ER Publications


Analysis of Recognition based Authentication system hybrid with text based password mix with random generated password

Manish Giri, Dept. of Computer Science, BUIT, Bhopal, M.P., India
Divakar Singh, HOD of CSE, BUIT, Bhopal, M.P., India

Abstract: Graphical passwords are a good alternative to traditional alphanumeric and symbolic passwords because pictures are easier to memorize than alphanumeric passwords. In this extended approach, we present an analysis of a hybrid approach for a user authentication system based on a recognition based graphical password system and a text based password mixed with a random password generated at each authentication.

Keywords: graphical password, authentication, security, random password.

1. INTRODUCTION

Authentication, secure operations and the development of secure systems are the most important areas for human computer interaction [1]. In this paper, our main focus is on the authentication problem. Submission of a username and password is the basic authentication process, which is not very secure in this era. Research shows that remembering passwords is the main problem with text based passwords. Users choose either a simple name of a person, place or favourite thing, or a dictionary word that is easy to memorize, but these passwords are easy to guess or break: a cracker can break them with dictionary and brute force attacks within 30 seconds [2]. The alternative is a password that combines letters, numbers and special symbols, but it is difficult to memorize different passwords of this type for different accounts.

In the literature, several techniques have been proposed to overcome the limitations of text passwords made of alphanumeric characters and special symbols.

In this extended abstract, we propose a graphical password authentication system. The system combines graphical passwords with text based passwords mixed with randomly generated text passwords, trying to achieve the best of both worlds.

1.1 Overview of authentication methods

Basically authentication methods can be subdivided into three parts:

i. Token based authentication,

ii. Biometric based authentication and

iii. Knowledge based authentication.

These days token based techniques are widely used; the main examples are smart cards, bank cards and key cards. Token based authentication techniques also use knowledge based techniques. For example, ATM cards use a PIN number. Biometric based authentication techniques, such as fingerprints, iris scan or facial recognition, are not yet widely adopted. The major drawback of this technique is that such systems can be expensive [3]. However, this type of approach provides the highest level of security. Knowledge based techniques are the most widely used authentication techniques and include both text based and picture based passwords. Here we use knowledge based authentication in a graphical password scheme [4].

1.2 Graphical password authentication

Humans can remember pictures better than text based passwords or combinations of alphanumeric and symbolic characters, so graphical passwords are proposed as an alternative to text based password schemes that is easier to use and more secure than a text based password [5]. In this scheme the user has to select click points (coordinates) on images and a secret password at the time of registration (Fig. 1, 2, 3).

Fig. 1 “Registration Part 1”

Fig. 2 “Click on a Picture”.

Fig 3. “Click on a picture of each row”


After completing registration (Fig. 1, 2, 3), whenever the user wants to log in, he/she has to enter the user name (Fig. 4).

Fig. 4 “Log In Page”

After the ID has been verified as valid, the user has to enter the text password with a randomly generated password and click on one image (Fig. 5, 6).

Fig. 5 “Enter password with random password”

Fig. 6 “Click on a picture of each row”

If the correct regions are clicked and the correct password is entered, the user is authenticated.
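The registration and login steps above can be sketched as server-side checks. This is an added example, not code from the paper: the picture grid size, the six-digit code, the rule that the random password is typed directly after the text password, and all names (HybridAuth, click_to_cell) are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed layout (not from the paper): every row shows COLS pictures, each CELL x CELL pixels.
COLS, CELL = 4, 100

def click_to_cell(x, y):
    """Map a click coordinate to the (row, column) of the picture it landed on."""
    if not (0 <= x < COLS * CELL) or y < 0:
        raise ValueError("click outside the picture grid")
    return (y // CELL, x // CELL)

def _digest(salt, password, cells):
    # Text password and picture choices are hashed together; neither is stored in clear.
    material = password.encode() + b"\x00" + repr(sorted(cells)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

class HybridAuth:
    """Hypothetical server-side store for the hybrid scheme."""

    def __init__(self):
        self.users = {}       # username -> (salt, digest)
        self.challenges = {}  # username -> random password issued for one attempt

    def register(self, user, password, clicks):
        salt = secrets.token_bytes(16)
        cells = [click_to_cell(x, y) for x, y in clicks]
        self.users[user] = (salt, _digest(salt, password, cells))

    def begin_login(self, user):
        """Username step: for a valid ID, issue a fresh random password."""
        if user not in self.users:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[user] = code
        return code

    def finish_login(self, user, typed, clicks):
        """typed = text password followed by the random password (assumed mixing rule)."""
        code = self.challenges.pop(user, None)  # single use, consumed even on failure
        if code is None:
            return False
        try:
            cells = [click_to_cell(x, y) for x, y in clicks]
        except ValueError:
            return False
        salt, stored = self.users[user]
        code_ok = hmac.compare_digest(typed[-len(code):].encode(), code.encode())
        secret_ok = hmac.compare_digest(_digest(salt, typed[:-len(code)], cells), stored)
        return code_ok and secret_ok

if __name__ == "__main__":
    # Constructed sample: one click per row at registration, any point in the same pictures at login.
    auth = HybridAuth()
    auth.register("alice", "s3cret", [(150, 20), (310, 130), (40, 250)])
    code = auth.begin_login("alice")
    print(auth.finish_login("alice", "s3cret" + code, [(199, 99), (300, 101), (0, 299)]))
    print(auth.finish_login("alice", "s3cret" + code, [(199, 99), (300, 101), (0, 299)]))
```

The second call fails because the random password is consumed by the first attempt, so a value observed during one login cannot be reused for the next.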

2. KNOWLEDGE BASED AUTHENTICATION

The knowledge based authentication approach can be used with both text based and picture based password techniques. Here our approach is picture based passwords for authentication. Knowledge based authentication means that the computer user has to remember the password, either a text password (a simple text password or a combination of alphanumeric characters and symbols) or a graphical picture based password. Knowledge based authentication can be divided into two main sub-categories: recognition based and recall based graphical authentication techniques. In recognition based techniques, the user selects some images and chooses some points or pixel positions on the images. At the time of authentication the user clicks on the images, and if the clicked points match the right points, the authentication process succeeds.

The second approach is recall based authentication, in which the user creates or selects an image that he/she previously selected at the time of registration. If what is reproduced is the same as the original, the user is authenticated.

2.1 Recognition based techniques

In recognition based authentication techniques, at the time of registration the user selects a set of images and clicks on the images one by one, and these click points or image coordinates become the password. Whenever the user wants to log in, he/she first has to click on the same images at the same points. If the points match the points chosen at the time of registration, the authentication process succeeds.

With these techniques, the result obtained is that 90% of all users authenticated successfully, while only 70% succeeded using text based passwords [4].

3. OUR WORK

Knowledge based graphical password schemes can be classified into two techniques, i.e. the recognition based approach and the recall based approach. We have mixed the text based password approach with the recognition based approach. It is a hybrid approach for authentication. In our analysis we selected a group of 30 students and permitted them to generate their passwords by the recall based approach and by our upgraded approach. After successful authentication we found that there are some differences between the two techniques with respect to password characteristics and security [4].

4. Results: The results generated by the analysis are classified into two portions, i.e. the password characteristics and the security of passwords, as follows [4].

4.1 Password Generation (Time): Password generation time means the time required to generate the passwords with each of the two approaches. Table (a) shows the mean time for generating the password in seconds, and the graph shows the comparison between them. We took the group of 30 students and analyzed the time taken by them to generate the password with both techniques. Table (a) represents the time taken by each user in seconds.

S. No.   Hybrid technique   Recall technique
1        20.2               11.6
2        25.7               6.7
3        22.6               7.9
4        29.4               13.3
5        24.5               16.1
6        21.9               9.4
7        25.2               6.6
8        19.9               9.6
9        23.4               15.5
10       26.8               16.8
11       25.1               10.2
12       25.9               8.9
13       20.7               9.4
14       25.2               11.4
15       22.3               14.3
16       29.7               12.6
17       21.6               11.8
18       24.7               12.5
19       19.6               9.9
20       26.6               8.7
21       25.2               7.2
22       23.7               6.9
23       21.3               10.3
24       20.5               12.7
25       26.8               7.7
26       30.3               14.7
27       32.6               6.6
28       29.6               5.2
29       27.4               14.3
30       28.8               5.4

Table (a) Time taken by each user to generate the password by both techniques, in seconds


[Graph comparing the two series: Our hybrid approach, Recall based approach]

As the above graph shows, the time in the recall based authentication approach is less than in our hybrid recognition based technique for most users. Normally a user can identify pictures easily but recalls them a little more slowly. Here we have taken the hybrid approach of a text based password and a recognition based password, which is why password generation takes longer than with the recall based password.

4.2 Password learning (Incorrect Submission): We took the same 30 students and permitted them to submit their passwords for the authentication process, and found the following result in terms of incorrect submissions, shown in table (b).

No. of incorrect submissions   Hybrid technique   Recall technique
0                              14                 9
1                              6                  6
2                              4                  5
3                              3                  4
4                              2                  2
5                              1                  2
6                              -                  1
7                              -                  1

Table (b) Number of students making incorrect password submissions in the learning phase.

Table (b) shows the number of incorrect submissions in the learning phase. In the case of our hybrid recognition based approach, 14 students had no incorrect submission, 6 had 1 incorrect submission, 4 had 2 incorrect submissions, 3 had 3 incorrect submissions, 2 had 4 incorrect submissions and 1 had 5 incorrect submissions. In the case of the recall based technique, 10 students had no incorrect submission, 6 had 1 incorrect submission, and so on. These are all calculations based on a survey in the lab. This happens because humans can easily recognize pictures but are slow to recall them when submitting their passwords in the authentication phase.

4.3 Security from Graphical Password Attack:

A. Brute Force Attack

A brute force attack uses an algorithm that produces every possible combination of words to crack the password. A text based password has a password space of 94^N, where 94 is the number of printable characters with space and N is the length. Brute force has always proven successful against text based passwords because of its ability to check all possible combinations of the password [11]. That is why users are advised to select a stronger and more complex password to prevent discovery by a brute force attack. However, graphical user authentication (GUA) proves more resistant to brute force attacks because attack software needs to produce all possible mouse motions to imitate passwords, especially when trying to recall the graphical passwords [11]. In addition, we use a random password which is generated at each login and mixed with the user's password, so it is difficult to crack by brute force attack.

B. Dictionary Attack

If a user uses a weak password, it can be cracked by a dictionary attack, which checks it against the words found in a dictionary. A dictionary attack on GUA would be a waste of time because a graphical password is a method that uses mouse input type recognition [12]. It is more difficult and complex to use the automated dictionary method to produce all possibilities of a single user click on an image in a recall based password attack than in a text based attack [12-14]. A dictionary attack on a graphical password with the random password technique would be a waste of time because it is a combination of both a graphical password and a text based password.

C. Spyware Attack

This type of attack uses a small application which is installed on a user's computer accidentally or secretly to record sensitive data during mouse movement or key presses. It is a type of malware which secretly stores this information and reports it back to the attacker's system. With a few exceptions, these key-loggers and listening spywares are unproven in identifying mouse movement to crack graphical passwords. Even if the movement is recorded, it is still not accurate in identifying the graphical password. Other information is needed for this type of attack, namely window size and position as well as the timing [15].

D. Shoulder Surfing Attack

A password can be identified by looking over a person's shoulder. This type of attack is more frequent in crowded areas where it is not infrequent for people to stand behind one another queuing at ATM machines. There are some cases in which a PIN number can be recorded using ceiling and wall cameras placed near ATM machines. Properly shielding the keypad when entering the PIN number can prevent PIN numbers from being recorded or remembered by attackers [16-18]. Here we use a random password in the graphical password that is produced at each login, so it is very difficult to crack the random password using a shoulder surfing attack.

E. Physical Attack

When a user directly accesses the data from the server, it is called a physical attack. It gives the attacker a chance to bypass the authentication process and directly access the resources [11]. For graphical passwords, a physical attack creates two situations: access to the image gallery and access to the password database. In the first situation, if the image gallery is accessed by the attacker, it is possible to change the images and cause the system to malfunction in the next login and registration processes. If the attacker accesses the password database, it is possible to log in to the system with any user name [19-21]. But we use a random password which is produced at each login, so attackers cannot get, or find it very difficult to get, that random password; the attacker can change the image gallery but cannot log in.

Conclusion: This paper presents an analysis of knowledge based authentication techniques for graphical passwords. There are two types of knowledge based authentication techniques: recognition based and recall based. We have designed a hybrid combination of the recognition based authentication approach mixed with a text password and a random password generated at each authentication. Both techniques are useful for generating graphical passwords. The above results show that, in terms of password characteristics, the hybrid recognition based approach is useful: it takes a little more time but is also easy to remember. If we also consider the security issues, recognition based hybrid techniques are more effective. We conclude our analysis with the following table.


Characteristics: Authentication Process
Recognition based approach: The user has to recognize the preregistered images as well as enter the text password with a random password, so it can take a little more time [6].
Recall based approach: Drawing a signature or picture with the mouse every time can be slow [7].

Characteristics: Memorability
Recognition based approach: 1- Users can select their favorite images, so they are easy to memorize. 2- There are a number of images, so it is easy to recognize the preselected images [6].
Recall based approach: 1- Depends on whatever the user draws; studies showed that a drawing sequence is hard to remember [8]. 2- Sometimes easy to remember but sometimes difficult to remember [9].

Characteristics: Possible Attacks
Recognition based approach: Brute force attacks, guessing, dictionary attacks and shoulder surfing are easy, but in our hybrid approach all attacks are difficult as compared to the recall based approach.
Recall based approach: These attacks are possible, but it is not very easy to break the password [10].

Reference

[1] A. S. Patrick, A. C. Long and S. Flinn, “HCI and Security System,” presented at CHI, Extended Abstracts (Workshops), Ft. Lauderdale, Florida, USA, 2003.

[2] K. Gilhooly, “Biometrics: Getting Back to Business”, in Computerworld, May 09, 2005.

[3] Lin, P. L. and Huang, L. W. (2008), Graphical Passwords using Images With random Tracks of Geometric Shapes, 2008 Congress on Image and Signal Processing, IEEE 2008, pp 27-31.

[4] Gaurav Agrawal, Saurabh Singh, Ajay Indian, “Analysis of Knowledge based graphical password authentication,” SuperStar Virgo, Singapore, August 3-5, 2011.

[5] S. Akula and V. Devisetty, “Image Based Registration and Authentication System” in Proceedings of Midwest Instruction and Computer Symposium, 2004.

[6] T. Takada and H. Koike, “Awase-E: Image-based authentication for Mobile Phones using User’s Favorite Images,” in Human-Computer Springer-Verlag GmbH,2003, pp. 347-351.

[7] J. Thorpe and P. C. v. Oorschot, “Towards Secure Design Choices for Implementing Graphical Passwords,” in Proceeding of the 20th Annual Computer Security Application Conference. Tucson Arizona, 2004.

[8] D. Nail and J. Thorpe, “Analyzing User Choice in Graphical Passwords,” Technical Report, School of Information Technology and Engineering, University of Ottawa, Canada May 27 2004.

[9] A. F. Syukri, E. Okamoto and M. Mambo, “A User Identification System Using Signature Written with Mouse,” in Third Australasian Conference on Information Security and Privacy (ACISP): Springer-Verlag Lecture Notes in Computer Science (1438), 1998, pp. 403-441.

[10] Susan Wiedenbeck (Drexel University, Philadelphia, PA), Jim Waters (Drexel University, Philadelphia, PA), Leonardo (Rutgers University at Camden, Camden, NJ), Jean (Rutgers University at Camden, Camden, NJ), “Design and Evaluation of Shoulder surfing resistant graphical password scheme,” in AVI ’06: Proceedings of the working conference on Advanced visual interfaces, ACM, New York, NY, USA, 2006, ISBN: 1-59593-353-0.

[11] Arash Habibi Lashkari, Azizah Abdul Manaf, Masin Masroom, “A Secure Recognition Based Graphical Password By Watermarking” in 11th IEEE International Conference on Computer and Information Technology, 2011

[12] Chiasson, S., et. al., “Multiple Password Interference in Text Password and Click-Based Graphical Passwords”, ACM, 2009.

[13] Wiedenbeck, S., J.-C. Birget, and A. Brodskiy, “Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice,” in Symposium On Usable Privacy and Security (SOUPS), 2005.

[14] Dhamija, R. and A. Perrig, “Déjà Vu: A User Study Using Images for Authentication,” in The proceeding of the 9th USENIX Security Symposium, 2000, USENIX.

[15] Man S., et al., “A password scheme strongly resistant to spyware, in Int. Conf. on Security and Management” 2004: Las Vegas.


[16] Forget, A., S. Chiasson, and R. Biddle, Shoulder-Surfing Resistance with Eye-Gaze Entry in Cued-Recall Graphical Passwords. ACM, 2010.

[17] Lashkari A.H., S.F., Omar Bin Zakaria and Rosli Saleh, Shoulder Surfing attack in graphical password authentication. 2009, International Journal of Computer Science and Information Security (IJCSIS).

[18] Man, S., D. Hong, and M. Mathews, A Shoulder-Surfing Resistant Graphical Password Scheme – WIW, in International conference on security and management. 2003: Las Vegas.

[19] CAPEC, Standard Abstraction Attack Pattern List (Release 1.6). 2011, Common Attack Patterns Enumeration and Classification (CAPEC): USA.

[20] Todorov, D., Mechanics of User Identification and Authentication. 2007: Auerbach Publications.

[21] Gordon, P., Data Leakage- Threats and Mitigation, in InfoSec Reading Room. 2007, SANS Institute.