document4

IJRIM Volume 2, Issue 4 (April 2012) (ISSN 2231-4334)

International Journal of Research in IT & Management 29 http://www.mairec.org

COMBINING CAPTCHA AND GRAPHICAL PASSWORDS FOR USER

AUTHENTICATION T. S. Ravi Kiran*

Y. Rama Krishna**

ABSTRACT Text passwords have been widely used for user authentication, however, it is well-known that

text passwords are insecure for a variety of reasons .Graphical password schemes are

believed to be more secure and more resilient to dictionary attacks than textual passwords,

but more vulnerable to shoulder surfing attacks. Many recognition-based graphical password

schemes alone, in order to offer sufficient security, require a number of rounds of

verification, introducing usability issues. In this paper we suggest a hybrid user

authentication approach combining CAPTCHA (Completely Automated Public Turing tests

to tell Computers and Humans Apart) and graphical passwords to provide increased

security.

Keywords: CAPTCHA, Graphical Passwords, User Authentication, Phishing, Security

*Lecturer, Department of Computer Science, P.G.Centre, P.B.Siddhartha College of Arts &

Science, Vijayawada.

**Assistant Professor, KITE Womens College of Professional Engineering Sciences,

Shabad, India.



INTRODUCTION Authentication is indeed at the heart of any secure system; a user has to be authenticated

before he/she can be involved in online transactions, enter a secured vault, open a safe or

reach his/her email account[1]. If sensitive information or unauthorized access is given to a

wrong identity, the entire security of one system will collapse. Generally, the most common

and convenient authentication method is the traditional alphanumeric password. However,

their inherent security and usability problems [2, 3] led to the development of graphical

passwords as an alternative. To date, there have been several graphical password schemes,

such as [4, 5, 6, 7, 8]. They have overcome some drawbacks of traditional password schemes,

but most of the current graphical password schemes remain vulnerable to spyware attacks.

Most current graphical password schemes require users to enter the password directly,

typically by clicking or drawing. Hence, passwords are easily exposed to a third party who

has the opportunity to record a successful authentication session CAPTCHA (Completely

Automated Public Turing tests to tell Computers and Humans Apart) is a program that

generates and grades tests that are human solvable, but beyond the capabilities of current

computer programs [9]. CAPTCHA is now almost a standard security mechanism for

addressing undesirable or malicious Internet bot programs and major web sites such as

Google, Yahoo and Microsoft all have their own CAPTCHAs. The rest of the paper is

organized as follows. Section 2 briefly reviews related work. Sections 3 present our scheme.

Conclusions and future work are addressed in section 4.

RELATED WORKS There are many different ways a user can be authenticated by a system. This section looks at

a number of different authentication systems to analyze their strengths and weakness.

Alphanumeric Passwords

An alphanumeric password is an authentication mechanism that utilizes letters, upper and

lower case, numbers and some special characters such as exclamation marks and pound signs.

A combination of all of these is used to form a string the user enters into a computer to

authenticate themselves. Passwords of this nature are generally held to follow two guidelines;

they must be memorable allowing the user to authenticate quickly and easily and that they

must be secure [10].Alphanumeric passwords utilize recall which from the statement above is

much harder for a user to remember their password. This means that in general users will be

inclined to create an easily remembered password, which again reduces the security of the



system. This point is further highlighted by the need to regularly change passwords to

effectively 'reset' any attempts to steal a user's password

Biometrics

One alternative to the use of alphanumeric passwords is the use of biometrics. Biometrics is

the utilization of uniquely and personally identifiable biological and physical information

