Brute Force Attack, Shoulder-Surfing Attack, and Dictionary Attack. Shoulder-Surfing Attack (SSA) is a data theft approach used to obtain personal identification numbers or passwords by looking over the user's shoulder or by using external recording devices and video capturing devices. Since SSA occurs in a benevolent way, it goes unnoticed most of the time. It is one of the simple and easy methods for hackers to steal one's sensitive information. The hacker simply has to peek in while the user types in the password, without much effort involved. Therefore, this phenomenon is widely unknown to people all over the world. Textual passwords are a ubiquitous part of the digital age. Web applications and mobile applications demand a strong password with at least one capital letter and a special letter. People tend to choose easy passwords in order to remember them, which can be easily shoulder surfed. To overcome this, graphical password techniques are used to provide a more secure password. In the graphical authentication system, the users click on target images from a challenge set for authentication. Various graphical systems have been proposed over the years which are shown to be more secure when compared to other authentication systems. In this paper, a shoulder-surfing resistant graphical authentication system is implemented using the honeypot concept.
Graphical passwords were introduced to overcome the attacks faced by textual passwords, mostly shoulder-surfing, key logging etc. Various graphical password schemes have been introduced by many authors. In such a scheme the user has to enter the username. After that the graphical objects are displayed on the screen. Depending on the scheme, the user has to place images, which were preselected by the user during registration, from a random order into the correct order. The user has to select the objects using a mouse, touch pad or touch screen. Signatures can also be used for authentication, but if even a slight change is found the authentication is stopped. Though the system is secure compared to textual passwords, it has many disadvantages. The user is verified or authenticated only when the proper sketch is drawn. Extra sensitive key pads are required for such a scheme. Also, the time required in the authentication process is longer. Graphical password authentication techniques are as follows:
authentication method. Strong textual passwords are hard to memorize. To address the weakness of textual passwords, graphical passwords are proposed. Click-based or pattern-based approaches are widely used techniques for mobile authentication systems. Such textual and graphical password schemes suffer from shoulder-surfing attacks. An attacker can directly observe the user or can use a video recorder or webcam to collect password credentials. To overcome the problem, a shoulder-surfing attack resistant technique is proposed. This technique contains a pass-matrix. More than one image is used to set the password. For every login session, the user needs to scroll circulatory horizontal and vertical bars. A password hint is provided to the user to select the desired image password grid. The horizontal and vertical scroll bars cover the entire scope of the pass-images. For password selection, the password hint and the horizontal and vertical scroll bars are used. The proposed technique is implemented on the Android platform. The system performance is measured using the memorability and usability of the password scheme with respect to the existing technique.
system is more prone to shoulder-surfing than the graphical password system. As the drawing is being entered on the screen, an attacker needs to see the login process just once to get the password, and recall is not always a difficult task, depending on memory prompts or cues. Passwords based on recognition-based techniques are remembered over a longer period of time. The system discussed in this paper is more resistant to shoulder-surfing and more efficient than the algorithm of Jansen et al., which is based on the correct sequence of clicks on the thumbnail images. The proposed system introduces a key, which would be difficult for an attacker to notice along with the correct click. The system discussed here is less confusing than the system used by Sobrado and Birget for avoiding shoulder-surfing, as that system contains thousands of pass-objects on the screen, out of which the user has to select some objects that were selected during the registration phase. Therefore, the introduction of a key stroke along with the click provides better protection against shoulder-surfing as compared with other algorithms. The formal specification of the working of the proposed system is shown in Algorithm 1. The algorithm considers that the user has to click on 5 images (image1, image2, image3, image4 and image7) out of n images. Moreover, the user also enters an additional textual key along with the click on image1.
Zhao and Li proposed a Textual-Graphical Password Authentication scheme (S3PAS) to resist shoulder-surfing attacks. This scheme combines the advantages of both textual and graphical passwords and is resistant to shoulder-surfing, spyware and hidden-camera attacks. At the time of registration, the user has to select a string k as the original textual password. Password length may vary in different environments and for different security requirements. During login, the user has to find the original password in the login image and then click inside the invisible triangles, called “passtriangles”, created by the original password.
