Captcha as graphical passwords - A new security primitive based on hard AI problems

IEEE Transactions on Information Forensics and Security

Volumn 9, Issue 6, 2014, Pages 891-904

  Zhu, Bin B ^a   Yan, Jeff ^b   Bao, Guanbo ^c   Yang, Maowei ^d   Xu, Ning ^a  

^a MICROSOFT RESEARCH ASIA   (China)

^b NEWCASTLE UNIVERSITY   (United Kingdom)

^c INSTITUTE OF AUTOMATION   (China)

^d SICHUAN UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

ELECTRONIC MAIL FILTERS;

GRAPHICAL PASSWORD; GUESSING ATTACKS; MATHEMATICAL PROBLEMS; ON-LINE SECURITIES; SECURITY AND USABILITIES; SECURITY PRIMITIVES; SECURITY PROBLEMS; WEAK PASSWORDS;

AUTHENTICATION;

EID: 84899893060     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2014.2312547     Document Type: Article

References (44)

1. R. Biddle, S. Chiasson, and P. C. van Oorschot, "Graphical passwords: Learning from the first twelve years," ACM Comput. Surveys, vol. 44, no. 4, 2012.
2. (2012, Feb.). The Science Behind Passfaces [Online]. Available: http://www.realuser.com/published/ScienceBehindPassfaces.pdf
3. I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The design and analysis of graphical passwords," in Proc. 8th USENIX Security Symp., 1999, pp. 1-15.
4. H. Tao and C. Adams, "Pass-Go: A proposal to improve the usability of graphical passwords," Int. J. Netw. Security, vol. 7, no. 2, pp. 273-292, 2008.
5. S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudinal evaluation of a graphical password system," Int. J. HCI, vol. 63, pp. 102-127, Jul. 2005. (Pubitemid 40753495)
6. P. C. van Oorschot and J. Thorpe, "On predictive models and userdrawn graphical passwords," ACM Trans. Inf. Syst. Security, vol. 10, no. 4, pp. 1-33, 2008.
7. K. Golofit, "Click passwords under investigation," in Proc. ESORICS, 2007, pp. 343-358.
8. A. E. Dirik, N. Memon, and J.-C. Birget, "Modeling user choice in the passpoints graphical password scheme," in Proc. Symp. Usable Privacy Security, 2007, pp. 20-28. (Pubitemid 350229376)
9. J. Thorpe and P. C. van Oorschot, "Human-seeded attacks and exploiting hot spots in graphical passwords," in Proc. USENIX Security, 2007, pp. 103-118.
10. P. C. van Oorschot, A. Salehi-Abari, and J. Thorpe, "Purely automated attacks on passpoints-style graphical passwords," IEEE Trans. Inf. Forensics Security, vol. 5, no. 3, pp. 393-405, Sep. 2010.
11. P. C. van Oorschot and J. Thorpe, "Exploiting predictability in clickbased graphical passwords," J. Comput. Security, vol. 19, no. 4, pp. 669-702, 2011.
12. T. Wolverton. (2002, Mar. 26). Hackers Attack eBay Accounts [Online]. Available: http://www.zdnet.co.uk/news/networking/2002/03/26/hackers-attack- ebay-accounts-2107350/
13. HP TippingPoint DVLabs, Vienna, Austria. (2010). Top Cyber Security Risks Report, SANS Institute and Qualys Research Labs [Online]. Available: http://dvlabs.tippingpoint.com/toprisks2010
14. B. Pinkas and T. Sander, "Securing passwords against dictionary attacks," in Proc. ACM CCS, 2002, pp. 161-170.
15. P. C. van Oorschot and S. Stubblebine, "On countering online dictionary attacks with login histories and humans-in-the-loop," ACM Trans. Inf. Syst. Security, vol. 9, no. 3, pp. 235-258, 2006. (Pubitemid 44728674)
16. M. Alsaleh, M. Mannan, and P. C. van Oorschot, "Revisiting defenses against large-scale online password guessing attacks," IEEE Trans. Dependable Secure Comput., vol. 9, no. 1, pp. 128-141, Jan./Feb. 2012.
17. L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, "CAPTCHA: Using hard AI problems for security," in Proc. Eurocrypt, 2003, pp. 294-311.
18. S. Chiasson, P. C. van Oorschot, and R. Biddle, "Graphical password authentication using cued click points," in Proc. ESORICS, 2007, pp. 359-374.
