10-04-2010, 08:50 PM
Abstract
The vulnerabilities of the textual password have been well known. Users tend to pick short passwords or passwords that are easy to remember, which makes the passwords vulnerable for attackers to break. Furthermore, textual password is vulnerable to shoulder-surfing, hidden-camera and spyware attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder-surfing. In this paper, we propose a Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme (S3PAS). S3PAS seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder-surfing, hidden-camera and spyware attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles. Moreover, it is immune to brute-force attacks through dynamic and volatile session passwords. S3PAS shows significant potential bridging the gap between conventional textual password and graphical password. Further enhancements of S3PAS scheme are proposed and briefly discussed. Theoretical analysis of the security level using S3PAS is also investigated.
Base paper Presented By:
Huanyu Zhao and Xiaolin Li
Scalable Software Systems Laboratory
Department of Computer Science
Oklahoma State University, Stillwater, OK 74078, USA
Introduction
The most common user authentication method is the text-based password scheme in which a user enters a login name and a password. The vulnerabilities of this method have been well known. Users tend to pick short passwords or passwords that are easy to remember, which makes the passwords vulnerable for attackers to break. To resist brute-force search and dictionary attacks, users are required to use long and random passwords. Unfortunately, such passwords are hard to remember. Furthermore, textual password is vulnerable to shoulder-surfing, hidden-camera and spyware attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text. In addition, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer a higher level of security. It is also difficult to devise automated attacks for graphical passwords. As a result, graphical password schemes provide a way of making more human-friendly passwords while increasing the level of security. Due to these advantages, there is a growing interest in graphical password. However, existing graphical passwords are far from perfect. Typically, system requirements and communication costs for graphical passwords are significantly higher than text-based passwords. In addition, few graphical systems support keyboard inputs. More importantly, most current graphical passwords are more vulnerable to shoulder-surfing attacks than textual passwords.
Read full report
http://s3lab.cs.okstate.edu/publication/ubisafe07.pdf