Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information

Traditionally, picture-based password systems employ password objects (pictures/icons/symbols) as input during an authentication session, thus making them vulnerable to “shoulder-surfing” attack because the visual interface by function is easily observed by others. Recent software-based approaches a...

Bibliographic Details
Main Authors: Peng Foong Ho, Yvonne Hwei-Syn Kam, Mee Chin Wee, Yu Nam Chong, Lip Yee Por
Format: Article
Language: English
Published: Wiley 2014-01-01
Series: The Scientific World Journal
Online Access: http://dx.doi.org/10.1155/2014/838623
author Peng Foong Ho
Yvonne Hwei-Syn Kam
Mee Chin Wee
Yu Nam Chong
Lip Yee Por
collection DOAJ
description Traditionally, picture-based password systems employ password objects (pictures/icons/symbols) as input during an authentication session, thus making them vulnerable to “shoulder-surfing” attack because the visual interface by function is easily observed by others. Recent software-based approaches attempt to minimize this threat by requiring users to enter their passwords indirectly by performing certain mental tasks to derive the indirect password, thus concealing the user’s actual password. However, weaknesses in the positioning of distracter and password objects introduce usability and security issues. In this paper, a new method, which conceals information about the password objects as much as possible, is proposed. Besides concealing the password objects and the number of password objects, the proposed method allows both password and distracter objects to be used as the challenge set’s input. The correctly entered password appears to be random and can only be derived with the knowledge of the full set of password objects. Therefore, it would be difficult for a shoulder-surfing adversary to identify the user’s actual password. Simulation results indicate that the correct input object and its location are random for each challenge set, thus preventing frequency of occurrence analysis attack. User study results show that the proposed method is able to prevent shoulder-surfing attack.
format Article
id doaj-art-d145dc01ec7b4250a3c080ba186ff92c
institution OA Journals
issn 2356-6140
1537-744X
language English
publishDate 2014-01-01
publisher Wiley
record_format Article
series The Scientific World Journal
spelling doaj-art-d145dc01ec7b4250a3c080ba186ff92c
2025-08-20T02:19:55Z
eng
Wiley
The Scientific World Journal
2356-6140
1537-744X
2014-01-01
2014
10.1155/2014/838623
838623
Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information
Peng Foong Ho (0)
Yvonne Hwei-Syn Kam (1)
Mee Chin Wee (2)
Yu Nam Chong (3)
Lip Yee Por (4)
Faculty of Computer Science and Information Technology, University of Malaya, 50603 Lembah Pantai, Kuala Lumpur, Malaysia
Multimedia University, Jalan Multimedia, 63100 Cyberjaya, Selangor, Malaysia
Faculty of Computer Science and Information Technology, University of Malaya, 50603 Lembah Pantai, Kuala Lumpur, Malaysia
Faculty of Computer Science and Information Technology, University of Malaya, 50603 Lembah Pantai, Kuala Lumpur, Malaysia
Faculty of Computer Science and Information Technology, University of Malaya, 50603 Lembah Pantai, Kuala Lumpur, Malaysia
http://dx.doi.org/10.1155/2014/838623
title Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information
url http://dx.doi.org/10.1155/2014/838623