Security

Good-bye weak passwords, hello GOTPass graphical authentication

Better password security and usability may be possible, thanks to GOTPass authentication. Read why researchers say the system is difficult to hack.

Image: iStock/eenevski

"Humans suck at choosing passwords," writes security pundit Graham Cluley. That is hard to argue according to SplashData (TeamsID), which reported on 2015's worst passwords, with 123456 and password ranking as the most commonly used passwords.

"In SplashData's fifth annual report, compiled from more than 2 million leaked passwords during the year, some new and longer passwords made their debut — perhaps showing an effort by both websites and web users to be more secure," mentions Morgan Sloan, CEO of SplashData. "However, the longer passwords are so simple as to make their extra length virtually worthless as a security measure."

More about IT Security

Tech Pro Research's Cybersecurity and Cyberwarfare Survey

What kind of data breaches have your organization scared, and what are you doing to fend them off? Tell us in this short survey and get a free copy of the research report.

To get humans out of the password-creating business, Cluley writes, "I recommend that people invest in a password management tool, capable of generating truly random, impossible to guess passwords, and then doing the important job of remembering them for you, so you don't need to reuse them for every site you access."

However, password managers are not perfect. For example, the popular LastPass password manager may be secure, but it has issues.

"On Saturday, January 16, security researcher Sean Cassidy gave a presentation at hacker convention Shmoocon demonstrating a phishing attack against LastPass," writes a spokesperson from LastPass. "In this attack, a user is directed to a malicious website, and the page generates a notification that looks like a LastPass notification. The fake notification tricks the user into thinking they were logged out of LastPass, then directs them to log in again by entering their master password, and their two-factor authentication data if they have it turned on."

The spokesperson then adds that this is not a vulnerability in LastPass. The company has published how to mitigate any risk of this particular attack.

SEE: Phishing gets more dangerous: Report analyzes the weapons of choice

What is the answer?

Researchers H. Alsaiari, M. Papadaki, P. Dowland, and S. Furnell from the Centre for Security Communication and Network Research (CSCAN), Plymouth University, UK feel they have a better idea. The introduction to the team's paper Secure Graphical One Time Password (GOTPass): An Empirical Study in the Information Security Journal: A Global Perspective reads, "A possible alternative solution is graphical authentication, which is motivated by the fact that the capability of humans' memory for images is superior to text, which helps to improve password usability and security."

Graphical authentication is not new. Even though graphical authentication has gotten a less than enthusiastic reception in the marketplace, the team is optimistic. The researchers suggest their hybrid approach provides a secure and "simple to use" alternative to multi-factor authentication systems and one-time passwords. "GOTPass authenticates by means of a one-time numerical code that needs to be typed in based on a sequence of secret images and a prechosen input format," write the paper's authors.

As to why images are used instead of letters and numbers, the team cites several scientific studies including a 2009 paper by Karen Renaud and Antonella De Angeli that states, "[H]umans have a vast, almost limitless memory for pictures which they remember far better and for longer than words."

SEE: Password Management Policy from Tech Pro Research

How GOTPass works

The first step to setting up a GOTPass authentication system is selecting a username and drawing a shape on a pattern lock screen similar to Figure A. Next, the system creates four random themes containing 30 images. The user will select one pass image from each of the four themes. That's it.

Figure A

gotpass2.png
Image: University of Plymouth, H. Alsaiari, M. Papadaki, P. Dowland, and S. Furnell

To start, the person logging in enters a username and a pattern lock. The next step is interesting in that the researchers add a bit of deception. "Despite the supplied information being correct or not, the next step of the authentication will display a fresh image panel (Figure B) containing dummy images when the information of the previous step is incorrect," explains the report. "Otherwise, the panel will contain two random pass images out of the four previously chosen pass images, six distractor images that are associated with the pass images (three distractors for each pass image), and eight random decoy images."

Figure B

Image: University of Plymouth, H. Alsaiari, M. Papadaki, P. Dowland, and S. Furnell

Next, users must identify the two pass images from their previously selected image pool. "From the grid top and left axis, the user needs to locate and enter the codes associated with each pass image (the code should be entered in the correct format as previously assigned and shown in the registration phase)," explains the paper. Once the system ensures that all provided information is correct, the user is successfully authenticated and granted access."

Advantages of using GOTPass

Besides being easy to use, GOTPass offers the following security advantages:

  • shuffling images reduce the risk of observation attack;
  • system assigned themes decrease guessing caused by attacker knowledge of personal image preferences;
  • account lockout limits the number of consecutive incorrect attempts and applies a delay between login attempts to prevent excessive guessing tries and dictionary attack;
  • one-time passwords resist eavesdropping attacks and credential theft;
  • it's difficult to guess because of the following processes:
    - implementing multi-level authentication;
    - OTP is changeable every time; and
    - authentication feedback is only given at the end of the login session.

Initial testing

The researchers put the authentication system through extensive testing and report, "Initial tests have shown the system to be easy-to-remember for users, while security analysis showed just eight of the 690 attempted hackings were genuinely successful, with a further 15 achieved through coincidence."

Dr. Maria Papadaki, Lecturer in Network Security at Plymouth University and director of the study, adds, "For online security to be strong, it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that."

Something of particular interest to workers, especially travelers, who use one or more security tokens: GOTPass, according to the research team, is a low-cost, easy to use alternative.

Also see

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks