Graphical Password Authentication

By | February 4, 2017

Noway days people do not go to a bank to make a transaction, do not go to an Electric board to pay bill, do not go to railway station to make a train reservation and what not. All these time consuming and non productive tasks are simplified because of Internet (Read more on How Internet works?). To carry out these tasks everyone hits respective portals/sites or make use of a smartphone app. There are many such areas where we need human interaction with computers and these systems should be secured against CyberCrime (Read more on CyberCrime). User authentication is the most fundamental component in all computer security systems.

Security practitioners and researchers have made their efforts to protect systems and correspondingly, individual users’ digital assets. Because of increasing threats over the internet or networked computer systems, there is great need for preventions of such activities. We use alphanumerical usernames and passwords for authentication purpose but studies shows that user can only remember a limited number of passwords. They tend to note them down somewhere or will use the same passwords for different accounts. In some cases, to avoid the complexity, users often pick passwords that is simple and easy to remeber.

Biometrics is one of the various alternatives to increase the security but it requires lot of investments. To increase security to next level, some researchers have developed authentication methods that use pictures as passwords or a second level of authentication. So, in this article we will deal with another alternative: using image as passwords. The below image is used for spam prevention as a second level of authentication.

Graphical password authentication

Mark five blocks where mountain is visible

Problems with Passwords:
Users have difficulty remembering complex, random passwords over time for their long term memory limitation. A user is likely to forget a password that is not used regularly as the memory is not “refreshed” or “activated” sufficiently. Having multiple passwords, the user may either jumble the elements of the different passwords or confuse them of which system it corresponds to. Users normally deal with the password memory problems by decreasing the complexity and number of passwords, which reduces password security. A secure password should be 8 characters or longer, random, with upper-case characters, lowercase characters, digits, and special characters. Users ignore such password recommendations, using instead short, simple passwords that are relatively easy to discover using dictionary attacks. Recent surveys have shown that users often choose, short, alphabetic-only passwords consisting of personal names of family or friends, pets, etc. Users typically write down their passwords, sometime share the passwords with others, or use the same password for multiple systems.


Graphical passwords were first introduced by BLONDER in 1996. A graphical password is an authentication system which allows the users to select from images, in a specific order, presented in a graphical user interface (GUI). Graphical passwords can be easily remembered, as users remember images better than words. Graphical passwords techniques are categorized into two main techniques:  recall-based and recognition-based graphical techniques.

  • Recognition Based System

        In recognition-based techniques, Authentication is done by challenging the user to identify image or images that the user had selected during the registration stage. Another name for recognition-based systems is search metric systems. It is generally require that users memorize a number of images during password creation, and then to log in, must identify their images among them. Humans have unique ability to identify images previously seen, even those which has been viewed very briefly. Recognition based systems have been proposed using usability and security considerations, and offers usability. In some graphical password schemes, Knowledge of some details of the shared secret must be retained by the system, i.e., user specific profile data e.g. in recognition schemes, the system must know which images belong to a user’s portfolio in order to display them.

Sobrado and Birget Scheme is recognition based system that displays a number of pass-objects (pre-selected by user) among many other objects, user click inside the convex hull bounded by pass-objects. In Pass face scheme human faces are used as password. And in Dhamija and Perrig Scheme Pick several pictures out of many choices, identify them later in authentication.

Recognition Based authentication System

  • Recall Based System

In recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage. Recall-based graphical password systems are occasionally referred as draw metric systems since a secret drawing is recalled and reproduced by the user. In these systems, users typically draw their password either on a blank canvas or on a grid. You can secure your password using various techniques in graphical authentication.

                  To authenticate, we use a grid based approach by using image as a reference. Draw-A-Secret (DAS) Scheme User draws a simple picture on a 2D grid, the coordinates of the grids occupied by the picture are stored in the order of drawing. Redrawing has to touch the same grids in the same sequence in authentication. Then certain grids are selected by the user to set his/her password as shown in the figure below a major drawback of graphical password authentication is shoulder surfing.

Another one is Pass Point Scheme which allows users to click on any place on an image to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, user must click within the tolerances in the correct sequence. Signature scheme is another graphical user authentication conducted by having the user drawing their signature using a mouse.

  • Implementation and Discussion

Graphical Password can be implemented in authenticating several systems and websites. The implementation has few focuses:

  • Password: Contain image as reference & encryption algorithm.
  • Login: Contains username, images, Graphical password and related methods.
  • SSR shield: Contains shield for Shoulder surfing.
  • Grids: Contains unique grid values and grid clicking related methods.

Advantages of graphical authentication method:

  • The security of the system is very high.
  • Graphical password schemes provide a way of making more human-friendly passwords.
  • Dictionary attacks and brute force search are infeasible.


  • Require much more storage space than text based passwords.
  • Password registration and log-in process take too long.
  • Shoulder Surfing: As the name implies, shoulder surfing is watching over people’s shoulders as they process information. Because of their graphic nature, nearly all graphical password schemes are quite vulnerable to shoulder surfing.


Suggested articles for you:

16 thoughts on “Graphical Password Authentication

  1. Peter Mulenga

    Very nice topic…Could you please send the source code for this and related documents.

  2. Srinu

    I had understand vvry well with u r graphical passwords.Sir will u please send the information about blue eyes and iot

  3. Shalini Thakur

    Thank you sir for providing much information about graphical password authentication. I chose same topic for my college presentation. But couldn’t make it possible.I would be very grateful if you add some more information about it.

  4. Rajesh Bandakkanavar

    Good topic….would like to know more info…abt this topic

  5. Subi

    Sir could you suggest a good topic for IT branch for paper presentation?

  6. C DEEPA

    Sir! could you please suggest good topic for a cse (second year) student to give paper presentation in technical fest?


    Nice sir. Thank you sir and I am eee student soo is related to my branch only sir I don’t know exactly sir so iam asking and I also want some more two topics plz send me sir


Did it help? Comment here..