Starting from 1999, different graphical password schemes have been proposed as options or alternatives to simple and easy text-based password authentication. This paper provides an analytical and comprehensive overview of published research work in this domain, covering both security aspects and usability, along with system evaluation. This survey first documents the existing approaches, highlighting the innovative new features of the individual styles and identifying the key security advantages or usability benefits. This paper takes into account the usability parameters for knowledge-based authentication as applied to pictorial passwords, identifies the security issues that these techniques must address, discusses technical problems concerned with performance evaluation, and identifies research areas for further improvement and study. With text-based passwords or credentials, users resort to insecure coping techniques, such as using the exact same password for different transactional accounts to avoid having to memorize different passwords for their different accounts; the resulting change in security level cannot be addressed by the basic technical security of the system alone. The major problems that actually have a significant impact in real life concern the usability of the system. GUI (Graphical User Interface) design strategies and approaches may intentionally or unintentionally sway users’ behavior towards less secure transactional behaviors. Thus the most powerful secure systems must impose GUI-related constraints based on the necessary research work, including the shortcomings and capabilities of the targeted users.
In pictorial passwords, the human aptitude for memorizing objects or visual passwords supports the selection and use of highly secure passwords that have very low predictability, keeping users away from insecure practices.
ABSTRACT: Textual passwords are the most common method used for authentication. Unfortunately, these passwords can be easily guessed or cracked. The next best techniques are graphical passwords. Many graphical password schemes have been proposed in the last decade, but most of them suffer from shoulder-surfing, which is also a big problem. There are also a few graphical password schemes that have been proposed which are resistant to various attacks. In this paper two new authentication schemes are proposed with a steganography algorithm for any transaction. Any authentication process becomes very secure when two or three techniques are used together in a system. For every login process, the user inputs a different password. We propose two different shoulder-surfing resistant graphical password authentication schemes: one is AS3PAS and the second is a hybrid textual scheme using color codes, together with Advanced LSB, which removes the drawback of simple LSB in that it supports all image formats.
The shoulder-surfing problem is an attack in which the intruder can observe passwords, PINs or other protected information by watching the owner or victim over his/her shoulder or through other spying devices such as binoculars and video cameras while the password is being used on the computer or at the terminal for authentication. The main aim of the intruder in this attack is to use the observed credentials for illicit transactions in order to impersonate the real owner (the victim) afterwards. The root cause of this drawback is the fact that users enter their secrets directly into some poorly designed user interface in a way that makes it easy for an intruder to gain knowledge of the secret via observation. To surmount this problem during authentication, a number of shoulder-surfing resistant techniques were proposed as helpful solutions to protect the user’s secret from being observed for illicit usage. To protect recall-based graphical password systems such as Draw-A-Secret and Background Draw-A-Secret DAS from shoulder-surfing, three techniques were proposed: decoy strokes defense, disappearing strokes, and line snaking. These techniques are used during a login procedure as a means of distracting the shoulder surfer from capturing the correct password drawn by the user. The decoy strokes defense technique allows the user to draw many passwords, of which only one is the authentic user’s password. In the disappearing stroke defense, the user's stroke is removed from the screen after it has been drawn. The idea behind it is to make it difficult for the attacker to commit the image to memory. While line Snaking technique is based on the disappearing stroke solution but was intended to leave the vital
In this paper, we have studied different methods for graphical password authentication schemes. We proposed a shoulder-surfing resistant authentication system based on graphical passwords, named Pass Matrix. Using a one-time login indicator per image, users can point out the location of their pass-square without directly clicking or touching it, which is an action vulnerable to shoulder-surfing attacks. Because of the design of the horizontal and vertical bars that cover the entire pass-image, it offers no clue for attackers to narrow down the password space even if they have more than one login record of that account. Additionally, we proposed a system called Session password. It provides a new password for each session and does not need to transfer the password from the server each time for authentication purposes, which is why the Session password scheme provides more security than the other existing systems.
Authentication is the first step in information security in today’s world; there are many techniques for protecting passwords. These techniques are vulnerable to different attacks such as shoulder-surfing, eavesdropping, dictionary attacks, spyware etc. Graphical passwords have their own disadvantages. Complicated passwords are difficult to remember. We use a color password for which session passwords are created. For every login, the user inputs a different password. The password is generated using text and color ratings, which are resistant to various attacks. It can be used where security is the main purpose, such as net banking, trade transactions, server-side etc.
