Catch me if you can: Using self-camouflaging images to strengthen graphical passwords

Abstract

In the last decade graphical passwords have been proposed as a viable alternative to the problematical password. One of the most popular of these is the recognition-based graphical password, where the user clicks secret images from one or more challenge sets of images, in order to authenticate. While these mechanisms have provable memorability advantages, they are easily as vulnerable to automated sniffing attacks, password-capturing and password computation mechanisms, as are passwords themselves. For example, an attacker can use software to automatically scrape the challenge set images, display these on a duplicate site, and then entice the genuine account owner to reveal the authentication secret. Here we propose a mechanism for addressing this particular weakness of recognition-based graphical passwords. We propose a constantly changing image set, implementing a kind of one-time-password (OTP), which will confound automated attacks by continuously changing the imprint of the secret images. It is vital to ensure that the displayable quality of the images is not compromised so that the genuine user can still authenticate without difficulty. Fortunately usability testing showed that the enhanced security model had no impact on the user authentication process. All the benefits of graphical passwords, such as ease of use and increased memorability, are preserved whilst resisting automated attacks.