S3PAS: A Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme

The vulnerabilities of textual passwords are well known. Users tend to pick short passwords or passwords that are easy to remember, which makes the passwords easy for attackers to break. Furthermore, textual passwords are vulnerable to shoulder-surfing, hidden-camera and spyware attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder-surfing. In this paper, we propose a Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme (S3PAS). S3PAS seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder-surfing, hidden-camera and spyware attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles. Moreover, it is immune to brute-force attacks through dynamic and volatile session passwords. S3PAS shows significant potential for bridging the gap between conventional textual passwords and graphical passwords. Further enhancements of the S3PAS scheme are proposed and briefly discussed. A theoretical analysis of the security level of S3PAS is also presented.