In the rule-based scheme, users are able to define their own click-rules when they create passwords. The primary advantage is that the rule-based scheme hides the click-rule. In the basic scheme, the click-rule is open to the public, while in the rule-based scheme, only the users themselves know their “pass-rules.” As a result, it becomes extremely hard for attackers to break a user's password using password analysis techniques. Further, the rule-based scheme hides the length |k| of the user's password. In the basic S3PAS scheme, if Alice's password is |k| in length, she has to click |k| times, which reveals her password length to attackers. However, users can protect their password length information well with the rule-based scheme. Another benefit is that it can also avoid the common border problem. In addition, it could be easier for users to remember their own click-rules.
In order to protect users’ digital property, authentication is required every time they try to access their personal account and data. However, conducting the authentication process in public might result in potential shoulder-surfing attacks. Even a more complex password can be cracked easily through shoulder surfing. Using traditional textual passwords or the PIN method, users need to type their passwords to validate themselves, and thus these passwords can be revealed easily if someone peeks over their shoulder or uses video recording devices such as cell phones or Google Glass. To overcome this problem, we proposed a shoulder-surfing resistant authentication system based on graphical passwords, named PassMatrix and PairBased. Using a one-time login indicator per image, users can point out the location of their pass-square without directly clicking or touching it, which is an action vulnerable to shoulder-surfing attacks. Because of the design of the horizontal and vertical bars that cover the entire pass image, it offers no clue for attackers to narrow down the password space even if they have more than one login record of that account.
In  proposed authentication scheme using text and colors for generating session password. A session password is a password that is used only once at a time. Once the session terminates, the session password is no longer useful, because for every login session users must enter different passwords. Moreover, according to , the use of session passwords is very suitable for Personal Digital Assistants (PDAs) because it is resistant to shoulder-surfing attacks. The session password is generated using grids and colors, which serve as an alternative authentication technique to reduce the drawbacks of textual password authentication. During the registration phase, the user needs to submit his chosen password consisting of a minimum length of 8 passwords, which is called the secret pass. The secret pass must contain an even number of characters because the session passwords are generated from it. During the login phase, when the user enters his username, an interface that consists of alphabets and numbers in a grid of size 6x6 is displayed. The characters are randomly placed on the grid, and the interface changes every time the user wants to log in. Then, the user has to enter the password depending on the secret pass, and must consider the secret pass in terms of pairs. The
In ancient days, we used a textual password when logging in to any authentication-based website. A textual password consists of upper- and lower-case letters and numbers. It doesn’t provide a secure login to the network. The network is affected by shoulder-surfing and key-logger attacks. Using video capture and camera snapshots, the attacker can steal our identity details. Even though we have a virtual keyboard, the keys are highlighted while we are pressing them. With the help of malicious key-logging software, screenshot recording is done while the keys are highlighted. This leaves the user as well as the network vulnerable. It can be overcome by shuffling the keys that are present on the keyboard. We can also set an image cell as the password by using a pass matrix. This will secure our sensitive information such as username, password, PIN and personal identity.
Shoulder surfing is an attack in which the intruder can observe passwords, PINs or other protected information by watching the owner or victim over his/her shoulder or through spying devices such as binoculars and video cameras while the password is being used on the computer or at the terminal for authentication. The main aim of the intruder in this attack is to use the observed credentials for illicit transactions in order to impersonate the real owner (the victim) afterwards. The root cause of this drawback is the fact that users enter their secrets directly into some poorly designed user interface in a way that makes it easy for an intruder to gain knowledge of the secret via observation. To surmount this problem during authentication, a number of shoulder-surfing resistant techniques were proposed as helpful solutions to protect the user’s secret from being observed for illicit usage. To protect recall-based graphical password systems such as Draw-A-Secret and Background Draw-A-Secret DAS from shoulder surfing, three techniques, namely decoy strokes defense, disappearing strokes, and line snaking, were proposed. These techniques are used during a login procedure as a means of distracting the shoulder surfer from capturing the correct password drawn by the user. The decoy strokes defense technique allows the user to draw many passwords, of which only one is the authentic user’s password. In the disappearing stroke defense, the user's stroke is removed from the screen after it has been drawn. The idea behind it is to make it difficult for the attacker to commit the image to memory. The line snaking technique is based on the disappearing stroke solution but was intended to leave the vital
In this paper, we have studied different methods for graphical password authentication schemes. We proposed a shoulder-surfing resistant authentication system based on graphical passwords, named Pass Matrix. Using a one-time login indicator per image, users can point out the location of their pass-square without directly clicking or touching it, which is an action vulnerable to shoulder-surfing attacks. Because of the design of the horizontal and vertical bars that cover the entire pass-image, it offers no clue for attackers to narrow down the password space even if they have more than one login record of that account. Additionally, we proposed a system called Session password; it provides a new password for each session and need not transfer the password from the server each time for authentication purposes, which is why the Session password scheme provides more security than other existing systems.
With the increasing trend of apps and other web services, users access them from anywhere and at any time with different devices. In order to secure the devices, authentication is always required when they try to access the services. Engaging in authentication in public can lead to different potential attacks such as shoulder surfing. Textual passwords can be seen easily, as the user has to type the whole password on the keyboard, and the current authentication systems are still immature in some aspects.
In this paper, we study shoulder-surfing defences for recall-based graphical password systems such as Draw-A-Secret (DAS), Background Draw-A-Secret (BDAS) and Pass-Go. DAS is a representative graphical password scheme and worthy of extensive study for the following reasons. First, its theoretical password space can be larger than that of text passwords. Second, unlike many other graphical password systems, DAS can be used for not only user authentication, but also for key generation. Although some research has revealed that the user choices of DAS passwords could render this theoretically sound scheme less secure in practice, it appears that many of the weaknesses could be improved by introducing a background image into the drawing grid, together with other countermeasures.
Different graphical password authentication plans were produced to address the issues and shortcomings connected with textual passwords. In light of a few reviews, for example, those in, people have a superior capacity to remember images with long-term memory (LTM) than verbal representations. Image-based passwords turned out to be easier to recall in a few user studies. Consequently, users can set up a complex authentication password and are capable of recalling it after quite a while, even if the memory is not activated occasionally. In any case, the greater part of these image-based passwords are vulnerable to shoulder-surfing attacks (SSAs). This kind of attack either uses direct observation, for example watching from behind someone, or applies video capturing techniques to get passwords, PINs, or other sensitive personal information.
4 Haichang proposed a new shoulder-surfing resistant scheme where the user is required to draw a curve across their password images in order rather than clicking on them directly. This graphical scheme combines the DAS and Story schemes to provide authenticity to the user
Abstract: In today's modern world, securing the organization’s data has become a major concern. To provide security, the most widely recognized authentication methods are credentials, OTP, LTP, etc. These methods are more prone to Brute Force Attack, Shoulder Surfing Attack, and Dictionary Attack. Shoulder Surfing Attack (SSA) is a data theft approach used to obtain personal identification numbers or passwords by looking over the user's shoulder or by external recording devices and video capturing devices. Since SSA occurs in a benevolent way, it goes unnoticed most of the time. It is one of the simple and easy methods for hackers to steal one's sensitive information. The hacker simply has to peek in while the user types in the password, without much effort involved. Therefore, this phenomenon is widely unknown to people all over the world. Textual passwords are a ubiquitous part of the digital age. Web applications and mobile applications demand a strong password with at least one capital letter and a special letter. People tend to choose easy passwords in order to remember them, which can be easily shoulder surfed. To overcome this, graphical password techniques are used to provide a more secure password. In the graphical authentication system, the users click on target images from a challenge set for authentication. Various graphical systems have been proposed over the years which are shown to be more secure when compared to other authentication systems. In this paper, a shoulder-surfing resistant graphical authentication system is implemented using the honeypot concept.
At present, conventional secret word patterns are exposed to dictionary attacks, eavesdropping and shoulder surfing, and numerous shoulder-surfing unaltered graphical password patterns have been proposed. On the other hand, textual passwords are the utmost public technique used for authentication. There are several graphical password schemes that were planned in the past years. Because most users are more used to word-based passwords than untainted graphical passwords, sentence- or word-based or character-based graphical password schemes have been proposed. Undesirably, none of the existing schemes create a graphical lock for resisting impersonation. The resistance to shoulder surfing and other attacks like eavesdropping, dictionary attacks, and social engineering attacks on text and characters is improved by this paper by using colors. In the expected scheme, the operator can robustly, cleanly and professionally log in to the system. We inspect the security and usability of the planned system and show the resistance of the proposed scheme to unintended login.
Authentication is the first security mechanism that can be used to prevent unauthorized access to the system. In addition, the textual password (text-based password) is the most famous authentication mechanism, which has been used for several years. In this authentication method, a user selects a combination of characters as his password, which he is required to memorize. However, in order to have a secure password, the generated password must follow several requirements such as a minimum of 8 characters, a combination of capital and small characters, alphanumeric, using special characters, etc. Thus, this makes the password complex (e.g. "@bu*%183bDIK"), which also makes it difficult for a hacker to guess (dictionary attack) or break (brute force attack) it. Similarly, the generated complex password makes it a challenge for the users to memorize it for further access. Thus, the users tend to pen down their long and random passwords somewhere or take easy passwords instead. The graphical password is an alternative authentication password which can solve the problem of remembering the complex passwords in the textual password approach. In this case, several images are used to represent a user password, rather than text. Later on, upon login to the system, a user can select or produce the same graphic image correctly for accessing the system. Since remembering an image is easier than remembering text, the selected images used as the password are complex as well as easy for the user to remember at the same time. Additionally, the other advantage of the graphical password is to prevent stealing of passwords if a keystroke logger such as malicious software (Trojan) is installed by a hacker in order to capture text-based passwords. In general, there are three graphical password approaches: recognition-based, pure recall-based and cued recall-based. In the recognition-based approach, the user can pick several images such as icons or symbols which he recently selected in user
As maximum users are aware, conventional text-based password verification methods have no shoulder-surfing resistance. In 2007, Zhao et al. proposed a textual-based shoulder-surfing resistant graphical password scheme known as S3PAS, in which the user has to determine his textual password and then follow some rule to mix his textual password to hold a session password to log in to the system. At the same time, the login methods of Zhao et al. are complicated and uninteresting. Sreelatha et al., in 2011, also proposed a text-based shoulder-surfing resistant graphical password scheme by using colors. Noticeably, the user has to memorize the order of some colors in addition, which makes the memory load of the user too high. In the same year, Kim et al. proposed another text-based shoulder-surfing resistant graphical password scheme, and at the same time employed an analysis method for shoulder-surfing resistance and accidental login resistance to analyze the safety measures of their scheme. Fatefully, the resistance of Kim et al.’s scheme to accidental login is not satisfactory. Rao et al., in 2012, suggested a text-based shoulder-surfing resistant graphical password scheme, i.e. PPC, in which the user has to mix his textual password to produce several pass-pairs, and then follow four predefined rules to get his session password on the login screen. On the other hand, the login procedure of PPC is too boring and hard.
ABSTRACT: The most common method used for authentication is textual passwords. Unfortunately, these passwords can be easily guessed or cracked. The next best techniques are graphical passwords. Many graphical password schemes have been proposed in the last decade, but most of them suffer from shoulder surfing, which is also a big problem. Also, there are few graphical password schemes that have been proposed which are resistant to various attacks. In this paper two new authentication schemes are proposed with a steganography algorithm for any transaction. Any authentication process gets very secure when two or three techniques are used together for a system. For every login process, the user inputs different passwords. We proposed two different shoulder-surfing resistant graphical password authentication scheme methods: one is AS3PAS and the second is a hybrid textual scheme using color code, along with Advanced LSB, which removes the drawback of simple LSB in that it supports all image formats.
ABSTRACT: Early on, people used textual passwords for security, but these passwords are affected by various attacks like dictionary attacks, shoulder surfing, etc. After that period, graphical passwords came into existence, but graphical passwords have some disadvantages of their own, such as requiring more time to authenticate. Hence, this paper reviews the session password technique, in which the password is used only once for each session, and when the session ends the password is no longer useful. The proposed session password scheme uses a text session password. The session password scheme uses a pair-based authentication scheme. Textual passwords are generally used for login authentication. The graphical password was introduced as exactly the opposite technique to textual passwords. Most users are more familiar with textual passwords than pure graphical passwords. Shoulder surfing is an attack where an attacker can capture a password by direct show or by listening to the authentication session password. A session password can be used only once because a new password is generated every time. Session Password supports the pair-based scheme, which is secure and more efficient. In this paper, an improved text-based shoulder-surfing resistant scheme is proposed in which the pair-based scheme is used for alphabets, digits and symbols, where the session password is formed at every session or transaction using a virtual shuffling keyboard. The user can easily and efficiently log in to the system. The proposed system analyzes the security and usability of the proposed scheme, and shows the support of the scheme against shoulder-surfing attacks.
In 2002, to reduce the shoulder-surfing attack, Sobrado and Birget proposed three shoulder-surfing resistant graphical password schemes: the Movable Frame scheme, the Intersection scheme, and the Triangle scheme. But of all these schemes, the Movable Frame scheme and the Intersection scheme fail frequently in the process of authentication. In the Triangle scheme, the user has to select and memorize several pass-icons as his password. To log in to the system, the user has to correctly pass the predetermined number of challenges, and in every challenge, the user has to find three pass-icons from a set of randomly chosen icons displayed on the login screen, and then click inside the invisible triangle created by those three pass-icons.
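The Triangle scheme's login check as described above, as an added Python example (not code from Sobrado and Birget or from the paper excerpted here). The screen size, the 20 displayed icons, the eight rounds, the icon names and the choice to show exactly three pass-icons per challenge are assumptions.

```python
import secrets

SCREEN_W, SCREEN_H = 800, 600   # assumed login-screen size in pixels
ROUNDS = 8                      # assumed "predetermined number of challenges"

def cross(o, a, b):
    """Twice the signed area of triangle o-a-b (the sign gives orientation)."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def point_in_triangle(p, a, b, c):
    """True if p lies inside or on an edge of triangle a-b-c."""
    if cross(a, b, c) == 0:          # collinear icons form no triangle
        return False
    signs = (cross(a, b, p), cross(b, c, p), cross(c, a, p))
    return not (any(s < 0 for s in signs) and any(s > 0 for s in signs))

def make_challenge(pass_icons, all_icons, shown=20, rng=None):
    """Random layout {icon: (x, y)} that contains exactly three pass-icons."""
    rng = rng or secrets.SystemRandom()
    three = rng.sample(sorted(pass_icons), 3)
    decoys = rng.sample(sorted(set(all_icons) - set(pass_icons)), shown - 3)
    while True:
        layout = {icon: (rng.randrange(SCREEN_W), rng.randrange(SCREEN_H))
                  for icon in three + decoys}
        if cross(*(layout[i] for i in three)) != 0:   # re-roll degenerate layouts
            return layout

def verify_round(layout, pass_icons, click):
    """Server side: the click itself never names an icon, only a point."""
    corners = [pos for icon, pos in layout.items() if icon in pass_icons]
    return len(corners) == 3 and point_in_triangle(click, *corners)

def login_ok(rounds, pass_icons):
    """Every round is evaluated before answering, so a failed login does
    not reveal which challenge was answered wrongly."""
    results = [verify_round(layout, pass_icons, click) for layout, click in rounds]
    return len(results) == ROUNDS and all(results)

def random_click_success(layout, pass_icons, rounds=1):
    """Approximate chance that uniformly random clicks pass `rounds`
    challenges with a triangle of this size (accidental login)."""
    corners = [pos for icon, pos in layout.items() if icon in pass_icons]
    area = abs(cross(*corners)) / 2
    return (area / (SCREEN_W * SCREEN_H)) ** rounds

# Constructed sample data: four memorized pass-icons, three of them on screen.
SAMPLE_PASS = {"key", "moon", "tree", "wave"}
SAMPLE_LAYOUT = {"key": (100, 100), "moon": (500, 100), "tree": (300, 400),
                 "cup": (50, 50), "dog": (700, 500)}

if __name__ == "__main__":
    print(verify_round(SAMPLE_LAYOUT, SAMPLE_PASS, (300, 200)))
    print(random_click_success(SAMPLE_LAYOUT, SAMPLE_PASS, ROUNDS))
```

The last function shows why the scheme needs several challenges: a single large triangle can be hit by a random click with noticeable probability, and only the product over all rounds makes that negligible.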
In this work, we have proposed a random image augmented text password authentication system that is highly resistant to shoulder-surfing attacks. As the textual password randomly, this makes shoulder surfing difficult. Also, keystroke time logging and comparison makes attacks such as shoulder surfing, brute force and dictionary attacks highly improbable. Our system combines the best of the two prominent techniques, namely text-based passwords and image-based passwords, as text passwords are hard to memorize and short passwords are vulnerable to various attacks. Also, image-based passwords are very easy to remember, but are highly susceptible to attacks such as shoulder surfing. Here, in this system, we have combined the desirable characteristics of the two schemes, such as the high memorability of image-related data and the better security of textual passwords against shoulder-surfing attacks, to create a highly resistant authentication system. As the image is only used for cueing the user to enter a specific text password and the text password(s) are randomly warranted, out of a pool of N password-image pairs
The aim of this paper is to investigate the reasons behind low commercial acceptance and provide suitable recommendations to overcome them. In the second half of this paper, based on these recommendations, we design a simple graphical password scheme, called SECURE GRAPHICAL PASSWORD AUTHENTICATION, a cued recognition based graphical authentication scheme which allows users to choose numbers, text as well as images as passwords without any specific alterations to the underlying authentication design and process. It also blends together the strengths of Numbers, Alphabets and Pictures (NAP) to effectively defeat prevalent forms of social hacking. In this paper we describe the complete design of SECURE GRAPHICAL PASSWORD AUTHENTICATION and argue for its potential benefits in terms of security and usability. We then provide results of a user study and security analysis.
Once the user has logged out from that session, the password entered earlier is lost. Now, when the user logs in the next time, he has to work in the same way as earlier. But this time the keyboard generated for entering his password is shuffled, and hence the combination for the word ‘suraj’ also changes. It provides security against the dictionary attack, the shoulder-surfing attack and also some possible network attacks. In this way, we have successfully performed the mechanism of AAA – Authentication, Authorization and Access in our implemented software application for online banking, where security is the foremost requirement.