PassGrid: Towards Graph-Supplemented Textual Shoulder Surfing Resistant Authentication

  • Teng Zhou
  • Liang LiuEmail author
  • Haifeng Wang
  • Wenjuan Li
  • Chong Jiang
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1095)


With the rapid development of intelligent mobile devices and network applications, user authentication plays an important role to help protect people’s privacy and sensitive information. A large number of authentication textual and graphical schemes have been proposed in the literature, but the majority of them are vulnerable to shoulder surfing attacks, or have to sacrifice usability. Motivated by this challenge, we propose a graph-supplemented textual shoulder surfing resistant authentication system, called PassGrid. With a series of one-time login indicators and cyclic movable blocks with textual elements, PassGrid prevents attackers from guessing the passwords even with the help of a camera. To reduce users’ workload, they only have to memorize one set of the password. Our user study shows that PassGrid can achieve good performance regarding security and usability, i.e., average login time consumption of 22s with a small password length.


Graphical authentication Textual password Shoulder surfing resistant User authentication Security and usability 


  1. 1.
    Jermyn, I., Mayer, A., Monrose, F., Reiter, M., Rubin, A.: The design and analysis of graphical passwords. In: Proceedings of the 8th Conference USENIX Security Symposium, vol. 8 (1999)Google Scholar
  2. 2.
    Blonder, G.E.: Graphical passwords. United States Patent 5559961 (1996)Google Scholar
  3. 3.
    Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A., Memon, N.: Passpoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud. 63(1–2), 102–127 (2005)CrossRefGoogle Scholar
  4. 4.
    Sobrado, L., Birget, J.C.: Graphical passwords. The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4 (2002)Google Scholar
  5. 5.
    Meng, Y., Li, W., Kwok, L.-F.: Enhancing click-draw based graphical passwords using multi-touch on mobile phones. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 55–68. Springer, Heidelberg (2013). Scholar
  6. 6.
    Meng, W.: RouteMap: a route and map based graphical password scheme for better multiple password memory. Network and System Security. LNCS, vol. 9408, pp. 147–161. Springer, Cham (2015). Scholar
  7. 7.
    Meng, W.: Evaluating the effect of multi-touch behaviours on android unlock patterns. Inf. Comput. Secur. 24(3), 277–287 (2016)CrossRefGoogle Scholar
  8. 8.
    Meng, W., Li, W., Wong, D.S., Zhou, J.: TMGuard: a touch movement-based security mechanism for screen unlock patterns on smartphones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 629–647. Springer, Cham (2016). Scholar
  9. 9.
    Meng, W., Lee, W.H., Au, M.H., Liu, Z.: Exploring effect of location number on map-based graphical password authentication. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 301–313. Springer, Cham (2017). Scholar
  10. 10.
    Meng, W., Li, W., Kwok, L.F., Choo, K.K.R.: Towards enhancing click-draw based graphical passwords using multi-touch behaviours on smartphones. Comput. Secur. 65, 213–229 (2017)CrossRefGoogle Scholar
  11. 11.
    Meng, W., Fei, F., Jiang, L., Liu, Z., Su, C., Han, J.: CPMap: design of click-points map-based graphical password authentication. SEC 2018, 18–32 (2018)Google Scholar
  12. 12.
    Meng, W., Liu, Z.: TMGMap: designing touch movement-based geographical password authentication on smartphones. In: Su, C., Kikuchi, H. (eds.) ISPEC 2018. LNCS, vol. 11125, pp. 373–390. Springer, Cham (2018). Scholar
  13. 13.
    Sun, H.-M., Chen, S.-T., Yeh, J.-H., Cheng, C.-Y.: Shoulder surfing resistant graphical authentication system. IEEE Trans. Dependable Secure Comput. 15(2), 180–193 (2018)CrossRefGoogle Scholar
  14. 14.
    Aviv, A., Gibson, K., Mossop, E., Blaze, M., Smith, J.: Smudge attacks on smartphone touch screens. In: Proceedings of USENIX 4th Workshop on Offensive Technologies (2010)Google Scholar
  15. 15.
    Zhao, H., Li, X.: S3pas: a scalable shoulder-surfing resistant textual-graphical password authentication scheme. In: Proceeding of the 21st International Conference Advances Information Network Applications Workshops, vol. 2, pp. 467–472 (2007)Google Scholar
  16. 16.
    Long, J., Mitnick, K.: No tech hacking: a guide to social engineering, dumpster diving, and shoulder surfing (2011).
  17. 17.
    Kwon, T., Shin, S., Na, S.: Covert attentional shoulder surfing: human adversaries are more powerful than expected. IEEE Trans. Syst. Man Cybern. Syst. 44(6), 716–727 (2014)CrossRefGoogle Scholar
  18. 18.
    Google glass snoopers can steal your passcode with a glance. google-glass-snoopers-can-steal-your-passcode-with-a-glance/
  19. 19.
    Bianchi, A., Oakley, I., Kim, H.S.: PassBYOP: bring your own picture for securing graphical passwords. IEEE Trans. Hum.-Mach. Syst. 46(3), 2168–2291 (2015)Google Scholar
  20. 20.
    Tan, D., Keyani, P., Czerwinski, M.: Spy-resistant keyboard: towards more secure password entry on publicly observable touch screens. In: Proceedings of OZCHIComputer- Human Interaction Special Interest Group (CHISIG) of Australia, Canberra, Australia. ACM Press. Citeseer (2005)Google Scholar
  21. 21.
    Wang, L., Chang, X., Ren, Z., Gao, H., Liu, X., Aickelin, U.: Against spyware using captcha in graphical password scheme. In: Proceeding of the 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 760–767. IEEE (2010)Google Scholar
  22. 22.
    Yu, X., Wang, Z., Li, Y., Li, L., Zhu, W.T., Song, L.: EvoPass: evolvable graphical password against shoulder-surfing attacks. Comput. Secur. 70, 179–198 (2017)CrossRefGoogle Scholar
  23. 23.
    Wiedenbeck, S., Waters, J., Sobrado, L., Birget, J.-C.: Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of the working conference on Advanced Visual Interfaces, ser. AVI 2006, pp. 177–184. ACM, New York (2006)Google Scholar
  24. 24.
    Suo, X., Zhu, Y., Owen, G.S.: Graphical passwords: a survey. In: Proceedings of the 21st Annual Computer Security Applications Conference, ACSAC, pp. 463–472. IEEE Computer Society, USA (2005)Google Scholar
  25. 25.
    Takada, T.: Fakepointer: an authentication scheme for improving security against peeping attacks using video cameras. In: Proceedings of the 2nd International Conference Mobile Ubiquitous Computer, System, Service Technology, pp. 395–400 (2008)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Teng Zhou
    • 1
  • Liang Liu
    • 1
    Email author
  • Haifeng Wang
    • 2
  • Wenjuan Li
    • 3
  • Chong Jiang
    • 4
  1. 1.College of Computer Science and TechnologyNanjing University of Aeronautics and AstronauticsNanjingChina
  2. 2.NARI Technology Co., Ltd. State Key Laboratory of Smart Grid Protection and Control in ChinaNanjingChina
  3. 3.Department of Computer ScienceCity University of Hong KongHong Kong S.A.R.China
  4. 4.School of Computer ScienceGuangzhou UniversityGuangzhouChina

Personalised recommendations