[11]. This authentication method does not rely on user password selection so does not fall

foul of the failings described above. Also, as this mechanism makes use of the personal

attributes of the user as opposed to a password it is not possible to shoulder surf this

technology. There are many biometric systems in place today such as the use of finger prints

or voice recognition. Authentication takes place by comparing previously stored information

against the information a user provides when they wish to authenticate. To many this may

seem like the logical choice when it comes to replacing alphanumeric passwords with a far

more secure system, but it too has flaws

Graphical Passwords

Graphical passwords can be largely classified into three categories: recognition-based, cued-

recall, or recall-based. In recognition-based graphical passwords, users are required to

recognize and then select a set of preselected images from a larger set. In cued-recall, the

images cue the user, for example, to click a set of points on an image. In recall-based, users

are required to recall a password without any cues, a graphical password is the use of a

picture, a part of a picture or several pictures together to authenticate a user. Graphical

passwords have by in large been attributed to Blunder [12, 13] his system required a user to

click several points on an image, the points were then compared with the stored version and

the user was authenticated or the authentication failed and the user was rejected. Whilst

alphanumeric passwords rely on a single stage many graphical passwords systems require the

user to pass a number of stages or challenges to authenticate. This raises an important issue

relating to how long it takes to authenticate and how long a user feels is too long to

authenticate.

PassFaces

This system was developed by Real User Corporation [14] and makes use of the human

ability to recognize faces. To register with the system the user selects four faces from a large

bank of available choices. When a user wishes to authenticate themselves they are presented

with an array of nine faces, arranged in three rows of three. One of the faces is part of the

user's password while the other eight all act as decoys. The user then touches the face to

select it and the system then displays the next set of faces. The challenges continue until the



user has selected four faces, it is at this point that the user passes or fails authentication.

There are a number of issues with this system; some relate to security and others relate to

usability. The main usability concern, which is becoming more and more redundant as

network speeds increase, is the time it could take to load the faces. This issue is particularly

relevant when the authenticating server is based in a remote location, as is likely to be the

case with public space interactions.

Draw-a-Secret

Unlike the PassFaces system this is a recall based authentication method. To log in using this

method the user must reproduce an image on a grid which is displayed on the screen. The

system registers pen down and pen up events and the order in which the parts of the grid are

touched between these events occurring which the author of refers to as a stroke [15]. The

'password' that is stored by the system is not the drawing itself but is instead the record of

strokes the user has performed. As the system does not record the exact drawing but instead a

representation of the drawing it is possible to inexactly reproduce the image but still achieve

authentication.

PassPoints

This system is a direct descendant of Blonder's system where the user has to touch several

points on the screen in order to gain access to the system. As with Draw-a-Secret a

background image is used to help the user remember the location of their points. This again is

a recall based method of authentication, with the twist that the image acts as a cue to assist

with the task of recollection [16]. This system effectively falls between a pure recognition

based and a pure recall based system. To register with the system the user must select an

image they wish to use and then select the points they wish to authenticate with. This again

brings the issue of allowing user selection as it has been shown that here too users are

inclined to choose images that they associate with. The other major issue is that the image

must not be too cluttered or too sparse.

PROPOSED SCHEME The proposed scheme is a combination of CAPTCHA and recognition-based graphical

password which is less subjective to phishing attack. Password can be created during user

registration or after registration and be changed any time after creation. A graphical password

policy is defined by displaying an interface which contains Random text CAPTCHAs and

images. Figure 1 illustrates the proposed interface.



Figure 1 Interface of proposed scheme

The users choose combination of CAPTCHA and images as their graphical passwords. For

each round of verification, the specified number of text CAPTCHAs and images are

randomly selected by the system from a database. A user then chooses a specified number of

text CAPTCHAs and images as her graphical password .This process repeats for the specified

number of rounds. If the user does not like a particular set of images, he may request a new

one or upload her own images to be included in the selection process. In the register phase,

users are required to select and remember CAPTCHAs and images as their password. To be

authenticated, users need to distinguish his/her CAPTCHA-images .The user must correctly

select all images (one or more) pre-registered for this account in each round of graphical

password verification. The user as usual enters a user name and authentication begins. In

password verification, the proposed scheme displays the interface of CAPTCHA and Images

and the user chooses out her preregistered combination of CAPTCHAs and Images. After the

user completes verification, if correct he is granted account access. Otherwise, access is

denied.

