combining captcha and graphical passwords for ... - Euroasiapub.org

IJRIM Volume 2, Issue 4 (April 2012) (ISSN 2231-4334) 

COMBINING CAPTCHA AND GRAPHICAL PASSWORDS FOR USER 

AUTHENTICATION 

T. S. Ravi Kiran* 

Y. Rama Krishna** 

ABSTRACT 

Text passwords have been widely used for user authentication, however, it is well-known that 

text passwords are insecure for a variety of reasons .Graphical password schemes are 

believed to be more secure and more resilient to dictionary attacks than textual passwords, 

but more vulnerable to shoulder surfing attacks. Many recognition-based graphical password 

schemes alone, in order to offer sufficient security, require a number of rounds of 

verification, introducing usability issues. In this paper we suggest a hybrid user 

authentication approach combining CAPTCHA (Completely Automated Public Turing tests 

to tell Computers and Humans Apart) and graphical passwords to provide increased 

security. 

Keywords: CAPTCHA, Graphical Passwords, User Authentication, Phishing, Security 

*Lecturer, Department of Computer Science, P.G.Centre, P.B.Siddhartha College of Arts & 

Science, Vijayawada. 

**Assistant Professor, KITE Women’s College of Professional Engineering Sciences, 

Shabad, India. 

International Journal of Research in IT & Management 29 

http://www.mairec.org


INTRODUCTION 

Authentication is indeed at the heart of any secure system; a user has to be authenticated 

before he/she can be involved in online transactions, enter a secured vault, open a safe or 

reach his/her email account[1]. If sensitive information or unauthorized access is given to a 

wrong identity, the entire security of one system will collapse. Generally, the most common 

and convenient authentication method is the traditional alphanumeric password. However, 

their inherent security and usability problems [2, 3] led to the development of graphical 

passwords as an alternative. To date, there have been several graphical password schemes, 

such as [4, 5, 6, 7, 8]. They have overcome some drawbacks of traditional password schemes, 

but most of the current graphical password schemes remain vulnerable to spyware attacks. 

Most current graphical password schemes require users to enter the password directly, 

typically by clicking or drawing. Hence, passwords are easily exposed to a third party who 

has the opportunity to record a successful authentication session CAPTCHA (Completely 

Automated Public Turing tests to tell Computers and Humans Apart) is a program that 

generates and grades tests that are human solvable, but beyond the capabilities of current 

computer programs [9]. CAPTCHA is now almost a standard security mechanism for 

addressing undesirable or malicious Internet bot programs and major web sites such as 

Google, Yahoo and Microsoft all have their own CAPTCHAs. The rest of the paper is 

organized as follows. Section 2 briefly reviews related work. Sections 3 present our scheme. 

Conclusions and future work are addressed in section 4. 

RELATED WORKS 

There are many different ways a user can be authenticated by a system. This section looks at 

a number of different authentication systems to analyze their strengths and weakness. 

Alphanumeric Passwords 

An alphanumeric password is an authentication mechanism that utilizes letters, upper and 

lower case, numbers and some special characters such as exclamation marks and pound signs. 

A combination of all of these is used to form a string the user enters into a computer to 

authenticate themselves. Passwords of this nature are generally held to follow two guidelines; 

they must be memorable allowing the user to authenticate quickly and easily and that they 

must be secure [10].Alphanumeric passwords utilize recall which from the statement above is 

much harder for a user to remember their password. This means that in general users will be 

inclined to create an easily remembered password, which again reduces the security of the 




system. This point is further highlighted by the need to regularly change passwords to 

effectively 'reset' any attempts to steal a user's password 

Biometrics 

One alternative to the use of alphanumeric passwords is the use of biometrics. Biometrics is 

the utilization of uniquely and personally identifiable biological and physical information 

