Monday, 14 May 2018

##### ######## ######

Supervised by: ###. ###### #.#.

Chapter one: Introduction
1.1 Background of study
1.2 Problem statement
1.3 Aims and objectives
1.4 Scope of study
1.5 Justification of study
1.6 Limitations
1.7 Glossary
1.8 Organization of chapters

Chapter two: Literature review

Chapter three: Findings
3.1 Why graphical passwords
3.2 Classification of current authentication methods
3.2.1 Token based authentication
3.2.2 Biometric based authentication
3.2.3 Knowledge-based authentication
  Recognition based
  Recall based
3.2.4 Hybrid systems
3.3 Traditional authentication methods
3.4 Locimetric passwords
3.4.1 Passpoints
3.4.2 Cued click points
3.5 Other graphical password authentication schemes
3.5.1 Hash visualization technique
3.5.2 Draw A Secret
3.5.3 Passfaces
3.6 Is a graphical password as secure as text-based password?
3.6.1 Brute force search
3.6.2 Dictionary attacks
3.6.3 Guessing
3.6.4 Spyware
3.6.5 Shoulder surfing
3.6.6 Social engineering
3.7 Advantages
3.8 Disadvantages

Chapter four: Conclusion and recommendation
4.1 Summary
4.2 Recommendation
4.3 Conclusion



I, ##### ######## ######, hereby declare that this Seminar report on GRAPHICAL PASSWORD AUTHENTICATION has been documented and presented by me, and it is a record of my research work. This particular piece of work has never been presented in any previous application for a degree program. All sources of data in this research are duly acknowledged. 

(Student) Signature Date 

### ########-### (Supervisor) Signature Date 

### ########-### (Head of Department) Signature Date 


This report is dedicated to all those who have helped me in one way or another to get to where I am in my educational career and also the almighty God who gives me strength in all my endeavours. 


This Seminar report was completed as a result of support from many people, although not all of them can be mentioned. 

I wish to express my sincere gratitude to God for his protection, providence, guidance and above all, for sustaining me. 

I am greatly indebted to my good supervisor ###. ###### #.#. for her useful and necessary observation, suggestions, contribution and corrections. I would not have been able to achieve anything in this research without your supervision. May God enrich you greatly in every area of life. 

Finally, I wish to express my appreciation to my parents for their love and support. 


Graphical password authentication is a form of authentication that requires the recall and selection of an image, or of points in an image, chosen during the registration stage in a graphical user interface. Passwords provide the security mechanism for authentication and for protecting services against unwanted access to resources. Graphical passwords are one promising alternative to textual passwords. The most common computer authentication method in use today is alphanumeric usernames and passwords, and this method has been shown to have significant drawbacks: users tend to choose memorable passwords that are easy for attackers to guess, while strong system-assigned passwords are difficult for users to remember. Using a graphical password, users click on images rather than type alphanumeric characters. Today, the most secure form of authentication is biometrically based, but biometric systems are very expensive to use; a less expensive and more secure alternative is the use of graphical passwords. 


Chapter one: Introduction 

1.1 Background Of The Study: 

Computer systems and the information they store and process are valuable resources which need to be protected. Computer security systems must also consider human factors such as ease of use and accessibility. Current secure systems suffer because they mostly ignore the importance of human factors in security (Dhamija and Perrig, 2000). A key area in security research is authentication, the determination of whether a user should be allowed access to a given system or resource. Traditionally, alphanumeric passwords are used for authentication, but they are known to have usability and security problems. A password authentication system should encourage strong and less predictable passwords while maintaining memorability and security. A password is a secret shared by the verifier and the user: passwords are simply secrets that are provided by the user upon request by a recipient, and they are often stored on a server in an encrypted form so that a penetration of the file system does not reveal password lists (, 2011). 

Graphical passwords (GP) use pictures (Parkinson, 2005) instead of text and are partially motivated by the fact that humans can remember pictures more easily than a string of characters. The idea of graphical passwords was originally described by Greg Blonder in 1996, and since then several researchers have proposed different graphical password authentication schemes. In Blonder’s description of the concept, an image would appear on the screen and the user would click on a few chosen regions of it; if the correct regions were clicked, the user would be authenticated. An important advantage of graphical passwords is that they are easier to remember than textual passwords: human beings have the ability to remember faces of people, places they have visited and things they have seen for a long duration. Thus, graphical passwords provide a means for making more user-friendly passwords while increasing the level of security. 

1.2 Problem Statement: 

Graphical passwords introduce a whole new form of authentication. The most common form of authentication used today is the use of alphanumeric text, and this form of authentication has been proven to be prone to several forms of attack such as guessing, social engineering, spyware, dictionary attacks, shoulder surfing and even hidden cameras. It can be frustrating to keep up with all one’s passwords, since it is not recommended that someone use one password for more than one account, program or device. One of the main problems graphical passwords try to solve is that of a user choosing a weak password so that he/she won’t forget it; when users are encouraged to use strong passwords, they tend to reuse the same one for all their accounts, or they keep their passwords where attackers can access them because they don’t want to memorize them. Since it is easier to remember pictures than text, graphical passwords tend to enhance security and at the same time make authentication easier for the user. 

1.3 Aims and objectives: 

One of the major issues today is security. The process of authentication tries to enhance security, but the common means of authentication today (alphanumeric passwords) is known to have significant disadvantages. Attackers now have different means of accessing a particular system or account, and because of this, other means of authentication are becoming widespread. Biometric-based authentication is regarded as the most secure means of authentication, but unlike text-based authentication, which is relatively inexpensive, biometric-based systems are very expensive to use. This is where the concept of graphical password authentication comes in: graphical passwords are cheap, easy to use, offer more security than text-based passwords and also take the user factor into consideration. The aim of this report is to create awareness that there is an alternative to text-based passwords, and that this alternative is secure, cheap and relatively easy to use. 

1.4 Scope of the study: 

This report focuses on graphical password authentication and the different forms commonly used today. It also highlights the advantages graphical passwords have over text-based passwords and the forms of attack a user may be exposed to while using graphical passwords. This report does not delve deep into the traditional (text-based) form of authentication or biometric authentication. 

1.5 Justification Of Study: 

I selected this research topic because I’m interested in finding a more secure alternative to text-based passwords. The topic opens my eyes to a totally different form of authentication that is easy to use and also more secure compared to text-based passwords. 

1.6 Limitations Of Study: 

The main limitation of graphical passwords is that they are more vulnerable to shoulder surfing than traditional text-based passwords. An attacker can capture a password by direct observation or by recording the individual’s authentication session while the password is entered in public; this is referred to as shoulder surfing. Another limitation is that the login process is slow when graphical passwords are used, which can sometimes annoy the user. 

1.7 Glossary: 

i. Password Hardening: Password hardening is any one of a variety of measures taken to make it more difficult for an intruder to circumvent the authentication process. Password hardening may take the form of multifactor authentication, adding some component to the username/password combination, or it may be policy-based. 

ii. PassPhrase: A passphrase is a string of characters longer than the usual password (which is typically from four to 16 characters long) that is used in creating a digital signature or in an encryption or a decryption of a message. Passphrases are often up to 100 characters in length. 

iii. Shoulder Surfing: This can be said to be the process of an attacker capturing a user’s password by direct observation (such as looking over one’s shoulder) or by recording the user’s authentication session. 

iv. Attacker: This can be anyone who tries to gain access to someone’s account without the knowledge of the user either with a good or a bad motive. 

v. Tolerance value: It is the value which indicates the degree of closeness to the actual click point. 

vi. Tolerance region: The area around an original click point accepted as correct, since it is unrealistic to expect the user to accurately target an exact pixel. 

vii. Success rate: The rate which gives the number of successful trials out of a certain number of trials. Success rates are calculated as the number of trials completed without errors or restarts. 

1.8 Organization of chapters: 

Chapter one introduces the concept of graphical password authentication. It contains a brief history of the concept, background on the study, the areas of graphical password authentication this research covers, what this research aims to achieve and some of the limitations of using graphical passwords. 

Chapter two highlights some of the researchers who have made a big impact in bringing graphical passwords to where they are today. This chapter contains different expert views on the concept of graphical password authentication. 

Chapter three contains all my findings during the course of the research. This chapter tries to explain what graphical password is all about and also some of the different forms of authentication used today. It also highlights the advantages graphical passwords have over text-based passwords and also the security problems one is likely to face with the use of graphical passwords. 

Chapter four contains a brief summary of the key points in this research and it also contains a recommendation for future researchers on the concept of graphical password authentication. 


Chapter two: Literature review 

For over a century, psychology studies have recognized the human brain’s apparently superior memory for recognizing and recalling visual information as opposed to verbal or textual information. The most widely accepted theory explaining this difference is the dual-coding theory (Paivio, 2006), suggesting that verbal and non-verbal memory (respectively, word-based and image-based) are processed and represented differently in the mind. Images are mentally represented in a way that retains the perceptual features being observed and are assigned perceived meaning based on what is being directly observed. Text is represented symbolically, where symbols are given a meaning cognitively associated with the text, as opposed to a perceived meaning based on the form of the text. 

A generally accepted fact in graphical password authentication is that graphical passwords are prone to shoulder surfing attacks. Because of this, several researchers have studied the graphical password scheme and come up with techniques that reduce the shoulder surfing problem. Another drawback of graphical passwords is that they can be guessed if the attacker is persistent enough to try all possible inputs. 

In order to make the password hard to guess, Sobrado and Birget (2002) suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable; using fewer objects may lead to a smaller password space, since the resulting convex hull can be large. In their second algorithm, a user moves a frame (and the objects within it) until the pass-object on the frame lines up with the other two pass-objects. 

The authors also suggest repeating the process a few more times to minimize the likelihood of logging in by randomly clicking or rotating. The main drawback of this algorithm is that the login process can be slow. 

Figure 2.1 A shoulder-surfing resistant graphical password scheme (Sobrado and Birget, 2002) 

Hong, Man, Hawes and Mathews (2002) proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy-objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene, as well as a code indicating the relative location of the pass-objects in reference to a pair of eyes. The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video, because there is no mouse click to give away the pass-object information. However, this method still requires users to memorize the alphanumeric code for each pass-object variant. 

Hong, Man, Hawes and Mathews (2002) later extended this approach to allow the user to assign their own codes to pass-object variants. Figure 2.2 shows the log-in screen of this graphical password scheme. However, this method still forces the user to memorize many text strings and therefore suffers from many of the drawbacks of text-based passwords. 

Figure 2.2 Another shoulder-surfing resistant scheme developed by Hong, Man, Hawes and Mathews (2002). 

A challenge for designers is to identify memory aids for legitimate users that cannot be leveraged by attackers to guess passwords. Furthermore, systems allowing some degree of user choice should encourage randomization of user-chosen sequences as well as of individual items, to avoid divide-and-conquer guessing attacks. It remains an open question whether systems can be designed such that user choice does not significantly weaken security, or whether a successful combination of system suggestion and user choice can be devised. 


Chapter three: Findings 

3.1 Why Graphical Passwords? 

Graphical password authentication is a means of authentication that requires the recall and selection of images, or sections of an image, chosen during the registration phase in a graphical user interface. Today, access to computer systems is most often based on the use of alphanumeric passwords. However, users have difficulty remembering a password that is long and random-appearing; instead, they create short, simple and insecure passwords. Graphical passwords have been designed to make passwords more memorable and easier for people to use and, therefore, more secure. Using a graphical password, users click on images rather than type alphanumeric characters. 

3.2 Classification of Current Authentication Methods 

Due to recent events of theft and terrorism, it has become more important for an organization to provide an accurate and reliable means of authentication. Currently, authentication methods can be broadly divided into three main areas: token-based, biometric-based and knowledge-based authentication. 

3.2.1 Token Based Authentication: 

Token-based authentication is based on “What You Possess”, for example smart cards, a driver’s license, a credit card or a university ID card. It allows users to enter their username and password in order to obtain a token which allows them to fetch a specific resource without using their username and password again. Once the token has been obtained, the user can offer the token (which grants access to a specific resource for a time period) to the remote site. Token-based techniques, such as key cards, bank cards and smart cards, are widely used. Many token-based authentication systems also use knowledge-based techniques to enhance security; for example, ATM cards are generally used together with a PIN. 

3.2.2 Biometric Based Authentication: 

Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioural traits. It is based on “What You Are”. It uses physiological or behavioural characteristics, such as fingerprint or facial scans and iris or voice recognition, to identify users. A biometric scanning device takes a user's biometric data, such as an iris pattern or fingerprint scan, and converts it into digital information a computer can interpret and verify. Biometric-based authentication techniques, such as fingerprints, iris scans or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. However, this type of technique provides the highest level of security. 

A biometric-based authentication system may deploy one or more of the biometric technologies: voice recognition, fingerprints, face recognition, iris scan, infrared facial and hand vein thermograms, retinal scan, hand and finger geometry, signature, gait, and keystroke dynamics. Biometric identification depends on computer algorithms to make a yes/no decision. It enhances user service by providing quick and easy identification. 

3.2.3 Knowledge-Based Authentication: 

Knowledge-based authentication (KBA) is based on using “What You Know” to identify you, for example a Personal Identification Number (PIN), password or passphrase. It is an authentication scheme in which the user is asked to answer at least one "secret" question. Knowledge-based authentication is often used as a component in multifactor authentication and for self-service password retrieval. Knowledge-based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords. The picture-based techniques can be further divided into two categories: 

Recognition Based Graphical Techniques: With recognition-based techniques, a user is presented with a set of images and passes the authentication stage by recognizing and identifying the images he or she selected during the registration stage. Recognition-based systems, also known as cognometric systems or locimetric systems, generally require that users memorize a portfolio of images during password creation and then, to log in, recognize their images from among decoys. Humans have an exceptional ability to recognize images previously seen, even those viewed very briefly. 

Recall Based Graphical Techniques: With recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier, during the registration stage. Recall-based graphical password systems are occasionally referred to as drawmetric systems because users recall and reproduce a secret drawing. In these systems, users typically draw their password either on a blank canvas or on a grid (which may arguably act as a mild memory cue). Recall is a difficult memory task because retrieval is done without memory prompts or cues. 

3.2.4 Hybrid Systems: 

These can be described as the combination of two or more schemes, i.e. the combination of recognition- and recall-based techniques, or the combination of textual passwords with graphical password schemes. The process of withdrawing money from a bank with the use of an ATM is an example of a hybrid system. It combines knowledge-based authentication with token-based authentication: the ATM card is the token (something you have) and the PIN required is knowledge-based (what you know). 

3.3 Traditional Authentication Methods: 

Authentication has traditionally centered on ‘what you know’. This concept has, in the past, been embodied in Personal Identification Numbers (PINs) and passwords. The fallibility of passwords and PINs is exemplified in several well-known shortcomings implicit in their use. For example, people share passwords; they have an inherent difficulty in remembering strong passwords (i.e. those consisting of upper- and lowercase letters, numbers, and non-alphanumeric characters) and, as a consequence, often stick passwords to the desktop for everyone to see. 

The password problem arises largely from limitations of humans’ long-term memory (LTM). Once a password has been chosen and learned the user must be able to recall it to log in. But, people regularly forget their passwords. Decay and interference explain why people forget their passwords. Items in memory may compete with a password and prevent its accurate recall. A password that is not used frequently will be even more susceptible to forgetting. A further complication is that users have many passwords for computers, networks, and web sites. The large number of passwords increases interference and is likely to lead to forgetting or confusing passwords. Users typically cope with the password problem by decreasing their memory load at the expense of security. First, users write down their passwords. Second, when they have multiple passwords, they use one password for all systems or trivial variations of a single password. In terms of security, a password should consist of a string of 8 or more random characters, including upper and lower case alphabetic characters, digits, and special characters. A random password does not have meaningful content and must be memorized by rote, but rote learning is a weak way of remembering. As a result, users are known to ignore the recommendations on password choice. A survey carried out in the Madonna University Miami boys hostel shows that users choose short, simple passwords that are easily guessable. For example, “password,” personal names of family members, names of pets, and dictionary words. To users the most important issue is having a password that can be remembered reliably so they can get on with their real work. 

3.4 Locimetric Passwords: 

In locimetric systems, users identify and select specific locations within one or more images. The images act as memory cues to aid recall. Examples of such systems include PassPoints and Cued Click Points. 

3.4.1 PassPoints: 

In PassPoints, a password consists of a sequence of five click-points on a given image (see Figure 3.2). Users may select any pixel(s) in the image as click-points for their password. To log in, they repeat the sequence of clicks in the correct order, within a system-defined tolerance square of the original click-points. The primary security problem is hotspots: different users tend to select similar click-points as part of their passwords. Attackers who gain knowledge of these hotspots through harvesting sample passwords or through automated image processing techniques can build attack dictionaries and more successfully guess PassPoints passwords. A dictionary attack consists of using a list of potential passwords (ideally in decreasing order of likelihood) and trying each on the system in turn to see if it leads to a correct login for a given account. Attacks can target a single account, or can try guessing passwords on a large number of accounts in the hope of breaking into any of them. 

Fig 3.2 A password consists of five (5) ordered clicks on an image. 

3.4.2 Cued-Click Points: 

Cued Click Points (CCP) were designed to reduce patterns and to reduce the usefulness of hotspots for attackers. Rather than five click-points on one image, CCP uses one click-point on each of five different images shown in sequence. The next image displayed is based on the location of the previously entered click-point (see Figure 3.3), creating a path through an image set. Users select their images only to the extent that their click-point determines the next image. Creating a new password with different click-points results in a different image sequence. 

The claimed advantages are that password entry becomes a true cued-recall scenario, where each image triggers the memory of a corresponding click-point. Remembering the order of the click-points is no longer a requirement on users, as the system presents the images one at a time. Cued Click Points also provides implicit feedback claimed to be useful only to legitimate users. When logging on, seeing an image they do not recognize alerts users that their previous click-point was incorrect and users may restart password entry. Explicit indication of authentication failure is only provided after the final click-point, to protect against incremental guessing attacks. In cued click points, pattern based attacks seem ineffective. Although attackers must perform proportionally more work to exploit hotspots, results showed that hotspots remained a problem. 

Fig 3.3 Users select one click-point per image. The next image displayed is determined by the current click-point. 
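The tolerance square of 3.4.1 and the click-determined image path with deferred failure of 3.4.2, as an added example written for this report (it is not code from the PassPoints or CCP authors). TOLERANCE, N_IMAGES, the hash-based choice of the next image and the sample click-points are all assumptions made for the example.

```python
import hashlib
from typing import List, Tuple

Point = Tuple[int, int]

TOLERANCE = 9     # assumed half-width, in pixels, of the tolerance square
N_IMAGES = 100    # assumed size of the image pool, ids 0..99
ROUNDS = 5        # both schemes use five clicks


def within_tolerance(stored: Point, entered: Point) -> bool:
    """True when the entered click lies in the tolerance square centred on the
    stored click-point (no user can be expected to hit the exact pixel)."""
    return (abs(stored[0] - entered[0]) <= TOLERANCE
            and abs(stored[1] - entered[1]) <= TOLERANCE)


def passpoints_verify(stored: List[Point], entered: List[Point]) -> bool:
    """PassPoints (3.4.1): five ordered clicks on one image, each of which must
    fall in the tolerance square of the stored click at the same position."""
    if len(stored) != ROUNDS or len(entered) != ROUNDS:
        return False
    return all(within_tolerance(s, e) for s, e in zip(stored, entered))


def next_image(image_id: int, click: Point) -> int:
    """CCP (3.4.2): the next image is a deterministic function of the current
    image and the coarse grid cell of the click (assumed design), so the same
    wrong click always leads to the same unfamiliar image, never a random one."""
    cell = 2 * TOLERANCE + 1
    cx, cy = click[0] // cell, click[1] // cell
    digest = hashlib.sha256(f"{image_id}:{cx}:{cy}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % N_IMAGES


def ccp_register(first_image: int, clicks: List[Point]) -> List[Tuple[int, Point]]:
    """Build the stored password: the path of (image id, click-point) pairs.
    The server has to keep the raw click-points, because a tolerance
    comparison cannot be done against a hash."""
    if len(clicks) != ROUNDS:
        raise ValueError("CCP uses exactly five clicks")
    path, image = [], first_image
    for click in clicks:
        path.append((image, click))
        image = next_image(image, click)
    return path


class CcpLogin:
    """One CCP login attempt. Every click returns the id of the next image to
    show (implicit feedback); the pass/fail verdict is withheld until finish(),
    so a guesser cannot confirm click-points one at a time."""

    def __init__(self, stored: List[Tuple[int, Point]]):
        self.stored = stored
        self.round = 0
        self.ok = True
        self.current_image = stored[0][0]

    def click(self, point: Point) -> int:
        if self.round >= ROUNDS:
            raise ValueError("all five clicks already entered")
        image, stored_point = self.stored[self.round]
        if within_tolerance(stored_point, point):
            # Follow the registered path so a correct click near a grid-cell
            # edge still leads to the image the user expects.
            if self.round + 1 < ROUNDS:
                nxt = self.stored[self.round + 1][0]
            else:
                nxt = next_image(image, point)
        else:
            self.ok = False
            nxt = next_image(image, point)  # an unfamiliar image hints at the slip
        self.round += 1
        self.current_image = nxt
        return nxt

    def finish(self) -> bool:
        """Explicit result only after the final click-point."""
        return self.round == ROUNDS and self.ok


if __name__ == "__main__":
    # Constructed sample password and a login attempt that is slightly off
    # on every click but stays inside each tolerance square.
    clicks = [(120, 80), (300, 210), (40, 250), (410, 60), (200, 150)]
    attempt = [(125, 75), (295, 215), (40, 250), (418, 52), (200, 159)]
    print("PassPoints:", passpoints_verify(clicks, attempt))
    login = CcpLogin(ccp_register(7, clicks))
    for p in attempt:
        login.click(p)
    print("CCP:", login.finish())
```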

3.5 Other Graphical Password Authentication Schemes: 

3.5.1 Hash Visualization Technique: 

This graphical password authentication scheme is based on hash visualization. In this system, the user is asked to select a certain number of images from a set of random pictures generated by a program during the registration stage. Later, the user is required to identify the preselected images in order to be authenticated. The average log-in time, however, is longer than with the traditional approach of alphanumeric passwords. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user. 

3.5.2 Draw A Secret (DAS): 

Draw A Secret is the first recall-based graphical password authentication scheme to be produced. It allows the user to draw their unique password (figure 3.4). A user is asked to draw a simple picture on a 2D grid. The coordinates of the grid cells occupied by the picture are stored in the order of the drawing. During authentication, the user is asked to re-draw the picture. If the drawing touches the same grid cells in the same sequence, then the user is authenticated. Jermyn et al. suggested that, given reasonable-length passwords on a 5 × 5 grid, the full password space of DAS is larger than that of the full text password space. 
Fig 3.4 Draw-A-Secret technique. 
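The DAS encoding described above (ordered grid cells, pen-up between strokes, exact-match verification) as an added example written for this report, not code from Jermyn et al. The 250-pixel canvas, the 5-pixel interpolation step and the sample strokes are assumptions; because DAS needs an exact match rather than a tolerance square, the stored secret can be a hash of the cell sequence.

```python
import hashlib
import hmac
import math
from typing import List, Tuple

GRID = 5           # DAS draws on a 5 x 5 grid of cells
CANVAS = 250       # assumed canvas size in pixels, so each cell is 50 x 50 px
STEP = 5           # assumed interpolation step so fast strokes do not skip cells
PEN_UP = (-1, -1)  # marker stored between strokes (pen lifted)

Point = Tuple[int, int]
Stroke = List[Point]


def cell_of(x: int, y: int) -> Tuple[int, int]:
    """Map a canvas pixel to its grid cell, clamping the right/bottom edge."""
    size = CANVAS // GRID
    return (min(x // size, GRID - 1), min(y // size, GRID - 1))


def _interpolate(p: Point, q: Point) -> List[Point]:
    """Sample the segment p->q every STEP pixels, so a quick mouse movement that
    was only sampled at its ends still visits every cell it crossed."""
    dx, dy = q[0] - p[0], q[1] - p[1]
    n = max(1, int(math.hypot(dx, dy) // STEP))
    return [(round(p[0] + dx * i / n), round(p[1] + dy * i / n)) for i in range(n + 1)]


def encode_drawing(strokes: List[Stroke]) -> List[Tuple[int, int]]:
    """Turn pixel strokes into the ordered cell sequence DAS stores: consecutive
    samples in the same cell collapse to one entry and PEN_UP separates strokes."""
    seq: List[Tuple[int, int]] = []
    for stroke in strokes:
        if not stroke:
            continue
        points = [stroke[0]]
        for a, b in zip(stroke, stroke[1:]):
            points.extend(_interpolate(a, b)[1:])
        for x, y in points:
            c = cell_of(x, y)
            if not seq or seq[-1] != c:
                seq.append(c)
        seq.append(PEN_UP)
    return seq


def das_digest(seq: List[Tuple[int, int]]) -> str:
    """Hash of the canonical cell sequence. Plain SHA-256 keeps the example short;
    a deployment would salt it and use a slow password hash, since the DAS space
    for short drawings is small enough to enumerate offline."""
    canonical = ";".join(f"{x},{y}" for x, y in seq)
    return hashlib.sha256(canonical.encode()).hexdigest()


def das_register(strokes: List[Stroke]) -> str:
    """Registration stores only the digest of the drawn cell sequence."""
    return das_digest(encode_drawing(strokes))


def das_verify(stored_digest: str, strokes: List[Stroke]) -> bool:
    """Authenticate when the re-drawn picture touches the same cells in the
    same order; compare_digest avoids a timing difference on mismatch."""
    return hmac.compare_digest(stored_digest, das_register(strokes))


if __name__ == "__main__":
    # Constructed drawing: a line across the top row, pen up, then a short
    # vertical line down the left column.
    drawing = [[(10, 10), (230, 10)], [(25, 60), (25, 140)]]
    print(encode_drawing(drawing))
    secret = das_register(drawing)
    print("same drawing, reversed stroke order:",
          das_verify(secret, [[(25, 60), (25, 140)], [(10, 10), (230, 10)]]))
```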

3.5.3 Passfaces: 

Passfaces is a technique developed by Real User Corporation (Real User Corporation, 2006). The basic idea is as follows: during registration, the user chooses four (4) images of human faces from a face database as their future password. In the authentication stage, the user sees a grid of nine (9) faces, consisting of one face previously chosen by the user and eight decoy faces (figure 3.5). The user recognizes and clicks anywhere on the known face. This procedure is repeated for four rounds, one per chosen face, and the user is only authenticated after the final round, if he/she has correctly identified all four faces. The technique is based on the assumption that people can recall human faces more easily than other pictures, and studies have shown that Passfaces are very memorable over long intervals. One significant drawback of Passfaces is the problem of shoulder surfing. 

Fig 3.5 Examples of 

3.6 Is a graphical password as secure as a text-based password? 

Very little research has been done to study the difficulty of cracking graphical passwords. Because graphical passwords are not widely used, in practice there is no report on real cases of breaking graphical passwords. Here, some of the possible techniques for breaking graphical passwords are examined and are compared with text-based passwords. These techniques include: 

3.6.1 Brute force search 

The main defence against brute force search is to have a sufficiently large password space. Text-based passwords have a password space of 94^N, where N is the length of the password and 94 is the number of printable ASCII characters excluding space. Some graphical password techniques have been shown to provide a password space similar to or larger than that of text-based passwords. Recognition-based graphical passwords tend to have smaller password spaces than recall-based methods. It is more difficult to carry out a brute force attack against graphical passwords than against text-based passwords: the attack programs need to automatically generate accurate mouse motion to imitate human input, which is particularly difficult for recall-based graphical passwords. Overall, we believe a graphical password is less vulnerable to brute force attacks than a text-based password. 
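As an added example (not code from the original report), the following Python works through the password-space comparison made here and in the DAS discussion of section 3.5.2: 94^N for text passwords, 9^4 for the four Passface rounds, and a DAS count under a counting model that is assumed here as a simplification of Jermyn et al.'s analysis (a stroke is a path through horizontally or vertically adjacent cells, cells may be revisited, a password is an ordered sequence of strokes, and its length is the total number of cells).

```python
import math
from functools import lru_cache

# Assumed counting model for DAS (a simplification of Jermyn et al.'s analysis,
# stated here as an assumption): a stroke is a path through horizontally or
# vertically adjacent cells of an n x n grid (cells may be revisited), a password
# is an ordered sequence of strokes, and its length is the total number of cells.

def text_space(length, alphabet=94):
    """Text passwords of exactly `length` characters over the report's 94 printable characters."""
    return alphabet ** length

def passface_space(rounds=4, faces_per_round=9):
    """Passface: one correct face among `faces_per_round` in each of `rounds` rounds."""
    return faces_per_round ** rounds

def das_space(max_length, n=5):
    """DAS passwords of total length 1..max_length on an n x n grid."""

    @lru_cache(maxsize=None)
    def strokes_ending_at(l, x, y):
        # number of l-cell strokes whose last cell is (x, y)
        if l == 1:
            return 1
        return sum(strokes_ending_at(l - 1, x + dx, y + dy)
                   for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
                   if 0 <= x + dx < n and 0 <= y + dy < n)

    def strokes(l):
        return sum(strokes_ending_at(l, x, y) for x in range(n) for y in range(n))

    # exact[L] = number of stroke sequences whose lengths sum to exactly L
    exact = [1] + [0] * max_length
    for L in range(1, max_length + 1):
        exact[L] = sum(strokes(l) * exact[L - l] for l in range(1, L + 1))
    return sum(exact[1:])

def bits(space):
    """Password space in bits, the usual unit for comparing schemes."""
    return math.log2(space)

if __name__ == "__main__":
    for name, space in (("8-char text password (94^8)", text_space(8)),
                        ("Passface, 4 rounds of 9 faces", passface_space()),
                        ("DAS, 5x5 grid, length <= 12", das_space(12))):
        print(f"{name:32s} {space:>24d}  ~{bits(space):.1f} bits")
```

Under this model the DAS count for a 5 x 5 grid and length up to 12 exceeds 94^8, which is the comparison Jermyn et al. make; the Passface space of 9^4 is several orders of magnitude smaller than either.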

3.6.2 Dictionary attacks 

Since recognition-based graphical passwords involve mouse input instead of keyboard input, it is impractical to carry out dictionary attacks against this type of graphical password. For some recall-based graphical passwords, it is possible to use a dictionary attack, but an automated dictionary attack would be much more complex than a text-based dictionary attack. More research is needed in this area. Overall, it is believed that graphical passwords are less vulnerable to dictionary attacks than text-based passwords. 

3.6.3 Guessing 

Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically associated with text-based passwords. For example, studies on the Passface technique have shown that people often choose weak and predictable graphical passwords. Studies revealed similar predictability among the graphical passwords created with the DAS technique. More research efforts are needed to understand the nature of graphical passwords created by real-world users. 

3.6.4 Spyware 

With a few exceptions, keylogging or key-listening spyware cannot be used to break graphical passwords. It is not clear whether “mouse tracking” spyware would be an effective tool against graphical passwords. However, mouse motion alone is not enough to break graphical passwords: such information has to be correlated with application information, such as window position and size, as well as timing information. 

3.6.5 Shoulder surfing 

Like text-based passwords, most graphical passwords are vulnerable to shoulder surfing. At this point, only a few recognition-based techniques are designed to resist shoulder surfing. None of the recall-based techniques is considered shoulder-surfing resistant. 

3.6.6 Social engineering 

Compared to text-based passwords, it is less convenient for a user to give away a graphical password to another person. For example, it is very difficult to give away a graphical password over the phone. Setting up a phishing website to obtain graphical passwords would also be more time-consuming. 

Overall, it is believed that graphical passwords are more difficult to break using the traditional attack methods such as brute force search, dictionary attack, and spyware. There is a need for more in-depth research that investigates possible attack methods against graphical passwords. 

3.7 Advantages 

i. A graphical password authentication system is relatively inexpensive to implement. 

ii. Graphical passwords provide a way of making user-friendly passwords. 

iii. Graphical passwords are not vulnerable to dictionary attacks. 

iv. It is less convenient for a user to give away graphical passwords to another person. 

3.8 Disadvantages 

i. Password registration and login take too long; the login process is slow. 

ii. Most users are not familiar with graphical passwords; they often find them less convenient and time-consuming. 

iii. Graphical passwords are prone to shoulder surfing. Because of their graphic nature, nearly all graphical password schemes are prone to shoulder surfing. 



4.1 Summary: 

The past decade has seen a growing interest in using graphical passwords as an alternative to traditional text-based passwords. This report presents a comprehensive survey of existing graphical password techniques. The current graphical password techniques can be classified into two categories: recognition-based and recall-based techniques. Although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text-based passwords, the existing user studies are very limited and there is not yet convincing evidence to support this argument. My research suggests that it is more difficult to break graphical passwords using the traditional attack methods such as brute force search, dictionary attack, or spyware. However, since there is not yet wide deployment of graphical password systems, the vulnerabilities of graphical passwords are still not fully understood. 

4.2 Recommendation: 

Although graphical passwords are not as secure as other forms of authentication such as biometrics (which are very expensive), text-based passwords should be replaced with graphical passwords because they are more secure. My recommendation to future researchers is to investigate other means of eliminating the shoulder surfing problem attached to the use of graphical passwords. 

4.3 Conclusion: 

In conclusion, I would like to highlight two major drawbacks of graphical passwords: their vulnerability to shoulder surfing and their slow login process, which several researchers have tried to fix. Despite those two major drawbacks, graphical passwords are considered to be more secure and easier to remember than text-based passwords. 


Hong, D., Man, S., Hawes, B. and Mathews, M. (2002). "A password scheme strongly resistant to spyware". International Conference on Security and Management, Las Vegas. 

Hong, D., Man, S., Hawes, B. and Mathews, M. (2003). "A shoulder-surfing resistant graphical password scheme". International Conference on Security and Management, Las Vegas. 

Parkinson, M. (2005). "The Power of Visual Communication", pp. 23-27. 

Paivio, A. (2006). Mind and Its Evolution: A Dual Coding Theoretical Approach. 

Dhamija, R. and Perrig, A. (2000). "Deja Vu: A User Study Using Images for Authentication". 

Real User Corporation (2006). Retrieved October 3, 2015, from Real User: 

Sobrado, L. and Birget, J. (2002). "Graphical Passwords". An Electronic Bulletin for Undergraduate Research, vol. 4. 

Saranga, K. and Hutchings, R. (2008). "Order and entropy in picture passwords". Proceedings of Graphics Interface, Canadian Information Processing Society. 


Xiaoyuan, S. and Ying Zhu, G. (2005). "Graphical passwords: a survey". 21st Annual Computer Security Applications Conference. 


  1. please send me this report ....

  2. books that we get reference of graphical password authentication