CONCLUSION Our proposed scheme offers some advantages in countering common attacks against text

passwords, such as naive key logging and phishing. In this paper, we have presented a new

approach to protect users password against spyware attack. Our main contribution is that we

introduce CAPTCHA into the realm of graphical passwords to resist spyware programs.

From a security viewpoint, this exploration is expected to advance the development of



graphical passwords. Our future work concentrates on improving the login time and

memorability.

REFERENCES [1] L. V. Ahn, M. Blum, Nicholas J. Hopper and J. Langford, CAPTCHA:CAPTCHA: Using

hard AI problems for security, In the Proceedings of Eurocrypt03, pp. 294-311, 2003,

available at: http://www. captcha.net/, Visited on Sep. 27, 2005.

[2] M. Akao, S. Yamanaka, G. Hanaoka, et al., Personal entropy fromgraphical passwords:

Methods for quantification and practical keygeneration, IEICE Trans. On Fundamentals of

Electronics Communications and Computer Sciences, E87A (10), pp. 2543-2554, Oct. 2004.

[3] D. Davis, F. Monrose, and M. K. Reiter, On User Choice in Graphical Password

Schemes. In the 13th USENIX Security Symposium, 2004.

[4] R. Dhamija and A. Perrig, Deja Vu: A User Study Using Images for Authentication. In

the 9th USENIX Security Symposium, 2000.

[5] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, The Design and Analysis of

Graphical Passwords. In the 8th USENIX Security Symposium, 1999.

[6] D. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Security. In

the 2nd USENIX Security Workshop, pp. 514, 1990.

[7] M. Orozco and A. El Saddik, Signature Identification with Haptic devices, In proceedings

of the IEEE International Conference on Virtual Environments, Human-Computer Interfaces,

and Measurement Systems, Giardini Naxos, Italy, Jul. 2005.

[8] J. Ortega-Garcia, J. Bigun, D. Reynolds, J. Gonzalez-Rodriguez, Authentication gets

personal with biometrics. In Signal Processing Magazine, IEEE Volume 21, Issue 2, pp. 50-

62, Mar. 2004.

[9] J. Ortega-Garcia, J. Fierrez-Aguilar, J. Martin-Rello, and J. Gonzalez-Rodriguez,

Complete signal modeling and score normalization for function-based dynamic signature

verification, In Proc. 4th Int. Conf. Audio and Video-Based Person Authentication, AVBPA

2003, LNCS 2688, pp. 658-667, Jun. 2003.

[10] B. Pinkas and T. Sander, Securing Passwords Against Dictionary Attacks. In

Proceedings of the ACM Computer and Security Conference (CCS 02), pp. 161-170. ACM

Press, Nov. 2002.

[11] R. Plamondon and S. N. Srihari, On-line and off-line handwriting recognition: A

comprehensive survey, IEEE Trans. Pattern Anal. MachineIntell.,vol. 22, no. 1, pp. 63-84,

Jan. 2000.



[12] Reachin Technologies, available at: http://www.reachin.se, Visited on Jan. 3rd, 2006.

[13]S. Chiasson. Usable Authentication and Click-Based Graphical Passwords. PhD thesis,

Carleton University, Ottawa, Canada, January 2009.

[14]S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot. Influencing Users Towards

Better Passwords: Persuasive Cued Click-Points. In Proc. of HCI08, September 2008.

[15]S. Chiasson, P.C. van Oorschot, and R. Biddle. Graphical Password Authentication Using

Cued Click Points. In Proc. of ESORICS07, volume 4734, pages 359374, September 2007.

[16]D. Davis, F. Monrose, and M. Reiter. On User Choice in Graphical Password Schemes.

In Proc. of 13th USENIX Security Symposium, August 2004.

document4

Documents