IJRIM Volume 2, Issue 4 (April 2012) (ISSN 2231-4334)
COMBINING CAPTCHA AND GRAPHICAL PASSWORDS FOR USER AUTHENTICATION
T. S. Ravi Kiran*
Y. Rama Krishna**
ABSTRACT
Text passwords have been widely used for user authentication; however, it is well known that text passwords are insecure for a variety of reasons. Graphical password schemes are believed to be more secure and more resilient to dictionary attacks than textual passwords, but more vulnerable to shoulder surfing attacks. Many recognition-based graphical password schemes, in order to offer sufficient security on their own, require a number of rounds of verification, which introduces usability issues. In this paper we suggest a hybrid user authentication approach combining CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) and graphical passwords to provide increased security.
Keywords: CAPTCHA, Graphical Passwords, User Authentication, Phishing, Security
*Lecturer, Department of Computer Science, P.G. Centre, P.B. Siddhartha College of Arts & Science, Vijayawada.
**Assistant Professor, KITE Women's College of Professional Engineering Sciences, Shabad, India.
International Journal of Research in IT & Management 29
http://www.mairec.org
INTRODUCTION
Authentication is at the heart of any secure system: a user has to be authenticated before he or she can take part in online transactions, enter a secured vault, open a safe or reach an email account [1]. If sensitive information or access is granted to the wrong identity, the security of the whole system collapses. Generally, the most common and convenient authentication method is the traditional alphanumeric password. However, its inherent security and usability problems [2, 3] led to the development of graphical passwords as an alternative. To date, several graphical password schemes have been proposed, such as [4, 5, 6, 7, 8]. They overcome some drawbacks of traditional password schemes, but most current graphical password schemes remain vulnerable to spyware attacks. Most of them require users to enter the password directly, typically by clicking or drawing, so the password is easily exposed to a third party who has the opportunity to record a successful authentication session.
CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) is a program that generates and grades tests that are human solvable but beyond the capabilities of current computer programs [9]. CAPTCHA is now almost a standard security mechanism for addressing undesirable or malicious Internet bot programs, and major web sites such as Google, Yahoo and Microsoft all have their own CAPTCHAs.
The rest of the paper is organized as follows. Section 2 briefly reviews related work. Section 3 presents our scheme. Conclusions and future work are addressed in Section 4.
RELATED WORKS
There are many different ways a user can be authenticated by a system. This section looks at a number of different authentication systems to analyze their strengths and weaknesses.
Alphanumeric Passwords
An alphanumeric password is an authentication mechanism that uses letters, upper and lower case, numbers and some special characters such as exclamation marks and pound signs. A combination of these forms a string that the user enters into a computer to authenticate. Passwords of this nature are generally held to follow two guidelines: they must be memorable, allowing the user to authenticate quickly and easily, and they must be secure [10]. Alphanumeric passwords rely on unaided recall, which makes a password harder for the user to remember than something that only has to be recognised. This means that in general users will be inclined to create an easily remembered password, which in turn reduces the security of the system. This point is further highlighted by the need to change passwords regularly so as to effectively 'reset' any attempts to steal a user's password.
Biometrics
One alternative to alphanumeric passwords is the use of biometrics. Biometrics is the use of uniquely and personally identifiable biological and physical information [11]. This authentication method does not rely on user password selection, so it does not fall foul of the failings described above. Also, as the mechanism makes use of personal attributes of the user rather than a password, it cannot be shoulder surfed. Many biometric systems are in place today, such as fingerprint or voice recognition. Authentication takes place by comparing previously stored information against the information a user provides when they wish to authenticate. To many this may seem the logical choice for replacing alphanumeric passwords with a far more secure system, but it too has flaws: a biometric that has been captured cannot be changed the way a password can, and every matcher trades false acceptances against false rejections.
Graphical Passwords
Graphical passwords can be broadly classified into three categories: recognition-based, cued-recall, and recall-based. In recognition-based graphical passwords, users are required to recognize and then select a set of preselected images from a larger set. In cued-recall, the images cue the user, for example, to click a set of points on an image. In recall-based schemes, users are required to recall a password without any cues. In general, a graphical password is the use of a picture, a part of a picture or several pictures together to authenticate a user. Graphical passwords have by and large been attributed to Blonder [12, 13]; his system required a user to click several points on an image, the points were then compared with the stored version, and the user was either authenticated or rejected. Whilst alphanumeric passwords rely on a single stage, many graphical password systems require the user to pass a number of stages or challenges to authenticate. This raises an important issue relating to how long it takes to authenticate and how long a user feels is too long.
PassFaces
This system was developed by Real User Corporation [14] and makes use of the human ability to recognize faces. To register with the system the user selects four faces from a large bank of available choices. When a user wishes to authenticate they are presented with an array of nine faces, arranged in three rows of three. One of the faces is part of the user's password while the other eight act as decoys. The user touches the face to select it and the system then displays the next set of faces. The challenges continue until the user has selected four faces, at which point the user passes or fails authentication. There are a number of issues with this system; some relate to security and others to usability. The main usability concern, which is becoming less relevant as network speeds increase, is the time it can take to load the faces. This issue is particularly relevant when the authenticating server is in a remote location, as is likely to be the case with public space interactions.
Draw-a-Secret
Unlike the PassFaces system, this is a recall-based authentication method. To log in, the user must reproduce a drawing on a grid displayed on the screen. The system registers pen-down and pen-up events and the order in which the cells of the grid are touched between those events, which the authors refer to as a stroke [15]. The 'password' stored by the system is not the drawing itself but the record of strokes the user has performed. As the system records a representation of the drawing rather than the exact drawing, it is possible to reproduce the image inexactly and still authenticate.
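The stroke record described above, as an added example that is not code from this paper or from the Draw-a-Secret authors: it quantises pen input on a 5 by 5 grid (the grid size, the unit-square canvas coordinates and the sample drawings are all constructed for this illustration), collapses consecutive samples that fall in the same cell, keeps the pen-up events, and stores only a hash of the resulting record. Two drawings that differ in detail but cross the same cells in the same order therefore authenticate; the same shape drawn without lifting the pen does not.

```python
import hashlib
import hmac

GRID = 5  # assumed grid size for the example; the real scheme picks its own


def cell(x, y, size=GRID):
    """Map a canvas point in [0, 1) x [0, 1) to its grid cell (column, row)."""
    if not (0.0 <= x < 1.0 and 0.0 <= y < 1.0):
        raise ValueError("point off the canvas")
    return (int(x * size), int(y * size))


def encode(strokes):
    """Turn raw pen input into the stored representation.

    `strokes` is a list of strokes; each stroke is the list of sampled points
    between one pen-down and the following pen-up (assumed densely sampled,
    so a stroke never skips a cell). Consecutive samples in the same cell
    collapse to one entry, and None marks each pen-up, so the record depends
    only on which cells were crossed, in which order, and where the pen lifted.
    """
    record = []
    for stroke in strokes:
        cells = []
        for x, y in stroke:
            c = cell(x, y)
            if not cells or cells[-1] != c:
                cells.append(c)
        record.extend(cells)
        record.append(None)  # pen-up event
    return tuple(record)


def digest(strokes):
    """What the server stores: a hash of the stroke record, never the drawing."""
    text = ";".join("up" if c is None else f"{c[0]},{c[1]}" for c in encode(strokes))
    return hashlib.sha256(text.encode()).hexdigest()


def authenticate(stored_digest, strokes):
    """Constant-time comparison of the login attempt against the enrolled digest."""
    return hmac.compare_digest(stored_digest, digest(strokes))


# Constructed sample drawings. ENROLLED is an L shape plus a dot; LOGIN_WOBBLY
# is the same shape redrawn by hand with every point moved; LOGIN_ONE_STROKE
# covers the same cells but without lifting the pen between the L and the dot.
ENROLLED = [
    [(0.1, 0.1), (0.3, 0.1), (0.5, 0.1), (0.5, 0.3), (0.5, 0.5)],
    [(0.9, 0.9)],
]
LOGIN_WOBBLY = [
    [(0.15, 0.05), (0.25, 0.12), (0.45, 0.18), (0.55, 0.35), (0.58, 0.52)],
    [(0.85, 0.95)],
]
LOGIN_ONE_STROKE = [ENROLLED[0] + ENROLLED[1]]

if __name__ == "__main__":
    stored = digest(ENROLLED)
    print(encode(ENROLLED))
    print("wobbly redraw accepted:", authenticate(stored, LOGIN_WOBBLY))
    print("single stroke accepted:", authenticate(stored, LOGIN_ONE_STROKE))
```

The quantisation is what gives the scheme its tolerance, but it also means the password space is the number of distinct stroke records on the grid rather than the number of drawings, which is why the grid must not be too coarse; hashing the record rather than storing it in clear keeps a database leak from handing the attacker every user's stroke sequence.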
PassPoints
This system is a direct descendant of Blonder's system: the user has to touch several points on the screen in order to gain access. Unlike Draw-a-Secret's blank grid, a background image is used to help the user remember the location of their points. This is again a recall-based method of authentication, with the twist that the image acts as a cue to assist recollection [16], so the system effectively falls between a pure recognition-based and a pure recall-based system. To register, the user selects an image they wish to use and then selects the points they wish to authenticate with. This again raises the issue of allowing user selection, as it has been shown that here too users are inclined to choose images they associate with. The other major issue is that the image must be neither too cluttered nor too sparse.
PROPOSED SCHEME
The proposed scheme is a combination of CAPTCHA and a recognition-based graphical password, and is less susceptible to phishing attacks. A password can be created during user registration or afterwards, and can be changed at any time after creation. The graphical password policy is defined by displaying an interface that contains random text CAPTCHAs and images. Figure 1 illustrates the proposed interface.
Figure 1 Interface of proposed scheme
Users choose a combination of CAPTCHAs and images as their graphical password. For each round of verification, the specified number of text CAPTCHAs and images is randomly selected by the system from a database. The user then chooses the specified number of text CAPTCHAs and images as her graphical password, and this process repeats for the specified number of rounds. If the user does not like a particular set of images, she may request a new one or upload her own images to be included in the selection process. In the registration phase, users are therefore required to select and remember CAPTCHAs and images as their password.
To be authenticated, the user must distinguish her own CAPTCHAs and images from the rest: in each round of graphical password verification she must correctly select all of the items (one or more) pre-registered for the account, and nothing else. The user enters a user name as usual and authentication begins. The scheme displays the interface of CAPTCHAs and images, and the user picks out her pre-registered combination. Once all rounds are complete, the user is granted access to the account if every round was correct; otherwise, access is denied. Because the positions of the CAPTCHAs and images are re-randomised for every round, a key or click logger that records only screen coordinates learns nothing it can replay in a later session; an attacker who also captures the screen, or who watches over the user's shoulder, still sees which items were selected.
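A toy model of the verification loop just described, added here as an example; it is not the authors' implementation, and the item database, the number of items shown per round and the three-item password are all assumptions. It also covers the PassFaces challenge from the related work, since both are recognition-based schemes of the same shape: a fixed number of the user's items hidden among decoys in a freshly shuffled layout each round. The simulation runs an honest login, then replays the screen positions a click logger would have recorded during it, and computes the chance of a blind guesser passing all rounds.

```python
import random
from math import comb

# Constructed stand-in for the scheme's database of text CAPTCHAs and pictures:
# opaque item ids here, rendered images in the real system.
DATABASE = [f"img{i:02d}" for i in range(40)]


def make_round(secret, per_round, rng):
    """Lay out one verification round: every item of `secret` plus random
    decoys drawn from DATABASE, shuffled so positions differ between rounds."""
    decoys = rng.sample([x for x in DATABASE if x not in secret], per_round - len(secret))
    layout = list(secret) + decoys
    rng.shuffle(layout)
    return layout


def verify(secret, rounds, per_round, rng, choose):
    """Run `rounds` rounds. `choose(layout)` models the user (or an attacker)
    and returns the set of screen positions clicked. A round passes only if
    exactly the pre-registered items were selected; any failure denies access."""
    for _ in range(rounds):
        layout = make_round(secret, per_round, rng)
        clicked = {layout[pos] for pos in choose(layout)}
        if clicked != set(secret):
            return False
    return True


def guess_probability(rounds, per_round, k):
    """Chance that a blind guesser who knows the layout size and k passes every round."""
    return (1.0 / comb(per_round, k)) ** rounds


def simulate(seed=1, rounds=3, per_round=12, k=3):
    """Honest login, then a replay of the click positions a logger recorded.
    Returns (honest_ok, replay_ok)."""
    rng = random.Random(seed)
    secret = sorted(rng.sample(DATABASE, k))  # registration: the user's items
    recorded = []                              # what a click logger sees: positions only

    def honest(layout):
        picks = {i for i, item in enumerate(layout) if item in secret}
        recorded.append(picks)
        return picks

    def replay(layout):
        return recorded.pop(0)                 # same positions against a new layout

    honest_ok = verify(secret, rounds, per_round, rng, honest)
    replay_ok = verify(secret, rounds, per_round, rng, replay)
    return honest_ok, replay_ok


if __name__ == "__main__":
    print(simulate())                    # (True, False)
    print(guess_probability(3, 12, 3))   # 3 rounds, 3 of 12 items: 1 / 220**3
    print(guess_probability(4, 9, 1))    # PassFaces, 1 of 9 over 4 rounds: 1 / 6561
```

Two points the code makes concrete. Because the layout is reshuffled, the recorded positions are useless in the next session, which is the sense in which the scheme resists naive click logging; an attacker who captures the screen as well, or who watches the user, still learns the items themselves. And unlike a salted password hash, the server must keep each user's item set in a form it can read, because it has to place those items in every round's layout, so that store needs protection of its own.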
CONCLUSION
Our proposed scheme offers some advantages in countering common attacks against text passwords, such as naive key logging and phishing. In this paper we have presented a new approach to protecting a user's password against spyware attacks. Our main contribution is to introduce CAPTCHA into the realm of graphical passwords in order to resist spyware programs. From a security viewpoint, this exploration is expected to advance the development of graphical passwords. Our future work concentrates on improving login time and memorability.
REFERENCES
[1] L. von Ahn, M. Blum, N. J. Hopper and J. Langford, CAPTCHA: Using hard AI problems for security, in Proceedings of Eurocrypt'03, pp. 294-311, 2003, available at: http://www.captcha.net/, visited on Sep. 27, 2005.
[2] M. Akao, S. Yamanaka, G. Hanaoka, et al., Personal entropy from graphical passwords: Methods for quantification and practical key generation, IEICE Trans. on Fundamentals of Electronics, Communications and Computer Sciences, E87A (10), pp. 2543-2554, Oct. 2004.
[3] D. Davis, F. Monrose and M. K. Reiter, On User Choice in Graphical Password Schemes, in the 13th USENIX Security Symposium, 2004.
[4] R. Dhamija and A. Perrig, Deja Vu: A User Study Using Images for Authentication, in the 9th USENIX Security Symposium, 2000.
[5] I. Jermyn, A. Mayer, F. Monrose, M. Reiter and A. Rubin, The Design and Analysis of Graphical Passwords, in the 8th USENIX Security Symposium, 1999.
[6] D. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Security, in the 2nd USENIX Security Workshop, pp. 5-14, 1990.
[7] M. Orozco and A. El Saddik, Signature Identification with Haptic Devices, in Proceedings of the IEEE International Conference on Virtual Environments, Human-Computer Interfaces, and Measurement Systems, Giardini Naxos, Italy, Jul. 2005.
[8] J. Ortega-Garcia, J. Bigun, D. Reynolds and J. Gonzalez-Rodriguez, Authentication gets personal with biometrics, IEEE Signal Processing Magazine, Volume 21, Issue 2, pp. 50-62, Mar. 2004.
[9] J. Ortega-Garcia, J. Fierrez-Aguilar, J. Martin-Rello and J. Gonzalez-Rodriguez, Complete signal modeling and score normalization for function-based dynamic signature verification, in Proc. 4th Int. Conf. Audio- and Video-Based Person Authentication, AVBPA 2003, LNCS 2688, pp. 658-667, Jun. 2003.
[10] B. Pinkas and T. Sander, Securing Passwords Against Dictionary Attacks, in Proceedings of the ACM Conference on Computer and Communications Security (CCS'02), pp. 161-170, ACM Press, Nov. 2002.
[11] R. Plamondon and S. N. Srihari, On-line and off-line handwriting recognition: A comprehensive survey, IEEE Trans. Pattern Anal. Machine Intell., vol. 22, no. 1, pp. 63-84, Jan. 2000.
[12] Reachin Technologies, available at: http://www.reachin.se, visited on Jan. 3rd, 2006.
[13] S. Chiasson, Usable Authentication and Click-Based Graphical Passwords, PhD thesis, Carleton University, Ottawa, Canada, January 2009.
[14] S. Chiasson, A. Forget, R. Biddle and P. C. van Oorschot, Influencing Users Towards Better Passwords: Persuasive Cued Click-Points, in Proc. of HCI'08, September 2008.
[15] S. Chiasson, P. C. van Oorschot and R. Biddle, Graphical Password Authentication Using Cued Click Points, in Proc. of ESORICS'07, LNCS volume 4734, pp. 359-374, September 2007.
[16] D. Davis, F. Monrose and M. Reiter, On User Choice in Graphical Password Schemes, in Proc. of the 13th USENIX Security Symposium, August 2004.