[11]. This authentication method does not rely on user password selection so does not fall 

foul of the failings described above. Also, as this mechanism makes use of the personal 

attributes of the user as opposed to a password it is not possible to shoulder surf this 

technology. There are many biometric systems in place today such as the use of finger prints 

or voice recognition. Authentication takes place by comparing previously stored information 

against the information a user provides when they wish to authenticate. To many this may 

seem like the logical choice when it comes to replacing alphanumeric passwords with a far 

more secure system, but it too has flaws 

Graphical Passwords 

Graphical passwords can be largely classified into three categories: recognition-based, cuedrecall, 

or recall-based. In recognition-based graphical passwords, users are required to 

recognize and then select a set of preselected images from a larger set. In cued-recall, the 

images cue the user, for example, to click a set of points on an image. In recall-based, users 

are required to recall a password without any cues, a graphical password is the use of a 

picture, a part of a picture or several pictures together to authenticate a user. Graphical 

passwords have by in large been attributed to Blunder [12, 13] his system required a user to 

click several points on an image, the points were then compared with the stored version and 

the user was authenticated or the authentication failed and the user was rejected. Whilst 

alphanumeric passwords rely on a single stage many graphical passwords systems require the 

user to pass a number of stages or challenges to authenticate. This raises an important issue 

relating to how long it takes to authenticate and how long a user feels is too long to 

authenticate. 

PassFaces 

This system was developed by Real User Corporation [14] and makes use of the human 

ability to recognize faces. To register with the system the user selects four faces from a large 

bank of available choices. When a user wishes to authenticate themselves they are presented 

with an array of nine faces, arranged in three rows of three. One of the faces is part of the 

user's password while the other eight all act as decoys. The user then touches the face to 

select it and the system then displays the next set of faces. The challenges continue until the 




user has selected four faces, it is at this point that the user passes or fails authentication. 

There are a number of issues with this system; some relate to security and others relate to 

usability. The main usability concern, which is becoming more and more redundant as 

network speeds increase, is the time it could take to load the faces. This issue is particularly 

relevant when the authenticating server is based in a remote location, as is likely to be the 

case with public space interactions. 

Draw-a-Secret 

Unlike the PassFaces system this is a recall based authentication method. To log in using this 

method the user must reproduce an image on a grid which is displayed on the screen. The 

system registers pen down and pen up events and the order in which the parts of the grid are 

touched between these events occurring which the author of refers to as a stroke [15]. The 

'password' that is stored by the system is not the drawing itself but is instead the record of 

strokes the user has performed. As the system does not record the exact drawing but instead a 

representation of the drawing it is possible to inexactly reproduce the image but still achieve 

authentication. 

PassPoints 

This system is a direct descendant of Blonder's system where the user has to touch several 

points on the screen in order to gain access to the system. As with Draw-a-Secret a 

background image is used to help the user remember the location of their points. This again is 

a recall based method of authentication, with the twist that the image acts as a cue to assist 

with the task of recollection [16]. This system effectively falls between a pure recognition 

based and a pure recall based system. To register with the system the user must select an 

image they wish to use and then select the points they wish to authenticate with. This again 

brings the issue of allowing user selection as it has been shown that here too users are 

inclined to choose images that they associate with. The other major issue is that the image 

must not be too cluttered or too sparse. 

PROPOSED SCHEME 

The proposed scheme is a combination of CAPTCHA and recognition-based graphical 

password which is less subjective to phishing attack. Password can be created during user 

registration or after registration and be changed any time after creation. A graphical password 

policy is defined by displaying an interface which contains Random text CAPTCHAs and 

images. Figure 1 illustrates the proposed interface. 




Figure 1 Interface of proposed scheme 

The users choose combination of CAPTCHA and images as their graphical passwords. For 

each round of verification, the specified number of text CAPTCHAs and images are 

randomly selected by the system from a database. A user then chooses a specified number of 

text CAPTCHAs and images as her graphical password .This process repeats for the specified 

number of rounds. If the user does not like a particular set of images, he may request a new 

one or upload her own images to be included in the selection process. In the register phase, 

users are required to select and remember CAPTCHAs and images as their password. To be 

authenticated, users need to distinguish his/her CAPTCHA-images .The user must correctly 

select all images (one or more) pre-registered for this account in each round of graphical 

password verification. The user as usual enters a user name and authentication begins. In 

password verification, the proposed scheme displays the interface of CAPTCHA and Images 

and the user chooses out her preregistered combination of CAPTCHAs and Images. After the 

user completes verification, if correct he is granted account access. Otherwise, access is 

denied. 

