Towards a metric for recognition-based graphical password security

Recognition-based graphical password (RBGP) schemes are not easily compared in terms of security. Current research uses many different measures which results in confusion as to whether RBGP schemes are secure against guessing and capture attacks. If it were possible to measure all RBGP schemes in a common way it would provide an easy comparison between them, allowing selection of the most secure design. This paper presents a discussion of potential attacks against recognition-based graphical password (RBGP) authentication schemes. As a result of this examination a preliminary measure of the security of a recognition-based scheme is presented. The security measure is a 4-tuple based on distractor selection, shoulder surfing, intersection and replay attacks. It is aimed to be an initial proposal and is designed in a way which is extensible and adjustable as further research in the area develops. Finally, an example is provided by application to the PassFaces scheme

Password Cracking and Countermeasures in Computer Security: A Survey

With the rapid development of internet technologies, social networks, and other related areas, user authentication becomes more and more important to protect the data of the users. Password authentication is one of the widely used methods to achieve authentication for legal users and defense against intruders. There have been many password cracking methods developed during the past years, and people have been designing the countermeasures against password cracking all the time. However, we find that the survey work on the password cracking research has not been done very much. This paper is mainly to give a brief review of the password cracking methods, import technologies of password cracking, and the countermeasures against password cracking that are usually designed at two stages including the password design stage (e.g. user education, dynamic password, use of tokens, computer generations) and after the design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is offering the abecedarian IT security professionals and the common audiences with some knowledge about the computer security and password cracking, and promoting the development of this area.Comment: add copyright to the tables to the original authors, add acknowledgement to helpe

A Protected Single Sign-On Technique Using 2D Password in Distributed Computer Networks

Single Sign-On (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Recently, a new SSO scheme providing well-organized security argument failed to meet credential privacy and soundness of authentication. The main goal of this project is to provide security using Single Sign-On scheme meeting at least three basic security requirements, i.e., unforgetability, credential privacy, and soundness. User identification is an important access control mechanism for client–server networking architectures. The concept of Single Sign-On can allow legal users to use the unitary token to access different service providers in distributed computer networks. To overcome few drawbacks like not preserving user anonymity when possible attacks occur and extensive overhead costs of time-synchronized mechanisms, we propose a secure Single Sign-On mechanism that is efficient, secure, and suitable for mobile devices in distributed computer networks. In a real-life application, the mobile user can use the mobile device, e.g., a cell phone, with the unitary token to access multiservice, such as downloading music; receive/reply electronic mails etc. Our scheme is based on one-way hash functions and random nonce to solve the weaknesses described above and to decrease the overhead of the system. The proposed scheme is more secure with two types of password scheme namely, Text password and Graphical Password referred as 2D password in distributed computer networks that yields a more efficient system that consumes lower energy. The proposed system has less communication overhead. It eliminates the need for time synchronization and there is no need of holding multiple passwords for different services

Combating shoulder-surfing: a hidden button gesture based scheme

This project describes an authentication technique that is shoulder-surfing resistant. Shoulder surfing is an attack in which an attacker can get access to private information by observing the user’s interaction with a terminal, or by using recording tools to record the user interaction and study the obtained data, with the objective of obtaining unauthorized access to a target user’s personal information. The technique described here relies on gestural analysis coupled with a secondary channel of authentication that uses button pressing. The thesis presents and evaluates multiple alternative algorithms for gesture analysis, and furthermore assesses the effectiveness of the technique.Universidade da Madeir

Charpattern : Rethinking android lock pattern to adapt to remote authentication

Android “Şekilli Ekran Kilidi, mobil cihazları nı n ekranları kilitlemede yaygı n olarak kullan ılması na rağmen doğrudan Internet kimlik doğrulamas ında kullanı lamamaktadı r. Bu tezde, Android “Şekilli Ekran Kilidini özenli bir şekilde güncelleyerek uzaktan kimlik doğrulama için uygun bir hale getirdik ve yeni bir şekil tabanlı kimlik doğrulama olarak charPattern ismini verdiğimiz sistemi önerdik. Geliştirilen yeni metot, çift giriş (parola yazma ve şekil çizme) imkanı vererek kullan ıcı lara aynı zamanda hem fiziksel klavye ile hem de dokunmatik ekranda oturum açmaya olanak sağlamaktadı r. Bu metot, 10^6 seviyesine kadar saldı rı lara karşı güçlü şifreler oluşturmak için ikna etme teknolojisini (persuasive technology) kullanı r (çoğu uzman bunun çevrimiçi sald ırı lara karşı yeterli olduğunu düşünmektedirler). Yeni yöntemin kullan ılabilirliğini değerlendirmek amacı yla bir hibrit laboratuvar ve web çal ışması yapı larak, mobil cihazlarda charPattern ile oturum açman ın metin şifreleri ile olanlardan çok daha h ızlı olduğu gözlemlenmiştir.Android Lock Pattern is popular as a screen lock method on mobile devices but it cannot be used directly over the Internet for user authentication. In this thesis, we carefully adapt Android Lock Pattern to satisfy the requirements of remote authentication and introduce a new pattern based method called charPattern. Our new method allows dual mode of input (typing a password and drawing a pattern) hence accommodate users who login alternately with a physical keyboard and a touchscreen device. It uses persuasive technology to create strong passwords which withstand attacks involving up to 10^6 guesses; an amount many experts believe su cient against online attacks. We conduct a hybrid lab and web study to evaluate the usability of the new method and observe that logins with charPattern are signi cantly faster than the ones with text passwords on mobile devices

PALPAS - PAsswordLess PAssword Synchronization

Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES 201