Password Space Research Articles

Pivot: Panoramic-image-based VR User Authentication against Side-Channel Attacks

With metaverse attracting increasing attention from both academic and industry, the application of virtual reality (VR) has extended beyond 3D immersive viewing/gaming to a broader range of areas, such as banking, shopping, tourism, education, etc., which involves a growing amount of sensitive and private user data into VR systems. However, with current password-based user authentication schemes in mainstream VR devices, studies demonstrate that side-channel attacks can pose a severe threat to VR user privacy. To mitigate the threat, we propose a novel Panoramic-image-based VR user authentication system, i.e., Pivot , to defend against such attacks, yet maintain high usability. Specifically, in Pivot , we design an image-random-pivoting-based user interaction mechanism to assist users in quickly and securely selecting memorable points of interest in a panoramic image. Then an image region segmentation algorithm is designed to automatically scatter the points to regions to form the customized graphic password for the user, which could ensure a sufficiently large password space and also reduce the near-region point misclicks. Afterward, the region indexes are used to generate the hashed password for authentication. Both theoretical security analysis and extensive user studies demonstrate that Pivot is secure and user-friendly in practice.

PASS POINT SELECTION OF AUTOMATIC GRAPHICAL PASSWORD AUTHENTICATION TECHNIQUE BASED ON HISTOGRAM METHOD

Graphical passwords, as opposed to textual passwords, require the user to pick pictures or draw symbols rather than input written letters. They are an option that may be explored in order to get over the issues that are caused by the system of passwords that are based on text. It has been hypothesized that graphical passwords are more difficult to crack using a brute force technique or to figure out through guessing. This paper proposes an authentication system based on a graphical password method. The proposed system computes the password points using histogram arithmetic and encrypts the chosen password points using SHA512. The envisioned system has been realized as an android application and evaluated with existing research considering multiple measurements such as required login time, password space, and entropy. The findings reveal that the new suggested system outperforms the reference work by more than 85% in terms of login latency and more than 72% in terms of entropy results.

An Advanced Knowledge Based Graphical Authentication Framework with Guaranteed Confidentiality and Integrity

The information and security systems largely rely on passwords,which remain the fundamental part of any authentication process. The conventional authentication method based on alphanumerical username and password suffer from significant disadvantages. The graphical password-based authentication system has recently been introduced as an effective alternative. Although the graphical schemes effectively generate the passwords with better flexibility and enhanced security, the most common problem with this is the shoulder surfing attack. This paper proposes an effective 3D graphical password authentication system to overcome such drawbacks. The system is based on the selection of click points for generating passwords. The proposed work involved a training phase for evaluating the model in terms of the success rate. The overall evaluations of the model in terms of password entropy, password space, login success rates, and prediction probability in the shoulder surfing and guessing attacks proved that the model is more confidential and maintains a higher range of integrity than the other existing models.

CLOUDMOAP: Multilayer Security by Online Encryption and Auditing Process in Cloud

Each image is divided into squares by this module, from which the user selects one to serve as the pass-square. A 7 x 11 grid is used to split a picture. The password space increases as the discretized image size decreases. Yet, an excessively focused division might make it harder to operate the user interface on palm-sized mobile devices and cause problems with object detection. As 60 pixels is the optimal size for precisely selecting certain items on touch displays, a division was set at 60-pixel intervals in both the horizontal and vertical axes in our solution. Index Terms— Online Encryption, Hash Code, Shoulder Surfing, Randomized Image Selection, Cipher Key, Data Security.

A Captcha-Based Graphical Password with Strong Password Space and Usability Study

stract: Security for authentication is required to give a superlative secure users’ personal information. This paper presents a model of the Graphical password scheme under the impact of security and ease of use for user authentication. We integrate the concept of recognition with re-called and cued- recall based schemes to offer superior security compared to existing schemes. Click Symbols (CS) Alphabet combine into one entity: Alphanumeric (A) and Visual (V) symbols (CS-AV) is Captcha-based password scheme, we integrate it with recall- based n×n grid points, where a user can draw the shape or pattern by the intersection of the grid points as a way to enter a graphical password. Next scheme, the combination of CS-AV with grid cells allows very large password space (2.4 × 104 bits of entropy) and provides reasonable usability results by determining an empirical study of memorable password space. Proposed schemes support most applicable platform for input devices and promising strong resistance to shoulder surfing attacks on a mobile device which can be occurred during unlocking (pattern) the smartphone

An Enhanced Graphical Authentication Scheme Using Multiple-Image Steganography

Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down in order to compromise security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and do not be controlled directly by users. Graphical user authentication methods have recently been proposed to verify the user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which comprises benefits over both recognition and recall-based graphical techniques besides image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.

