Graphical password: prevent shoulder-surfing attack using digraph substitution rules

  • Research Article
Frontiers of Computer Science

Abstract

In this paper, a new scheme that uses digraph substitution rules to conceal the mechanism or activity required to derive password-images is proposed. In the proposed method, a user is only required to click on one of the pass-images instead of both pass-images shown in each challenge set for three consecutive sets. While this activity is simple enough to reduce login time, the images clicked appear to be random and can only be obtained with complete knowledge of the registered password along with the activity rules. Thus, it becomes impossible for shoulder-surfing attackers to obtain the information about which password images and pass-images are used by the user. Although the attackers may know about the digraph substitution rules used in the proposed method, the scenario information used in each challenge set remains. User study results reveal an average login process of less than half a minute. In addition, the proposed method is resistant to shoulder-surfing attacks.

Acknowledgements

This project was supported by the Postgraduate Research Grant (PPP) (PG169-2015A, PG005-2015B) from the University of Malaya, Malaysia, and also the Fundamental Research Grant Scheme (FRGS) (FP071-2015A) from the Ministry of Higher Education, Malaysia.

Author information

Corresponding author

Correspondence to Lip Yee Por.

Additional information

Lip Yee Por received the PhD degree from University of Malaya (UM), Malaysia in 2012. Currently, he is a senior lecturer at the Department of Computer System and Technology, UM. In general, his research interests are bioinformatics (e.g., biosensors, pain research), computer security (e.g., information security, steganography, authentication (graphical password)), neural networks (e.g., supervised and unsupervised learning methods such as support vector machine, extreme learning machine), grid computing, and e-learning frameworks.

Chin Soon Ku received the MS degree in computer science from University of Malaya, Malaysia in 2013. He is currently a lecturer with the Department of Computer Science, University of Tunku Abdul Rahman, Malaysia. His current research interests include computer security, decision support application, and speech recognition.

Amanul Islam received the BS degree in information and communication technology from The Millennium University, Bangladesh. He is currently a master's student in the Faculty of Computer Science and Information Technology, University of Malaya, Malaysia. His research interests include computer networks, network security, graphical authentication, and wireless systems.

Tan Fong Ang received the PhD degree from University of Malaya (UM), Malaysia. He is currently a senior lecturer at the Department of Computer System and Technology, UM. His current research interests include resource allocation, cloud computing, software defined network, and network security.

Cite this article

Por, L.Y., Ku, C.S., Islam, A. et al. Graphical password: prevent shoulder-surfing attack using digraph substitution rules. Front. Comput. Sci. 11, 1098–1108 (2017). https://doi.org/10.1007/s11704-016-5472-z
