Against Spyware Using CAPTCHA in Graphical Password Scheme

Text-based password schemes have inherent security and usability problems, which has led to the development of graphical password schemes. However, most of these alternative schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart), that retains the advantages of graphical password schemes while simultaneously raising the adversary's cost by orders of magnitude. Furthermore, some preliminary experiments are conducted, and the results indicate that the usability should be improved in future work.