Story-based authentication for mobile devices using semantically-linked images

We introduce SemanticLock, a simple, fast, and memorable single-factor graphical authentication approach for mobile devices. SemanticLock uses a set of graphical images as password tokens that allow the construction of a semantically memorable story representing the user’s password. Passwords are entered via the familiar and quick action of dragging and positioning user-defined images on the touchscreen. It is well known that for (un)locking mechanisms such as PIN or PATTERN, users tend to pick memorable passwords such as dates or simple (often regular) patterns. This practice by users significantly reduces the effective password space for these mechanisms. The authentication strength of SemanticLock is based on the large number of possible semantic constructs derived from the positioning of the image tokens and the type of images selected. While graphical passwords have been shown in some cases to have lower entropy than other password types, we avoid this problem by (1) performing a series of experiments and analyses to understand which images and image pairs users prefer and then (2) selecting images that avoid any type of explicit or implicit bias, resulting in an effective password space that is essentially the same as the total password space. Results of our study comparing SemanticLock against other authentication systems show that SemanticLock performs similarly to PIN and PATTERN in usability while having significantly increased memorability and security.

Graphical-based password for user authentication in internet of things

Internet of Things has become a significant and evolving technology that cannot be avoidable in most of the sectors. However, the Internet of Things security became a concern due to the huge amount of the sensitive data that transferring through IoT resources. Secure the users' authentication process of the IoT is the first line of defense to protect the users' data from violation. Typically, the alphanumeric-based password is the popular method to authenticate the users of the IoT. But it is a vulnerable mechanism that can be violated easily. For that, this research aims to develop a graphical-based password scheme to support the traditional text password in the IoT technology. The proposed scheme is a hybrid (Two-factor) approach, based on two types of Knowledge-based Authentication method (alphanumeric-based password and graphical-based password) naming as IoT-GP. IoT-GP aims to improve the users' authentication security considering the usability enhancement. The results obtain from the conducted field study indicated that IoT-GP significantly improved the security and the usability. The results of the password entropy and password space indicated that IoT-GP obtained a high rate comparing to another schemes, which reflected on the IoT-GP ability to resist the guessing and brute force attacks.

Algorithm of Encrypting Digital Image Using Chaos Neural Network

With the rapid development of digital communication technology, data and image encryption methods will get more and more in-depth research in these aspects. Although the original cipher method can keep the image confidential, because of the storage method of the image data, for the image with too high pixel value, the process of keeping the two-dimensional information confidential and decoding will bring a large amount of computation, and the accuracy of encryption and decryption cannot be guaranteed. This paper presents a visual image encryption algorithm based on the compressed sensing method of the Hopfield chaotic neural network. Different from the existing visual image encryption methods, our method can directly embed the noise like information after encryption into the alpha channel of the carrier image, thus increasing the visual stability of the computer. Finally, through the comparison and analysis of simulation experiments, we find that the image encryption algorithm proposed in this paper has the advantages of wide password space, low risk, good visual stability, good decoding effect, and good robustness.

RoundPIN: Shoulder Surfing Resistance for PIN Entry with Randomize Keypad

The security of a PIN is largely supported by the authentication process in ATM. Most authentication methods like traditional are based on using PIN as direct entry and this technique has been shown lots of drawbacks such as vulnerability to password space, and shoulder-surfing. In this paper, a new approach is proposed called RoundPIN depends on the appearance of the numerical password through one of the buttons after selecting it by the user and it is done through a number of rounds, the numbers are arranged randomly on the keypad. Due to the variable aspect of the chosen button and the random appearance of the numbers in each connection session and also the selection process will take place through three buttons three auxiliary, the proposed approach can maintain high secure session to enter the PIN to resist shoulder surfing, which is difficult for attackers to observe a user's PIN. The performance evaluation of the proposed approach is achieved in two parts, the first one is based on security analysis. Then a pilot study of thirty users is conducted to evaluate the useability of the proposed approach. It is noticed that the proposed approach can maintain a high level of security as well as acceptable level of useability and user satisfaction compared the conventional keypad system.

Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing

There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth’s usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69–3.5 s using controller tapping, 2.35–4.68 s using head pose and 2.39 –4.92 s using eye gaze, and highly resilient to observations: 96–99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45 n for an n -symbols password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

AcSIS: Authentication System Based on Image Splicing

Text-based passwords are widely used for the authentication of digital assets. Typically, password security and usability is a trade-off, i.e. easy-to-remember passwords have higher usability that makes them vulnerable to brute-force and dictionary attacks. Complex passwords have stronger security but poor usability. In order to strengthen the security in conjunction with the improved usability, we hereby propose a novel graphical authentication system. This system is a picture-based password scheme which comprises of the method of image splicing. Authentication data were collected from 33 different users. The usability of the method was evaluated via a comparison between the number of correct and incorrect authentication attempts and time taken. Additionally, a comparison was made between our proposed method and a complex text-based password authentication method using the authentication success rate. Authentication using image splicing proved to be resilient to brute-force attacks since the processing of images consumes a voluminous password space. The evaluation of the usability revealed that graphical passwords were easy-to-remember, resulting in a higher number of correct attempts. The proposed method produced 50% higher success rate compared to the text-based method. Findings motivate the use of the proposed method for securing digital assets.

LocPass: A Graphical Password Method to Prevent Shoulder-Surfing

Graphical passwords are a method of authentication in computer security. Computer security is one of the disciplines of computer science. Shoulder-surfing attacks are a well-known threat to graphical passwords, although is getting commonly used especially in granting access for a secure system. Shoulder-surfing occurs when attackers skillfully capture important data/activities, such as login passwords, via direct observation or video recording methods. Many methods have been proposed to overcome the problem of shoulder-surfing attacks. After we reviewed some related works, we found out that most of the existing methods are still vulnerable to multiple observations and video-recorded shoulder-surfing attacks. Thus, we propose a new method to combat this problem. In our proposed method, we make used of two concepts to combat shoulder-surfing attacks. In the first concept, we used registered locations (something that only the users know) and 5 image directions (something that the users can see) to determine a pass-location (new knowledge). Secondly, the images used in our proposed method have higher chances to offset each other. The idea of offset could increase the password spaces of our proposed method if an attacker intended to guess the registered location used. By combining these two concepts, the pass-location produced by our proposed method in each challenge set could be varied. Therefore, it is impossible for the attackers to shoulder-surf any useful information such as the images/locations clicked by the user in each challenge set. A user study was conducted to evaluate the capabilities of the proposed method to prevent shoulder-surfing attacks. The shoulder-surfing testing results indicated that none of the participants were able to login, although they knew the underlying algorithm and they have been given sufficient time to perform a shoulder-surfing attack. Therefore, the proposed method has proven it can prevent shoulder-surfing attacks, provided the enrolment procedure is carried out in a secure manner.

A Pattern-Based Multi-Factor Authentication System

User authentication is an indispensable part of a secure system. The traditional authentication methods have been proved to be vulnerable to different types of security attacks. Artificial intelligence is being applied to crack textual passwords and even CAPTCHAs are being dismantled within few attempts. The use of graphical password as an alternate to the textual passwords for user authentication can be an efficient strategy. However, they have been proved to be susceptible to shoulder surfing like attacks. Advanced authentication systems such as biometrics are secure but require additional infrastructure for efficient implementation. This paper proposes a novel pattern-based multi-factor authentication scheme that uses a combination of text and images resulting for identifying the legitimate users. The proposed system has been mathematically analyzed and has been found to provide much larger password space as compared to simple text based passwords. This renders the proposed system secure against brute force and other dictionary based attacks. Moreover, the use of text along with the images also mitigates the risk of shoulder surfing.

DPPG: A Dynamic Password Policy Generation System

To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator , namely DPPG , to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.

Enhanced Textual Password Scheme for Better Security and Memorability

Traditional textual password scheme provides a large number of password combinations but users generally use a small portion of available password space. Complex textual passwords are difficult to remember, therefore most users choose passwords with small length and contain dictionary words. Due to the use of small password length and dictionary words, textual passwords become easy to crack through offline guessability attacks. Traditional textual passwords scheme is also weak against keystroke logger attacks because alphanumeric characters are directly inserted into the password field. In this paper, enhancements are proposed in the registration and login screen of the traditional textual password scheme for improving security against offline guessability attacks and keystroke logger attacks. The proposed registration screen also improve memorability of traditional textual passwords through visual cues or pattern-based approach. In the proposed login screen, passwords are indirectly inserted into the password field, to resist keystroke logger attacks. A comparative analysis between the passwords created in traditional and proposed pattern-based approach is presented. The testing results show that users create strong and high entropy passwords in the proposed pattern-based approach as compared to the traditional textual passwords approach.