19. S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot, "Influencing users towards better passwords: Persuasive cued click-points," in Proc. Brit. HCI Group Annu. Conf. People Comput., Culture, Creativity, Interaction, vol. 1. 2008, pp. 121-130.
20. D. Davis, F. Monrose, and M. Reiter, "On user choice in graphical password schemes," in Proc. USENIX Security, 2004, pp. 1-11.
21. R. Dhamija and A. Perrig, "Déjà Vu: A user study using images for authentication," in Proc. 9th USENIX Security, 2000, pp. 1-4.
22. D. Weinshall, "Cognitive authentication schemes safe against spyware," in Proc. IEEE Symp. Security Privacy, May 2006, pp. 300-306.
23. P. Dunphy and J. Yan, "Do background images improve 'Draw a Secret' graphical passwords," in Proc. ACM CCS, 2007, pp. 1-12.
24. P. Golle, "Machine learning attacks against the Asirra CAPTCHA," in Proc. ACM CCS, 2008, pp. 535-542.
25. B. B. Zhu et al., "Attacks and design of image recognition CAPTCHAs," in Proc. ACM CCS, 2010, pp. 187-200.
26. J. Yan and A. S. El Ahmad, "A low-cost attack on a microsoft CAPTCHA," in Proc. ACM CCS, 2008, pp. 543-554.
27. G. Mori and J. Malik, "Recognizing objects in adversarial clutter," in Proc. IEEE Comput. Society Conf. Comput. Vis. Pattern Recognit., Jun. 2003, pp. 134-141.
28. G. Moy, N. Jones, C. Harkless, and R. Potter, "Distortion estimation techniques in solving visual CAPTCHAs," in Proc. IEEE Comput. Soc. Conf. Comput. Vis. Pattern Recognit., Jul. 2004, pp. 23-28.
29. K. Chellapilla, K. Larson, P. Simard, and M. Czerwinski, "Computers beat humans at single character recognition in reading-based human interaction proofs," in Proc. 2nd Conf. Email Anti-Spam, 2005, pp. 1-3.
30. K. Chellapilla, K. Larson, P. Simard, and M. Czerwinski, "Building segmentation based human-friendly human interaction proofs," in Proc. 2nd Int. Workshop Human Interaction Proofs, 2005, pp. 1-10.
31. J. Elson, J. R. Douceur, J. Howell, and J. Saul, "Asirra: A CAPTCHA that exploits interest-aligned manual image categorization," in Proc. ACM CCS, 2007, pp. 366-374.
32. R. Lin, S.-Y. Huang, G. B. Bell, and Y.-K. Lee, "A new CAPTCHA interface design for mobile devices," in Proc. 12th Austral. User Inter. Conf., 2011, pp. 3-8.
33. N. Joshi. (2009, Nov. 29). Koobface Worm Asks for CAPTCHA [Online]. Available: http://blogs.mcafee.com/mcafee-labs/koobface-worm-asksfor-CAPTCHA
34. M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage, "Re: CAPTCHAs-Understanding CAPTCHA-Solving Services in an Economic Context," in Proc. USENIX Security, 2010, pp. 435-452.
35. M. Szydlowski, C. Kruegel, and E. Kirda, "Secure input for web applications," in Proc. ACSAC, 2007, pp. 375-384.
36. G. Wolberg, "2-pass mesh warping," in Digital Image Warping. Hoboken, NJ, USA: Wiley, 1990.
37. HP TippingPoint DVLabs, New York, NY, USA. (2011). The Mid-Year Top Cyber Security Risks Report [Online]. Available: http://h20195.www2.hp.com/v2/GetPDF. aspx/4AA3-7045ENW.pdf
38. S. Kim, X. Cao, H. Zhang, and D. Tan, "Enabling concurrent dual views on common LCD screens," in Proc. ACM Annu. Conf. Human Factors Comput. Syst., 2012, pp. 2175-2184.
39. S. Li, S. A. H. Shah, M. A. U. Khan, S. A. Khayam, A.-R. Sadeghi, and R. Schmitz, "Breaking e-banking CAPTCHAs," in Proc. ACSAC, 2010, pp. 1-10.
40. H. Gao, X. Liu, S.Wang, and R. Dai, "A new graphical password scheme against spyware by using CAPTCHA," in Proc. Symp. Usable Privacy Security, 2009, pp. 760-767.
41. L. Wang, X. Chang, Z. Ren, H. Gao, X. Liu, and U. Aickelin, "Against spyware using CAPTCHA in graphical password scheme," in Proc. IEEE Int. Conf. Adv. Inf. Netw. Appl., Jun. 2010, pp. 1-9.
42. J. Bonneau, "The science of guessing: Analyzing an anonymized corpus of 70 million passwords," in Proc. IEEE Symp. Security Privacy, Jun. 2012, pp. 20-25.
43. John the Ripper Password Cracker [Online]. Available: http://www. openwall.com/john/
44. Openwall Wordlists Collection [Online]. Available: http://www. openwall.com/wordlists/