Abstract- Since conventional password schemes are vulnerable to shoulder-surfing, many shoulder-surfing resistant graphical password schemes have been proposed. However, as most users are more familiar with textual passwords than pure graphical passwords, text-based graphical password schemes have been proposed. Unfortunately, both the text-based password schemes and graphical password schemes are not secure and efficient enough and have not been adopted. Textual passwords are the most common method used for authentication. But textual passwords are vulnerable to eavesdropping, dictionary attacks, social engineering and shoulder-surfing. Graphical passwords are introduced as alternative techniques to textual passwords. Most of the graphical schemes are vulnerable to shoulder-surfing. To address this problem, text can be combined with colors to generate secure passwords for authentication. The user passwords can be used only once and every time a new password is generated. In this paper, an improved text-based shoulder-surfing resistant graphical password scheme is proposed, using a color PIN entry mechanism which is resistant to shoulder-surfing. In the proposed scheme, the user can easily and efficiently log in to the system. This proposed work gives more security for the password against shoulder-surfing and accidental login.
Considering that most users are more used to textual passwords than graphical passwords, Zhao et al. proposed S3PAS, a text-based shoulder-surfing resistant graphical password scheme. In S3PAS, the user has to mix his text password on the login screen to obtain the session password. However, the login procedure of Zhao et al.’s scheme is complicated and tedious. Since then, a number of textual shoulder-surfing resistant graphical password schemes have been proposed, such as . Unfortunately, none of the present textual shoulder-surfing resistant graphical password schemes is both secure and efficient. In this paper, we propose an improved text-based shoulder-surfing resistant graphical password scheme by using colors. The operation of the proposed scheme is simple and easy to learn for users familiar with textual passwords. The user can easily and efficiently log in to the system without using any physical keyboard.
At present, conventional password schemes are exposed to dictionary attacks, eavesdropping and shoulder-surfing, and numerous shoulder-surfing resistant graphical password schemes have been proposed. On the other hand, textual passwords are the most common technique used for authentication. There are several graphical password schemes that have been proposed in the past years. As most users are more used to word-based passwords than pure graphical passwords, sentence-, word- or character-based graphical password schemes have been proposed. Unfortunately, none of the existing schemes creates a graphical lock that resists impersonation. Resistance to shoulder-surfing and other attacks on text and characters, such as eavesdropping, dictionary attacks and social engineering, is improved in this paper by using colors. In the proposed scheme, the user can robustly, cleanly and efficiently log in to the system; the security and usability of the proposed system are examined, and the resistance of the proposed scheme to accidental login is shown.
There are two types of passive adversaries. The shoulder-surfing attacker is a weaker adversary whose capabilities are confined to those of a human. On the other hand, the camera-based recording attacker is a stronger adversary equipped with automatic recording devices. Since PINs are so popularly used in smartphones, automated teller machines (ATM), and point-of-sale (PoS) terminals, there is a great need for a secure PIN entry scheme that does not significantly sacrifice usability.
A multitude of graphical password schemes have been proposed, motivated by the promise of improved password memorability and thus usability, while at the same time improving strength against guessing attacks. Like text passwords, graphical passwords are knowledge-based authentication mechanisms where users enter a shared secret as evidence of their identity. However, where text passwords involve alphanumeric and/or special keyboard characters, the idea behind graphical passwords is to leverage human memory for visual information, with the shared secret being related to or composed of images. There has been a great deal of hype around graphical passwords for two decades, due to the fact that primitive methods suffered from an innumerable number of attacks which could be mounted easily. Here we will progress down the taxonomy of authentication methods. To start with, we focus on the most common computer authentication method, which makes use of text passwords. Despite the vulnerabilities, it is the natural tendency of users to prefer short passwords for ease of remembrance, along with a lack of awareness about how attackers tend to attack. Unfortunately, these passwords are broken mercilessly by intruders by several simple means such as masquerading, eavesdropping and other crude means such as dictionary attacks, shoulder-surfing attacks and social engineering attacks. To mitigate the problems with traditional methods, advanced methods have been proposed using graphics as passwords. The idea of graphical passwords was first described by Greg Blonder (1996). In Blonder's scheme, a graphical password has a predetermined image, and the sequence of tap regions selected on it is interpreted as the graphical password. Since then, many other graphical password schemes have been proposed. The desirable quality associated with graphical passwords is that psychologically humans can remember graphics far better than text, and hence they are the best alternative being proposed.
There is a rapidly growing interest in graphical passwords, for they are more or less infinite in number, thus providing more resistance.