Abstract
Given that phishing is an ever-increasing problem, a better authentication system is required. We propose a system that uses a graphical password deployed from a Trojan- and virus-resistant embedded device. The graphical password utilizes a personal image to construct an image hash, which is provided as input into a cryptosystem that returns a password. The graphical password requires the user to select a small number of points on the image. The embedded device then stretches these points into a long alphanumeric password. With one graphical password, the user can generate many passwords from their unique embedded device. The image hash algorithm employed by the device is demonstrated to produce random and unique 256-bit message digests and was found to be responsive to subtle changes in the underlying image. Furthermore, the device was found to generate passwords with entropy significantly larger than that of the user-chosen passwords employed today.
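The pipeline the abstract describes (personal image to 256-bit digest, click-points stretched into a long alphanumeric password, one image yielding many per-service passwords) as an added illustration that is not the authors' code: the paper's own image hash and cryptosystem are not given on this page, so SHA-256 and HMAC-SHA256 stand in for them, the image is a constructed pixel array, and the service label, click-points and password length are assumed parameters.

```python
import hashlib
import hmac
import math
import string

ALPHABET = string.ascii_letters + string.digits  # 62 alphanumeric symbols

def make_image(width=16, height=16, seed=7):
    """Constructed stand-in for a personal image: deterministic
    pseudo-random grayscale pixels (not a real photograph)."""
    pixels, x = bytearray(), seed
    for _ in range(width * height):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF  # LCG, reproducible
        pixels.append((x >> 16) & 0xFF)
    return bytes(pixels)

def image_hash(pixels):
    """256-bit image digest. Assumption: SHA-256 stands in for the
    paper's own image hash, which this page does not specify."""
    return hashlib.sha256(pixels).digest()

def hamming_distance(a, b):
    """Differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def derive_password(digest, points, service, length=24):
    """Stretch click-points into an alphanumeric password. Assumption:
    HMAC-SHA256 keyed by the image digest stands in for the unspecified
    cryptosystem; the service label makes one image yield many passwords."""
    msg = service.encode() + b"|" + b",".join(f"{x}:{y}".encode() for x, y in points)
    out, counter = "", 0
    while len(out) < length:
        block = hmac.new(digest, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        n = int.from_bytes(block, "big")
        while n and len(out) < length:     # base-62 encode the block
            n, r = divmod(n, len(ALPHABET))
            out += ALPHABET[r]
        counter += 1
    return out

def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)

def demo():
    img = make_image()
    altered = img[:100] + bytes([img[100] ^ 0x01]) + img[101:]  # flip one bit of one pixel
    h, h2 = image_hash(img), image_hash(altered)
    points = [(3, 9), (12, 4), (7, 7)]  # assumed click-points
    return {"bits_changed": hamming_distance(h, h2),
            "bank": derive_password(h, points, "bank.example"),
            "mail": derive_password(h, points, "mail.example"),
            "bank_altered": derive_password(h2, points, "bank.example"),
            "entropy_bits": password_entropy_bits(24)}
```

`demo()` shows the sensitivity property (a one-bit pixel change flips roughly half the digest bits and yields an unrelated password) and that a 24-character alphanumeric output carries about 143 bits of entropy if the derivation is uniform.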
Cite this article
Gyorffy, J.C., Tappenden, A.F. & Miller, J. Token-based graphical password authentication. Int. J. Inf. Secur. 10, 321–336 (2011). https://doi.org/10.1007/s10207-011-0147-0
DOI: https://doi.org/10.1007/s10207-011-0147-0