Thursday, 17 September 2015

Shoulder Surfing Defence for Recall-based Graphical Passwords

The paper (Zakaria et al., SOUPS 2011, linked below) studies shoulder surfing defences for recall-based graphical password systems such as Draw-A-Secret (DAS) and Background Draw-A-Secret (BDAS).

A DAS password is a free-form picture drawn on an N x N grid. The grid cells are addressed by discrete rectangular coordinates (x, y), and the system records, in order, which cells the user's drawing crosses. A password is therefore stored as a sequence of coordinate pairs, for example: (2,2); (3,2); (3,3); (2,3); (2,2); (2,1); (5,5), where (5,5) is a coordinate that lies outside the grid and serves as the "pen-up" indicator marking the end of a stroke. Because the secret is exactly what appears on the screen while it is being drawn, an observer who watches the screen sees the password; the three defences below all try to limit how much of the drawing is on screen at any one moment.

Decoy strokes. As the user draws a stroke, the screen shows only points rather than the stroke itself: the intersections of the stroke with the grid lines, plus the stroke's start and end points. These points are generated as the user draws. The technique is not applied while the user is setting the password; it is applied during the login session, when the user enters the password to authenticate.

Disappearing strokes. Each stroke is removed from the screen after it has been drawn. The idea is that the password information of an individual stroke is removed, which gives the attacker less time to commit the image to memory. The defence is intended for both passwords made of several strokes and passwords consisting of one long stroke, although it is expected to work better for the former. A stroke is wiped only after the user has finished drawing that particular stroke (i.e. when the stylus is lifted from the screen); this is implemented with a timer that removes the stroke a fixed period after the pen-up event.

Line snaking. This defence targets shoulder surfing of passwords that consist of a single long stroke, where the disappearing-strokes timer would leave the whole stroke visible until the pen is lifted. Stroke information is instead removed from the long stroke while it is still being drawn: the tail of the stroke "snakes away" behind the pen. The variable factor for this defence is the speed at which the drawn stroke disappears from the screen.
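The following Python model is an added illustration, not code from the paper, covering both the DAS recording of a drawing as a cell sequence with an off-grid pen-up marker and the display windows of the disappearing-strokes and line-snaking defences. Grid size, cell size, timings, the interpolation step and the sample stroke are all assumed; the sample stroke is constructed so that it reproduces the coordinate sequence quoted above. The final function measures how many cell crossings are on screen at once under each defence, which is what a shoulder surfer can capture in a single glance.

```python
"""Worked model of DAS encoding and two display-side shoulder-surfing defences
(disappearing strokes, line snaking). Added illustration, not the authors'
code; grid size, cell size, timings and sample data are assumptions."""
import math
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Point = Tuple[float, float]
Cell = Tuple[int, int]


def cell_of(p: Point, cell_size: float) -> Cell:
    """Map a canvas coordinate to the 1-based (column, row) grid cell holding it."""
    return (int(p[0] // cell_size) + 1, int(p[1] // cell_size) + 1)


def cells_crossed(points: List[Point], n: int, cell_size: float) -> List[Cell]:
    """Cells crossed by a polyline, in order, consecutive repeats collapsed.
    Segments are interpolated (assumed step: a quarter cell) so a fast pen that
    skips input samples still records every cell it passed through."""
    cells: List[Cell] = []
    step = cell_size / 4.0
    for i, p in enumerate(points):
        if i == 0:
            samples = [p]
        else:
            q = points[i - 1]
            k = max(1, math.ceil(math.dist(q, p) / step))
            samples = [(q[0] + (p[0] - q[0]) * j / k, q[1] + (p[1] - q[1]) * j / k)
                       for j in range(1, k + 1)]
        for s in samples:
            c = cell_of(s, cell_size)
            if not (1 <= c[0] <= n and 1 <= c[1] <= n):
                raise ValueError(f"point {s} lies outside the {n}x{n} grid")
            if not cells or cells[-1] != c:
                cells.append(c)
    return cells


def encode_das(strokes: List[List[Point]], n: int, cell_size: float) -> List[Cell]:
    """DAS recording: the cells crossed by each stroke, each stroke terminated by
    the pen-up marker (n+1, n+1), a coordinate that cannot be a grid cell."""
    pen_up: Cell = (n + 1, n + 1)
    seq: List[Cell] = []
    for stroke in strokes:
        seq.extend(cells_crossed(stroke, n, cell_size))
        seq.append(pen_up)
    return seq


@dataclass
class TimedStroke:
    points: List[Point]
    times: List[float]        # timestamp of each input sample, non-decreasing
    pen_up: Optional[float]   # time of the pen-up event, None while still drawing


def visible_disappearing(s: TimedStroke, now: float, hold: float) -> List[Point]:
    """Disappearing strokes: the whole stroke stays on screen until `hold`
    seconds after pen-up, then is wiped at once (the paper's timer)."""
    if s.pen_up is not None and now >= s.pen_up + hold:
        return []
    return [p for p, t in zip(s.points, s.times) if t <= now]


def visible_snaking(s: TimedStroke, now: float, window: float) -> List[Point]:
    """Line snaking: only the part drawn in the last `window` seconds is shown;
    older parts snake away while the pen is still down. The paper varies the
    snaking speed; at constant pen speed that is modelled here as a time window."""
    return [p for p, t in zip(s.points, s.times) if now - window < t <= now]


def max_cells_exposed(s: TimedStroke, n: int, cell_size: float,
                      visible: Callable[[TimedStroke, float], List[Point]]) -> int:
    """Largest number of cell crossings on screen at any sample instant, i.e.
    the most an observer could capture in one glance under a given defence."""
    return max(len(cells_crossed(visible(s, now), n, cell_size)) for now in s.times)


N, CELL = 4, 10.0
# Constructed sample: one stroke through the centres of cells
# (2,2) -> (3,2) -> (3,3) -> (2,3) -> (2,2) -> (2,1), one sample per second.
SAMPLE = TimedStroke(
    points=[(15, 15), (25, 15), (25, 25), (15, 25), (15, 15), (15, 5)],
    times=[0.0, 1.0, 2.0, 3.0, 4.0, 5.0],
    pen_up=5.0,
)

if __name__ == "__main__":
    print("DAS encoding:", encode_das([SAMPLE.points], N, CELL))
    print("disappearing, worst glance:",
          max_cells_exposed(SAMPLE, N, CELL, lambda s, t: visible_disappearing(s, t, 1.0)))
    print("snaking, worst glance:",
          max_cells_exposed(SAMPLE, N, CELL, lambda s, t: visible_snaking(s, t, 1.5)))
```

Under the disappearing-strokes timer the single long stroke is fully visible (all six cell crossings) until the hold expires, which is exactly the weakness the line-snaking defence addresses: with a 1.5 s snaking window no glance ever shows more than two crossings of the same stroke.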

https://cups.cs.cmu.edu/soups/2011/proceedings/a6_Zakaria.pdf