CONCLUSION 

Our proposed scheme offers some advantages in countering common attacks against text 

passwords, such as naive key logging and phishing. In this paper, we have presented a new 

approach to protect user’s password against spyware attack. Our main contribution is that we 

introduce CAPTCHA into the realm of graphical passwords to resist spyware programs. 

From a security viewpoint, this exploration is expected to advance the development of 




graphical passwords. Our future work concentrates on improving the login time and 

memorability. 

REFERENCES 

[1] L. V. Ahn, M. Blum, Nicholas J. Hopper and J. Langford, CAPTCHA:CAPTCHA: Using 

hard AI problems for security, In the Proceedings of Eurocrypt’03, pp. 294-311, 2003, 

available at: http://www. captcha.net/, Visited on Sep. 27, 2005. 

[2] M. Akao, S. Yamanaka, G. Hanaoka, et al., Personal entropy fromgraphical passwords: 

Methods for quantification and practical keygeneration, IEICE Trans. On Fundamentals of 

Electronics Communications and Computer Sciences, E87A (10), pp. 2543-2554, Oct. 2004. 

[3] D. Davis, F. Monrose, and M. K. Reiter, On User Choice in Graphical Password 

Schemes. In the 13th USENIX Security Symposium, 2004. 

[4] R. Dhamija and A. Perrig, Deja Vu: A User Study Using Images for Authentication. In 

the 9th USENIX Security Symposium, 2000. 

[5] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, The Design and Analysis of 

Graphical Passwords. In the 8th USENIX Security Symposium, 1999. 

[6] D. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Security. In 

the 2nd USENIX Security Workshop, pp. 514, 1990. 

[7] M. Orozco and A. El Saddik, Signature Identification with Haptic devices, In proceedings 

of the IEEE International Conference on Virtual Environments, Human-Computer Interfaces, 

and Measurement Systems, Giardini Naxos, Italy, Jul. 2005. 

[8] J. Ortega-Garcia, J. Bigun, D. Reynolds, J. Gonzalez-Rodriguez, Authentication gets 

personal with biometrics. In Signal Processing Magazine, IEEE Volume 21, Issue 2, pp. 50- 

62, Mar. 2004. 

[9] J. Ortega-Garcia, J. Fierrez-Aguilar, J. Martin-Rello, and J. Gonzalez-Rodriguez, 

Complete signal modeling and score normalization for function-based dynamic signature 

verification, In Proc. 4th Int. Conf. Audio and Video-Based Person Authentication, AVBPA 

2003, LNCS 2688, pp. 658-667, Jun. 2003. 

[10] B. Pinkas and T. Sander, Securing Passwords Against Dictionary Attacks. In 

Proceedings of the ACM Computer and Security Conference (CCS’ 02), pp. 161-170. ACM 

Press, Nov. 2002. 

[11] R. Plamondon and S. N. Srihari, On-line and off-line handwriting recognition: A 

comprehensive survey, IEEE Trans. Pattern Anal. MachineIntell.,vol. 22, no. 1, pp. 63-84, 

Jan. 2000. 




[12] Reachin Technologies, available at: http://www.reachin.se, Visited on Jan. 3rd, 2006. 

[13]S. Chiasson. Usable Authentication and Click-Based Graphical Passwords. PhD thesis, 

Carleton University, Ottawa, Canada, January 2009. 

[14]S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot. Influencing Users Towards 

Better Passwords: Persuasive Cued Click-Points. In Proc. of HCI’08, September 2008. 

[15]S. Chiasson, P.C. van Oorschot, and R. Biddle. Graphical Password Authentication Using 

Cued Click Points. In Proc. of ESORICS’07, volume 4734, pages 359–374, September 2007. 

[16]D. Davis, F. Monrose, and M. Reiter. On User Choice in Graphical Password Schemes. 

In Proc. of 13th USENIX Security Symposium, August 2004.

combining captcha and graphical passwords for ... - Euroasiapub.org

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?