08-11-2012, 03:10 PM
DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS BY USING PERSUASIVE CLICK POINTS
[attachment=38581]
Abstract
Usable security has unique usability challenges because the need for security often means that
standard human-computer-interaction approaches cannot be directly applied. An important usability goal
for authentication systems is to support users in selecting better passwords. Users often create memorable
passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users
to remember. So researchers of modern days have gone for alternative methods wherein graphical
pictures are used as passwords. Graphical passwords essentially use images or representation of images as
passwords. Human brain is good in remembering picture than textual character. There are various
graphical password schemes or graphical password software in the market. However, very little research
has been done to analyze graphical passwords that are still immature. There for, this project work merges
persuasive cued click points and password guessing resistant protocol. The major goal of this work is to
reduce the guessing attacks as well as encouraging users to select more random, and difficult passwords
to guess. Well known security threats like brute force attacks and dictionary attacks can be successfully
abolished using this method.
INTRODUCTION
There has been a great deal of hype for graphical
passwords since two decade due to the fact that
primitive‟s methods suffered from an
innumerable number of attacks which could be
imposed easily. Here we will progress down the
taxonomy of authentication methods. To start
with we focus on the most common computer
authentication method that makes use of text
passwords. Despite the vulnerabilities, it‟s the
user natural tendency of the users that they will
always prefer to go for short passwords for ease
of remembrance [10] and also lack of awareness
about how attackers tend to attacks.
Unfortunately, these passwords are broken
mercilessly by intruders by several simple
means such as masquerading, Eaves dropping
and other rude means say dictionary attacks,
shoulder surfing attacks, social engineering
attacks [10][1].To mitigate the problems with
traditional methods, advanced methods have
been proposed using graphical as passwords.
The idea of graphical passwords
firstdescribedby Greg Blonder (1996). For
Blonder, graphical passwordshave a
predetermined image that the sequence and
the tapregions selected are interpreted as the
graphical password.
Hong’s Methods
Hong, et al. [7] proposed another
shoulder-surfing resistant algorithm. In this
approach to allow the user to assign their own
codes to pass-object variants. Figure 3: shows
the log-in screen of this graphical password
scheme. However, this method still forces the
user to memorize many text strings and therefore
suffer from the many drawbacks of text-based
passwords.
Cued Click Points (CCP)
CCP [1] was developed as an alternative
click based graphical password scheme where
users select one point per image for five images
Figure.5: The interface displays only one image
at a time; the image is replaced by the next
image as soon as a user selects a click point. The
system determines the next image to display
based on the user‟s click-point on the current
image. The next image displayed to users is
based on a deterministic function of the point
which is currently selected. It now presents a
one to-one cued recall scenario where each
image triggers the user‟s memory of the one
click-point on that image. Secondly, if a user
enters an incorrect click-point during login, the
next image displayed will also be incorrect.
Legitimate users who see an unrecognized
image know that they made an error with their
previous click-point. Conversely, this implicit
feedback is not helpful to an attacker who does
not know the expected sequence of images.
Dictionary attacks
Since recognition based graphical
passwords involve mouse input instead of
keyboard input, it will be impractical to carry
out dictionary attacks against this type of
graphical passwords. For some recall based
graphical passwords [11], it is possible to use a
dictionary attack but an automated dictionary
attack will be much more complex than a text
based dictionary attack. More research is needed
in this area Overall; we believe graphical
passwords are less vulnerable to dictionary
attacks than text-based passwords.
Proposed System
Now-a-days, all business, government,
and academic organizations are investing a lot of
money, time and computer memory for the
security of information. Online password
guessing attacks have been known since the
early days of the Internet, there is little academic
literature on prevention techniques. This project
deals with guessing attacks like brute force
attacks and dictionary attacks.
This project proposes a click-based
graphical password system. During password
creation, there is a small view port area that is
randomly positioned on the image.
Conclusion and future work
A major advantage of Persuasive cued
click point scheme is its large password space
over alphanumeric passwords. There is a
growing interest for Graphical passwords since
they are better than Text based passwords,
although the main argument for graphical
passwords is
that people are better at memorizing graphical
passwords than text-based passwords. Online
password guessing attacks on password-only
systems have been observed for decade‟s
.Present-day attackers targeting such systems are
empowered by having control of thousand to
million node botnets. In previous ATT-based
login protocols, there exists a security-usability
trade-off with respect to the number of free
failed login attempts (i.e., with no ATTs)
versus user login convenience (e.g., less
ATTs and other requirements). In contrast,
PGRP is more restrictive against brute force and
dictionary attacks while safely allowing a large
number of free failed attempts for legitimate
users. PGRP is apparently more effective in
preventing password guessing attacks (without
answering ATT challenges), it also offers more
convenient login experience, e.g., fewer ATT
challenges for legitimate users. PGRP appears
suitable for organizations of both small and large
number of user accounts.
