New Graphical Password Scheme Containing Questions-Background-Pattern and Implementation

Bulganmaa Togookhuu, Wuyungerile Li, Yifan Sun and Junxing Zhang

## Abstract

Authentication must be as secure as possible to protect users' personal and exchanged information, since online information exchange systems have developed along with internet speed. Therefore, the aim of this chapter is to develop the current recall-based graphical password scheme and to create and implement a new graphical password scheme composed of three-layer verification. We programmed our scheme for use in an anonymous information exchange system and in the user registration of a trading chat room. We conducted a user survey in which participants accessed our system on their local network, and we analyzed the results according to the average length of the passwords they created and the statistical significance of the entropy bits. Across all survey participants, our scheme is statistically significant; furthermore, it was proved that it can secure against a variety of attacks because its entropy is high.

Keywords: graphic password, user authentication, QBP scheme and implementation

## 1. Background

Textual password mechanisms are the most commonly used, however with known weaknesses. The weaknesses include user fallibility in memorizing long or complicated passwords and the security risks posed by the use of short simple passwords.

One motivation for examining the application of graphical schemes is that humans have a remarkable capability to remember pictures. Second background of category is that most of the recall-based graphical passwords systems developed.

In addition, another motivation for this research is "what we build is what we remember more". Current forms of commonly promoted graphical passwords can be divided into three general categories: recognition-based systems, cued-recall systems and recall-based systems.


*Computer Graphics and Imaging*

Available from: https://

Addison-Wesley; 1994

2018-06]

pp. 109-117

pp. 121-135

pp. 815-822

2016. 2016. pp. 9-16

[1] Data Visualization Definition.

searchbusinessanalytics.techtarget.com/ definition/data-visualization [Accessed:

[2] Foley JD, Van Dam A, Feiner SK, Hughes JF, Phillips RL. Introduction to Computer Graphics. Vol. 55. Reading:

[3] Ware C. Information Visualization: Perception for Design. Elsevier; 2012

[4] Roberts R, Tong C, Laramee R, Smith GA, Brookes P, D'Cruze T. Interactive analytical Treemaps for visualization of call centre data. In: Proceedings of the Conference on Smart Tools and Applications in Computer Graphics. Eurographics Association; 2016.

[5] Laramee RS, Schneider J, Hauser H. Texture-based flow visualization on isosurfaces. Constance, Germany: IEEE TCVG Symposium on Visualization (VisSym); 19-21 May 2004:85-90

[6] Garth C, Laramee RS, Tricoche X, Schneider J, Hagen H. Extraction and visualization of swirl and tumble motion from engine simulation data. In: Topologybased Methods in Visualization. Springer; 2007.

[7] Grundy E, Jones MW, Laramee RS, Wilson RP, Shepard EL. Visualization of sensor data from animal movement. In: Computer Graphics Forum. Vol. 28. No. 3. Wiley Online Library; 2009.

[8] Alharbi N, Laramee RS, Chavent M. Molpathfinder: Interactive multidimensional path filtering of molecular dynamics simulation data. In: The Computer Graphics and Visual Computing (CGVC) Conference. Vol.

### Computer Graphics and Imaging

1. For the recall-based category, Jermyn et al. proposed a scheme called "draw-a-secret (DAS)". A user is asked to draw a simple picture on a 2D grid. During authentication, the user is asked to re-draw the picture. If the drawing touches the same grids in the same sequence, the user is authenticated.

2. For the recognition-based scheme called pass point, users have to recognize their pass image on images when they see them again. When they register, the user either provides their own images or chooses from a collection provided by the system.

3. In a recall-based system, the user has to recreate their pass image every time they log in. This is similar to a written signature used to sign documents. A cued recall-based system provides cues to users to help them repeat their initial actions, such as selecting points in an image each time they log in.

DOI: http://dx.doi.org/10.5772/intechopen.84156


One common problem for graphical passwords is the shoulder surfing problem: an on-looker can steal a user's graphical password by watching in the user's vicinity.

Therefore, the aim of this chapter is to develop existing graphical password scheme based on one's memory, create and implement a new graphical password scheme that is composed of three-layer verification.


We programmed our scheme in order to prove its superiority compared with existing schemes. We conducted a user survey in which participants accessed our system on a local network. It was evaluated according to the average length of the passwords they created and the statistical significance of the entropy bits. From the survey results of all participants, we find that our scheme is statistically significant; furthermore, it was proved that it can secure against a variety of attacks due to its high entropy.

## 2. Related work

Since it has been proved that images are easier to recall than text phrases, some people have suggested graphical passwords as an alternative. Dirik et al. [1] classified graphical passwords into three systems: pure recall-based systems, recognition-based systems and cued recall-based systems [2]. People who use a recall-based password system have to remember their password to access the system. Furthermore, one of the most famous studies of recall-based techniques was offered by Jermyn et al. [3].

The system of Govindarajulu et al. [4], which used doodles as a recall-based system, requires expensive equipment, such as a touchpad and digitizing tablet attached to a computer, and users also need to learn each time how to use the system. Recognition-based graphical password systems are based on a variety of images, and the user either chooses images provided by the system or provides their own images.

Hai Tao [5] draws the password using grid intersection points instead of grid cells. In addition, this scheme gave users a chance to select longer passwords and use colors, both resulting in greater password complexity than in the DAS scheme. Hatching et al. [6] selected pass images one by one in the same sequence by drawing a curve starting from the given image (red rectangle) and ending at the image marked with a green rectangle. Thorpe et al. [7] had the user set an "X" marker near his or her previously chosen location; they used Google Maps and a large password space.

## 3. CRS graphical password scheme and concepts

Numerous researchers are concentrating on and writing research papers about the authentication and security of contemporary information systems. One topic is shoulder surfing attacks on unlocking smart phones used in everyday life [8–10]. Users, however, can create a strong-entropy password consisting of many bits for any single system, which is difficult to remember. Thus, we have improved the security of the Pass-Go scheme, added secret questions, answers and a background image, and processed and implemented a new scheme to solve the problem. It is called "Questions-Background Image-Pattern (CRS)".

The main activity of CRS follows the principle of choosing node dots instead of partitions, similarly to the Pass-Go scheme. It is easy to use and easy to remember, while it may create a strong and complex password because a background image is inserted in the view, similar to the BDAS pattern.

Our CRS consists of three verification parts to secure the safety of the password as far as possible:

1. Scheme of secret question and answer based on text

2. Scheme of choosing image based on recognition

3. Scheme of creating password-using drawing based on remembering

when user has created a password only generated a new version by adding the traditional scheme of question and answer contained password feature to scheme of a graphical password. It can be used in web site of information trading and authentication phrase of trading chat room.

To refer systems based on modern web using graphical password scheme rarely, graphical password scheme based on recognition (selecting Chinese characters and various images) is used in authentication section of large searching systems like Android OS for smart phone pattern lock, Google and Baidu. Some psychologists assume that human brain remember graphical information better than others [11]. One of the researches revealed that how authentication and unlocking process influence based on phone user's behavior.

In accordance with Dual Coding Theory, cognition consists of two different systems, nonverbal and verbal [12, 13]. Thus, the user will pass the following steps to register using our scheme. After choosing questions and answering them and inserting an optional background image behind the grid, the graphical password is created and appears. Then the user will create a password by connecting points lying on the board and drawing a shape using straight lines.

Therefore, we processed scheme which secures safety of password, combined with practice and implemented as a result of studying graphical password space theory.

Our proposed idea is devoted to an advertising web site for anonymous information trading that contains text-based and graphical password features, and to the authentication section of a trading chat room that trades secured files to contract safely. The CRS scheme can be protected from various attacks since there is no personal information about the users on the website. While designing the scheme, we established a graphical password scheme that is easy to use, interesting and strong, by adding both the recall-based BDAS [20] and the Pass-Go [5] graphical password schemes to a traditional text-based password with secret questions and answers.

In our CRS scheme, there are 25 points on the 5 × 5 board, and the user connects points and draws an optional image in a free position using straight lines. It is possible to mark eight directions freely by striking at least more than four points. The drawn path from the start point to the end will be numbered 1–25. When reproducing it, the user needs to select the points drawn in the previous step correctly and draw to the end by recalling the previous image. This requirement is aimed at creating a strong drawn graphical password, which provides system security. Our scheme is thus divided into a 5 × 5 grid with 25 points overall and is implemented in the authentication section of a web-based system. The user should register in accordance with the following scheme. The CRS scheme flow diagram is shown in Figure 1.

Figure 1. Register, login process, questions and answers verification.

## 4. Main unit of the CRS graphical password scheme

The user accesses the authentication page of the system, then selects and answers three of a variety of questions. Using a secret question and answer in the system authentication section increases the overall bit size of the password. In preparing secret questions and answers for a user, we should obey the prohibitions of the international telecommunications industry and the FCC's Customer Proprietary Network Information (CPNI) rules, so the questions do not ask about the user's personal information.

Password does not contain user's personal information such as e-mail address, surname, birth date, user's registration number and phone number. The password requires answers that are easy to memorize, adamant in terms of time, has feature to cover public, is difficult to guess and provides security. If attackers capture user's weak answer, they will experience trouble in every step to guess graphical password created by secret drawing or next step verification.

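- Long question and answer strings are required from the user to provide answer security. Therefore, we decided that the minimum answer length is ≤4 characters and that the maximum accepted answer can be composed of ≤10–26 characters (letter, number and exclusive character) when the answer uses collocation.
- Questions appear with their original text as the user selects them. However, the answer is saved using a cryptographic hash function. Users need to select a new pack of questions and create a new one if they forget an answer. If the session is idle, both will warn to answer the secret question within 3 minutes and move to the next step (verification step).
- Images that are appropriate to find using the three chosen answers to the questions as keywords will be revealed separately on three web guides from the system base.
- When the user selects one image and copies its location code (copy image address), the image becomes the background image of our system and is inserted behind the grid. One advantage of this approach is that it helps to deceive attackers who want to obtain the background image.
- The board with the inserted background image should be a 5 × 5 grid; the user selects from 25 points on the 2D board and draws with pen-up from start to endpoint under pen-drag movement. The user needs to connect points under the following rules and mark them as a line.
	- User needs to select at least four points.
	- Previous points can choose by concurring, if there is no neighbor point.
	- It confirms to connect points using only straight line and mark.
	- It is impossible to select by jumping over next point without choosing previous point.
	- User can create number of optional images in free positions.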

The fifth step improves Pass-Go scheme, solves haziness of graphical imagination and increases password space.
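The drawing rules listed above can be checked on the server before a pattern is stored. The following is an added example, not the authors' implementation: it assumes points are numbered 0 to 24 row by row from the upper left corner, reads "straight line" as one of the eight directions mentioned in Section 3, and treats re-selecting or passing over an already chosen point as allowed; `validateDrawing` and its reason strings are hypothetical names.

```javascript
// Added example: rule check for a secret drawing on the 5 x 5 point board.
// Assumption: points are numbered 0..24, row by row, from the upper left corner.
const SIZE = 5;
const MIN_POINTS = 4; // "User needs to select at least four points."

function toXY(p) {
  return { x: p % SIZE, y: Math.floor(p / SIZE) };
}

// Returns the points lying strictly between a and b when the segment runs in
// one of the eight straight directions, or null when it does not.
function pointsBetween(a, b) {
  const A = toXY(a);
  const B = toXY(b);
  const dx = B.x - A.x;
  const dy = B.y - A.y;
  if (dx === 0 && dy === 0) return null; // same point twice in a row
  const straight = dx === 0 || dy === 0 || Math.abs(dx) === Math.abs(dy);
  if (!straight) return null;
  const steps = Math.max(Math.abs(dx), Math.abs(dy));
  const sx = Math.sign(dx);
  const sy = Math.sign(dy);
  const between = [];
  for (let k = 1; k < steps; k++) {
    between.push((A.y + k * sy) * SIZE + (A.x + k * sx));
  }
  return between;
}

// Validates a drawing given as the ordered list of selected points.
function validateDrawing(path) {
  if (!Array.isArray(path)) return { ok: false, reason: 'not-a-sequence' };
  for (const p of path) {
    if (!Number.isInteger(p) || p < 0 || p >= SIZE * SIZE) {
      return { ok: false, reason: 'point-out-of-range' };
    }
  }
  // Revisited points do not add to the minimum of four distinct points.
  if (new Set(path).size < MIN_POINTS) {
    return { ok: false, reason: 'too-few-points' };
  }
  const chosen = new Set([path[0]]);
  for (let i = 1; i < path.length; i++) {
    const between = pointsBetween(path[i - 1], path[i]);
    if (between === null) return { ok: false, reason: 'not-straight-line' };
    // A line may only cross points that were already chosen (no jumping).
    if (between.some((q) => !chosen.has(q))) {
      return { ok: false, reason: 'jumped-over-point' };
    }
    chosen.add(path[i]);
  }
  return { ok: true, reason: null };
}
```

Running the same check at registration and at login keeps malformed paths out of the stored data and out of the attempt counter.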

## 5. To verify secret drawing

Firstly, to select and answer to secret question; secondly, to create password using drawing; thirdly, to create graphical password using secret drawing.


As a result of integrating the sections cited above, a password containing many bits is created. The bit size differs depending on the characters chosen for the answers. The bit entropy is rated as for a traditional text-based password (if it is ≤28 bits, it is greatly weak; if it is ≤28–35 bits, weak; if it is ≤36–59 bits, probable; if it is ≤60–127 bits, strong; and if it is ≤128+ bits, greatly strong).

When users first register with the system, they pass the following steps: answering the secret questions, inserting a background image behind the blank grid and creating a password by drawing on it. To access the system, the user reproduces the previous 2 steps and verifies by reproducing the previous secret drawing. After every step is checked, the user can access the system successfully if all data are correct in the verification steps. If the access right is canceled after more than three attempts in any step, the user needs to create the password from the beginning. Although it is a strict requirement, it can provide security.

#### 5.1 Implementation and evaluation

We used JavaScript and node.js and developed on the Linux operating system. User ID, password and other associated data are saved in an SQLite database on the server side. The proposed CRS can be used in an information trading website and in the user authentication section of a trading chat room. We solved the problem and processed a scheme that is easy to use by improving the current password scheme and providing as much security as possible. The implementation consists of the following steps.

1. The user can select three of the optional questions and answer them.

2. The user finds an image from a search engine using an answer as a keyword.

3. The user selects only one image and inserts it as the background image.

4. A 5 × 5 grid consisting of 25 points is inserted on the background image.

5. For the probability of selecting overall points, the n-gram probability is estimated based on a Markov model.

6. Selected points will be estimated by probability of decreasing sequence.

7. We program under the scheme and estimate password strength according to the user study.

#### 5.2 Implementation interface

Our scheme will select intersection of two-dimensional coordinate pairs based on recall instead of cell. In this section, we will study start and end of safe pattern and sub-pattern, and then estimate through Shannon's entropy. Mono-grams will be probability of selected N-point on overall pattern to estimate entropy of start and end point. To estimate N-gram, we have estimated probability of X point appearing in entropy pattern or Nth using N-1 point and used (Figure 2).

The conditional entropy is estimated by Shannon's formula [21] ($F_N$: N-gram entropy).

$$F_N = -\sum_{i,j} p(b_{i,j}) \log_2 p(b_{i,j}) + \sum_i p(b_i) \log_2 p(b_i) \tag{1}$$

Figure 2. CRS: graphical password user interface. (a) User selects questions and answers, (b) most frequently drawn points, (c) few drawn points and (d) average drawn points.

Here, $b_i$ is an $(n-1)$-gram, $b_j$ is an arbitrary point which has not been chosen and $p(b_{i,j})$ is the N-gram probability of $b_{i,j}$. It can be marked from the upper left corner, represented as "0", like the modern Android phone lock. For example, it is expressed by the following formula if the bigram is $b_i$ = "01" and $b_j$ = "02".

$$p(b_{i,j}) = p(\text{"012"}) = \frac{\text{\# of occurrences of trigram "012"}}{\text{sum of occurrences of all trigrams}} \tag{2}$$

Guessing entropy [22, 23] is one metric that can be used to measure the strength of a (password) distribution. The method determines possible connections from the start point to the endpoint.
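Equations (1) and (2) can be evaluated directly from a set of recorded patterns. The following is an added example, not the authors' code: the sample patterns are constructed, points are numbered 0 to 24 from the upper left corner, and $p(b_i)$ is taken as the marginal of the N-gram table; all function names are hypothetical.

```javascript
// Added example: N-gram probability (Eq. 2) and conditional entropy (Eq. 1)
// for drawn patterns. Each pattern is an array of point numbers 0..24.

// Constructed sample data standing in for surveyed patterns.
const SAMPLE_PATTERNS = [
  [0, 1, 2, 3],
  [0, 1, 2, 7],
  [0, 1, 6, 11],
  [0, 5, 10, 15],
];

// Count every run of n consecutive points across all patterns.
function countNgrams(patterns, n) {
  const counts = new Map();
  for (const pattern of patterns) {
    for (let i = 0; i + n <= pattern.length; i++) {
      const key = pattern.slice(i, i + n).join(',');
      counts.set(key, (counts.get(key) || 0) + 1);
    }
  }
  return counts;
}

// Equation (2): occurrences of one n-gram over occurrences of all n-grams
// of the same length.
function ngramProbability(patterns, ngram) {
  const counts = countNgrams(patterns, ngram.length);
  let total = 0;
  for (const c of counts.values()) total += c;
  return total === 0 ? 0 : (counts.get(ngram.join(',')) || 0) / total;
}

// Sum of p * log2(p) over a table of counts (zero or negative).
function sumPLog2P(counts) {
  let total = 0;
  for (const c of counts.values()) total += c;
  let sum = 0;
  for (const c of counts.values()) {
    const p = c / total;
    sum += p * Math.log2(p);
  }
  return sum;
}

// Equation (1): F_N = -sum p(b_ij) log2 p(b_ij) + sum p(b_i) log2 p(b_i).
// Assumption: p(b_i) is the marginal of the N-gram table, so F_N >= 0.
function conditionalEntropy(patterns, n) {
  const joint = countNgrams(patterns, n);
  if (joint.size === 0) return 0;
  const prefix = new Map();
  for (const [key, c] of joint) {
    const pre = key.split(',').slice(0, n - 1).join(',');
    prefix.set(pre, (prefix.get(pre) || 0) + c);
  }
  return sumPLog2P(prefix) - sumPLog2P(joint);
}

// Shannon entropy of the start-point or end-point distribution, in bits.
function endpointEntropy(patterns, which) {
  const counts = new Map();
  for (const pattern of patterns) {
    if (pattern.length === 0) continue;
    const point = which === 'start' ? pattern[0] : pattern[pattern.length - 1];
    counts.set(point, (counts.get(point) || 0) + 1);
  }
  return 0 - sumPLog2P(counts);
}
```

On the constructed sample every pattern starts at the upper left point, so the start point contributes no entropy, which is the kind of bias Section 6.2 measures in the survey data.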

## 6. Used in research methodology

#### 6.1 Point selection (N-grams)

To create a password using our scheme, the overall 25 points are connected and marked by a sequence of lines. Thus, we concentrate on N-grams and establish the probability having the strongest feature. In general, it is assumed that an N-gram having enough probability is significant to estimate probability taken from [24].

For instance, when n = 2, we need to learn 25 × 24 = 600 values, and when n = 3 we need to learn, in terms of our scheme, 25 × 24 × 23 = 13,800 (slightly less than). Users usually created secret drawings using 15-gram and 16-gram probability. It was observed that the number of points chosen increased and the image was drawn with sufficiently long straight lines because of the inserted background image.

#### 6.2 Selecting start and end points

More than half of the research participants (51.1%) started from the upper left or the left side when choosing a start point. In addition, over half of our research participants chose the upper left point as the start point, which is related to their mother language being written from the upper left.

For all points having the same probabilities, the entropy of the start point is 2.35 bits compared to a maximum of log2 61.9 bits. Male participants selected car and football images, set them on the background image and chose an average of 18 spaces between start and end, which is much longer. Female participants selected flowers and a variety of brands, set them on the background image and chose few points (the average number of chosen points is 19.3). Regarding the choice of end point, they chose lower right points more than others, and the estimated value is 2.75 bits of entropy. From the survey, the most frequent path is between the upper left and bottom right points, which shows that we can estimate the points' averages.
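The estimates in Eqs. (1) and (2), the N-gram table sizes from Section 6.1 and the start-point entropy from Section 6.2 can be reproduced as follows. This is an added example, not the authors' code: the patterns are constructed sample data, points are numbered 0 to 24 from the upper left as an assumption, and $p(b_i)$ is taken as the marginal of the observed N-grams.

```python
"""N-gram entropy of drawn patterns, following Eqs. (1) and (2)."""
from collections import Counter
from math import log2, perm

GRID_POINTS = 25  # 5 x 5 intersections; numbering 0..24 from the upper left is an assumption

# Constructed sample data: each pattern is the ordered list of points a user connected.
SAMPLE_PATTERNS = [
    [0, 1, 2, 7, 12],
    [0, 1, 2, 3, 4],
    [0, 5, 10, 11, 12],
    [0, 1, 6, 11, 16],
    [4, 3, 2, 1, 0],
    [20, 15, 10, 5, 0],
    [0, 1, 2, 7, 8],
    [12, 13, 14, 19, 24],
]


def ngram_counts(patterns, n):
    """Count every run of n consecutive points over all patterns."""
    counts = Counter()
    for pattern in patterns:
        for k in range(len(pattern) - n + 1):
            counts[tuple(pattern[k:k + n])] += 1
    return counts


def ngram_probability(patterns, gram):
    """Eq. (2): occurrences of `gram` over occurrences of all n-grams of its length."""
    counts = ngram_counts(patterns, len(gram))
    total = sum(counts.values())
    return counts[tuple(gram)] / total if total else 0.0


def _entropy(counts):
    """Shannon entropy in bits of the distribution given by raw counts."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return -sum(c / total * log2(c / total) for c in counts.values())


def conditional_entropy(patterns, n):
    """Eq. (1): F_N = -sum p(b_i,j) log2 p(b_i,j) + sum p(b_i) log2 p(b_i)."""
    joint = ngram_counts(patterns, n)
    # p(b_i) is the marginal of the joint: sum over j of p(b_i, j).
    prefix = Counter()
    for gram, c in joint.items():
        prefix[gram[:-1]] += c
    return _entropy(joint) - _entropy(prefix)


def start_point_entropy(patterns):
    """Entropy in bits of the start-point distribution (mono-gram of first points)."""
    return _entropy(Counter(p[0] for p in patterns if p))


def ngram_table_size(n, points=GRID_POINTS):
    """Number of n-gram values to learn when a point cannot repeat inside the n-gram."""
    return perm(points, n)


if __name__ == "__main__":
    print("p('012')            =", ngram_probability(SAMPLE_PATTERNS, (0, 1, 2)))
    print("start-point entropy =", round(start_point_entropy(SAMPLE_PATTERNS), 3),
          "bits, uniform maximum =", round(log2(GRID_POINTS), 3))
    for n in (1, 2, 3):
        print(f"F_{n} = {conditional_entropy(SAMPLE_PATTERNS, n):.3f} bits,",
              "table size =", ngram_table_size(n))
```

A start-point entropy far below the uniform maximum, or an F_N that drops quickly as N grows, means the next point is largely predictable from the previous ones, so the effective strength is lower than the theoretical password space suggests.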

#### 6.3 Measure strength of password

Our password scheme consists of a combination of character and graphical passwords and creates a strong password, longer than 128 bits, by adding the length of the user's answered characters. Many researchers have aimed at measuring password strength using a variety of measuring methods. Thus, we measured the password entropy of the text-based and graphical passwords separately.

$$H = \log_2 N^L = L \log_2 N = L \frac{\log N}{\log 2} \tag{3}$$


DOI: http://dx.doi.org/10.5772/intechopen.84156


Password entropy measures how impossible a password is to predict and favours longer passwords based on characters (lowercase, uppercase and special characters). The strength of an optional password is measured by information entropy. Furthermore, the number of possible passwords is expressed with log2, and every character of the password is processed independently. Therefore, the information entropy of an optional password is estimated by the H-formula in Eq. (3) [25].

In Eq. (3), N is the number of possible characters, L is the number of characters in the password string and H is the measurement in bits.

#### 6.4 To encode graphical password and full password space

The user-drawn image is encoded as a sequence of intersections represented by two-dimensional coordinate pairs. The intersection points passed through with the mouse are numbered with values from 1 to 25.

The length of a password is the number of coordinate pairs, excluding pen-ups, in the password encoding. Starting from a password of length L, a new password of length L + 1 is made by adding one point (P2) or by extending the last point by one unit in any of at least 3 and at most 8 directions. When L = 1, the password has the minimal length.

$$PS \le S1 + S2 + S3 + DP(n) \tag{4}$$

PS is the size of the full password space, S1, S2 and S3 are sizes of the textual passwords from users' responses to random challenges, and DP(n) is the size of the graphical password space.

## 7. CRS-new graphical password scheme evaluation

Since it is difficult to assess the security of a graphical password, we studied the usage side and report the results of a survey conducted on our scheme. Because of it, users can choose numerous points to create a password, and the chance of it being guessed by attackers decreases.

We chose participants from foreign students living on the school campus using a data collection method and gave them instructions on how to carry out the work before conducting the survey. Participants then accessed the system located in the local network and created the graphical password that is used to pass into the trading chat room. We report the demographic survey of all participants and their graphical password creation. A total of 50 participants aged from 25 to 55 were enrolled in our survey; they worked and spent over 8 hours in a computer-related internet environment.

#### 7.1 Login time


We estimated the average overall time spent when all participants accessed the login and verification system. Users spend on average 2.6 minutes each day unlocking their devices, as presented by Harbach et al. [26]. Thus, based on the survey, we assumed that 3 minutes are enough to pass into the trading chat room and verify. Depending on ability of computer usage, we excluded participants who spent more than 3 minutes from the survey result.

In addition, for the three answers that participants chose and gave to the questions in the first step, the maximum is 191.3 bits and the minimum for the three questions is 23 bits. We divided the participants' created passwords into long and short groups and studied password length using the Kruskal-Wallis test [27] in terms of changes in successful login. Consequently, the short secret has H(5) = 19.31, p < .02 significance and the long secret has H(5) = 15.91, p < .04 significance.

When classifying participants by sex and comparing the length of the straight lines drawn in the graphical secret, males created lines with an average length of 18 whereas females created lines with an average length of 19.3. Participants chose 15-grams and 20-grams to create the secret drawing, and the maximum repetition of a 15-gram is 14%. The average time for participants to create a secret is estimated at 1.08 sec. The maximum is 2.5 minutes while the minimum is 0.30 sec.

#### 7.2 Success rate

Due to the aggregate attempts from an individual, the success rate is determined on average with successful logins. When participants re-registered and verified 15 minutes after creating the secret successfully, different results were revealed. The total time to recall the authentication is within 3 minutes, and a maximum of three attempts to insert the password is allowed in every verification section. Participants recalled differently across the three verification sections: 38% recalled on the first access, 30% on the second access and 16% on the third access, while 16% of participants could not pass within the allowed number of accesses.

#### 7.3 Password strength

The theoretical password space of a graphical password scheme is a security strength indicator defined by the total number of possible passwords. Recall schemes based on drawing shapes have been shown to suffer from tentative patterns [7, 28].

In the survey cited above, we suggested that the bit entropy must be high to secure a password used in a system against attackers. Therefore, we show the recall entropy bits of our new graphical password scheme (Figure 3).

Figure 3. Recall entropy bits and user number.

Table 1 shows the total bit capacity of graphical passwords based on recall and of the traditional textual password by comparing them. For instance, when we choose a textual password that has a maximum of 28 characters, it is worth 129 bits. The maximum capacity of the recall-based DAS scheme was 96.2 bits, while the maximum capacity of the BDAS model was 76 bits. The maximum capacity of the Pass-go model, developed by improving the DAS model based on initial recalling, is 256 bits. Our CRS scheme was developed by combining the advantages of the above models and its maximum capacity is 271 bits. As a result, it can help to reduce the risk of attack.

#### Table 1.

Compare full graphical password bit space.

| | Textual password (95<sup>n</sup>) [13] | DAS [28] | BDAS [29] | Pass-go [5] | Proposed CRS scheme |
| --- | --- | --- | --- | --- | --- |
| Bits | 95<sup>28</sup> = 2<sup>129</sup> | 2<sup>96.2</sup> | 2<sup>76</sup> | 2<sup>256</sup> | ≤2<sup>271</sup> |

From this view, Table 1 shows the largest bit size for the CRS scheme. We suggested that bit entropy must be high to secure a password used in a system against attackers.

## 8. Conclusions

This chapter provides an introduction to graphical passwords, their study, a new type of graphical password design, its implementation and its results. For large systems, the main problem is secret verification. Indeed, it is something that is continually being developed to hammer out a solution. We proposed a graphical password that is based on the user's habits and interests, is easy to use and creates passwords with strong entropy bits. We studied the usability aspect of the CRS graphical password by providing users with it and monitoring their graphical password creation and utilization.

A total of 50 users participated in this study, and we analyzed the time they spent on CRS graphical password creation, how long they could remember it and the strength of the password. Thus, it can secure against a variety of attacks such as traceability of fingerprint smudges, dictionary, shoulder attack, brute force attack and so on. Our scheme can be used to provide password security for checking mail, social network messenger services, internet banking, websites of trading organizations, training websites and authentication of a variety of devices.

## Author details

Bulganmaa Togookhuu<sup>1</sup>, Wuyungerile Li<sup>2</sup>, Yifan Sun<sup>2</sup> and Junxing Zhang<sup>2</sup>\*

1 School of Engineering and Technology, Mongolian University of Life Sciences, Ulaanbaatar, Mongolia

2 College of Computer Science, Inner Mongolia University, Huhhot, Inner Mongolia, China

\*Address all correspondence to: junxing@imu.edu.cn

© 2019 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

## References

[1] Dirik AE, Birget. Modeling User Choice in the PassPoints Graphical Password Scheme. In: Symposium on Usable Privacy and Security (SOUPS); 2007

[2] Delprato D. Mind and its evolution: A dual coding theoretical approach. The Psychological Record. 2009;59(2): 295-300

[3] Jermyn I et al. The design and analysis of graphical passwords. In: The 8th USENIX Security Symposium; Washington, USA. 1999. pp. 1-15

[4] Noor Ain R, Singh D. Early learning malay vocabulary using speech technology: Dual code theory approach. In: Proceedings of the International Conference on Electrical Engineering and Informatics. 2011

[5] Tao H. Pass-Go: A New Graphical Password Scheme. Canada: Master of Applied Science, Electrical and Computer Engineering, University of Ottawa; 2006

[6] Davis D, Reiter K. On user choice in graphical password schemes. In: USENIX Security Symposium. 2004

[7] Wagner P. Cryptanalysis of a cognitive authentication scheme (extended abstract). In: IEEE Symposium on Security and Privacy. 2007

[8] Oorschot J et al. Graphical dictionaries and the memorable space of graphical passwords. In: USENIX Security Symposium. 2004

[9] Shokarev A, Kostyuchenko E. User authorization in the picture password system with application of digital watermarks. In: 2016 Dynamics of Systems, Mechanisms and Machines (Dynamics). 2016

[10] Ventura N et al. An approach password graphic for access control web. In: Conference on Information Systems and Technologies (CISTI). 2016


[11] Skinner G. Cyber security for younger demographics, a graphic based authentication and authorisation framework. In: IEEE Region 10 Conference (TENCON). 2016

[12] Dunphy P, Yan J. Do background images improve draw-a-secret graphical passwords. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS); New York, USA. 2007

[13] Shannon C. Prediction and entropy of printed English. Bell System Technical Journal. 1951;30(1):50-64

[14] Cachin C. Entropy measures and unconditional security in cryptography [PhD dissertation]. https://cachin.com/cc/papers/d.pdf

[15] Sebastian Uellenbeck MD. Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns, Publication Security, Human Factors, ACM, 978-1-4503-2477-9/13/11; 2013

[16] Wikipedia. Password Strength. Available from: https://en.wikipedia.org/wiki/Password_strength

[17] Marian H et al. A field study of smartphone (un)locking behavior and risk perception. In: Symposium on Usable Privacy and Security. Menlo Park, CA: USENIX Association; 2014

[18] Li L, Tsai M. Notice of retraction: A study on quality traceability of transmission assembling based on Kruskal-Wallis method. In: International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (QR2MSE). 2013


[19] Thorpe J, Salehi-Abari A. Usability and security evaluation of geo pass, a geographic location-password scheme. In: Symposium on Usable Privacy and Security (SOUPS); Newcastle, UK.


[20] Password Choosing and Using Security Questions. Available from: https://www.owasp.org/

[21] Shannon C. Prediction and entropy of printed English. Bell System Technical Journal. 1951;30(1):50-64

[22] Yan P. Do background images improve "draw a secret" graphical passwords? In: ACM Conference on Computer and Communications Security (CCS). 2007

[23] Bulganmaa T et al. New graphical password scheme containing questions-background-pattern and implementation. Procedia Computer Science. 2017;107:148-156

[24] Needham M. Prudent engineering for cryptographic protocols. IEEE Transactions on Software Engineering. 1996;22(1):6-15

[25] Karabey I, Akman G. A cryptographic approach for secure client—server chat application using public key infrastructure (PKI). In: International Conference for Internet Technology and Secured Transactions (ICITST). 2016

[26] Naman S, Khandelwal P. Two factor authentication using visual cryptography and digital envelope in Kerberos. In: International Conference on Electrical Electronics Signals Communication and Optimization (EESCO). 2015. pp. 1-6

[27] Micali S. Distributed split-key cryptosystem and applications, U.S. Patent No. 6026163; 2000

[28] Sudha M, Thanuja T. Randomly tampered image detection and self-recovery for a text document using Shamir secret sharing. In: IEEE International Conference on Recent Trends in Electronics, Information & Communication Technology (RTEICT). 2016

[29] Yang X, Xiao M. Verifiable secret sharing and distributed key generation based on hyperplane geometry. In: 2nd International Symposium on Dependable Computing and Internet of Things (DCIT). 2015

[30] Yingli Z. A Key Escrow Scheme to IOT Based on Shamir. ChengDu, China: Research Institute Electronic Science and Technology, University of Electronic Science and Technology of China; 2013

## *Edited by Branislav Sobota*

Computer graphics development is so quick that it has expanded from devices designed for military and top industrial applications to equipment for schools and households as common information media for education and entertainment. Computer graphics helps to mass expand computers and remove the barriers that ordinary people experience when working with them. In this book, modern approaches, procedures, algorithms, as well as devices in the area of light and colors, shading and lighting, realistic and photorealistic imaging, definition of graphical scenes or objects, and security based on graphical objects are presented. Graphical transformations and projections, spatial imaging, curves and surfaces, filling and texturing, image filtering, and virtual reality are also covered.

Published in London, UK © 2019 IntechOpen © Komjomo / iStock
