Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism
ABSTRACT:
This paper presents an integrated
evaluation of the Persuasive Cued Click-Points graphical password scheme,
including usability and security evaluations, and implementation
considerations. An important usability goal for knowledge-based authentication systems
is to support users in selecting passwords of higher security, in the sense of
being from an expanded effective security space. We use persuasion to influence
user choice in click-based graphical passwords, encouraging users to select
more random, and hence more difficult to guess, click-points.
EXISTING SYSTEM:
The problems of knowledge-based
authentication, typically text-based passwords, are well known. Users often create
memorable passwords that are easy for attackers to guess, but strong
system-assigned passwords are difficult for users to remember.
DISADVANTAGES OF EXISTING SYSTEM:
Although PassPoints is relatively
usable, security weaknesses make passwords easier for attackers to predict.
Hotspots are areas of the image that
have higher likelihood of being selected by users as password click-points.
Attackers who gain knowledge of these hotspots through harvesting sample
passwords can build attack dictionaries and more successfully guess PassPoints
passwords. Users also tend to select their click-points in predictable patterns
(e.g., straight lines), which can also be exploited by attackers even without knowledge
of the background image; indeed, purely automated attacks against PassPoints
based on image processing techniques and spatial patterns are a threat.
PROPOSED SYSTEM:
A password authentication system should
encourage strong passwords while maintaining memorability. We propose that
authentication schemes allow user choice while influencing users toward
stronger passwords. In our system, the task of selecting weak passwords (which
are easy for attackers to predict) is more tedious, discouraging users from
making such choices. In effect, this approach makes choosing a more secure
password the path of least resistance. Rather than increasing the burden on
users, it is easier to follow the system’s suggestions for a secure password—a
feature lacking in most schemes. We applied this approach to create the first
persuasive click-based graphical password system, Persuasive Cued
Click-Points (PCCP).
ADVANTAGES OF PROPOSED SYSTEM:
This systematic examination provides a
comprehensive and integrated evaluation of PCCP covering both usability and
security issues, to advance understanding as is prudent before practical deployment
of new security mechanisms.
Results show that PCCP is effective at
reducing hotspots (areas of the image where users are more likely to select click-points)
and avoiding patterns formed by click-points within a password, while still
maintaining usability.
MODULES:
Create Password interface Module
Shuffles Module
Password Entry Times Module
Varying System Parameters Module
Usability Results Module
MODULES DESCRIPTION:
Create Password interface Module
PCCP encourages users to select less
predictable passwords, and makes it more difficult to select passwords where
all five click-points are hotspots. Specifically, when users create a password,
the images are slightly shaded except for a viewport. The viewport is
positioned randomly, rather than specifically to avoid known hotspots, since
such information might allow attackers to improve guesses and could lead to the
formation of new hotspots. The viewport’s size is intended to offer a variety
of distinct points but still cover only an acceptably small fraction of all
possible points. Users must select a click-point within this highlighted viewport
and cannot click outside of the viewport, unless they press the shuffle button
to randomly reposition the viewport. While users may shuffle as often as
desired, this significantly slows password creation. The viewport and shuffle
button appear only during password creation. During later password entry, the
images are displayed normally, without shading or the viewport, and users may click
anywhere on the images.
Shuffles Module
During password creation, PCCP users may
press the shuffle button to randomly reposition the viewport. Fewer shuffles
lead to more randomization of click-points across users. The shuffle button was
used moderately. For example, since PCCP Lab passwords involved five images,
the mean number of shuffles per password would be 3 × 5 = 15. PCCP Lab study
users who shuffled a lot had higher login success rates than those who shuffled
little, and the result was statistically significant.
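The creation-time behaviour described in the Create Password interface and Shuffles modules, as an added Python example that is not the project's C# code. The 451x331 image size, the 75-pixel viewport edge, the use of a CSPRNG and all names are assumptions not given on this page.

```python
import secrets
from dataclasses import dataclass, field

IMG_W, IMG_H = 451, 331  # assumed image size in pixels
VIEW = 75                # assumed viewport edge in pixels
CLICKS = 5               # five click-points per password, as on this page


@dataclass(frozen=True)
class Viewport:
    left: int
    top: int

    def contains(self, x: int, y: int) -> bool:
        return (self.left <= x < self.left + VIEW
                and self.top <= y < self.top + VIEW)


def random_viewport() -> Viewport:
    # Uniform over every position that keeps the viewport fully on the image.
    # Placement ignores image content: steering away from known hotspots
    # would leak information and could create new hotspots.
    # Assumption of this example: positions come from a CSPRNG.
    return Viewport(secrets.randbelow(IMG_W - VIEW + 1),
                    secrets.randbelow(IMG_H - VIEW + 1))


def viewport_fraction() -> float:
    """Share of the image's pixels selectable without shuffling."""
    return (VIEW * VIEW) / (IMG_W * IMG_H)


@dataclass
class CreationSession:
    points: list = field(default_factory=list)
    shuffles: int = 0
    viewport: Viewport = field(default_factory=random_viewport)

    def shuffle(self) -> None:
        # Allowed without limit, but each press costs the user time.
        self.shuffles += 1
        self.viewport = random_viewport()

    def click(self, x: int, y: int) -> bool:
        if len(self.points) >= CLICKS or not self.viewport.contains(x, y):
            return False  # outside the viewport, or password already complete
        self.points.append((x, y))
        if len(self.points) < CLICKS:
            self.viewport = random_viewport()  # fresh viewport for next image
        return True
```

Login is deliberately absent from `CreationSession`: the viewport exists only while the password is being created, so a login handler would accept clicks anywhere on the image.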
Password Entry Times Module
Times are reported in seconds for
successful password entry on the first attempt. For login and recall, we also report
the “entry time”: the actual time taken from the first click-point to the fifth
click-point. The analogous measure was not recorded for text passwords. During
password creation, this can partially be explained by participants who used the
shuffle mechanism repeatedly. During recall, this may be because PCCP
participants had to recall different passwords (since by design, it is
impossible to reuse PCCP passwords), whereas over half of Text participants
reused passwords or had closely related passwords, suggesting a reduced memory
load.
Varying System Parameters Module
Success rates were very high for login;
participants could successfully log in after a short time regardless of number
of click-points or image size.
Mean times for each condition are
generally elevated compared to times in the studies with smaller theoretical password
spaces. No clear pattern emerges in the times taken to create passwords. A
general increase in times can be seen in both the login and recall phases as
more click-points or larger images are used. As should be expected, participants
took much longer to reenter their passwords after two weeks (recall),
reflecting the difficulty of the task.
Usability Results Module
We first summarize the studies with
comparable theoretical password spaces (i.e., including PCCP 2wk S5). Overall, PCCP
has similar success rates to the other authentication schemes evaluated (CCP,
PassPoints, and text). PCCP password entry takes a similar time to the other
schemes in the initial lab sessions, but the results indicate longer recall
times for PCCP when recalling passwords beyond the initial session. Users who
shuffled more had significantly higher success rates in the PCCP Lab study, but
the difference in success rates between high and low shufflers was not
statistically significant for the two-week or web studies. Furthermore, users
reported favorable opinions of PCCP in post-task questionnaires.
HARDWARE REQUIREMENTS
• SYSTEM : Pentium IV 2.4 GHz
• HARD DISK : 40 GB
• FLOPPY DRIVE : 1.44 MB
• MONITOR : 15 VGA colour
• MOUSE : Logitech
• RAM : 256 MB
• KEYBOARD : 110 keys enhanced
SOFTWARE REQUIREMENTS
• Operating system : Windows XP Professional
• Front End : Microsoft Visual Studio .Net 2008
• Coding Language : C# .NET
• Database : SQL Server 2005
REFERENCE:
Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, and Paul C. van Oorschot,
“Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based
Authentication Mechanism”, IEEE Transactions on Dependable and Secure Computing,
Vol. 9, No. 2, March/April 2012.