
Graphical Password Authentication

Nowadays, people do not go to a bank to make a transaction, to the electricity board to pay a bill, or to the railway station to make a train reservation. All these time-consuming, unproductive tasks have been simplified by the Internet (read more on how the Internet works). To carry out these tasks, everyone visits the respective portals or sites, or uses a smartphone app. There are many such areas where humans need to interact with computers, and these systems should be secured against cybercrime (read more on cybercrime). User authentication is the most fundamental component in all computer security systems.

Security practitioners and researchers have made efforts to protect systems and, correspondingly, individual users' digital assets. Because of increasing threats over the Internet and networked computer systems, there is a great need to prevent such activities. We use alphanumeric usernames and passwords for authentication, but studies show that users can only remember a limited number of passwords. They tend to note them down somewhere or reuse the same password for different accounts. In some cases, to avoid the complexity, users pick passwords that are simple and easy to remember.

Biometrics is one of the alternatives that increases security, but it requires a lot of investment. To take security to the next level, some researchers have developed authentication methods that use pictures as passwords or as a second level of authentication. So in this article we will deal with another alternative: using images as passwords. The image below is used for spam prevention as a second level of authentication.

[Figure: Mark five blocks where the mountain is visible]

Problems with Passwords:
Users have difficulty remembering complex, random passwords over time because of long-term memory limitations. A user is likely to forget a password that is not used regularly, as the memory is not "refreshed" or "activated" sufficiently. With multiple passwords, the user may either jumble the elements of the different passwords or confuse which system each one corresponds to. Users normally deal with password memory problems by decreasing the complexity and number of passwords, which reduces password security. A secure password should be 8 characters or longer and random, with upper-case characters, lower-case characters, digits, and special characters. Users ignore such recommendations, using instead short, simple passwords that are relatively easy to discover using dictionary attacks. Recent surveys have shown that users often choose short, alphabetic-only passwords consisting of the names of family members, friends, pets, etc. Users typically write down their passwords, sometimes share them with others, or use the same password for multiple systems.


Graphical passwords were first introduced by Blonder in 1996. A graphical password is an authentication system that allows users to select from images, in a specific order, presented in a graphical user interface (GUI). Graphical passwords can be remembered easily, as users remember images better than words. Graphical password techniques are categorized into two main classes: recall-based and recognition-based techniques.

  • Recognition Based System

In recognition-based techniques, authentication is done by challenging the user to identify the image or images that the user selected during the registration stage. Another name for recognition-based systems is search-metric systems. They generally require users to memorize a number of images during password creation and then, to log in, to identify their images among others. Humans have a unique ability to recognize images they have seen before, even those viewed very briefly. Recognition-based systems have been designed with both usability and security in mind. In some graphical password schemes, the system must retain knowledge of some details of the shared secret, i.e., user-specific profile data: in recognition schemes, for example, the system must know which images belong to a user's portfolio in order to display them.

The Sobrado and Birget scheme is a recognition-based system that displays a number of pass-objects (pre-selected by the user) among many other objects; the user clicks inside the convex hull bounded by the pass-objects. In the Passfaces scheme, human faces are used as the password. In the Dhamija and Perrig scheme, the user picks several pictures out of many choices and identifies them later during authentication.

[Figure: Recognition-based authentication system]
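The following is an added example, not code from the original article or from any of the schemes' authors. It sketches the recognition-based flow described above in Python: registration keeps the user's portfolio on the server (as the text notes, the system has to know the portfolio in order to display it), the login panel mixes those images with random decoys, and verification in the Dhamija-and-Perrig style accepts the selection only if it is exactly the portfolio. The second half adds the Sobrado and Birget check: the click is accepted only if it lies inside the convex hull of the pass-objects' current screen positions. The image catalogue, portfolio and panel sizes, and all coordinates are constructed for the example.

```python
import hmac
import random
from typing import Iterable, List, Sequence, Tuple

# Constructed image catalogue (not from any real system): a deployment would use
# file names or database ids, but plain labels are enough to show the protocol.
IMAGE_CATALOGUE = [f"img{n:02d}" for n in range(1, 31)]  # img01 .. img30

PORTFOLIO_SIZE = 5    # images the user picks at registration (assumed value)
CHALLENGE_SIZE = 20   # portfolio images plus decoys on the login panel (assumed)


def register(chosen: Iterable[str]) -> frozenset:
    """Store the user's portfolio. A recognition scheme has to keep the portfolio
    on the server (in clear or reversibly encrypted) because it must display
    exactly those images among the decoys at login."""
    portfolio = frozenset(chosen)
    if len(portfolio) != PORTFOLIO_SIZE:
        raise ValueError(f"portfolio must hold {PORTFOLIO_SIZE} distinct images")
    unknown = portfolio - set(IMAGE_CATALOGUE)
    if unknown:
        raise ValueError(f"images not in catalogue: {sorted(unknown)}")
    return portfolio


def make_challenge(portfolio: frozenset, rng: random.Random) -> List[str]:
    """Build the login panel: every portfolio image plus random decoys, shuffled
    so that position on the panel reveals nothing about which images are secret."""
    decoys = [img for img in IMAGE_CATALOGUE if img not in portfolio]
    panel = sorted(portfolio) + rng.sample(decoys, CHALLENGE_SIZE - len(portfolio))
    rng.shuffle(panel)
    return panel


def verify_selection(portfolio: frozenset, panel: Sequence[str],
                     selected: Iterable[str]) -> bool:
    """Dhamija-and-Perrig style check: the user must pick exactly the portfolio
    images from the panel, in any order. Anything not on the panel is rejected,
    and the final comparison is constant-time so a near miss does not leak."""
    chosen = frozenset(selected)
    if not chosen <= set(panel):
        return False
    return hmac.compare_digest(",".join(sorted(chosen)).encode(),
                               ",".join(sorted(portfolio)).encode())


# ---- Sobrado and Birget: click inside the convex hull of the pass-objects ----

Point = Tuple[float, float]


def _cross(o: Point, a: Point, b: Point) -> float:
    """z-component of (a - o) x (b - o); positive when o->a->b turns left."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points: Sequence[Point]) -> List[Point]:
    """Andrew's monotone chain; returns the hull vertices counter-clockwise."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and _cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and _cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def click_inside_pass_object_hull(pass_objects: Sequence[Point], click: Point) -> bool:
    """Accept the click if it lies inside or on the convex hull of the screen
    positions of the user's pass-objects. With fewer than three distinct
    pass-objects there is no area to click in, so the attempt is rejected."""
    hull = convex_hull(pass_objects)
    if len(hull) < 3:
        return False
    n = len(hull)
    return all(_cross(hull[i], hull[(i + 1) % n], click) >= 0 for i in range(n))
```

Two points worth noticing: the panel is reshuffled on every login, so an observer who sees one panel learns image positions but not which ones are the portfolio, and the hull test only tells the server that the click was consistent with the pass-objects, which is why the scheme repeats the challenge several rounds before accepting.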

  • Recall Based System

In recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage. Recall-based graphical password systems are occasionally referred to as draw-metric systems, since a secret drawing is recalled and reproduced by the user. In these systems, users typically draw their password either on a blank canvas or on a grid. Various recall-based techniques for securing a password are described below.

To authenticate, we use a grid-based approach with an image as reference. In the Draw-A-Secret (DAS) scheme, the user draws a simple picture on a 2D grid, and the coordinates of the grid cells occupied by the picture are stored in the order of drawing. When redrawing during authentication, the user has to touch the same grid cells in the same sequence. Certain grid cells are thus selected by the user to set his or her password, as shown in the figure below. A major drawback of graphical password authentication is shoulder surfing.

Another one is the PassPoints scheme, which allows users to click on any place on an image to create a password. A tolerance around each chosen pixel is calculated; to be authenticated, the user must click within the tolerances, in the correct sequence. The signature scheme is another form of graphical user authentication in which the user draws his or her signature using a mouse.
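An added example for the two recall-based schemes above (DAS and PassPoints); it is not code from the original article or from the schemes' authors, and the grid size, PBKDF2 round count, tolerance and all coordinates are constructed for the example. For DAS, the secret is the ordered list of grid cells touched, with a pen-up marker between strokes; the server stores only a salted, slow hash of that encoding and checks a redrawn picture by re-encoding it. For PassPoints, each click in the sequence must land within a tolerance of its registered pixel.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

Cell = Tuple[int, int]    # (row, col) on the DAS grid
Point = Tuple[int, int]   # (x, y) pixel position for PassPoints
GRID_SIZE = 5             # 5x5 drawing grid (assumed for the example)
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune for the deployment


# ---- Draw-A-Secret: the secret is the ordered list of grid cells touched ----

def encode_strokes(strokes: Sequence[Sequence[Cell]]) -> bytes:
    """Canonical encoding of a drawing: the cells in drawing order, with a
    pen-up marker after each stroke so that one long stroke and two short
    ones covering the same cells are different secrets."""
    parts: List[str] = []
    for stroke in strokes:
        for r, c in stroke:
            if not (0 <= r < GRID_SIZE and 0 <= c < GRID_SIZE):
                raise ValueError(f"cell {(r, c)} is off the {GRID_SIZE}x{GRID_SIZE} grid")
            parts.append(f"{r},{c}")
        parts.append("|")
    return ";".join(parts).encode()


def das_register(strokes: Sequence[Sequence[Cell]],
                 salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted, slow hash of the encoding, never the drawing itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_strokes(strokes), salt, PBKDF2_ROUNDS)
    return salt, digest


def das_verify(strokes: Sequence[Sequence[Cell]], salt: bytes, digest: bytes) -> bool:
    """Re-encode the redrawn picture and compare hashes in constant time."""
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", encode_strokes(strokes), salt, PBKDF2_ROUNDS)
    except ValueError:  # malformed input (e.g. off-grid cell) is just a failed login
        return False
    return hmac.compare_digest(candidate, digest)


# ---- PassPoints: ordered clicks, each within a tolerance of its registered point ----

def within_tolerance(click: Point, target: Point, tolerance: int) -> bool:
    """Chebyshev distance: the click must fall in the square of half-side
    `tolerance` centred on the registered pixel."""
    return abs(click[0] - target[0]) <= tolerance and abs(click[1] - target[1]) <= tolerance


def passpoints_verify(clicks: Sequence[Point], registered: Sequence[Point],
                      tolerance: int = 10) -> bool:
    """Every click must be within tolerance of the corresponding registered point,
    in the same order. The loop never exits early, so the time taken does not
    reveal how many leading clicks were correct."""
    if len(clicks) != len(registered):
        return False
    ok = True
    for click, target in zip(clicks, registered):
        ok &= within_tolerance(click, target, tolerance)
    return ok
```

The PassPoints half keeps the registered points in memory because a tolerance window cannot be applied to a hash: two clicks a few pixels apart hash to unrelated values. Implementations that want to store only a hash first discretize each click into a grid cell and hash the cell sequence, which reduces the problem to the DAS case shown in the first half.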

  • Implementation and Discussion

Graphical passwords can be implemented to authenticate several systems and websites. The implementation has a few components:

  • Password: contains the reference image and the encryption algorithm.
  • Login: contains the username, images, graphical password and related methods.
  • SSR shield: contains the shield against shoulder surfing.
  • Grids: contains the unique grid values and grid-clicking related methods.

Advantages of graphical authentication method:

  • The security of the system is very high.
  • Graphical password schemes provide a way of making more human-friendly passwords.
  • Dictionary attacks and brute-force search are infeasible.

Disadvantages of graphical authentication method:

  • Requires much more storage space than text-based passwords.
  • Password registration and the log-in process take too long.
  • Shoulder surfing: as the name implies, shoulder surfing is watching over people's shoulders as they enter information. Because of their graphical nature, nearly all graphical password schemes are quite vulnerable to shoulder surfing.
