International Journal of Scientific Research in Computer Science and Engineering, Survey Paper, Vol.6, Special Issue.1, pp.77-80, January (2018), E-ISSN: 2320-7639

A survey of Possible Attacks on Text & Graphical Authentication Techniques

Sanjay E. Pate, Bhojaraj H. Barhate

Department of Computer Science, Nanasaheb Y.N. Chavan Arts, Science & Commerce College, Chalisgaon, Dist. Jalgaon
Department of Computer Science, Bhusawal Arts, Science & P.O. Nahata Commerce College, Bhusawal

Abstract- The process of verifying a user's identity is typically referred to as user authentication. Information security and authentication are now key issues worldwide. The number of Internet end users has gradually increased. Common uses of the Internet are searching, e-mail, social networking, e-banking, e-governance, etc. User authentication is the process of determining whether a user should be authorized to access information or not. Alphanumeric or text passwords are the most widely used mechanism for authentication, but they are susceptible to dictionary, brute force and guessing attacks. One resolution is to use graphical passwords, a more secure and reliable technique for authentication. Graphical passwords let users remember pictures/images instead of text, which helps them recall their passwords easily. However, these are also vulnerable to dictionary, brute force and guessing attacks. In this paper, text-based and graphical password techniques for authentication are discussed, and possible attacks on them are summarized.

KEYWORDS: Phishing, bots, OCR, PIN

Introduction:
Passwords are the most frequently used way of authenticating computer users, but this method has often proved insufficient in preventing unauthorized access to computer resources when used as the only means of authentication. In public and private computer networks, including the Internet, authentication is done through the use of login IDs (user names) and passwords. User authentication is the means that allows a device to verify the identity of someone who connects to a network resource.

Natures of Authentications:
There are three basic methods for authentication -
a. Knowledge-based authentication
b. Token-based authentication
c. Biometric-based authentication [7,11,6].
A knowledge-based authentication technique uses something the user knows (e.g., text passwords, graphical passwords, etc.), a token-based authentication technique uses something the user has (e.g., a smart card) and a biometric-based authentication technique uses who you are: a single, measurable characteristic of an individual (e.g., iris, fingerprint) [15,5].
Among the three techniques, the knowledge-based technique is the most widely used for authentication because it is well known to all kinds of users and easy to implement. Token-based and biometric-based authentication are more secure than knowledge-based authentication, but those techniques have their limitations. In the case of token-based authentication, the token must always be carried to use the service, and there is a possibility of losing the token or of the token being stolen by somebody. To prevent the use of stolen tokens, an extended token-based authentication uses a PIN (Personal Identification Number) in addition to the token. Biometric authentication is not adopted for all applications because of the expense involved in maintaining the special devices. In general, the three techniques can be used for various types of applications based on their security requirements. In the present situation, every user has to maintain a number of user accounts, either for office work or for private work. Biometrics or tokens can be used for applications with high security requirements, and knowledge-based authentication can be used for other applications.


The traditional method used for knowledge-based authentication is textual passwords.

1. Textual passwords:
A textual password is the conventional method used for user authentication. It remains the most widely used method because it is simple, inexpensive compared to other techniques and easy to implement [8,2]. Users are likely to select short and straightforward passwords so that they can remember them easily. It is effortless for an interloper to break these simple passwords. Random and lengthy passwords are hard to remember. The main problem with the traditional textual method is that passwords selected for many applications are either weak and memorable, or secure but difficult to recall [13,9]. Some users even use the name of the system as the password [12]. Lengthy passwords provide more security, but it is difficult to remember several such long passwords. Users tend to use the same password for many accounts to reduce the load on memory, which makes the interloper's job easy [1,3]. It is easy to capture a textual password either by shoulder surfing or by . So textual passwords are vulnerable to dictionary, (personalized) guessing and capturing attacks. To address the problems of textual passwords, graphical passwords were introduced.

2. Graphical Passwords:
Graphical passwords can be categorized into three methods, recognition based, recall based and cued recall based, depending on the cognitive load on the user in retrieving the password from memory [16, 15, 6].
Recognition based techniques are good for memorability; users can remember and recognize their passwords successfully. The server has to maintain a large number of images or faces, and for every round of authentication the server has to prepare a challenge set for every user. Due to the limited number of images in the challenge set and the few rounds used for authentication, the password space is small in recognition based techniques, and in turn these are vulnerable to password guessing attacks. Password capturing attacks require multiple logins to get the complete portfolio of the user. Password creation and login times are longer compared to recall based techniques.
Recall based techniques have a large password space and are secure against password guessing attacks. There is no need for the server to maintain a large number of images or faces, and no requirement to form a challenge set. Password creation and login times are shorter than in the other two techniques. Recall based techniques are vulnerable to password capturing attacks because in a single session, or by observation alone, the intruder may obtain the password. The password complexity depends on the number and the length of the strokes in the password, but it is difficult to remember the order of multiple strokes in random-shape passwords. Drawing a password with the mouse is inconvenient.
Cued recall systems are good for memorability. Cues help users retrieve the password from memory without writing it anywhere. The security of passwords in a cued recall system depends on the image selected for authentication. Images have a limited number of clickable points for password selection, which reduces the password space, and in turn passwords are vulnerable to password guessing attacks. They are also vulnerable to password capturing attacks because the entire password or the user's portfolio is displayed at every login, where it can be observed by intruders. Password creation and login times are longer compared to recall systems.

II. Literature Review:
The security of passwords can be specified in terms of resistance to various types of attacks. An attack is an attempt to exploit vulnerabilities in the passwords. Attacks can be categorized into password guessing attacks and password capturing attacks. Password guessing attacks include brute force, dictionary and (personalized) guessing attacks. Password capturing attacks include shoulder surfing, hidden camera, social engineering and malware attacks. Password guessing attacks are resisted by having a large password space and strong passwords. Password capturing attacks can be resisted by introducing authentication techniques which depend on the secret entered by the user as well as on the login interface. Security may be increased by adding multiple rounds to the authentication technique, at the cost of usability. Though it is desirable to have high values for both security and usability, due to the tradeoff between them an optimal solution is selected depending on the application.

I. Attacks on Text and Graphical password:
A. Brute Force Attack:
The success of this attack depends on the set of predefined values. If it is larger, it will take more time, but there is a better probability of success. However, GUA proves to be more resistant to brute force attacks, since the attack software needs to produce all possible mouse motions to imitate passwords, especially when trying to recall the graphical passwords [4].
B. Dictionary Attack:
This creative attack uses words found in the dictionary to check if any were used as passwords by the users. Many users use weak passwords, which makes it easier for attackers to guess the password using a graphical dictionary attack [10]. Because the graphical password method uses mouse input for recognition, using a dictionary attack on GUA would be a waste of time. Dictionary attacks against recognition and cued-recall graphical password systems require more effort than against text passwords or recall-based graphical passwords, since attackers must first collect one or more of a set of images. Images obtained from one system cannot be used in attacks on another system, unless both systems use the same image set. During recall, it is more difficult and complicated to use an automated dictionary method to produce every possibility of a single user click on an image than in a text-based attack [10,14,17].
C. Spyware Attack:
This attack uses an application installed on a user's computer to record raw data during mouse movement or key presses. This form of malware secretly stores this information and then reports back to the attacker's system. With some exceptions, these key-loggers and listening spyware are unproven in identifying mouse movement to crack graphical passwords. Even if the change is recorded, it is still not certain to identify the graphical password. Other information is needed for this type of attack, namely window size and position as well as the timing [18].
D. Shoulder-Surfing Attack:
As the name implies, passwords can be identified by looking over a person's shoulder. This type of attack is more common in crowded areas, where it is not uncommon for people to stand behind one another queuing at ATMs. There are also cases where ceiling and wall cameras placed near ATMs are used to record keyed PIN numbers. The best way to avoid PIN numbers being recorded or remembered by attackers is to adequately shield the keypad when entering the PIN [19,20].
E. Guessing attack:
As many users try to select their password based on their private information, like the name of their pets, passport number, family name and so on, the attacker also attempts to guess passwords by trying these possible passwords. Password guessing attacks can be broadly classified into online password guessing attacks and offline dictionary attacks. In an online password guessing attack, an attacker tries a guessed password by manipulating the inputs of one or more sessions. In an offline dictionary attack, an attacker exhaustively searches for the password by using the data of one or more sessions.
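The password-space argument running through the sections above (recognition based schemes with few images and rounds, cued-recall schemes bounded by the number of distinguishable click points, text passwords bounded by alphabet and length) can be quantified. The following is an added example, not code from the paper; every scheme parameter in it is assumed for illustration and is not the value of any cited system.

```python
import math

# Added example (not from the paper): password-space estimates for the three
# knowledge-based schemes the survey compares. All parameters are assumed.

def text_password_space(alphabet_size: int, length: int) -> int:
    """Textual password: every position can take any of alphabet_size symbols."""
    return alphabet_size ** length

def recognition_space(challenge_size: int, pass_images: int, rounds: int) -> int:
    """Recognition-based scheme: each round shows a challenge set of
    challenge_size images and the user picks their pass_images among them.
    The secret is the choice made in every round, so the space grows with
    rounds (the 'more rounds, more security, less usability' trade-off)."""
    return math.comb(challenge_size, pass_images) ** rounds

def cued_recall_space(width: int, height: int, tolerance: int, clicks: int) -> int:
    """Cued-recall (click-point) scheme: the image is divided into
    tolerance x tolerance pixel cells, so only (width/tol)*(height/tol)
    clicks are distinguishable; that limited number of clickable points is
    what bounds the space. Each click is one choice of cell."""
    cells = (width // tolerance) * (height // tolerance)
    return cells ** clicks

def entropy_bits(space: int) -> float:
    """Size of a password space in bits, the usual basis for comparison."""
    return math.log2(space)

def expected_guess_time_s(space: int, guesses_per_second: float) -> float:
    """Expected time of an exhaustive (brute-force) search that succeeds on
    average after trying half the space, at a given guess rate."""
    return (space / 2) / guesses_per_second

if __name__ == "__main__":
    schemes = {
        "text, 8 printable ASCII chars": text_password_space(95, 8),
        "recognition, pick 1 of 9 per round, 4 rounds": recognition_space(9, 1, 4),
        "cued recall, 451x331 image, 19px tolerance, 5 clicks": cued_recall_space(451, 331, 19, 5),
    }
    for name, space in schemes.items():
        # 1e3 guesses/s: an unthrottled online login; 1e9/s: offline cracking.
        print(f"{name}: {entropy_bits(space):.1f} bits, "
              f"online ~{expected_guess_time_s(space, 1e3) / 86400:.1f} days, "
              f"offline ~{expected_guess_time_s(space, 1e9):.1f} s")
```

The ordering of the three results (recognition well below cued recall, cued recall below an 8-character text password) is the survey's ranking of guessing resistance expressed in bits.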

II. Popular tools for brute-force, dictionary and attacks:
(S.N., Tool: Description. Website)

1. Aircrack-ng: Popular wireless password-cracking tool. http://www.aircrack-ng.org/
2. John the Ripper: Automatically detects the type of hashing used in a password. http://www.openwall.com/john/
3. Rainbow Crack: Generates rainbow tables for use while performing the attack. http://project-rainbowcrack.com/
4. Cain & Abel: Cracks passwords by performing brute-force attacks, dictionary attacks and cryptanalysis attacks. http://www.oxid.it/cain.html
5. L0phtCrack: Known for its ability to crack Windows passwords. http://www.l0phtcrack.com/
6. Ophcrack: Cracks Windows passwords by using LM hashes through rainbow tables. http://ophcrack.sourceforge.net/
7. Crack: Password-cracking tool for UNIX systems. http://www.crypticide.com/alecm/software/crack/c50-faq.html
8. Hashcat: Claimed to be the fastest CPU-based tool; supports various hashing algorithms (LM hashes, MD4, MD5, SHA family, Unix formats, MySQL, Cisco PIX). It supports Brute-Force, Combinator, Dictionary, Fingerprint, Hybrid, Mask, Permutation, Rule-based, Table-Lookup and Toggle-Case attacks. https://www.hashcat.net/
9. SAMInside: Supports various attack methods including Mask attack, Dictionary attack, Hybrid attack and attack with rainbow tables. http://www.insidepro.com/
10. DaveGrohl: Supports both dictionary attacks and incremental attacks. https://github.com/octomagon/davegrohl
11. Ncrack: Password-cracking tool for cracking network authentications. https://nmap.org/ncrack/
12. THC Hydra: Cracks passwords of network authentications. https://www.thc.org/thc-hydra/
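The last two tools in the list work online against network logins, which is the online password guessing attack of Section E and the one a defender can see in authentication logs. As an added example (not from the paper), the following sliding-window detector flags the two shapes such guessing takes; the log lines are constructed and the thresholds are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the paper):
# timestamp, result, account, source address.
SAMPLE_LOG = """\
2018-01-10T09:00:01 FAIL user=alice src=203.0.113.7
2018-01-10T09:00:02 FAIL user=alice src=203.0.113.7
2018-01-10T09:00:03 FAIL user=alice src=203.0.113.7
2018-01-10T09:00:04 FAIL user=alice src=203.0.113.7
2018-01-10T09:00:05 FAIL user=alice src=203.0.113.7
2018-01-10T09:00:06 OK   user=alice src=203.0.113.7
2018-01-10T09:00:10 FAIL user=bob   src=198.51.100.2
2018-01-10T09:00:11 FAIL user=carol src=198.51.100.2
2018-01-10T09:00:12 FAIL user=dave  src=198.51.100.2
2018-01-10T09:00:13 FAIL user=erin  src=198.51.100.2
2018-01-10T09:05:00 FAIL user=frank src=192.0.2.9
2018-01-10T09:30:00 FAIL user=frank src=192.0.2.9
"""

def parse_line(line):
    """Split one log line into (time, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_online_guessing(log_text, window=timedelta(minutes=1), per_user=5, per_src=4):
    """Sliding-window detector over failed logins (thresholds are hypothetical).
    (a) one account collects per_user failures inside the window: a tool
        guessing one user's password; (b) one source fails against per_src
        distinct accounts inside the window: password spraying.
    An alert is emitted when a count first reaches its threshold."""
    user_fails = defaultdict(deque)     # user -> times of recent failures
    src_attempts = defaultdict(deque)   # src  -> (time, user) of recent failures
    alerts = []
    for line in log_text.splitlines():
        t, result, user, src = parse_line(line)
        if result != "FAIL":
            continue
        q = user_fails[user]
        q.append(t)
        while t - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) == per_user:
            alerts.append(("account-guessing", user, src))
        s = src_attempts[src]
        s.append((t, user))
        while t - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) == per_src:
            alerts.append(("spraying", src, user))
    return alerts
```

Two slow failures 25 minutes apart (the frank lines) fall outside the window and raise nothing, which is the behaviour a lockout or throttle rule needs so that ordinary typos are not flagged.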

Conclusion:
In this paper, text and graphical based authentication techniques are discussed, along with the possible attacks on these authentication techniques. There is scope for future research to develop new authentication techniques which avoid the above possible attacks.

References:
[1] Adams, A., and Sasse, M. A., "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures," Communications of the ACM, vol. 42, pp. 41-46, 1999.
[2] Herley, C., Van Oorschot, P. and Patrick, A., "Passwords: If We're So Smart, Why Are We Still Using Them?" in Financial Cryptography and Data Security, LNCS 5628, Springer, 2009.
[3] Ives, B., Walsh, K.R., Schneider, H., The domino effect of password reuse, Communications of the ACM 47, 75-78, 2004.
[4] Hayashi, E. and Christin, N., Use Your Illusion: Secure Authentication Usable Anywhere, in Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS), ACM, 2008.
[5] Lawrence O'Gorman, Comparing Passwords, Tokens, and Biometrics for User Authentication, Proceedings of the IEEE, Vol. 91, No. 12, pp. 2022-2033, December 2003.
[6] Monrose, F. and Reiter, M., Graphical passwords, in Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds., O'Reilly Media, Chapter 9, pp. 157-174, 2005.
[7] Renaud, K., "Evaluating authentication mechanisms," in Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds., O'Reilly Media, 2005, ch. 6, pp. 103-128.
[8] Renaud, K., "Guidelines for designing graphical authentication mechanism interfaces", International Journal of Information and Computer Security, vol. 3, no. 1, pp. 60-85, June 2009.
[9] Sasse, M., Brostoff, S., and Weirich, D., Transforming the 'Weakest Link' - A Human/Computer Interaction Approach to Usable and Effective Security, BT Technology Journal, 19(3):122-131, 2001.
[10] Chiasson, S., et al., Multiple Password Interference in Text Passwords and Click-Based Graphical Passwords, ACM, 2009.
[11] Suo, X., Zhu, Y. and Owen, G., Graphical passwords: A survey, Annual Computer Security Applications Conference (ACSAC), December 2005.
[12] Vu, K.-P. L., Proctor, R., Bhargav-Spantzel, A., Tai, B.-L., Cook, J., and Schultz, E., Improving password security and memorability to protect personal and organizational information, International Journal of Human-Computer Studies 65, pp. 744-757, 2007.
[13] Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A. and Memon, N., PassPoints: Design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, 63(1-2):102-127, 2005.
[14] Sonia Chiasson, P.C. van Oorschot, and Robert Biddle, "Graphical Password Authentication Using Cued Click Points".
[15] Jain, A., Ross, A. and Pankanti, S., "Biometrics: a tool for information security," IEEE Transactions on Information Forensics and Security (TIFS), vol. 1, no. 2, pp. 125-143, 2006.
[16] Monrose, F. and Reiter, M., Graphical passwords, in Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds., O'Reilly Media, Chapter 9, pp. 157-174, 2005.
[17] Arash Habibi Lashkari, Samaneh Farmand, "A new algorithm on Graphical User Authentication (GUA) based on multi-line grids".
[18] S. Chiasson, P. C. van Oorschot, and R. Biddle, "A second look at the usability of click-based graphical passwords," in Proc. 3rd Symp. Usable Privacy and Security (SOUPS), Pittsburgh, PA, 2007.
[19] D. Davis, F. Monrose, and M. Reiter, "On user choice in graphical password schemes," in 13th USENIX Security Symposium, 2004.
[20] Passlogix, "www.passlogix.com," last accessed in June 2005.
