Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/40305
Title: Comparison of a shoulder surfing resilient graphical password scheme to text-based authentication
Authors: Grech, Nathaniel
Keywords: Computers -- Access control -- Passwords
Computer security
Hackers
Malware (Computer software)
Issue Date: 2018
Citation: Grech, N. (2018). Comparison of a shoulder surfing resilient graphical password scheme to text-based authentication (Bachelor's dissertation).
Abstract: Text based passwords have been used as the main method of computer authentication for many years, despite their vulnerabilities being well known. Passwords should be easy to remember, yet secure enough to resist potential attacks. However, users tend to choose easy to remember passwords, which are also easy for attackers to guess. Moreover, users tend to perform bad practices such as writing passwords on paper. Systems which utilize graphical passwords have been proposed as an alternative. This approach is motivated by the fact that images tend to be more memorable than alphanumeric text. A thorough study was conducted on several graphical authentication systems that have been proposed. This project aims at researching dynamic session password techniques in graphical authentication, and to compare this approach to the use of text based passwords. A webpage was developed which implemented an example of both systems, and participants were recruited to help compare the two schemes. The implemented graphical password scheme resists shoulder surfing through the use of secret rules which obfuscate user input during authentication. Two sessions were held, and feedback was gathered through the use of questionnaires. The collected results were analysed using appropriate tests, and hypotheses were tested. It was clearly observed that the login process for the implemented graphical scheme was significantly harder than that for text passwords. The graphical password scheme was perceived to be more secure, specifically with regards to shoulder surfing. A significant difference was observed in the number of login attempts carried out for the two systems during the first session. However, no significant difference was observed a week later, thus it can be hypothesised that, given enough practice, authentication to the graphical scheme could be carried out as efficiently as that for text passwords.
However, further research in the area is required to better test the hypothesis.
Description: B.SC.SOFTWARE DEVELOPMENT
URI: https://www.um.edu.mt/library/oar//handle/123456789/40305
Appears in Collections: Dissertations - FacICT - 2018
Dissertations - FacICTCIS - 2018

Files in This Item:
File: 18BSCITSD18.pdf (Restricted Access)
Size: 1.94 MB
Format: Adobe PDF


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.