
Shoulder surfing resistant graphical password schema: Randomized Pass Points (RPP)

Multimedia Tools and Applications

Abstract

Shoulder-surfing attacks are pervasive in today’s digital environment. With the widespread use of mobile devices in public and uncontrolled settings, intentional or unintentional observation of user authentication is quite frequent. Researchers in the security domain have spent considerable effort developing shoulder-surfing-resistant authentication mechanisms. In this study, a pass-graph methodology that relies on randomness and the derivation of alternative pass-graphs is proposed under the name Randomized Pass Points. The proposed authentication methodology is scrutinized for its resistance to brute-force and shoulder-surfing attacks. Evaluations prove that the proposed alternative is stronger than the 8-digit, 71-character-set password methodology against brute-force attacks and that, under the given assumptions, an attacker must capture at least 5 valid log-ins to derive the pass-graph in a shoulder-surfing attack.


Data availability

Detailed data on the experiments and the survey can be requested from the corresponding author via e-mail.


Author information

Corresponding author

Correspondence to Atila Bostan.

Ethics declarations

Limitations

User test and survey results in this study should be considered indicators, not scientific proof, since the number of participants was limited by the available resources.

Conflict of interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Bostan, H., Bostan, A. Shoulder surfing resistant graphical password schema: Randomized Pass Points (RPP). Multimed Tools Appl 82, 43517–43541 (2023). https://doi.org/10.1007/s11042-023-15227-x

  • DOI: https://doi.org/10.1007/s11042-023-15227-x
