Draw a Secret

Draw a Secret (DAS) is a graphical password input scheme developed by Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter and Aviel D. Rubin and presented in a paper at the 8th USENIX Security Symposium in August 1999. [1]

The scheme replaces alphanumeric password strings with a picture drawn on a grid: instead of typing a password, the user authenticates with a set of gestures drawn on the grid. The drawing is mapped onto the grid, and the ordered sequence of cell coordinates the drawing passes through is recorded as the password. A stroke is the motion of pressing down on the screen or mouse, drawing a line or shape, and lifting the stylus or mouse again; each time the user ends one stroke and begins another, an extra coordinate marking the pen-up is inserted into the recorded "password" sequence.

Overview

In DAS, a password is a picture drawn free-form on a grid of size N x N. Each grid cell is denoted by two-dimensional discrete coordinates (x, y) ∈ [1, N] × [1, N]. A completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret. [2]

The predominant argument in favor of graphical over alphanumeric passwords is the picture superiority effect, which describes the improved performance of the human mind in recalling images and objects over strings of text. DAS relies on this effect: a complex drawing is easier to memorize than a long string of alphanumeric characters, so a user can enter stronger and more secure sequences through a graphical password scheme than through conventional text input with relatively little effort.

Variations

Background Draw a Secret (BDAS)

This variation on the original DAS scheme is meant to improve both the security of the scheme and the ease of verification by the user. The same grid is used as in the original Draw a Secret, but a background image is shown under the grid. The background image aids in the reconstruction of difficult-to-remember passwords: in the original system the user must remember not only the strokes associated with the password but also the grid cells that the strokes pass through, which is hard because all the grid cells look alike and have no distinguishing features. With BDAS, the user can choose an image to place under the grid, whose unique features aid in the correct placement of the drawing.

A study done at Newcastle University showed that with a background image, participants tended to construct more complex secrets (e.g. with a greater length or stroke count) than those who used plain DAS, though the recall rate after a one-week period was almost identical: about the same percentage of participants could recall their DAS sequence as could recall their BDAS sequence. [2]

Rotational Draw a Secret (R-DAS)

R-DAS is a variation on the original Draw a Secret system in which the user is allowed to rotate the drawing grid, either between strokes in the sequence or after the entire sequence has been entered and the "secret" has been drawn. After one rotation is done, any following rotations in the same direction, without a counter-rotation in a different direction between them, are treated as one rotation. [3]

An example of the added password strength is shown below: [3]

If the original password is entered as follows (presented as the sequence of cells crossed by each stroke, with (6) marking the pen-up between strokes):

(1,1)(2,1)(3,1)(4,1)(5,1)(6)(5,1)(5,2)(5,3)(5,4)(5,5)(6)(1,1)(1,2)(1,3)(1,4)(1,5)(6)(3,1)(3,2)(3,3)(6)

With R-DAS, grid rotations (given in degrees) can be inserted between strokes to increase security:

(1,1)(2,1)(3,1)(4,1)(5,1)(6) (-90) (5,1)(5,2)(5,3)(5,4)(5,5)(6) (+90)(-45) (1,1)(1,2)(1,3)(1,4)(1,5)(6) (+225) (3,1)(3,2)(3,3)(6) (+180)
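The R-DAS sequences above, as an added example that is not code from the article or from the R-DAS authors: a tokenizer for the notation used on this page, and the rule that consecutive same-direction rotations count as one rotation. The example assumes that merged rotations add their angles and that only adjacent rotation tokens merge; both readings are assumptions, as is the way the pen-up marker (6) is represented.

```python
import re
from typing import List, Tuple

# (x,y) is a grid cell, a bare unsigned number such as (6) is the pen-up marker,
# and a signed number such as (+90) or (-45) is a grid rotation in degrees.
TOKEN = re.compile(r"\(\s*([+-]?\d+)\s*(?:,\s*(\d+))?\s*\)")


def tokenize(text: str) -> List[tuple]:
    """Parse the article's notation into ("cell", x, y), ("up",) and ("rot", deg) tokens."""
    out: List[tuple] = []
    for m in TOKEN.finditer(text):
        first, second = m.group(1), m.group(2)
        if second is not None:
            out.append(("cell", int(first), int(second)))
        elif first[0] in "+-":
            out.append(("rot", int(first)))
        else:
            out.append(("up",))
    return out


def normalize(tokens: List[tuple]) -> List[tuple]:
    """R-DAS rule: rotations in the same direction with no counter-rotation between
    them are one rotation. Assumed here: only adjacent rotation tokens merge, and
    the merged rotation is the sum of their angles."""
    out: List[tuple] = []
    for t in tokens:
        if t[0] == "rot" and out and out[-1][0] == "rot" and (out[-1][1] > 0) == (t[1] > 0):
            out[-1] = ("rot", out[-1][1] + t[1])
        else:
            out.append(t)
    return out


def strip_rotations(tokens: List[tuple]) -> List[tuple]:
    """Drop rotation tokens, leaving the plain DAS cell/pen-up sequence."""
    return [t for t in tokens if t[0] != "rot"]


def matches(stored: str, entered: str) -> bool:
    """Two entries authenticate as the same secret if their normalized token lists agree."""
    return normalize(tokenize(stored)) == normalize(tokenize(entered))


# The two sequences from the article, copied verbatim.
DAS = "(1,1)(2,1)(3,1)(4,1)(5,1)(6)(5,1)(5,2)(5,3)(5,4)(5,5)(6)(1,1)(1,2)(1,3)(1,4)(1,5)(6)(3,1)(3,2)(3,3)(6)"
RDAS = ("(1,1)(2,1)(3,1)(4,1)(5,1)(6) (-90) (5,1)(5,2)(5,3)(5,4)(5,5)(6) (+90)(-45) "
        "(1,1)(1,2)(1,3)(1,4)(1,5)(6) (+225) (3,1)(3,2)(3,3)(6) (+180)")
```

Stripping the rotation tokens from the R-DAS entry gives back the plain DAS sequence, which shows that the rotations add to, rather than replace, the drawn secret.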

Security Issues

Multiple Accepted Passwords

The encoding of a particular secret has a one-to-many relationship with the possible drawings it can represent. This implies that more than one drawing may in fact be accepted as a successful authentication of the user. [2] This is especially true with a small number of cells in the N x N grid.

To reduce this problem, more cells can be included in the grid, which makes it harder for a different drawing to cross exactly the cells required by the password sequence. The cost of this added security is that the legitimate user also finds the password harder to reproduce: the more cells the grid has, the more accurately the user must draw to stroke through all of the required cells in the correct order.
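An added example (not code from the article or the DAS authors) of the encoding described in the Overview and of the one-to-many property discussed here: pointer samples are mapped to grid cells, each cell is recorded when the stroke enters it, and a pen-up marker closes each stroke. The canvas size, the interpolation between samples and the string form of the pen-up marker are assumptions of this example; the drawings are constructed.

```python
import hmac
import math
from typing import Iterator, List, Sequence, Tuple

Point = Tuple[float, float]   # raw canvas coordinates, origin top-left, assumed 100x100 canvas
Cell = Tuple[int, int]        # 1-based DAS grid cell (x, y)
PEN_UP = "pen-up"             # stroke separator; the article's example writes it as (6)

def cell_of(p: Point, n: int, canvas: float) -> Cell:
    """Map a canvas point to its grid cell, clamping points on the outer edge."""
    cx = min(n, max(1, math.floor(p[0] * n / canvas) + 1))
    cy = min(n, max(1, math.floor(p[1] * n / canvas) + 1))
    return (cx, cy)

def _walk(a: Point, b: Point, steps: int = 64) -> Iterator[Point]:
    """Interpolate between two pointer samples so a fast stroke cannot skip a cell."""
    for i in range(steps + 1):
        t = i / steps
        yield (a[0] + (b[0] - a[0]) * t, a[1] + (b[1] - a[1]) * t)

def encode(strokes: Sequence[Sequence[Point]], n: int = 5, canvas: float = 100.0) -> List:
    """DAS encoding: the ordered cells each stroke enters, followed by a pen-up marker.
    Consecutive samples inside the same cell collapse into a single entry."""
    secret: List = []
    for stroke in strokes:
        prev = None
        for a, b in zip(stroke, stroke[1:] or stroke):   # a one-sample stroke still counts
            for p in _walk(a, b):
                c = cell_of(p, n, canvas)
                if c != prev:
                    secret.append(c)
                    prev = c
        secret.append(PEN_UP)
    return secret

def serialize(secret: List) -> str:
    """Stable text form of a secret, e.g. '1,1;2,1;up'."""
    return ";".join("up" if t == PEN_UP else f"{t[0]},{t[1]}" for t in secret)

def verify(stored: str, strokes: Sequence[Sequence[Point]], n: int = 5, canvas: float = 100.0) -> bool:
    """Constant-time comparison; a deployment would store a salted hash of the
    serialized sequence rather than the sequence itself."""
    entered = serialize(encode(strokes, n, canvas))
    return hmac.compare_digest(stored.encode(), entered.encode())

# Constructed drawings on a 5x5 grid: a straight line across the top row and a wobbly
# line that stays inside the same cells. Different pictures, identical secret (one-to-many).
STRAIGHT = [[(5.0, 10.0), (95.0, 10.0)]]
WOBBLY = [[(5.0, 3.0), (30.0, 18.0), (55.0, 2.0), (80.0, 19.0), (95.0, 8.0)]]
VERTICAL = [[(10.0, 5.0), (10.0, 95.0)]]   # a different secret: down the first column
```

Raising the grid size from 5 to a larger N makes WOBBLY stop matching STRAIGHT, which is the trade-off the paragraph above describes.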

Graphical Dictionary Attacks

Through the use of common "hotspots" or "points of interest" in a grid or background image, a graphical dictionary attack can be mounted to guess users' passwords. [4] Other factors, such as similar shapes and objects in the background image, also create "click order" vulnerabilities, as these shapes may be clustered together and used in sequence. [5] These attacks apply far more to the Background variation of Draw a Secret, as it uses an image that can be exploited in the ways explained above. A study in 2013 [6] also showed that users tend to go through similar password selection processes across different background images.

Shoulder Surfing Attacks

This form of attack is carried out by a bystander watching the user enter their password. The attack applies to most authentication input schemes, but DAS schemes are especially vulnerable because the user's strokes are displayed on the screen for all to see, unlike alphanumeric text input, where the characters entered are not actually displayed on screen.

Three techniques have been designed for protecting DAS and BDAS systems from shoulder surfing attacks: [7]

  1. Decoy Strokes - the use of strokes that are entered simply to confuse potential onlookers; they may be differentiated by colors chosen by the user. [7]
  2. Disappearing Strokes - each stroke is removed from the screen after it is entered by the user. [7]
  3. Line Snaking - an extension of the disappearing strokes method, where the tail of a stroke begins disappearing shortly after the stroke is started, giving the appearance of a "line snaking". [7]

Implementations

The initial implementation of DAS was on PDAs (personal digital assistants). More recently, with the release of Windows 8, Microsoft included the option of switching to a "picture password". This is essentially an implementation of BDAS (as it requires the choice of a picture for the background), but it is limited to a three-gesture sequence when setting a password, which reduces the actual security that BDAS provides over conventional alphanumeric passwords. [8]

References

  1. Jermyn, Ian; Mayer, Alain; Monrose, Fabian; Reiter, Michael K.; Rubin, Aviel D. (1999). "The Design and Analysis of Graphical Passwords". Proceedings of the 8th USENIX Security Symposium.
  2. Dunphy, Paul; Yan, Jeff. "Do Background Images Improve "Draw a Secret" Graphical Passwords?" (PDF). Archived from the original on 2010-02-15.
  3. Chakrabarti, Saikat; Landon, George; Singhal, Mukesh. "Graphical Passwords: Drawing a Secret with Rotation as a New Degree of Freedom" (PDF).
  4. Thorpe, Julie; van Oorschot, P. C. "Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords" (PDF).
  5. van Oorschot, P. C.; Thorpe, Julie. "Exploiting Predictability in Click-based Graphical Passwords" (PDF).
  6. Zhao, Ziming; Ahn, Gail-Joon; Seo, Jeong-Jin; Hu, Hongxin. "On the Security of Picture Gesture Authentication" (PDF).
  7. Zakaria, Nur Haryani; Griffiths, David; Brostoff, Sacha; Yan, Jeff. "Shoulder Surfing Defence for Recall-based Graphical Passwords" (PDF).
  8. Lynch, Jim (2014-01-30). "Use a picture password to sign into Windows 8.1". Computerworld. Retrieved 2021-02-27.