
Token-based graphical password authentication

Regular Contribution, International Journal of Information Security

Abstract

Given that phishing is an ever-increasing problem, a better authentication system is required. We propose a system that uses a graphical password deployed from a Trojan- and virus-resistant embedded device. The graphical password uses a personal image to construct an image hash, which is provided as input to a cryptosystem that returns a password. The graphical password requires the user to select a small number of points on the image; the embedded device then stretches these points into a long alphanumeric password. With one graphical password, the user can generate many passwords from their unique embedded device. The image hash algorithm employed by the device is demonstrated to produce random and unique 256-bit message digests and was found to be responsive to subtle changes in the underlying image. Furthermore, the device was found to generate passwords with entropy significantly larger than that of the users' passwords in use today.
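As an added illustration of the derivation the abstract describes, and not code from the paper or its authors, the following Python sketch turns a 256-bit image digest plus a few click points into a long alphanumeric password, and yields a different password per service from the same image and device. Every concrete choice is an assumption made for the example: the image digest is plain SHA-256 over the image bytes (the paper's own image hash algorithm is not reproduced here), click points are snapped to 16-pixel cells so a slightly off click still reproduces the same password, HMAC-SHA256 stands in for the device's cryptosystem, the device holds a secret key, and a service label selects which of the many passwords is produced. The image, points and secret are constructed sample data.

```python
"""Added example: long password derived from an image digest, a few click
points and a per-device secret. Not the paper's algorithm; see assumptions
in the comments below."""
import hashlib
import hmac
import math
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, no ambiguity handling
GRID = 16            # assumption: click tolerance, pixels snap to 16x16 cells
PASSWORD_LEN = 20    # assumption: length of the stretched password

# Constructed sample inputs (not real data).
SAMPLE_IMAGE = b"constructed-sample-image-bytes:" + bytes(range(256))
SAMPLE_POINTS = [(10, 20), (200, 150), (640, 400)]
DEVICE_SECRET = b"constructed-device-secret"


def image_digest(image_bytes: bytes) -> bytes:
    """256-bit digest of the personal image. Assumption: plain SHA-256 of the
    raw bytes, which is why any one-byte change flips about half the bits."""
    return hashlib.sha256(image_bytes).digest()


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def quantize(points, grid=GRID) -> bytes:
    """Snap each (x, y) click to its grid cell and serialise the cells in
    click order, so the same cells clicked in the same order give the same
    bytes even if the exact pixels differ."""
    return b"".join(
        (x // grid).to_bytes(2, "big") + (y // grid).to_bytes(2, "big")
        for x, y in points
    )


def derive_password(image_bytes, points, device_secret, label, length=PASSWORD_LEN):
    """Stretch a handful of click points into a long alphanumeric password.

    key  = HMAC(device_secret, image_digest)      -> binds image to this device
    out  = HMAC(key, cells || label || counter)   -> one password per label
    Symbols are drawn by rejection sampling so the 62-way mapping is unbiased.
    """
    key = hmac.new(device_secret, image_digest(image_bytes), hashlib.sha256).digest()
    msg = quantize(points) + b"|" + label.encode("utf-8")
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in block:
            if byte < 248:  # 248 = 4 * 62: reject the top 8 values to avoid modulo bias
                out.append(ALPHABET[byte % 62])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def password_entropy_bits(length=PASSWORD_LEN, alphabet=ALPHABET) -> float:
    """Nominal entropy of a uniformly chosen password of this shape. This is
    only an upper bound: the output cannot carry more entropy than its inputs."""
    return length * math.log2(len(alphabet))


def click_point_entropy_bits(n_points, width, height, grid=GRID) -> float:
    """Entropy of the click points alone (what is left if the image and the
    device secret are known), assuming uniformly chosen cells; real users
    cluster on hot-spots, so the true figure is lower."""
    cells = (width // grid) * (height // grid)
    return n_points * math.log2(cells)


if __name__ == "__main__":
    pw = derive_password(SAMPLE_IMAGE, SAMPLE_POINTS, DEVICE_SECRET, "example.com")
    print("example.com :", pw)
    print("other.example:", derive_password(SAMPLE_IMAGE, SAMPLE_POINTS, DEVICE_SECRET, "other.example"))
    print("nominal password entropy: %.1f bits" % password_entropy_bits())
    print("click-point entropy (5 points, 1024x768): %.1f bits" % click_point_entropy_bits(5, 1024, 768))
    tweaked = SAMPLE_IMAGE[:-1] + b"\x00"
    print("digest bits changed by a one-byte edit:", hamming_bits(image_digest(SAMPLE_IMAGE), image_digest(tweaked)))
```

Two things a practitioner should check before trusting a scheme of this shape. First, the nominal figure (20 symbols from a 62-symbol alphabet is about 119 bits) is an upper bound: once the image and the device secret are known to an attacker, the remaining secret is the click points, roughly n times log2(cells) bits under a uniform assumption and less once hot-spot bias in user-chosen points is accounted for. Second, the cell size is the usability versus entropy trade-off: coarser cells tolerate sloppier clicks and shrink the search space at the same time.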




Corresponding author

Correspondence to James Miller.


Cite this article

Gyorffy, J.C., Tappenden, A.F. & Miller, J. Token-based graphical password authentication. Int. J. Inf. Secur. 10, 321–336 (2011). https://doi.org/10.1007/s10207-011-0147-0
