Since conventional password schemes are vulnerable to shoulder surfing, many shoulder surfing resistant graphical password schemes have been proposed. However, as most users are more familiar with textual passwords than pure graphical passwords, text-based graphical password schemes have been proposed. Unfortunately, none of existing text-based shoulder surfing resistant graphical password schemes is both secure and efficient enough. In this paper, we propose an improved text-based shoulder surfing resistant graphical password scheme by using colours.
In the proposed scheme, the user can easily and efficiently login system. Next, we analyze the security and usability of the proposed scheme, and show the resistance of the proposed scheme to shoulder surfing and accidental login. The shoulder surfing attack in an attack that can be performed by the adversary to obtain the user’s password by watching over the user’s shoulder as he enters his password. As conventional password schemes are vulnerable to shoulder surfing, Sobrado and Birget proposed three shoulder surfing resistant graphical password schemes. Since then, many graphical password schemes with different degrees of resistance to shoulder surfing have been proposed and each has its pros and cons.
The alphabet used in the proposes scheme contains 16 characters, including 8 lower case alphabets from a to h & 8 numerical from 1-8.
The proposed scheme involves two phases, the registration phase and the login phase, which can be described as in the following
- Registration Phase:
The user has to set his textual password K of length L (4=L=8) characters, and choose one colour as his pass-colour from 8 colours assigned by the system. The remaining 7 colours not chosen by the user are his decoy-colours. And, the user has to register an e-mail address for re-enabling his disabled account. The registration phase should proceed in an environment free of shoulder surfing. The system stores the user’s textual password in the user’s entry in the password table, which should be encrypted by the system.
- Login Phase:
The user requests to login the system, and the system displays a circle composed of 8 equally sized sectors. The colours of the arcs of the 8 sectors are different, and each sector is identified by the colour of its arc, e.g., the red sector is the sector of red arc. Initially, 16 characters are placed averagely and randomly among these sectors. All the displayed characters can be simultaneously rotated into either the adjacent sector clockwise by clicking the “clockwise” button once or the adjacent sector counter clockwise by clicking the “anti-clockwise” button once