[attachment=38581]
Abstract
Usable security has unique usability challenges because the need for security often means that
standard human-computer-interaction approaches cannot be directly applied. An important usability goal
for authentication systems is to support users in selecting better passwords. Users often create memorable
passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users
to remember. So researchers of modern days have gone for alternative methods wherein graphical
pictures are used as passwords. Graphical passwords essentially use images or representation of images as
passwords. Human brain is good in remembering picture than textual character. There are various
graphical password schemes or graphical password software in the market. However, very little research
has been done to analyze graphical passwords that are still immature. There for, this project work merges
persuasive cued click points and password guessing resistant protocol. The major goal of this work is to
reduce the guessing attacks as well as encouraging users to select more random, and difficult passwords
to guess. Well known security threats like brute force attacks and dictionary attacks can be successfully
abolished using this method.
INTRODUCTION
There has been a great deal of hype for graphical
passwords since two decade due to the fact that
primitive‟s methods suffered from an
innumerable number of attacks which could be
imposed easily. Here we will progress down the
taxonomy of authentication methods. To start
with we focus on the most common computer
authentication method that makes use of text
passwords. Despite the vulnerabilities, it‟s the
user natural tendency of the users that they will
always prefer to go for short passwords for ease
of remembrance [10] and also lack of awareness
about how attackers tend to attacks.
Unfortunately, these passwords are broken
mercilessly by intruders by several simple
means such as masquerading, Eaves dropping
and other rude means say dictionary attacks,
shoulder surfing attacks, social engineering
attacks [10][1].To mitigate the problems with
traditional methods, advanced methods have
been proposed using graphical as passwords.
The idea of graphical passwords
firstdescribedby Greg Blonder (1996). For
Blonder, graphical passwordshave a
predetermined image that the sequence and
the tapregions selected are interpreted as the
graphical password.
Hong’s Methods
Hong, et al. [7] proposed another
shoulder-surfing resistant algorithm. In this
approach to allow the user to assign their own
codes to pass-object variants. Figure 3: shows
the log-in screen of this graphical password
scheme. However, this method still forces the
user to memorize many text strings and therefore
suffer from the many drawbacks of text-based
passwords.
Cued Click Points (CCP)
CCP [1] was developed as an alternative
click based graphical password scheme where
users select one point per image for five images
Figure.5: The interface displays only one image
at a time; the image is replaced by the next
image as soon as a user selects a click point. The
system determines the next image to display
based on the user‟s click-point on the current
image. The next image displayed to users is
based on a deterministic function of the point
which is currently selected. It now presents a
one to-one cued recall scenario where each
image triggers the user‟s memory of the one
click-point on that image. Secondly, if a user
enters an incorrect click-point during login, the
next image displayed will also be incorrect.
Legitimate users who see an unrecognized
image know that they made an error with their
previous click-point. Conversely, this implicit
feedback is not helpful to an attacker who does
not know the expected sequence of images.
Dictionary attacks
Since recognition based graphical
passwords involve mouse input instead of
keyboard input, it will be impractical to carry
out dictionary attacks against this type of
graphical passwords. For some recall based
graphical passwords [11], it is possible to use a
dictionary attack but an automated dictionary
attack will be much more complex than a text
based dictionary attack. More research is needed
in this area Overall; we believe graphical
passwords are less vulnerable to dictionary
attacks than text-based passwords.
Proposed System
Now-a-days, all business, government,
and academic organizations are investing a lot of
money, time and computer memory for the
security of information. Online password
guessing attacks have been known since the
early days of the Internet, there is little academic
literature on prevention techniques. This project
deals with guessing attacks like brute force
attacks and dictionary attacks.
This project proposes a click-based
graphical password system. During password
creation, there is a small view port area that is
randomly positioned on the image.
Conclusion and future work
A major advantage of Persuasive cued
click point scheme is its large password space
over alphanumeric passwords. There is a
growing interest for Graphical passwords since
they are better than Text based passwords,
although the main argument for graphical
passwords is
that people are better at memorizing graphical
passwords than text-based passwords. Online
password guessing attacks on password-only
systems have been observed for decade‟s
.Present-day attackers targeting such systems are
empowered by having control of thousand to
million node botnets. In previous ATT-based
login protocols, there exists a security-usability
trade-off with respect to the number of free
failed login attempts (i.e., with no ATTs)
versus user login convenience (e.g., less
ATTs and other requirements). In contrast,
PGRP is more restrictive against brute force and
dictionary attacks while safely allowing a large
number of free failed attempts for legitimate
users. PGRP is apparently more effective in
preventing password guessing attacks (without
answering ATT challenges), it also offers more
convenient login experience, e.g., fewer ATT
challenges for legitimate users. PGRP appears
suitable for organizations of both small and large
number of user accounts.