CMAPS: A Chess-Based Multi-Facet Password Scheme for Mobile Devices

It has long been recognized, by both security researchers and human–computer interaction researchers, that no silver bullet for authentication exists to achieve security , usability , and memorability . Aiming to achieve the goals, we propose a Multi-fAcet Password Scheme (MAPS) for mobile authentication. MAPS fuses information from multiple facets to form a password, allowing MAPS to enlarge the password space and improve memorability by reducing memory interference, which impairs memory performance according to psychology interference theory. The information fusion in MAPS can increase usability, as fewer input gestures are required for passwords of the same security strength. Based on the idea of MAPS, we implement a Chess-based MAPS (CMAPS) for Android systems. Only two and six gestures are required for CMAPS to generate passwords with better security strength than 4-digit PINs and 8-character alphanumeric passwords, respectively. Our user studies show that CMAPS can achieve high recall rates while exceeding the security strength of standard 8-character alphanumeric passwords used for secure applications.

Guessing Attacks on User-Generated Gesture Passwords

Touchscreens, the dominant input type for mobile phones, require unique authentication solutions. Gesture passwords have been proposed as an alternative ubiquitous authentication technique. Prior security analysis has relied on inconsistent measurements such as mutual information or shoulder surfing attacks.We present the first approach for measuring the security of gestures with guessing attacks that model real-world attacker behavior. Our major contributions are: 1) a comprehensive analysis of the weak subspace for gesture passwords, 2) a method for enumerating the size of the full theoretical gesture password space, 3) a design of a novel guessing attack against user-chosen gestures using a dictionary, and 4) a brute-force attack used for benchmarking the performance of the guessing attack. Our dictionary attack, tested on newly collected user data, achieves a cracking rate of 47.71% after two weeks of computation using 109 guesses. This is a difference of 35.78 percentage points compared to the 11.93% cracking rate of the brute-force attack. In conclusion, users are not taking full advantage of the large theoretical password space and instead choose their gesture passwords from weak subspaces. We urge for further work on addressing this challenge.

Leveraging 3D Benefits for Authentication

Devices with 3D capabilities are quickly gaining in popularity. In this paper, we propose to bring authentication into the third dimension. We define the concept of a 3D authentication scheme based on physical and psychological advantages of 3D. We implement an example of 3D authentication: 3DPass, to demonstrate the superiority of the 3D approach. Our security analysis of 3DPass demonstrates that 3DPass can exceed the password space of an 8 character alphanumeric password with just 6 choices. Our user study finds that 3DPass has superior memorability versus traditional alphanumeric passwords: 98% vs 83% recall rates after one week. We find that passwords in our scheme can be entered in 21 seconds on average when used with the Oculus Rift. We find that using the Oculus Rift improves entry time compared to a traditional 2D display, despite having no impact on presence (the feeling of “being there”) or user preference.

Evaluating the effect of multi-touch behaviours on Android unlock patterns

Purpose This paper aims to evaluate the effect of multi-touch behaviours on creating Android unlock patterns (AUPs) by realising that users can perform more actions in touch-enabled mobile phones. Design/methodology/approach The author conducted two user studies with a total of 45 participates and performed two major experiments in the main user study. Findings The user study indicates that the multi-touch behaviours can have a positive impact on creating patterns; however, there are only nine touchable points for the original AUPs, which may reduce the usability when performing a multi-touch movement. Research limitations/implications An even larger user study could be conducted to further analyse the patterns generated by users, that is, to analyse the specific password space by integrating the behaviours of multi-touch and to involve more types of multi-touch behaviours in creating an AUP. Practical implications This work explores the effect of multi-touch movement on creating AUPs. The results should be of interest for software developers and security researchers for exploring the effect of multi-touch behaviours on the creation of graphical passwords on mobile phones. Originality/value The author conducts two user studies with a total of 45 participants to investigate the impact of multi-touch behaviours on creating AUPs. In addition, to address the issue of usability, the author proposes two ways: increasing the number of touchable points and improve the rules of pattern creation.