Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: Medha Sapkal, Ninaad Sarulkar, Kaif Shaikh, Prathmesh Sarode, Prof. A. A Shirode
DOI Link: https://doi.org/10.22214/ijraset.2023.49072
Secure authentication is required to protect users' personal information. This paper presents a graphical password scheme designed around both security and ease of use for user authentication. We integrate the concept of recognition with recall- and cued-recall-based schemes to offer stronger security than existing schemes. The Click Symbols (CS) alphabet combines Alphanumeric (A) and Visual (V) symbols into one entity (CS-AV) in a Captcha-based password scheme; we integrate it with a recall-based n×n grid of points, where a user draws a shape or pattern through the intersection points of the grid as a way to enter a graphical password. The next scheme, the combination of CS-AV with grid cells, allows a very large password space (2.4 × 10^4 bits of entropy) and gives reasonable usability results, determined by an empirical study of the memorable password space. The proposed schemes support the most common input-device platforms and promise strong resistance to the shoulder-surfing attacks that can occur while a smartphone is being unlocked with a pattern.
I. INTRODUCTION
A fundamental task of information security is the authentication of a legitimate user on a system. The text password is the most common user authentication scheme for desktop and mobile applications, but it has several limitations and drawbacks [1]; for example, as the number of passwords per user increases, the rate at which passwords are forgotten also rises [2]. Graphical authentication schemes are an alternative to the traditional text password and have been studied in depth [3]. Graphical passwords are motivated by the observation that humans remember pictures better than text [3], an assumption supported by psychological studies [4, 5]. Another approach to user authentication is based on biometric traits, either physical or behavioral. Schemes based on biometric traits suffer from spoofing and need to verify liveness in order to distinguish a real user from a photo or a video [6]. The graphical password can be used as an alternative to biometric systems or combined with them.
The main issue with graphical passwords is the shoulder-surfing attack, in which the login credential is captured, for example while a smartphone is being unlocked [7] (see also [8-10]). In a shoulder-surfing attack, the login process is captured by direct observation or with external technical equipment (e.g. a camera). Another issue shared by text and graphical passwords is the low entropy of the password space: a user can create a strong password for a single system, but it is difficult to remember for a long time. Recently, Zhu et al. [11] introduced the CaRP (Captcha as gRaphical Passwords) schemes. CaRP provides a clickable Captcha image, and the sequence of clicks on the image is used to generate the graphical password. The most prominent CaRP schemes are ClickText (CT) and AnimalGrid (AG). The CT scheme corresponds to a traditional password: alphabet characters are drawn on a Captcha image and the user sets the password by clicking on a sequence of them. AG consists of animal models; after clicking an animal on the image, the user is led to an n × n grid-cells window in which he/she chooses grid cells for the password.
Inspired by the CaRP scheme of Zhu et al. [11], we propose a new password scheme that uses Alphanumeric (A) and Visual (V) symbols (CS-AV), reported in our previous work [12], combined with the Pass-Go [13] scheme. It resists shoulder-surfing attacks on mobile devices. We call it “Clicked on Object to Draw a Pattern (CODP)”. In the CODP scheme, the user chooses an object from the CS-AV image, and then a grid-points window appears in which the intersection points are used to draw a pattern, as in the Pass-Go scheme [13]. The intersection points are the same as those of the pattern used on a smartphone. The expected password is a combination of CS-AV objects with intersection points. Another main issue of graphical passwords is a low password space. We introduce a second novel scheme to overcome this issue by combining the CS-AV scheme with an n × n grid-cells window. We call it “Click on Object to Select Secrets (COSS)”. It is similar to the AG [11] scheme, with the addition that a user can click on alphabet characters or objects to select them for the password; besides this, the proposed COSS scheme places an object as a graphical cue behind the n × n grid cells to improve usability.
Further, both schemes use an emoji [14] sign system to indicate password strength, so that a user can observe it and reset his password accordingly. Next, for the security analysis, the password space is measured in entropy bits for both schemes: 58.6 bits and 2.4 × 10^4 bits of entropy for the CODP and COSS schemes, respectively. In contrast, state-of-the-art schemes have shown 43 bits, 40 bits, and 271 bits for the PassPoints [15], CT [11], and QBP [16] schemes, respectively. The most recent of these, the QBP scheme, reaches 271 bits of password space by integrating secret questions and answers with the pattern to increase the entropy bits. The proposed COSS scheme obtains 2.4 × 10^4 bits of entropy, which is the highest among these state-of-the-art schemes.
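The password-space arithmetic behind such bit figures, as an added illustration rather than the paper's own code: a simplified model in which the alphabet size, grid size, click count and strength thresholds are assumptions, and which ignores adjacency rules and the pixel-level secrets credited for the 2.4 × 10^4 figure, so it yields lower bounds rather than the paper's numbers.

```python
import math

# Constructed, simplified model of the two-stage schemes (added example, not
# the paper's code). Adjacency rules, object repetition and the pixel-level
# secrets behind the paper's 2.4 x 10^4 figure are ignored: a lower bound only.

def codp_space(alphabet_size: int, grid_n: int, pattern_len: int) -> int:
    """CODP: one CS-AV object, then an ordered, repetition-free pattern through
    pattern_len intersection points of an n x n point grid (Pass-Go style)."""
    points = grid_n * grid_n
    if not 1 <= pattern_len <= points:
        raise ValueError("pattern length must lie between 1 and the point count")
    return alphabet_size * math.perm(points, pattern_len)

def coss_space(alphabet_size: int, grid_n: int, num_cells: int) -> int:
    """COSS: one CS-AV object, then an unordered set of num_cells grid cells."""
    cells = grid_n * grid_n
    if not 1 <= num_cells <= cells:
        raise ValueError("cell count must lie between 1 and the number of cells")
    return alphabet_size * math.comb(cells, num_cells)

def text_space(charset_size: int, length: int) -> int:
    """Baseline: a fixed-length text password over a charset."""
    return charset_size ** length

def entropy_bits(space: int) -> float:
    """Password-space entropy in bits, assuming every password is equally likely
    (the convention under which the paper quotes its bit figures)."""
    return math.log2(space)

def strength_label(bits: float) -> str:
    """Coarse indicator of the kind the emoji meter shows to the user while a
    password is set. The thresholds are an assumption, not the paper's."""
    if bits < 28:
        return "weak"
    if bits < 44:
        return "fair"
    if bits < 64:
        return "strong"
    return "very strong"

if __name__ == "__main__":
    # Assumed parameters: 36 alphanumeric objects, a 9 x 9 grid and 6 clicks.
    for name, space in [("text, 8 chars over 95 symbols", text_space(95, 8)),
                        ("CODP, 36 objects, 9x9, 6 points", codp_space(36, 9, 6)),
                        ("COSS, 36 objects, 9x9, 6 cells", coss_space(36, 9, 6))]:
        bits = entropy_bits(space)
        print(f"{name:34s} {bits:6.1f} bits  {strength_label(bits)}")
```

Under these assumptions an ordered pattern (CODP) is worth roughly 9 more bits than an unordered cell set of the same size (COSS), which shows why the paper's far larger COSS figure must come from the pixel-level secrets rather than from cell selection alone.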
In this paper, the empirical study of the security and usability of the proposed schemes follows the methodology of [11, 13, 16]. The remainder of the paper is organized as follows: related work is described in Section II; Section III presents our proposed mechanisms; Sections IV and V report the empirical study of the usability and security of our schemes; Section VI closes with the discussion and conclusion.
II. RELATED WORK
A. Graphical Password
Graphical password schemes can be classified into three basic categories according to password structure: recall, cued-recall, and recognition-based authentication; the explanation is given in [11].
A recall-based graphical password scheme requires a user to regenerate the same interaction outcome without any cue. DAS (Draw-A-Secret) is the first recall-based scheme, proposed by Jermyn et al. [17], in which a user draws a password on a 2D grid. BDAS [18] adds background images to the DAS scheme to encourage the user to create a more complex password. Hai Tao [13] introduced the Pass-Go scheme, which generates a password from grid intersection points and thereby increases usability. Besides this, a recent recall-based graphical password, Questions-Background Image-Pattern (QBP), is introduced in [16]; it integrates the BDAS and Pass-Go schemes and as a result provides a strong password space. The QBP [16] scheme also contains secret questions and answers integrated with the pattern to increase the entropy bits, but setting the questions and answers may take a long time and is a tedious task.
The cued-recall scheme provides a visual cue to help a user memorize the graphical password. Pass-point [19] is a widely known example of a cued-recall scheme.
Recognition-based graphical password systems are built on a variety of images, from which a user generates his/her password by using certain images. Zhu et al. [11] introduced a novel approach to graphical passwords called Captcha as gRaphical Password (CaRP). CaRP schemes are click-based graphical passwords. CaRP uses alphanumeric characters and 2D animal models to generate the CaRP image, which is built on Captcha technology. These visual objects appear in the CaRP image and allow a user to input the password. CaRP is further sub-categorized into recognition and recognition-recall schemes. Recognition-based CaRP is called CT. Recognition-recall combines the tasks of both recognition and cued-recall and has the properties of both schemes. AG is an example: the 2D animal models on the image cover the recognition part, while the grid-cells window is the cued-recall part. Therefore, AG provides an effective password space. However, in AG, a user has to perform an additional dragging task to set his password.
This paper introduces two new graphical password schemes, CODP and COSS, which can resist shoulder-surfing attacks such as those on smartphone pattern unlock and which provide a strong password space. The proposed CODP and COSS schemes generate password spaces of 58.5 and 2.45 × 10^4 entropy bits, respectively, while the state-of-the-art methods CT [11], CA [11], and QBP [16] reach 40, 42, and 271 entropy bits, respectively. The proposed method shows the strongest entropy compared to the QBP scheme, obtaining 2.45 × 10^4 entropy bits, because sets of pixels are integrated with the alphabet characters. In contrast, the QBP scheme generates a 271-bit password by using a set of questions and answers as part of the password, which is a tedious task. In the security study, we found that our schemes could be attacked by deep learning techniques; such attacks have so far been investigated only on 2-layer Captcha challenges and need pixel-level labelling to learn a model of the Captcha scheme, and they have not investigated the CaRP image in particular. Future work is to conduct a comprehensive study of CaRP image segmentation or object recognition on CaRP images, and then to combine the proposed schemes with biometric systems to strengthen security against spoofing attacks.
[1] H. Yuan, Y. Han, and J. Hu, “Password memorability and security: empirical results,” Int. Comput. Sci. Softw. Eng. Conf., vol. 4, pp. 25–31, 2008.
[2] D. R. Pilar, A. Jaeger, C. F. A. Gomes, and L. M. Stein, “Passwords usage and human memory limitations: a survey across age and educational background,” PLoS One, vol. 7, no. 12, 2012.
[3] P. Elftmann, “Secure alternatives to authentication mechanisms,” Thesis, Aachen Univ., Aachen, Germany, October 2006, pp. 1–92.
[4] L. Standing, J. Conezio, and R. N. Haber, “Perception and memory for pictures: Single-trial learning of 2500 visual stimuli,” Psychon. Sci., vol. 19, no. 2, pp. 73–74, Aug. 1970.
[5] R. N. Shepard, “Recognition memory for words, sentences, and pictures,” J. Verbal Learning Verbal Behav., vol. 6, no. 1, pp. 156–163, 1967.
[6] D. C. Garcia and R. L. de Queiroz, “Face-Spoofing 2D-Detection Based on Moiré-Pattern Analysis,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 4, pp. 778–786, April 2015.
[7] F. Schaub, R. Deyhle, and M. Weber, “Password entry usability and shoulder surfing susceptibility on different smartphone platforms,” Proc. 11th Int. Conf. Mob. Ubiquitous Multimed. (MUM ’12), pp. 1–10, 2012.
[8] R. Biddle, S. Chiasson, and P. C. van Oorschot, “Graphical passwords: Learning from the first twelve years,” ACM Comput. Surv., vol. 44, no. 4, p. 41, 2012.
[9] G. Ye et al., “Cracking Android pattern lock in five attempts,” Proc. 2017 Netw. Distrib. Syst. Secur. Symp., March 2017.
[10] V. Venkateswara Rao and A. S. N. Chakravarthy, “Analysis and bypassing of pattern lock in Android smartphone,” IEEE Int. Conf. Comput. Intell. Comput. Res. (ICCIC), pp. 1–3, 2017.
[11] B. B. Zhu, J. Yan, G. Bao, M. Yang, and N. Xu, “Captcha as graphical passwords: a new security primitive based on hard AI problems,” IEEE Trans. Inf. Forensics Secur., vol. 9, no. 6, pp. 891–904, 2014.
[12] A. Khan and A. G. Chefranov, “A new secure and usable captcha-based graphical password scheme,” Int. Symp. Computer and Information Sciences, Springer, Cham, September 2018, pp. 150–157.
[13] H. Tao and C. Adams, “Pass-Go: A proposal to improve the usability of graphical passwords,” Int. J. Netw. Secur., vol. 7, no. 2, pp. 273–292, 2008.
[14] S. Furnell, W. Khern-am-nuai, R. Esmael, W. Yang, and N. Li, “Enhancing security behaviour by supporting the user,” Comput. Secur., vol. 75, pp. 1–9, 2018.
[15] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, “PassPoints: Design and longitudinal evaluation of a graphical password system,” Int. J. Hum. Comput. Stud., vol. 63, no. 1–2, pp. 102–127, 2005.
[16] B. Togookhuu and J. Zhang, “New graphic password scheme containing questions-background-pattern and implementation,” Procedia Comput. Sci., vol. 107, pp. 148–156, 2017.
[17] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, “The design and analysis of graphical passwords,” Proc. 8th USENIX Secur. Symp., Washington, D.C., USA, August 23–26, pp. 23–26, 1999.
[18] P. Dunphy and J. Yan, “Do background images improve ‘draw a secret’ graphical passwords?,” Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS ’07), pp. 36–47, October 2007.
[19] S. Chiasson, P. C. van Oorschot, and R. Biddle, “Graphical password authentication using cued click points,” pp. 359–374, 2007.
[20] W. E. Burr, D. F. Dodson, and W. T. Polk, “Electronic authentication guidelines,” 800-63 Ver. 1.0 (Withdrawn), June 30, 2004.
[21] M. Tang, H. Gao, Y. Zhang, Y. Liu, P. Zhang, and P. Wang, “Research on deep learning techniques in breaking text-based captchas and designing image-based captcha,” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 10, pp. 2522–2537, 2018.
[22] X. Wu, S. Dai, Y. Guo, and H. Fujita, “A machine learning attack against variable-length Chinese character captchas,” Applied Intelligence, vol. 49, no. 4, pp. 1548–1565, 2019.
[23] J. Zhang, X. Hei, and Z. Wang, “Typer vs. captcha: private information based captcha to defend against crowdsourcing human cheating,” arXiv preprint arXiv:1904.12542, 2019.
[24] Y. W. Chow, W. Susilo, and P. Thorncharoensri, “Captcha design and security issues,” in Advances in Cyber Security: Principles, Techniques, and Applications, Springer, Singapore, pp. 69–92, 2019.
[25] V. D. Nguyen, Y. W. Chow, and W. Susilo, “A captcha scheme based on the identification of character locations,” Lect. Notes Comput. Sci., vol. 8434, pp. 60–74, 2014.
[26] German Software development and Analytics, “GSA captcha breaker,” 2018, https://www.gsa-online.de/en/, accessed 10 October 2018.
[27] Captcha-Sniper, “Captcha sniper,” 2018, http://www.captchasniper.com/, accessed 10 October 2018.
[28] H. Gao, M. Tang, Y. Liu, P. Zhang, and X. Liu, “Research on the security of Microsoft’s two-layer captcha,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 7, pp. 1671–1685, 2017.
[29] John the Ripper Password Cracker, http://www.openwall.com/john/, accessed 2 January 2019.
[30] Openwall Wordlists Collection, http://www.openwall.com/wordlists/, accessed 2 January 2019.
Copyright © 2023 Medha Sapkal, Ninaad Sarulkar, Kaif Shaikh, Prathmesh Sarode, Prof. A. A Shirode . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET49072
Publish Date : 2023-02-11
ISSN : 2321-9653
Publisher Name : IJRASET