GRID-IMAGE PASSWORD BASED SCHEME: ENHANCING MEMORABILITY FEATURES OF PASSWORDS

Password authentication has become a widely recognized element of computer security practice, in which human users are confirmed as legitimate before they are given access to secure systems. Under this system, every user needs to recall their password correctly before access can be granted to the intended services or applications. Remembering secure passwords is an everyday problem for users because of individual memory limitations. In an effort to solve this problem, graphical passwords were presented as one promising authentication alternative that takes advantage of the superiority of pictures over text. The main objective of this study is to provide a comprehensive survey of an array of graphical password schemes, in different categories based on their common features, with the primary aim of identifying their memorability features, and to propose a new graphical authentication system with enhanced memorability features.


INTRODUCTION
Computer security is a critical issue for modern information systems because of their valuable contents and diverse day-to-day applications, namely banking, accounting and others. Consequently, they require some measures of control and protection to ensure reliability, integrity and other security goals. In order to achieve a reasonable level of protection, username-password methods have been widely used as the method of choice for identifying, authenticating and authorizing users by many banks, government and corporate bodies and even all websites on the internet. User identification is employed to identify a user to the system, while authentication proves the user's claimed identity as being right or wrong depending on the username and the corresponding password. To complete the user authentication process, authorization deals with the users' right to access resources once they are authenticated. The text-based password method was introduced in the 1960s as a security measure to restrict access to useful information to authorized users within a computer system setup or worldwide networked computers (Nielsen and Vedel, 2009).
Conversely, it is popularly known that text passwords are vulnerable and insecure because of a number of problems (Biddle et al., 2012; Lashkari et al., 2009). For this reason, other factors are used to complement and improve the security of text password mechanisms (Karnan et al., 2011; Tiwari et al., 2011; Vu et al., 2007). The main problem of text-based passwords is that users find it difficult to remember secure passwords, which are expected to be meaningless strings chosen from lower and upper case letters, digits and special symbols (Zhang et al., 2009). Intensive studies in this area have revealed that users tend to pick short passwords or passwords that are meaningful in favour of memorability (Biddle et al., 2012; Vu et al., 2007). Unfortunately, such meaningful strings are weak text passwords which can be easily guessed or broken by an attacker who strives maliciously to obtain legitimate users' passwords through dictionary attacks, keystroke logging, phishing, eavesdropping, shoulder surfing and other threats (Bonneau, 2012; Forget et al., 2010; Hafiz et al., 2008; Owens and Matthews, 2008).
Moreover, another easy method of restricting access to information to legitimate users through a knowledge-based authentication mechanism that does not require additional hardware is graphical passwords, where pictures are drawn via mouse or stylus to register passwords instead of text, so that passwords are less likely to be forgotten. This advantage comes from the capability of human memory, which retains graphical representations longer than text. In 1996, the idea of graphical passwords was conceived by Blonder as an alternative to text-based passwords for user identification (Almuairfi et al., 2011; Chiasson et al., 2007; Zhang et al., 2009). In this system, an image appears on the screen, then the user clicks with the help of a mouse or stylus on one or more chosen regions of the displayed image to create a password. A user can only be authenticated if the correct regions are clicked at a later stage.

Graphical Password Authentication Systems
Today, many graphical password systems which require the use of visual information to identify users are available in many forms and, to some extent, they provide the features required to overcome the password memorability problem for users in the user-friendly environments provided by the same graphical systems (Almuairfi et al., 2011). This is possible due to psychological theories that humans have a momentous competence to recall and to recognize visual information or images. In addition to making passwords easy to remember, graphical password methods must provide a desirable level of security to resist some basic attacks such as dictionary and brute-force attacks: an attacker must construct a bigger dictionary than for conventional textual passwords before these attacks can be successful (Zhao and Li, 2007).
Over the last decade, several graphical password systems have been proposed, with intensive studies on them. The available graphical password schemes are categorized in diverse forms. Table 1 below discusses a number of schemes that are relevant to our study in two categorizations. In a grid-based graphical system, the user typically draws and reproduces their password on a drawing grid to verify their identity (Nali and Thorpe, 2004; Tyagi et al., 2011). This approach is alphabet independent, which makes it equally accessible to users of any language (Jermyn et al., 1999). These systems exist in different forms, as illustrated in Table 1 below. Figure 1 shows the Drawing-A-Secret (DAS) scheme. Other implementation alternatives of the DAS scheme (Lin et al., 2007; Tao and Adams, 2008; Thorpe and Van Oorschot, 2004) are also represented in Fig. 1. In an image-based graphical system, by contrast, users typically draw and reproduce their passwords over some portion of, or the entire, picture/image for the purpose of authentication. These systems are in different forms (Wiedenbeck et al., 2005), as illustrated in Table 1. PassPoints is the image-based scheme adapted in our scheme and is illustrated in Fig. 2, which shows that a PassPoints password is a number of points selected by a user in an image that is displayed on the screen.

Merits and Demerits of Grid-Based Graphical Passwords
• A grid of size N×N is a simple and ordered structure consisting of equal cells, and each cell is denoted by two-dimensional discrete coordinates (x,y), a member of [1,N]×[1,N]
• Grid-based systems are recall-based algorithms; as such they rely on users' memory to provide the passwords correctly, without any cue from an image if a background image is not provided
• A user study conducted by revealed that it is difficult for users to draw their passwords with a mouse or stylus in 2D grid coordinates while maintaining the sequence at the same time
• Perfect drawing with a mouse or stylus without committing the fuzzy boundary problem is difficult
• Identifying the starting point for some drawings may be hard
• They are vulnerable to shoulder surfing attack when used in an open place
• The password space is almost infinite in DAS. The total number of possible passwords is larger than that of image-based systems

Table 1

| Grid-based schemes | Image-based schemes |
| --- | --- |
| Drawing-A-Secret (DAS) is the first of its kind. It was developed by Jermyn in 1999 as a graphical password on a grid background. In this system, passwords are pictures drawn on the cells of a 5×5 grid and identified by the coordinates of the cells. | In 1996, Blonder pioneered the idea of a graphical password scheme. In this scheme, the user clicks with a mouse or other device like a stylus on a few chosen regions in a single image-based background that appears on the screen, and a password is a number of clicks on these locations in a particular order. The scheme was limited to one pre-processed image. |
| The Passdoodle algorithm was proposed by Christopher et al. (2004). The scheme was based on the idea of handwritten designs or words, drawn with a pen onto a sensitive screen. Users are validated by tracing a doodle over a touch screen, which is then accepted or rejected by the system. | Dhamija and Perrig (2000) proposed the Déjà Vu system for the purpose of user authentication based on the Hash Visualization technique. Its design involved the use of random or non-describable abstract images, rather than photographs. In this scheme, the user selects a specific number of images from a larger set of images presented by a server. The user has to identify the pre-selected images to be authenticated. |
| In 2004, grid selection was proposed by Thorpe and Van Oorschot to strengthen security and increase the size of the password space of the DAS technique. The method, together with a zoom feature, enables the user to select a drawing grid. In this technique, a large scale grid is offered and a user is required to choose a small drawing grid and then draw the password. | PassPoints is a scheme that uses any kind of image provided by the system or chosen by the user, as an improvement over Blonder's scheme. This authentication scheme was developed by Wiedenbeck et al. (2005). In PassPoints, the image gives a cue and provides a large password space. |
| The Multi-grid scheme was designed by as an improvement of DAS. In this scheme, grid squares are not identical in size and shape, and the user draws a design on a display grid whose coordinates are used as the password. The aim of this scheme is to decrease the password centering effect and to increase the password strength in the user-friendly environment of the scheme. | The Passlogix V-GO system is one of the password schemes based on Blonder's technique, developed by Passlogix and Microsoft on a large scale. To create a password with V-GO, a user can click on a number of items in a single image in a particular sequence. |
| Pass-Go was motivated by an old Chinese game, Go. The scheme was proposed by Tao in 2006 as an improvement of DAS. The user selects intersections on a 9×9 grid instead of cells as in the case of DAS. The use of intersections as against cells allows the user to use passwords from a greater password space (256 bits for the most basic scheme) and provides better usability than DAS. | "Passfaces" is a graphical password technique developed by Real User Corporation. In the scheme, the users are expected to choose any four images of human faces from a face database as their future password. The user is authenticated if he/she correctly identifies the four faces in four different rounds. |
| Qualitative Draw-A-Secret (QDAS) was made by Lin et al. (2007) as an improvement of DAS to solve shoulder surfing (Tyagi et al., 2011). QDAS introduces qualitative spatial descriptions of strokes and the use of dynamic grid transformations that distinguish it from its DAS counterpart. With these features, users could set strong secrets that do not impose a load on long-term memory and that are resistant to shoulder surfing. | The Story scheme was proposed by Davis et al. (2004) and is an improvement over Passfaces. In the Story scheme, a user's password is a sequence of k images selected by the user to make a story. The scheme offered better security because users select random images that are not related to them, unlike human faces. |

Merits and Demerits of Image-Based Graphical Passwords
• Studies reveal that image-based passwords are very easy to remember because users have the competency to remember images. Image-based methods provide a superior set of memorability features, especially images that are meaningful to users
• Users could be biased in making their passwords, being highly influenced by their gender, race and the attractiveness of the image in use
• A low-detail image could have scanty clickable points, which ultimately results in a small password space, making the system vulnerable to password brute-force and guessing attacks, while an image with a high-detail scene has hundreds of clickable points, which translate to a larger password space and make a chosen password difficult to guess and observe
• Image-based graphical passwords require techniques for controlling the tolerance error in order to avoid mis-selected click points or passwords and to have an efficient system
• Every image has some regions that are more attractive than the others, and users tend to click on such regions to form their passwords. Any image with too many attractive locations may cause hotspot, dictionary and targeted attacks

Proposed Scheme
To enhance graphical passwords, we have developed a grid-image-based graphical password system. The system involves two 5×5 matrices which are adapted from image-based and grid-based methods, and the technique aims at enhancing graphical authentication in terms of memorability and better security by reducing the possibility of occurrence of the shoulder surfing problem. Our adaptation is influenced by taking the merits of both methods and the possibility of enhancement. This new system involves two main steps, namely the registration and authentication phases, and each phase has activities that should be performed. In the first step of the registration phase, users are required to select one event from a list of ten everyday events, which then appears over the grid. The event provides autobiographical memory (Adebola et al., 2013), which serves as a cue to see whether users can set more complicated passwords and to know whether the event helps the user to remember them during the authentication phase. The grid divides the image into 5×5, which is 25 parts where passwords are drawn. In the second step of this phase, users enter their username and click their passwords on the grid, then save the passwords to a MySQL database over an extended period of time. Figure 3 illustrates the activities during the registration phase.
During the login process, the user will be presented with Fig. 4 from the database after entering the username correctly. The user enters any five cells corresponding to his/her passwords via an on-screen pad without touching the screen, to avoid shoulder surfing, because the image in the grid and the passwords are directly seen by anxious and malicious observers when they are being used. Figure 4 illustrates a user entering "24533163613" from the randomly generated digits as his password. The passwords selected must correspond to the selected cells highlighted in Fig. 4. Once that happens the login is successful; otherwise the login is unsuccessful.
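The registration and login steps described above can be sketched as follows; this is an added example, not the authors' implementation, and every function name in it is hypothetical. It assumes that each cell receives a distinct random two-digit label per login (the label format in Fig. 4 is not given in the text), that the order of the five cells matters, and that the database holds a salted PBKDF2 verifier rather than the clicked cells themselves.

```python
import hashlib
import hmac
import secrets

CELLS = 25       # 5x5 grid, cells indexed 0..24 row by row
PASS_LEN = 5     # five cells per password (order assumed to matter)
ITERATIONS = 100_000

def _digest(cells, salt):
    return hashlib.pbkdf2_hmac("sha256", bytes(cells), salt, ITERATIONS)

def enroll(cells, salt=None):
    """Registration: return (salt, verifier) to store instead of the raw cells."""
    if len(cells) != PASS_LEN or any(not 0 <= c < CELLS for c in cells):
        raise ValueError("password must be five cells of the 5x5 grid")
    salt = salt or secrets.token_bytes(16)
    return salt, _digest(cells, salt)

def new_challenge(rng=None):
    """Login: give every cell a distinct random two-digit label (assumed format)."""
    rng = rng or secrets.SystemRandom()
    return [str(n) for n in rng.sample(range(10, 100), CELLS)]

def response_for(cells, challenge):
    """What the legitimate user types on the on-screen pad for this challenge."""
    return "".join(challenge[c] for c in cells)

def decode(typed, challenge):
    """Map typed digits back to cell indices; None if length or a label is wrong."""
    if len(typed) != 2 * PASS_LEN:
        return None
    index = {label: i for i, label in enumerate(challenge)}
    cells = [index.get(typed[i:i + 2]) for i in range(0, len(typed), 2)]
    return None if None in cells else cells

def verify(typed, challenge, salt, verifier):
    """Accept only if the decoded cells hash to the stored verifier."""
    cells = decode(typed, challenge)
    if cells is None:
        return False
    return hmac.compare_digest(_digest(cells, salt), verifier)

if __name__ == "__main__":
    secret = [3, 7, 12, 18, 24]                  # constructed sample password
    salt, verifier = enroll(secret)
    first, second = new_challenge(), new_challenge()
    typed = response_for(secret, first)
    print("same login:", verify(typed, first, salt, verifier))
    print("replayed on next login:", verify(typed, second, salt, verifier))
```

With five ordered cells on a 25-cell grid there are at most 25^5 = 9,765,625 possible passwords, so a stolen verifier is cheap to search offline and login rate limiting carries most of the guessing resistance.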

CONCLUSION
Today, a good number of graphical password schemes are available, but each has its advantages and limitations. In this study, we have conducted a comprehensive survey of existing password techniques in two main classifications to identify their strengths and weaknesses. From the study, we have proposed a graphical authentication system which is based on users' day-to-day events to improve the memorability of any chosen passwords on this system and reduce the users' memory load. The present study is limited to system implementation, while our future action plan is to conduct a comparative evaluation of the system and a user satisfaction survey.

ACKNOWLEDGMENT
The researchers would like to express their appreciation to Universiti Teknologi Malaysia (UTM) for providing an enabling environment for research.