Survey Paper on Graphical Password Authentication System In Terms of
Usability and Security Attribute
1 Prajwal Tangawar, 2 Zeenat Shaikh, 3 Dnyaneshwari Waghmare, 4 Shakshi Randive, 5 Prof. Sujata Mali
Sinhgad Institute of Technology and Science, Pune 411041, Maharashtra, India.
Abstract
In today's digital era, safeguarding computer systems and information is a paramount challenge. The primary goal is to ensure that only authorized individuals have access to the systems and data. Authorization cannot occur without authentication, and various techniques are available for it. Among them, the most popular and easiest is the password technique. A password is a way to control access to computers or information, ensuring that only those with permission can view or use them. The traditional approach uses textual (alphanumeric) passwords, but these are vulnerable to different types of attacks. In response to these weaknesses, the graphical password technique has been developed as a more secure alternative. As the name suggests, in this technique images (pictures) are used as the password instead of text [3]. Graphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings [1]. Graphical password systems, which replace the conventional alphanumeric username and password authentication mechanism, are the subject of this article. The latter has been shown to have serious disadvantages, such as users' propensity to select simple passwords and to forget difficult ones. Images are used as passwords in graphical password systems, and this paper gives a thorough description of the approaches currently used in this field. The methods are divided into two groups: approaches based on recognition and those based on recall (memory) [4]. The use of graphic-based passwords is a novel option in password security, and there is a rising preference for such a method. Research in human psychology indicates that people find it simpler to recall images than words. A graphical password scheme involves two key elements: security and usability. This study undertakes a thorough examination of the existing recognition-based graphical password schemes.
1. Introduction:

A graphical password is a method used for authentication in computer systems. Computer security aims to create a safe zone for digital devices, and a graphical password is one of the processes that provide security for a digital device or for important information [6]. Alphanumeric passwords have conventionally served as the primary means of establishing a user's authenticity. Despite the availability of alternative identification techniques like smart cards and biometrics, the use of password systems is likely to remain prevalent due to concerns related to security, user-friendliness, privacy, and the reliability of the other approaches [5]. The traditional approach to passwords involves a combination of letters, numbers, and special symbols, forming a textual (alphanumeric) password. But it has various limitations. For ease of memorization, passwords are often kept short and simple, incorporating familiar elements such as personal names, family member names, birth dates, pet names, phone numbers, and similar easily recalled information. While this practice makes passwords easier to remember, it also introduces security risks if the chosen information is easily guessable or publicly available, and such passwords are exposed to various types of attacks: guessing, dictionary attacks, brute force, shoulder surfing, hidden cameras, social engineering, and malicious software like keyloggers and spyware [3]. Authentication is the process that verifies whether a given user is allowed access to a specific system or data or is not. Traditional passwords are widely used for authenticating users nowadays, but other alternatives are also available, such as biometric systems, smart cards, and so on. However, these substitutes have many issues of their own. Biometrics involves many security concerns related to privacy, and smart cards need a specific PIN because they may be lost. So passwords still remain the main authentication process.

When viewed from a usability perspective, traditional passwords exhibit certain drawbacks, and these issues have direct implications for security. Users who do not select secure and strong passwords make the authentication process very insecure and give attackers opportunities to gain access to the passwords [1]. It is known that the human brain can easily store and recall an image or an image-based password. Hence the proposed graphical password, with which a user can register a random, highly secure password that is still easy to recall [6]. As implied by its name, this method uses various shapes and images as a password. Additionally, scientists argue that the human brain finds it easier to remember pictures than text; the human brain processes images easily. An image-based password system offers resistance against dictionary attacks, keyloggers, social engineering, and similar threats. In the contemporary digital landscape, users often manage more than one account for various purposes such as personal computers, social networks, email, and online transactions. To simplify memorization, users may resort to using the same password across all accounts. However, this practice poses a security risk, as a compromise of one account could lead to vulnerabilities across multiple accounts [2]. So, to reduce the shortcomings of textual passwords, a new technique has been developed: the graphical password. Users will find this system secure and simple to remember. In general, graphical password systems provide a more advantageous substitute for text passwords and conventional authentication methods [4].
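The guessing attacks listed above (easy-to-guess, dictionary and brute-force) can be put in concrete terms by counting the password space a scheme offers and by limiting how many online guesses a login endpoint accepts. The following Python example is added here and is not code from the paper or from any of the systems it surveys. It computes the space for an alphanumeric password and for an ordered or unordered selection of images from a grid, shows how a list of "likely" choices shrinks the effective space (the dictionary-attack idea), and models a server-side lockout counter. The 62-character alphabet, the 8-character length, the 25-image grid with 4 selected images, and the lockout policy values are all assumptions chosen for illustration.

```python
# Added example (not from the paper): how large the guessing space of a
# password scheme is, and an online lockout counter that limits the number
# of guesses an attacker can make against a live login endpoint.
import math
from dataclasses import dataclass, field


def text_password_space(alphabet_size: int, length: int) -> int:
    """Number of alphanumeric passwords of exactly `length` characters."""
    return alphabet_size ** length


def image_password_space(n_images: int, k_selected: int, ordered: bool) -> int:
    """Number of graphical passwords formed by picking k distinct images out of n.

    ordered=True : the selection sequence is part of the secret, n!/(n-k)! choices.
    ordered=False: only the set of chosen images matters, C(n, k) choices.
    """
    if ordered:
        return math.perm(n_images, k_selected)
    return math.comb(n_images, k_selected)


def entropy_bits(space: int) -> float:
    """Bits of entropy if every password in the space were equally likely."""
    return math.log2(space)


def expected_exhaustive_guesses(space: int) -> float:
    """Average number of tries for an attacker who enumerates the whole space."""
    return (space + 1) / 2


def dictionary_coverage(space: int, likely_choices: int) -> float:
    """Fraction of the space covered by a list of `likely_choices` candidates.

    Users who pick familiar words or images collapse the effective space to
    such a list, which is what a dictionary attack exploits.
    """
    return likely_choices / space


@dataclass
class OnlineGuessLimiter:
    """Locks an account after `max_failures` consecutive failed logins.

    Assumed policy values; a real deployment tunes them and logs the events.
    """
    max_failures: int = 5
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_attempt(self, user: str, success: bool, now: float) -> bool:
        """Record one login outcome; returns True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        if success:
            self._failures.pop(user, None)
            return False
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)
            return True
        return False


if __name__ == "__main__":
    # Constructed comparison: an 8-character alphanumeric password versus
    # 4 images chosen in order from a 25-image grid.
    text_space = text_password_space(62, 8)
    image_space = image_password_space(25, 4, ordered=True)
    print(f"text  : {text_space} passwords, {entropy_bits(text_space):.1f} bits")
    print(f"images: {image_space} passwords, {entropy_bits(image_space):.1f} bits")
```

The comparison shows why an online lockout matters for a recognition-based scheme: an ordered pick of 4 out of 25 images gives roughly 18 bits, far below an 8-character alphanumeric password, so the scheme's resistance to guessing depends on the server refusing unlimited attempts (and, for offline attacks, on how the stored secret is hashed) rather than on the raw size of the space.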
Electronic copy available at: https://ssrn.com/abstract=4709737
2. Literature Survey:

From the paper [1], A Novel Graphical Password Authentication Scheme with Improved Usability: The primary goal of this study is to assess the usability characteristics of recognition-based graphical passwords, aligning with both ISO standards and general usability attributes. The study compares usability attributes and their sub-features to identify new elements, which are then considered and incorporated into the proposed novel graphical password scheme. The proposed scheme was realized as a demonstration, and a usability evaluation of the planned scheme was conducted to measure its usability and practicality as an alternative user authentication scheme. The findings from the questionnaire survey and user feedback regarding the entire system and the usability attributes of the proposed scheme indicate that all percentage results are described as very good. This suggests, from a usability standpoint, that the new graphical password scheme is highly acceptable to users.

From the paper [2], An Effective Graphical Password Authentication Method in Health Care Sectors: This study introduces the design of a webpage that enables users to register and log in to their accounts using a graphical password, building upon the existing features of PassFaces. The developed system allows users to register by choosing a set of pictures related to doctors. A group of 10 master's students participated in the evaluation of the proposed system. The results of the evaluation indicate promising success rates for users in accessing their accounts using the graphical password method.

The paper [3] presents Evaluation of Graphical Password Schemes in Terms of Attack Resistance and Usability. This study conducts a thorough investigation into various graphical password schemes, evaluating each scheme in two key areas: attack resistance and usability. Finally, the study aims to answer the question "Are graphical passwords more secure than alphanumerical passwords?" by synthesizing the findings from the comprehensive research.

In the paper [4], Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice, thirty-two undergraduate students, ranging from their first year to their last year of studies, participated in the experiment. Ten were female and 22 were male. The mean age of participants was 22.7 (SD = 1.33). Most of the participants were majoring in information systems. They all used PCs frequently. The PassPoints system used in this study was the same as in [33, 34], except that it used a different image. The interface included the image used for testing and several buttons. The single image used in this experiment depicted a colorful scene of children painting murals in a room. The size of the image was about 451 × 331 pixels. Two tolerances around the click points were used: 14 × 14 pixels and 10 × 10 pixels (Table 1). In the authors' earlier study of PassPoints [33, 34], a tolerance of 20 × 20 pixels was used and users were quite successful.

The focus of the paper [5] is on Graphical Password Authentication System. In this project, when any user tries to access the homepage, they are provided with three options: "Register," "Login," and "About Developer." If you wish to register, click on the "Register" option. This leads to a registration page where you are prompted to input essential information, including your first name, last name, email, password, and a security question. Once this information is provided, proceed to the next page. On the second page of the registration process, you are asked to create a color-based graphical password: choose a password based on colors, and remember the sequence associated with each color. Clicking "Next" then redirects you to the image-based password page, where you are required to select multiple images to form your password. Be sure to save the chosen images. After successfully completing the registration process, return to the homepage and click on the "Login" option. This opens the login page, where you enter your registered credentials to log into your account. Enter your username and the correct text-based password; if successful, you have logged in using a text-based password. Subsequently, you are prompted to enter the color-based password; if correct, you access your account with a color-based password. Following this, you encounter the image-based password page, requiring you to select the images corresponding to your password. If entered correctly, you have successfully logged in using an image-based password. Finally, after navigating through these steps, you are redirected to the main page.

From the paper [6], The Shoulder Surfing Resistant Graphical Password Authentication: It is observed that most graphical passwords are vulnerable to shoulder surfing attacks, but this system provides strong security against them as well. In step I, a set of 25 images is shown to the user for authentication. The security features of the system are designed to provide robust protection against various attacks. In the image-based password step, each image is set to thumbnail size, and the positions of the images vary with each login. Consequently, the intersection images used as a session password change dynamically, making it challenging for an observer to guess or crack the password after observing it once. In the second authentication step, the order of the question numbers is randomized with each login and presented as a single three-digit number, which further increases the complexity of the password. The randomization in both steps makes it difficult for potential attackers to memorize the password details, adding an extra layer of confusion and resistance against unauthorized access, specifically in the case of shoulder surfing attacks. Moreover, the system incorporates a forgotten-password option for user convenience. In the event of a forgotten password, the system emails the password details to the user's registered email address after verifying their authenticity. This additional layer ensures that only authorized users can recover their password through the forgotten-password option. Attempting unauthorized access by guessing or observing both the step I and step II passwords simultaneously is practically impossible due to the randomized and dynamic nature of the system. Even if an attacker opts for the forgotten-password option, correctly answering the secret question becomes an additional obstacle. This feature enhances the security of the system and ensures ease of use for authorized users seeking to recover forgotten passwords.
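The two flows just surveyed, the text-then-image login of [5] and the per-login shuffling of a 25-image grid in [6] (the same registration and login steps are restated as steps 1 to 8 in the system description below), can be modelled in a few dozen lines on the server side. The following Python example is added here and is not code from the paper or from either surveyed project. It assumes a text password plus an ordered selection of images as the two factors (the colour stage of [5] is omitted), stores only salted PBKDF2 hashes of both secrets, and re-shuffles the grid for every login so that the client submits grid positions which the server maps back to image IDs through that session's layout. The grid size of 25 comes from [6]; the iteration count, the sample user, and the four chosen images are constructed values.

```python
# Added example (not code from the paper or the projects it surveys): a minimal
# server-side model of the register/login flow with a text password plus an
# ordered image selection, where the image grid is re-shuffled on every login.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

GRID_IMAGES = 25          # grid size taken from the 25-image step described for [6]
PBKDF2_ROUNDS = 100_000   # assumed iteration count for the stored hashes


def _derive(secret: bytes, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen database does not reveal the secrets directly."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def _encode_sequence(image_ids) -> bytes:
    """Canonical byte encoding of an ordered image selection; order is part of the secret."""
    return ",".join(str(i) for i in image_ids).encode()


@dataclass
class UserRecord:
    salt: bytes
    text_hash: bytes
    image_hash: bytes


class GraphicalAuthServer:
    """Holds user records and per-login grid layouts (in memory for the example)."""

    def __init__(self, rng=None):
        self._users = {}
        self._sessions = {}
        self._rng = rng or secrets.SystemRandom()

    def register(self, username: str, text_password: str, image_ids) -> None:
        if username in self._users:
            raise ValueError("username already registered")
        if len(set(image_ids)) != len(image_ids) or not all(0 <= i < GRID_IMAGES for i in image_ids):
            raise ValueError("selection must be distinct image ids from the grid")
        salt = os.urandom(16)
        self._users[username] = UserRecord(
            salt, _derive(text_password.encode(), salt), _derive(_encode_sequence(image_ids), salt)
        )

    def start_login(self, username: str, text_password: str):
        """Stage 1: check the text password, then issue a freshly shuffled grid.

        Returns (session_id, layout), where layout[position] is the image id shown
        at that grid position, or None if the username or text password is wrong.
        """
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(_derive(text_password.encode(), rec.salt), rec.text_hash):
            return None
        layout = list(range(GRID_IMAGES))
        self._rng.shuffle(layout)               # positions differ on every login
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = (username, layout)
        return session_id, layout

    def finish_login(self, session_id: str, clicked_positions) -> bool:
        """Stage 2: map the clicked positions back to image ids through this
        session's layout and compare against the registered selection."""
        username, layout = self._sessions.pop(session_id)   # a layout is single-use
        rec = self._users[username]
        chosen = [layout[p] for p in clicked_positions]
        return hmac.compare_digest(_derive(_encode_sequence(chosen), rec.salt), rec.image_hash)


def positions_for(layout, image_ids):
    """What an honest client does: locate its images in the layout it was shown."""
    return [layout.index(i) for i in image_ids]


if __name__ == "__main__":
    srv = GraphicalAuthServer()
    srv.register("alice", "correct horse", [3, 17, 8, 22])      # constructed sample user
    sid, layout = srv.start_login("alice", "correct horse")
    print("login ok:", srv.finish_login(sid, positions_for(layout, [3, 17, 8, 22])))
```

Two design points follow from this shape. First, the positions an onlooker records in one session decode to different images under the next session's layout, which is the property the shoulder-surfing resistance of [6] relies on; the image set itself stays the same, so the order check and the small grid still leave online guessing to be limited by the server. Second, because only salted hashes are stored, the server cannot email the password itself as the recovery option in [6] does; a hash-based design has to issue a reset instead of returning the secret.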
3. Objectives:

Introduce Recognition-Based Graphical Password Algorithms: The first objective of the project is to provide a clear and concise overview of recognition-based graphical password algorithms. This includes explaining the concept, rationale, and benefits of using graphical elements for password authentication. The audience should gain a fundamental understanding of this innovative approach to authentication.

Explore Different Recognition-Based Approaches: The second objective is to delve into various recognition-based graphical password algorithms, showcasing and comparing different methods, such as image-based, sketch-based, and grid-based approaches, and highlighting their strengths, weaknesses, and suitability for different use cases.

Discuss Security and Usability Aspects: The next objective is to address the critical aspects of security and usability concerning recognition-based graphical password algorithms. This will examine potential vulnerabilities and mitigation strategies, ensuring that users and organizations can make informed decisions when adopting these authentication methods. Moreover, the discussion will focus on user experience and convenience to strike a balance between security and usability, encouraging the adoption of these algorithms in real-world applications.

User-Friendly Authentication: Improve the user experience by introducing an intuitive and visually engaging method, reducing the complexity and frustration associated with traditional text-based passwords.

4. Security Aspects and Attacks:

1. Dictionary Attack: These attacks are attempted by identifying the passwords that are most likely to be selected and trying them systematically. The attacker attempts to cover the password space successfully; the rate of success can be significantly increased by reducing the number of probable candidates that have to be tried.

2. Brute Force (Exhaustive) Attack: These attacks are carried out similarly to dictionary attacks, but the difference is that every possible password is generated and tried against the original password. In more sophisticated attacks, the candidates are ordered by their likelihood of having been chosen, where such likelihood can be predicted at all. Like dictionary attacks, brute force attacks may be attempted either online or offline.

3. Spyware Attack: In this attack, tools are first installed on the user's computer and sensitive data is logged. This malware records every mouse and key movement, and the recorded data is then sent out of the computer without the user's awareness. Apart from a few circumstances, the mere use of key-logging or key-listening spyware does not crack graphical passwords, because it has not been verified whether a graphical password can be effectively cracked by mouse spyware.

Figure 1: System Architecture of Graphical System.

In this project, when any user tries to access the homepage, they are provided with two options, register and login. If the user has not registered yet, the user has to click the register option.
1) The register page appears, and the user has to provide a text-based password and the necessary information such as first name, last name, email, password, etc.
2) After that the user has to select the images given by the system in a certain pattern.
3) The user has to remember the images as well as the pattern in which the images were selected.
4) Then the user registers with that username and password.
5) After registration the user has to log in to the system with the username registered earlier.
6) To log in, the user again has to select, from the grid provided, the same images that were selected at registration time and in the same pattern.
7) The system checks the username and password; if both are correct, the main page opens.
8) If the credentials are wrong, a "login failed" message is shown.

5. Proposed Methodology:

Images Assigned by Users: Research on memorability highlights that users tend to have better recall when they are given the autonomy to choose their own passwords rather than having passwords randomly assigned to them.
Images Category: Users should have the option to select images from specific categories based on their preferences, adding a personalized touch to their graphical passwords.

Easy to Create: Ensuring a user-friendly experience involves allowing users to create their graphical passwords effortlessly, particularly during the registration process. Complexity, such as multiple rounds of password creation, can impede user satisfaction.

Fun to Use and Easy: The system should offer an engaging and straightforward platform for creating passwords. Approaches like challenge-response or training sessions can contribute to users perceiving the system as user-friendly.

Easily Executed: The usability of the system is enhanced when users can seamlessly execute the algorithm, especially during registration and login, by following simple and straightforward steps. A streamlined process is crucial, as multiple rounds of password creation can slow down and complicate the user experience. Therefore, the suggested algorithm for registration and login should ideally be executed in a single step.

6. Background:

The graphical user interface (GUI) plays a crucial role in any graphical authentication system, serving as the interface between the system and its users and encompassing essential usability features. In this study, the user interface operates on the client side of the system's architecture, communicating directly with users. This interface enables users to interact with the server, which resides on the server side of the architecture, and in particular with the database management system. The user interface is built with HTML/CSS, with JavaScript used for dynamic features like drag and drop. For backend support and database management, MySQL is employed [1]. While fingerprints are commonly used for authentication, there is a notable absence of statistical theory concerning the uniqueness of fingerprint details. The impressions formed on a surface consist of composite curve segments, which together make up a fingerprint. Ridges, described as single curved pieces, and valleys, the areas between neighboring ridges, form the ridge-valley features. Minutiae, which represent local discontinuities in the ridge flow pattern, provide detailed descriptions of ridge ends and bifurcations [4].

7. Computer Authentication:

A. Passwords:

A password serves as a confidential alphanumeric combination used for user authentication. It is a critical security element for digital devices and online platforms, requiring users to create a unique username and password to safeguard important information. The server stores these credentials, and when a user attempts to access information, the provided username and password are verified against the stored data. If there is a match, the system grants access to the requested information.

B. Physical Identification:

Physical identification is employed in various organizational settings, including education departments and companies. Modern technology has introduced authentication machines that authorize individuals within an organization. For instance, an employee in an organization uses an ID card for identification. Before commencing duties, the employee must authenticate using the ID card, which enhances physical security by preventing unauthorized individuals from entering the premises. Physical identification is crucial for organizational security; examples include using ATM cards for transactions, where the combination of a password and card identification provides authentication without storing sensitive information in the computer system.

C. Biometrics:

Biometrics, derived from "bio" meaning human and "metric" meaning measurement, involves using human characteristics to uniquely identify individuals. This form of authentication relies on biological features such as voice, fingerprints, and eye retinas to establish and verify identity. Biometric authentication is a sophisticated security technique that leverages the uniqueness of these human traits, offering a high level of accuracy and security in the verification process.

8. Conclusion:

Based on the results of studies on human psychology, graphical passwords are more easily recalled by the human brain than text-based passwords. Moreover, users can recognize pictorial passwords. The proposed system was successfully implemented and tested. The conclusion drawn from the project is that a graphical password authentication system is very efficient, secure, and adaptable. This system is also cost-effective compared to a biometric system. By using a graphical password system, users can minimize the risk of attacks such as brute-force attacks, guessing attacks, and shoulder-surfing attacks, among others. Because graphical representations are easier to remember than text-based passwords, graphical passwords are a valuable tool [4]. The overall system is resistant to all other possible attacks as well, and can be used for highly secure applications and systems.

9. Future Scope:

In considering the future scope of the proposed graphical password system, there are several potential enhancements and avenues for further development. One significant addition could be a password retrieval mechanism allowing users to recover forgotten passwords. This feature would entail sending the forgotten password to the user's registered email address and a notification to their registered mobile number, ensuring convenient access to system updates even when offline. Furthermore, from a usability standpoint, there is room for in-depth exploration of the impact of the specific images used as graphical passwords, studying the speed and efficiency of skilled users within the system. Research efforts could also be directed towards identifying and mitigating bad practices associated with insecure password creation, thereby improving overall security. Looking beyond, the system could be extended to various domains such as mobile authentication, online banking, and secure access to sensitive information. Additionally, there is potential for investigating advanced graphical authentication techniques and their integration with emerging technologies
like augmented reality, aiming to enhance both user
experience and security. Further research avenues may
include scalability, interoperability, and addressing
potential vulnerabilities within the graphical password
scheme, ensuring continuous improvement and
adaptability in the rapidly evolving landscape of
cybersecurity.
10. References:
[1] Touraj Khodadadi, Faranak Rabiei, Yashar Javadianasl, "A Novel Graphical Password Authentication Scheme with Improved Usability", IEEE, Dec 2021, DOI: 10.1109/ISAECT53699.2021.966859.
[2] Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, "Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice".
[3] Mrs. Aakansha S. Gokhale, Prof. Vijaya S. Waghmare, "The Shoulder Surfing Resistant Graphical Password Authentication Technique", 7th International Conference on Communication, Computing and Virtualization, 2016.
[4] Vishal Saibanna Mali, Pravin Santosh Mishra, Yashraj Mahesh Patil, Siddhesh Khanvilkar, "Graphical Password Authentication Using Blockchain Technology", DOI: https://www.doi.org/10.56726/IRJMETS35541, Apr-23.
[5] Touraj Khodadadi, A. K. M. Muzahidul Islam, Sabariah Baharun, Shozo Komaki, "Evaluation of Recognition-Based Graphical Password Schemes in Terms of Usability and Security Attributes", December 2016, pp. 2939-2948, ISSN: 2088-8708, DOI: 10.11591/ijece.v6i6.11227.
[6] Pathik Nandi, Dr. Preeti Savant, "Graphical Password Authentication System", ISSN: 2321-9653; IC Value: 45.98; SJ Impact Factor: 7.538; Volume 10, Issue IV, Apr 2022.