Review

A Survey: Security Vulnerabilities and Protective Strategies for Graphical Passwords

1 Computer Science Department, University of Technology—Iraq, Baghdad 10066, Iraq
2 Department of Computer Science, College of Education for Pure Science (Ibn al-Haitham), University of Baghdad, Baghdad 10066, Iraq
* Author to whom correspondence should be addressed.
Electronics 2024, 13(15), 3042; https://doi.org/10.3390/electronics13153042
Submission received: 12 July 2024 / Revised: 26 July 2024 / Accepted: 30 July 2024 / Published: 1 August 2024
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

Abstract

As technology advances, the need for authentication mechanisms that are both strong and simple intensifies. Graphical passwords, composed of images, patterns, or other graphical items, are one contemporary approach to access control. The objective of this review was to determine the documented security risks related to the use of graphical passwords, together with the measures that have been proposed against them, to present an extensive literature review of graphical password protection, and to point toward future research directions. Graphical password schemes, although widely used, can be exploited by many attacks, such as shoulder surfing, SQL injection, and spyware. Several countermeasures have been suggested against these threats, but none of the attacks can be completely overcome, and each proposed measure has its pros and cons. This study begins by elucidating graphical password schemes published between 2012 and 2023, delving into the threats and defense mechanisms associated with them. Following a thorough identification and selection process, five of the reviewed papers explain the threat of shoulder surfing and spyware attacks on graphical password schemes, while two explain the threat of brute force attacks. One paper focuses on dictionary attacks, while four other papers address social engineering, SQL injection, and guessing attacks as threats to graphical password schemes. In addition, the papers recognize other forms of attack: video recording, filtering, reverse engineering, multiple observation, key/mouse logger, insider, computer vision, image gallery, sonar, replay, data interception, and histogram manipulation attacks, examined in three, three, eight, one, four, one, one, one, one, one, one, and one papers, respectively. Moreover, most of the countermeasures fall into three categories, randomization, obfuscation, and password space complexity, which are the most commonly employed strategies for improving graphical password schemes.

1. Introduction

Graphical passwords have emerged as an alternative authentication mechanism, offering a more user-friendly interface than traditional text-based passwords. However, as the use of graphical passwords increases, so does concern about their vulnerability to security attacks. Shoulder surfing is one behavioral threat that can compromise a graphical password system: an attacker simply watches, or photographs, the user’s password choice during authentication. This is especially dangerous because graphical passwords are usually chosen from a fixed set of allowable images, which makes them easier to observe and replay. A second kind of threat is the guessing attack, in which the adversary aims to systematically identify the correct graphical password from the images chosen, their locations, or the order in which they are selected. Depending on the design of the scheme, guessing may be conducted by various methods, such as a dictionary attack or a brute force attack. Malware and keylogging are also threats that can seriously affect graphical password systems: adversaries can capture the elements of a graphical password by planting software that monitors the user’s movements across the graphical interface of the computer or other device [1].
Password-based authentication is the most widely used authentication mechanism due to its simplicity and memorability. Understanding the landscape of these threats and the countermeasures used to tackle them is crucial for enhancing the security of graphical password systems. This survey delved into graphical passwords, the security attacks against them, and the various countermeasures employed to safeguard these systems. By examining a range of scientific articles and publications, this study sought to explore the threats posed to graphical passwords and the countermeasures developed to combat these vulnerabilities. Two key aspects of the security landscape were explored. First, the study identifies the existing attacks on graphical passwords and the vulnerabilities affecting these authentication mechanisms. Second, it examines the countermeasures designed to combat the identified threats, whose aim is to make graphical password systems as secure as possible. To this end, we surveyed a wide range of recognized academic articles [2].
This survey also used specific key terms in its searches, which aid in understanding the frameworks related to graphical passwords and provide insight into the current status and future development trends in graphical password security. The paper is structured as follows: Section 2 describes certain graphical password schemes from 2012 to 2023, highlighting their shortcomings. Section 3 presents the types of security attacks and the graphical password schemes affected by each. Section 4 outlines the countermeasures implemented against security attacks on graphical passwords. The results of the analysis are discussed in Section 5. Finally, Section 6 provides the conclusion and suggestions for future research.

2. Graphical Password Schemes

This section outlines the limitations of the graphical password frameworks analyzed from 2012 to 2023.

2.1. WYSWYE (“Where You See Is What You Enter”) Scheme

Khot et al., in 2012, presented a scheme to counteract shoulder-surfing attacks using recognition-based graphical passwords [3]. The technique, WYSWYE, requires users to locate their password images in one image grid and replicate their pattern on another grid; the name stands for “Where You See (the password) is What You Enter (the position)”. The scheme is based on tabular reduction and pattern identification and is both straightforward and efficient. As shown in Figure 1, it involves identifying the pattern formed by the N password images within an M × M grid and mapping it onto an independent N × N grid (a, b). During login, the system displays a randomly generated M × M Challenge grid, which contains the N password images and M² − N decoy images, next to an empty N × N grid. The user does not interact with the Challenge grid directly. Instead, input is entered on the empty N × N grid, called the Response grid (c), positioned on the right-hand side of the screen. To log in, the user must correctly recognize the pattern of the password images in the Challenge grid and replicate it in the Response grid (d) [4].
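The login flow described above, as an added simulation written for this survey (not code from Khot et al. [3]). It assumes, because the page does not state it, that the Challenge generator places each password image in a distinct row and column, so that tabular reduction (deleting every row and column holding no password image) leaves exactly an N × N grid, and that the user marks on the blank Response grid the cells the password images occupy in that reduced grid. The observer_candidates function shows what a single shoulder-surfed (Challenge, Response) pair reveals: every choice of N rows and N columns consistent with the marked pattern is a possible password set, so one observation leaves C(M, N)² candidates.

```python
"""WYSWYE login simulation and single-observation analysis (added example)."""
import itertools
import random
from typing import FrozenSet, List, Set, Tuple

Cell = Tuple[int, int]
Grid = List[List[str]]


def make_challenge(password: List[str], decoys: List[str], m: int,
                   rng: random.Random) -> Grid:
    """Random M x M Challenge grid: N password images plus M*M - N decoys."""
    n = len(password)
    if n > m or len(decoys) < m * m - n:
        raise ValueError("grid too small for the password and decoy sets")
    rows = rng.sample(range(m), n)          # distinct rows (assumption)
    cols = rng.sample(range(m), n)          # distinct columns (assumption)
    grid: Grid = [[""] * m for _ in range(m)]
    for img, r, c in zip(password, rows, cols):
        grid[r][c] = img
    filler = iter(rng.sample(decoys, m * m - n))
    for r in range(m):
        for c in range(m):
            if not grid[r][c]:
                grid[r][c] = next(filler)
    return grid


def tabular_reduction(grid: Grid, password: List[str]) -> Set[Cell]:
    """Expected Response pattern: keep only rows/columns holding a password image."""
    pw = set(password)
    m = len(grid)
    keep_rows = [r for r in range(m) if pw & set(grid[r])]
    keep_cols = [c for c in range(m) if pw & {grid[r][c] for r in range(m)}]
    return {(i, j) for i, r in enumerate(keep_rows)
            for j, c in enumerate(keep_cols) if grid[r][c] in pw}


def verify(grid: Grid, password: List[str], response: Set[Cell]) -> bool:
    """Server-side check of the pattern entered on the Response grid."""
    return response == tabular_reduction(grid, password)


def observer_candidates(grid: Grid, response: Set[Cell]) -> Set[FrozenSet[str]]:
    """Password sets consistent with ONE observed (Challenge, Response) pair.

    The observer sees the images and the marked cells but not which rows and
    columns the user mentally deleted, so every choice of N rows and N columns
    whose reduction reproduces the pattern yields a candidate password set.
    """
    m, n = len(grid), len(response)
    candidates: Set[FrozenSet[str]] = set()
    for rows in itertools.combinations(range(m), n):
        for cols in itertools.combinations(range(m), n):
            cand = [grid[rows[i]][cols[j]] for (i, j) in response]
            if verify(grid, cand, response):
                candidates.add(frozenset(cand))
    return candidates


def simulate_login(password: List[str], decoys: List[str], m: int,
                   seed: int = 0) -> Tuple[bool, int]:
    """One honest login; returns (accepted, candidate sets after one observation)."""
    rng = random.Random(seed)
    grid = make_challenge(password, decoys, m, rng)
    response = tabular_reduction(grid, password)   # what the honest user enters
    return verify(grid, password, response), len(observer_candidates(grid, response))


if __name__ == "__main__":
    ok, k = simulate_login(["cat", "dog", "owl"],
                           [f"decoy{i}" for i in range(40)], m=6, seed=7)
    print(f"accepted={ok}, candidate password sets after one observation={k}")
```

With M = 6 and N = 3 a single observation leaves 400 candidate password sets; the protection rests on the Challenge grid being re-randomized on every login, so that an observer cannot intersect successive observations against a fixed layout.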

2.2. Ho et al.’s Scheme

In 2014, Ho et al. [5] introduced an approach in which the challenge set consists of both registered and decoy images. During registration, the user registers several images and must remember their order. During authentication, a pass-image is derived from a starting image, a cued image, and the proposed rule. The starting image, marked at the beginning, and the cued image correspond to the first and second registered images, respectively, and the pass-image is obtained by applying the rule. The user must first decide whether the cued image lies on the imaginary half-line starting at the starting image. If it does not, the offset is set to one, and the pass-image is the image immediately following the starting image along the imaginary half-line. If the cued image does lie on the half-line, the user must check whether it is the last image on that half-line. If it is not, the maximum offset is used, and the pass-image is the last image along the half-line [6]. If the cued image is the last image on the half-line, the offset is decreased by one, and the pass-image is the image before the last one along the half-line. The same procedure is used to identify the next pass-image, with the cued image being the second registered image and the starting image being the current pass-image. This is repeated until the last pass-image is reached, and the user clicks that pass-image to log in [5].
This technique can stop direct observation attacks, as suggested by [5]. Nevertheless, the scheme is susceptible to reverse engineering attacks when numerous sessions are video-recorded [6]. Such attacks take advantage of the fact that the registered images used in a challenge set never change. One way to conduct the attack is to exclude images that cannot be the final cued image; by determining the final starting image or eliminating further images, an attacker can then recover the remaining registered images. As a result, attackers can identify the registered images and log in as the user.

2.3. Gokhale and Waghmare’s Scheme

A graphical password technique was presented by Gokhale and Waghmare in 2016 [7]. As shown in Figure 2, during registration a user must register several images from a set of 25. A minimum of six images must be registered, the total number must be even, and the user must remember their order. The selected images are shown on a panel for the user’s convenience, but they vanish after five seconds. The user must then select a question from a pool of questions, each of which has a number assigned to it, and enter a place as the answer. To help remember the chosen place, the user may pick one of the 25 background images provided by the system or upload an image from local storage. Three places must be registered, each linked to a question. During authentication, the user must derive several pass-images from the registered images: the row of the first registered image and the column of the second registered image give the position of the first pass-image, which is the image at that intersection, and this procedure is repeated for every pair of registered images. Subsequently, the three registered questions are shown to the user in random order, and the user answers each by clicking on the place linked to it during registration.
This technique is simple to implement and, according to [7], stops shoulder-surfing attacks. However, attackers can readily shoulder-surf the clicked spots because their locations are fixed [8]. Additionally, after several observations, attackers can infer the registered images by elimination. This indicates that shoulder-surfing attacks remain possible against this scheme.

2.4. Por et al.’s Scheme

A technique utilizing digraph substitution rules was presented by Por et al. in 2017 [9]. During registration, the user registers two images and chooses whether to log in with the first or the second pass-image. During authentication, the user must identify and select the pass-image derived by the digraph substitution rules. Figure 3 explains the details of the scheme. According to [9,10], this strategy can stop shoulder-surfing attacks.

2.5. Sun et al.’s Scheme

In 2018, Sun et al. [11] presented PassMatrix, shown in Figure 4, which takes advantage of a picture discretization algorithm. During registration, the user chooses several images and, on each, one pass-square (called a puzzle here); every square corresponds to a letter on a horizontal bar and a number on a vertical bar [12]. During authentication, the puzzles of the first chosen image are displayed together with a randomly shifted horizontal letter bar and vertical number bar, and the user must move the indicated letter into the column, and the indicated number into the row, of the pre-selected puzzle. This procedure is repeated for every chosen image.
This technique is capable of thwarting shoulder-surfing attacks, as per [5]. However, because the puzzles and the chosen images are fixed, we conclude that the scheme is still susceptible to shoulder-surfing attacks: after several observations, an attacker may learn the pre-selected puzzle in each chosen image and log in.
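The multiple-observation weakness noted for the schemes in Sections 2.3 and 2.5, simulated as an added example written for this survey (not code from [7], [8], or [11]). The model is an assumption that captures the shared flaw: every login challenge shows all n registered pass-images, which never change, plus decoys drawn at random from the rest of the image pool. An observer who records which images were on screen in each session simply intersects the sets; decoys drop out, the pass-images never do. The expected_decoys_left function gives the closed-form prediction for that model.

```python
"""Intersection attack on a scheme with fixed registered images (added example)."""
import random
from typing import List, Set, Tuple


def build_challenge(pass_images: Set[int], pool: List[int], challenge_size: int,
                    rng: random.Random) -> Set[int]:
    """Challenge set shown at login: the fixed pass-images plus random decoys."""
    decoys = [img for img in pool if img not in pass_images]
    return set(pass_images) | set(rng.sample(decoys, challenge_size - len(pass_images)))


def intersection_attack(pass_images: Set[int], pool: List[int], challenge_size: int,
                        max_sessions: int, rng: random.Random) -> Tuple[Set[int], int]:
    """Observe sessions until the candidate set is no larger than the pass set.

    Returns (remaining candidates, sessions observed). The observer needs only
    the list of images displayed per session, not the user's clicks.
    """
    candidates = set(pool)            # before any observation, every image is possible
    sessions = 0
    while sessions < max_sessions and len(candidates) > len(pass_images):
        candidates &= build_challenge(pass_images, pool, challenge_size, rng)
        sessions += 1
    return candidates, sessions


def expected_decoys_left(pool_size: int, n_pass: int, challenge_size: int,
                         sessions: int) -> float:
    """Each decoy survives one session with probability (K - n) / (P - n)."""
    decoys = pool_size - n_pass
    return decoys * ((challenge_size - n_pass) / decoys) ** sessions


def simulate(pool_size: int = 100, n_pass: int = 4, challenge_size: int = 25,
             max_sessions: int = 50, seed: int = 1) -> Tuple[bool, int]:
    """Returns (pass-images fully recovered?, sessions the attacker had to observe)."""
    rng = random.Random(seed)
    pool = list(range(pool_size))
    pass_images = set(rng.sample(pool, n_pass))      # constructed secret
    recovered, sessions = intersection_attack(pass_images, pool, challenge_size,
                                              max_sessions, rng)
    return recovered == pass_images, sessions


if __name__ == "__main__":
    ok, s = simulate()
    print(f"recovered={ok} after {s} observed sessions; "
          f"model predicted {expected_decoys_left(100, 4, 25, s):.2f} decoys left")
```

With a pool of 100 images, 4 pass-images, and 25 images per challenge, each decoy survives a session with probability 21/96, so only four or five recorded sessions are needed. The attack is defeated only when the challenge carries no information, as the degenerate case of showing the whole pool demonstrates, or when what the user must recognize changes between sessions, which is why fixed pass-images or fixed click locations are the root problem in both schemes.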

2.6. A Combination of Graphical Password Recognition and Recall Scheme

Pandey and Praveen Kumar, in 2019 [13], presented the graphical password authentication system shown in Figure 5, in which users choose certain images during registration (a) and must then recognize them to log in (b). The system integrates recognition and recall-based techniques: users must reproduce the images or sequences selected at registration in order to authenticate. The user-centric interface and efficiency of the system allow login to be both secure and convenient, especially for users with limited technical knowledge. Additionally, the password generation procedure uses recognizable visual prompts from daily life to improve user-friendliness and recall, making the system suitable for a wide range of users.

2.7. A Hybrid Textual-Graphical Authentication Scheme

In 2021, S. Z. Nizamani et al. [14] introduced a hybrid authentication scheme that incorporates both text and graphic elements. The scheme (a, b), shown in Figure 6, combines several mechanisms to address the shortcomings of existing schemes. Two password input modes, easy login and secure login, can be selected dynamically, striking a balance between safeguarding data and user convenience. The scheme employs a draw-metric method for password generation to enhance memorability, integrates a multi-step verification procedure based on one-time passwords (OTPs), uses basic arithmetic operations to bolster security, and assigns random numerical values to password elements, arranged in a randomized sequence [14].
The scheme was implemented and evaluated for resilience against different cyber threats, as well as for user-friendliness and ease of recall. Its reliability and authentication speed were compared with those of eight other prevalent authentication mechanisms, as Figure 6 explains [14].

2.8. PinWheel Scheme

PinWheel, a login authentication scheme that combines graphical passwords with biometrics, was presented in 2021 by Li, Y. et al. [15]. Within this scheme, a unique challenge value accompanies each login, derived from the fixed bead chosen by the user at registration; the user must input this challenge value in the specified field to authenticate. By fusing a location password with a text password, the scheme prevents unauthorized access to user credentials and mitigates the risks of shoulder surfing, smudge attacks, and video analysis. Additionally, to confine login permissions to trusted administrators, PinWheel integrates an optional user feature-based authentication approach, adding a further security layer that protects the device and data privacy.
PinWheel was tested against various attack scenarios to evaluate its security, with affirmative outcomes signaling the resilience of the scheme. Furthermore, an extensive user evaluation was executed; Figure 7 explains the two stages of the scheme (a, b). Insights on long-term password retention and authentication duration were gathered from individuals who tested a trial version of PinWheel on their mobile devices, using a questionnaire formulated for data collection in the later phases of the trial. The findings underscored the user-friendliness of PinWheel.

2.9. SelfiePass Scheme

The SelfiePass scheme, proposed by Rajarajan, S. and colleagues in 2021 [16] and shown in Figure 8, presents a remedy for the susceptibility of graphical passwords to shoulder surfing. It allows users to enter click points on images (a) without touching the image cells directly: the scheme (b, c, d) uses a grid consisting of permutations of two alphabets, together with a secret token transmitted through headphones that guides the user in selecting the click points.
During login, the user shifts the grid columns horizontally and vertically to position the secret token (the password) on the designated column for the first click point, and the system determines the click point from the token’s placement. The procedure is repeated for the second click point. Even if an attacker records a video of the authentication process, the actual click points cannot be ascertained from it. In this manner, SelfiePass provides a secure and resilient graphical password scheme for user authentication.

2.10. Graphical Password Based on Mouse Behavior (GP-MB) Scheme

In order to protect sensitive data in organizations, Abdalkareem, Zahraa Adnan et al., in 2021 [17], suggested a new password generation technique based on mouse motion and a special location identified by the number of clicks. Users are advised to click on two or three distinct areas to increase the complexity of their passwords. In contrast to random password generators currently in use, the administrator defines the path and click count, and authorized users must be trained on it.
For a restricted set of users, the goal of this method is to increase the number of combinations available for graphical password generation using mouse motion. A computational framework is created to determine the password’s effectiveness. The method minimizes the possibility of password guessing while keeping the mouse movements user-friendly. A comparison with a conventional password was conducted; according to the findings, the suggested strategy increases complexity by 200% for the fixed-position and two-variation techniques and by more than 200% for the three-variation technique, as Figure 9 explains.

2.11. GRA-PIN Scheme

In 2022, Kausar et al. [18] presented a hybrid authentication approach for smart devices that combines text- and graphical-based techniques and requires users to make four distinct choices in order to generate a password. As shown in Figure 10a, the four selections of GRA-PIN are a two-digit number, a secret image, the swipe-up/down position for the arithmetic operation, and the position of the password within the final four-digit PIN. Additionally, in Figure 10b, the user is required to provide a secret answer in case the password is forgotten. To resist shoulder surfing, guessing, and camera attacks, a new PIN is generated each time the user logs in. Overall, the authors report that this technique offers enhanced reliability, security, and user-friendliness [18].

2.12. VGMSGP Scheme

In 2022, Wang, Z. et al. [19] introduced a graphical password scheme that combines a verification grid with a map-slipping strategy to enhance the security and usability of authentication. During authentication, the user must slide the map so that every point on the password path falls within the predetermined verification grid. This thwarts shoulder surfing by making it difficult for an observer to pinpoint the verification grid selected by the user. As shown in Figure 11, by integrating the password path with the verification grid and employing map slipping, the scheme improves protection against shoulder-surfing attacks by 37% to 56% and improves password usability by 3% to 6%. Representing password points as coordinates on the map, together with the map-slipping strategy, also reduces the storage burden of the system. The scheme thus attains a balance between usability and security by using map slipping as a defense against shoulder surfing.

2.13. Multi-Factor Authentication (MFA) Scheme

In 2023, Carrillo-Torres, D. et al. [19] put forward an MFA mechanism that relies on image recognition and user-established connections, eliminating the need for additional hardware and ensuring simplicity of use. Integrating textual and graphical elements increases the password space, making the mechanism more resilient to security threats.
As shown in Figure 12, authentication requires users to pick out specific images from a collection of randomly chosen images and to establish a pre-configured relationship between two specific images. A functional prototype was developed and tested by users from various backgrounds through a mobile application available on both Android and iOS. The system demonstrated a 100% success rate in identifying and authenticating users, provided the authentication items and credentials had not been forgotten, and was found to be user-friendly and preferable to common MFA mechanisms.

2.14. Choice-Based Graphical Password (CGP) Scheme

In 2023, Seksak, Hadier, et al. [20] proposed a framework for web applications. As shown in Figure 13, a two-level multi-factor authentication system is used, incorporating both textual and recognition techniques. When a user registers, the system processes the information provided and generates a unique random number for the user. Second, the user selects an image from CGP’s dataset or from their device; CGP then resizes and blurs the image before encrypting it and storing it in the CGP database. The authors argue that the credential is not a single element but a combination of five factors, including the user-specified name, the user ID, and an authorized image with characteristics such as name, size, and quality.
According to the Common Attack Pattern Enumeration and Classification (CAPEC), this combination of components offers robustness against different intrusion attempts and makes unauthorized deduction considerably difficult. The performance assessment of the CGP system revealed substantial enhancements: a 36% increase in password space, a 33% increase in possible password permutations, and a 36% increase in randomness in comparison to prior methods. The authors report that their methodology produced passwords that are not only secure and easily memorable but also user-centric and resource-efficient.

2.15. PassPoint Selection of Automatic Graphical Password Based on Histogram

Safa F. Abbas and Lahieb M. Jawad, in 2023 [21], suggested a graphical password-based authentication approach in which the password points are computed by histogram arithmetic and then hashed with SHA-512 (the paper calls this encryption, but SHA-512 is a one-way hash function, not a cipher). The system was implemented as an Android application and evaluated against the current literature on metrics such as login time, password space, and entropy. According to the results, the proposed system performs more than 85% better in login latency and more than 72% better in entropy than the reference work [21].
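What storing password points as a bare SHA-512 digest gives an attacker, as an added example written for this survey (not code from Abbas and Jawad [21]; their histogram arithmetic is not on the page, so the click points below are constructed). The example assumes a 320 × 240 image quantized into 16-pixel cells, giving a 20 × 15 grid, and a two-point password. It shows the offline guessing attack against the unsalted digest, and beside it a salted, iterated PBKDF2-HMAC-SHA512 record as the form a practitioner would store instead; the KDF and salt are this example's additions, not part of the scheme.

```python
"""SHA-512 click-point record, its brute-force recovery, and a KDF-based record."""
import hashlib
import hmac
import itertools
import os
from typing import List, Optional, Tuple

Point = Tuple[int, int]
CELL = 16                                   # tolerance: clicks in one cell are equal
GRID_W, GRID_H = 320 // CELL, 240 // CELL   # 20 x 15 cells (assumption)


def quantize(points: List[Point]) -> List[Point]:
    """Map pixel coordinates to grid cells so slightly different clicks match."""
    return [(x // CELL, y // CELL) for x, y in points]


def encode(cells: List[Point]) -> bytes:
    """Fixed-width, order-preserving byte encoding of the cell sequence."""
    return b"".join(x.to_bytes(2, "big") + y.to_bytes(2, "big") for x, y in cells)


def sha512_record(points: List[Point]) -> str:
    """What a scheme that 'encrypts with SHA-512' actually stores: a plain digest."""
    return hashlib.sha512(encode(quantize(points))).hexdigest()


def brute_force_sha512(digest: str, n_points: int) -> Tuple[Optional[List[Point]], int]:
    """Offline guessing attack on the unsalted digest: enumerate every ordered
    sequence of n_points cells. Returns (recovered cells, hashes tried)."""
    cells = [(x, y) for x in range(GRID_W) for y in range(GRID_H)]
    tried = 0
    for guess in itertools.product(cells, repeat=n_points):
        tried += 1
        if hashlib.sha512(encode(list(guess))).hexdigest() == digest:
            return list(guess), tried
    return None, tried


def kdf_record(points: List[Point], salt: Optional[bytes] = None,
               iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, slow alternative: PBKDF2-HMAC-SHA512 over the same encoding."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", encode(quantize(points)), salt, iterations)
    return salt, key


def kdf_verify(points: List[Point], salt: bytes, key: bytes,
               iterations: int = 200_000) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    cand = hashlib.pbkdf2_hmac("sha512", encode(quantize(points)), salt, iterations)
    return hmac.compare_digest(cand, key)


if __name__ == "__main__":
    secret = [(130, 45), (300, 210)]          # constructed click points
    found, tried = brute_force_sha512(sha512_record(secret), 2)
    print(f"recovered cells {found} after {tried} SHA-512 evaluations "
          f"(space = {(GRID_W * GRID_H) ** 2})")
```

The enumeration recovers the two cells in at most 90,000 hash evaluations, a fraction of a second. PBKDF2 raises the cost of each guess by the iteration count and the salt defeats precomputed tables, but neither enlarges the password space, which here is fixed by the grid and the number of points; that is why the password space and entropy figures reported by the paper are the metrics that matter, and why an online rate limit must back whatever hash is stored.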

3. Possible Vulnerabilities in Systems for Graphical Password Schemes

A total of 19 security attacks are reported against the graphical password schemes. Table 1 lists the types of security attacks and the graphical password schemes affected by each; each attack is discussed below.
Individuals sometimes include personal information in their graphical passwords to make them easier to remember, which makes them more susceptible to guessing attacks [22]. Although the success of these attacks depends on how accurate the guess is, they remain a major concern.
Chart 1 clarifies the relationship between the type of scheme and the attacks to which it is exposed; some types of threat affect several schemes.
A spyware attack installs malicious software on a user’s device to record their information and actions [23]. A screen scraper is a type of spyware that records everything a user does on the screen.
Shoulder surfing entails watching someone use a computer or mobile device to enter a password, in order to gain access to that person’s confidential or sensitive data [24]. It usually happens in busy public areas. Shoulder surfing can be carried out in a variety of ways, such as direct visual observation or recording the entire login process [25].
In a video-recording attack, an attacker needs only a camera-equipped device to capture the victim while they enter their password [26]; the attacker can then replay the video to recover the password.
In a filtering attack, an attacker manipulates or filters network traffic to either prevent specific data from reaching its target or alter its content. Filtering attacks can serve malicious purposes in a variety of ways, such as redirecting traffic to malicious websites, altering data in transit, and blocking access to specific websites or services. A common example is a content-filtering attack, in which the attacker intercepts and modifies Internet content before it reaches the user’s browser; this can be used to insert malicious scripts, advertisements, or phishing links into seemingly trustworthy websites [27].
A reverse engineering attack dissects a technology, software, or system to comprehend its inner workings, functionality, and design, often to obtain confidential data or to exploit security vulnerabilities. Such an attack breaks down and analyzes a system or product to reveal its underlying code, protocols, algorithms, or other confidential information.
Attacks utilizing reverse engineering can target a variety of technological targets, such as communication protocols, hardware, and software [28].
A multiple observation attack constitutes a form of cyber intrusion where a malicious actor acquires seemingly innocuous data fragments from various sources, such as social networking profiles, publicly available databases, or compromised data. Consequently, the malicious actor utilizes sophisticated analytical techniques to correlate and examine this data, revealing sensitive information, identifying potential system vulnerabilities, or executing a more effective targeted attack [29].
A keylogger/mouse logger attack, also referred to as keystroke logging, is a type of cyberattack that records a person’s keystrokes and mouse movements on a computer system or portable device using malicious software or hardware from (Website: www.us-cert.gov (accessed on 22 February 2023)). Cybercriminals commonly use this form of assault to unlawfully obtain sensitive information such as credit card details, passwords, and other confidential data.
Keyloggers may be introduced into a specific system through various means, including physical access to the device, phishing emails, infected attachments, and compromised web pages. Subsequent to its deployment, the keylogger functions surreptitiously in the background, clandestinely capturing all keyboard and mouse inputs executed by the user [30].
A brute force attack, as described in [31], involves testing every conceivable combination or passphrase until the right one is discovered in an effort to guess a password. Brute force attacks typically target passwords that contain a small character set. A brute force assault can also be initiated using a set of faked fingerprint information. Optical character recognition (OCR) can be used by attackers to carry out a brute force attack against captchas, a kind of graphical password.
Three different forms of insider risks can be distinguished: compromised insider threats, careless insider threats, and malevolent insider threats. When an employee of the organization engages in resource mismanagement, divulges confidential information, or engages in actions that go against the establishment’s core beliefs, this is when the deceptive insider danger materializes. When an employee disregards established security measures, it can lead to a careless insider threat, which increases the scope of vulnerabilities and puts the organization’s assets at risk of prospective attacks. A prime illustration of a negligent insider attack includes actions like using default passwords, keeping computers running unattended without shutting down, and postponing installing security updates. A compromised insider threat is an extremely complex type of assault that manages to get past all security measures, including firewalls and intrusion detection systems and enters privileged areas of the company’s network [32].
According to [33], a dictionary attack is a password-cracking technique in which the attacker uses knowledge of user behavior to build a list of likely passwords (a dictionary) and tries each one. Candidates are tried in a systematic order, most likely first, so that the expected number of attempts before success is minimized.
Social engineering attacks deceive individuals into revealing personal data, or misuse that data for malicious purposes [34]. Little technical expertise is needed, because the victim is tricked into handing over the data. Phishing is the most common social engineering technique: a maliciously altered copy of a website is presented to the user, who enters their login credentials into it. The copy is produced either by replicating the original website or by intercepting the server’s response to the user’s request [35].
An SQL injection attack [36] exploits a weakness in a web application that lets an attacker inject SQL statements into the queries the application sends to its database, resulting in unauthorized reading, alteration, or deletion of data.
Computer vision attacks make use of artificial intelligence (AI) techniques. A system with computer vision capabilities is fed a live stream or a previously recorded video of the user [37]. The system tracks the user’s finger movements as seen by the camera, reconstructs the fingertip trajectory, transforms it into the user’s (screen) perspective, infers several candidate patterns, and ranks them according to predetermined criteria. The result is a ranked list of candidate graphical passwords handed to the threat actor [38].
An attacker with physical access to the server or database may launch an image gallery attack [39]. With this access, the attacker can replace or modify the images used during authentication, login, or registration, bypassing the authentication constraints. Furthermore, with direct server access the threat actor may be able to log in as any user.
Finally, a sonar attack can be launched using the microphone and speakers built into every mobile device. It uses recorded sound waves to identify the user’s unlocking motion and infer the pattern drawn. A malicious application emits a tone, typically inaudible to most people, and records it with the device’s microphone. After processing to remove static noise, the captured audio is used to compute the relative movement of the fingertip and deduce the pattern lines. Candidate patterns are then generated from the inferred lines, ranked, and sent to the attacker [40].
A replay attack (also called a playback attack) is a network attack in which a valid data transmission is maliciously repeated or deliberately delayed. It can be carried out by the original sender or by an adversary who intercepts and retransmits the data, often combined with spoofing of the source IP address. It is considered one of the more basic forms of man-in-the-middle attack [41].
Data interception, the “man-in-the-middle” attack, sometimes referred to as sniffing or eavesdropping, is the practice of listening in on the communication between user and server. An attacker can try to access a user’s account either by intercepting the information the user sends to the server and decrypting it, or by intercepting the user’s request and replaying it to the server at a later time [42].
A histogram manipulation attack is a technique utilized to manipulate images by altering the distribution of pixel intensity values within the image’s histogram. The histogram offers a visual depiction of the distribution of various levels of intensity, like brightness or color, found in the image. Through a histogram manipulation attack, a perpetrator can adjust the image’s histogram to achieve various objectives, including emphasizing or diminishing specific features, hiding information, or evading detection by image analysis algorithms. Through the manipulation of the histogram, an attacker can clandestinely embed data in a manner that is challenging for the naked eye or conventional image analysis tools to detect. Instances of attacks involving histogram modification can also be employed for malicious purposes, such as deceiving image recognition systems or fabricating images [43].

4. Countermeasures and Mitigation Strategies

The following presents the countermeasures introduced to address the security attacks on graphical passwords.

4.1. Guessing Attack

Countermeasures Against Guessing Attacks:
  • Randomization Technique: One way to mitigate guessing attacks is randomization. The “Click-based Captcha as a Graphical Password (CaRP)” system [44] generates a new random challenge image for every login session, so the image containing the password characters is never the same twice.
  • ClickText Scheme: In the “ClickText” scheme of the CaRP family, the characters in the challenge image are placed in random order, and alphanumeric characters are mixed with special symbols. This added randomness enlarges the challenge and deters attackers from guessing the right password [44].
  • AnimalGrid Scheme: Another CaRP scheme, “AnimalGrid”, uses 2D images of animals for authentication. It works like ClickText, and the variety of images together with their random placement makes it even more resistant to guessing attacks [44].
Thus, through the randomization techniques and schemes above, the risk of guessing attacks against a graphical password system decreases, and the overall security of the system improves.

4.2. Spyware Attack

Mitigations against spyware attacks include randomizing the authentication interface, embedding a test in the authentication step that automated software cannot pass, and using alternative forms of input during authentication. For instance:
  • Randomization: Randomization is applied in the coin passcode graphical password authentication scheme of [45], one of two mobile authentication approaches proposed there (the other, AuthMobile, is a hybrid graphical-password mobile authentication approach). Users verify the coins by entering the correct passcode. Each of the six inputs has its own keypad, labelled a, b, c, d, e and f, and the keypads are re-randomized in every iteration, so spyware that records which positions were touched does not learn the passcode; this randomization resists spying and helps keep the device secure.
  • Performing Tests during Authentication: Credentials captured by spyware are only useful to an attacker if they can later be submitted, usually by automated tooling. Several papers [11,16] therefore include a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) in the authentication step.
The papers differ only in small details of how the test is applied: all of them present challenges that today’s AI and automated systems are yet to solve, adding a further barrier against spying or automated break-in.

4.3. Shoulder Surfing Attack

Countermeasures Against Shoulder Surfing Attacks:
Obfuscation: This method hides authentication information from observers. The actual input is concealed or encoded during authentication; for instance, instead of typed letters, the password images are displayed among decoy images, which makes it difficult for an observer to tell which images are the real ones. Two schemes in this category are Secure Graphical One-Time Password (GOTPass) [4] and EvoPass [46].
  • GOTPass: It employs the WYSWYE (Where You See Is What You Enter) strategy. Users do not click their password images; instead, they enter a response on a grid according to where the images appear. Onlookers only see seemingly arbitrary points on the response grid being touched, so the password cannot be recognized.
  • EvoPass: This method alters the chosen password images to generate “decoy sets” that are dynamic in nature, transforming the images into sketches from which recognizable information is gradually removed. Users can go back to previously saved, more detailed versions if they have trouble recognizing the evolved pass-sketches.
Randomization: Randomization changes the positions or arrangement of the password elements so that a shoulder surfer cannot capture the actual password from what is shown on screen. Two examples are the Coin Passcode Model and the 2D Coordinates System [47].
  • Coin Passcode Model: It combines colors, numerical values, and icons to form different passcodes. The components of the passcode are rearranged each time to improve security against shoulder-surfing and brute force attacks, so the user’s interaction with the interface does not disclose the true passcode.
  • 2D Coordinates System: It uses random 2D coordinates both to protect the pictures and to create the password. During login, the images presented at the x and y coordinates are switched randomly, so the original image cannot be identified from what is observed, which shields against shoulder-surfing attacks.
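As an added illustration of the randomization that CaRP (Section 4.1), the coin passcode scheme (Section 4.2) and the 2D Coordinates System (Section 4.3) have in common, the following model is example code written for this review, not the implementation of any of the surveyed schemes. The class and function names, the 6 × 6 grid of 36 symbols and the one-shot session rule are assumptions made for the illustration. The server shuffles the grid for every session, so the click positions captured by a guesser, a shoulder surfer or spyware map to different symbols next time, and a session that has been consumed cannot be replayed:

```python
import hashlib
import hmac
import secrets
import string

# Added example (not code from [44], [45] or [47]): a minimal server-side model of a
# challenge grid that is re-shuffled for every login session. The names, the 6 x 6 grid of
# 36 symbols and the one-shot session rule are choices made for this illustration.

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols -> a 6 x 6 grid
GRID = 6


class ChallengeServer:
    """Stores the password as a salted PBKDF2 hash and issues one fresh random layout per session."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._sessions = {}          # session id -> layout (list of 36 symbols, row-major)

    def _hash(self, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self._salt, 100_000)

    def new_session(self, rng=None):
        """Return (session_id, layout). A CSPRNG shuffles the layout; a seeded
        random.Random may be passed in for reproducible experiments only."""
        rng = rng or secrets.SystemRandom()
        layout = list(ALPHABET)
        rng.shuffle(layout)
        sid = secrets.token_hex(8)
        self._sessions[sid] = layout
        return sid, layout

    def verify(self, sid: str, clicks) -> bool:
        """clicks: the (row, col) cells the user clicked, in order. Each session is one-shot,
        so the same clicks cannot be submitted twice, even before the layout changes."""
        layout = self._sessions.pop(sid, None)
        if layout is None:
            return False
        if not all(0 <= r < GRID and 0 <= c < GRID for r, c in clicks):
            return False
        typed = "".join(layout[r * GRID + c] for r, c in clicks)
        return hmac.compare_digest(self._hash(typed), self._pw_hash)


def cells_for(layout, password: str):
    """What the legitimate user does: locate each password symbol in the layout shown to them.
    (Password symbols must come from ALPHABET.)"""
    return [divmod(layout.index(ch), GRID) for ch in password]


if __name__ == "__main__":
    server = ChallengeServer("K7Q2")
    sid, layout = server.new_session()
    clicks = cells_for(layout, "K7Q2")          # what an observer would record
    print("legitimate login:", server.verify(sid, clicks))
    print("same session again:", server.verify(sid, clicks))
    sid2, _ = server.new_session()
    print("recorded clicks in a new session:", server.verify(sid2, clicks))
```

The recorded clicks succeed in a new session only if the four cells happen to hold the same symbols again (probability 1/(36·35·34·33) for a 4-symbol password), which is the effect the randomization schemes above rely on.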

4.4. Video Recording Attack

Any element of randomness or distortion that creates visual complexity to deceive an adversary is useful. To this end, a graphical password scheme called RiS (Rotating into Sector) was proposed in [48], together with a text-based variant called T-RiS (Rotating into Sector Based on Texts). Like RiS, T-RiS has an LR1 login mode and, with its three concentric rings, provides a higher level of security. Only the user knows the position of the line or sector, and it changes at random for every character entered, so an attacker replaying a video recording of the login cannot read the password off the screen. This makes it considerably harder to capture the password through video recording.

4.5. Filtering Attack

Here are some countermeasures that can help defend against filtering attacks [49].
  • Use encryption and authentication wherever possible to protect data streams. An attacker who cannot read the messages cannot selectively filter out particular content, just as HTTPS prevents inspection of web traffic.
  • Improving network security:
    - Employ network redundancy. If connections in one part of the network are lost to filtering, alternative connections should already be in place.
    - Spread communication over several channels rather than concentrating it on one protocol, port or connection.
    - Verify the source and authenticity of all received messages. In particular, use checksums, hashes and similar mechanisms so that any alteration of the original data is detected, and where attainable transmit more sensitive messages over separate physical buses.
    - Close communication ports/protocols that are not needed, especially those frequently targeted by attackers.

4.6. Reverse Engineering Attack

Some of the measures that an organization can take to protect against reverse engineering attacks include the following [50].
  • Code obfuscation: It makes it more difficult for an attacker to reverse engineer the code.
  • Legal: Organizations should seek legal protection for their code, such as copyright law and end-user license agreements.
  • Control of source code and encryption: Organizations should use strong access controls and encryption to prevent an attacker from gaining access to confidential information.

4.7. Multiple Observations Attack

To resist multiple observation attacks, firms and individuals should exercise caution when revealing sensitive data online. They should regularly monitor and adjust the privacy settings of social networking sites, use stronger authentication methods, and adopt protective measures such as encryption, access restrictions on data, and monitoring tools that help prevent data collection and analysis by malicious parties. It is also advisable to teach employees and users how attackers combine multiple observations of disclosed personal data to mount a successful attack [51].

4.8. Key/Mouse Logger Attack

Key/mouse logger attacks need to be countered at both the user and the organizational level. Precautions include installing reputable antivirus and anti-malware software, keeping operating systems and applications up to date, not opening emails or attachments from unknown senders, not sharing passwords and related information with others, and following good security practices with electronic devices. Additional layers of security, such as multi-factor authentication and encryption, further limit the damage a logger can do [52].

4.9. Brute Force Attack

Measures for controlling brute force attacks include randomization, a large password space, additional layers of authentication, and limiting the number of attempts. Here are some examples:
  • Randomization: The pass-matrix scheme of [12] provides a login area in which users select alphanumeric characters from an 8 × 8 matrix. The columns of the matrix are transposed for every login session, so the layout changes each time. This mutating graphical password scheme resists brute-force attacks, which rely on repeating guesses in a loop against a fixed layout.
  • Large Password Space: The vibration and pattern (VAP) code proposed in [53] is an instance of a large password space. It combines two quite different input modalities, and the resulting password space shields against brute force attacks.
These countermeasures work together to enhance security through extra layers of authentication, randomness and complexity, making it very difficult for attackers to obtain passwords by trial and error.

4.10. Insider Threats

Here are some key countermeasures against insider threats [54].
  • Perform background checks and screening of employees: This can help identify higher-risk employees, for instance, those with a criminal record or financial difficulties.
  • Limit access and implement segregation of duties: As a general rule, no employee should have access to data or systems beyond what their position requires.
  • Monitor and analyze user activity: Auditing and monitoring tools such as data loss prevention, user behavior analytics, and similar instruments can reveal malicious or unauthorized activity, transfers of sensitive information, policy violations, and similar events.
  • Enforce endpoint security controls: Device and network segmentation, firewalls, antivirus, sandboxing, and restricting USB ports help to combat data leakage and, hence, reduce the loss a company would suffer.
  • Institute robust incident response and investigation capabilities: A dedicated team and processes should be in place to evaluate an insider incident thoroughly once it is detected and to contain and remove the threat effectively.

4.11. Dictionary Attack

Methods that add complexity and randomization to the authentication process serve as countermeasures against dictionary attacks.
  • Conundrum-Pass: In this technique, described in [6], the user chooses an image and a whole number n; the image is divided into an n × n matrix of chunks, and the user selects chunks in a chosen order to form the pattern. After each login session the arrangement of the chunks is shuffled at random. To unlock the screen, the previously chosen chunks must be selected one by one in the correct sequence. The random re-arrangement of the chosen patterns makes the scheme resistant to dictionary attacks.
  • Spin-Wheel-Based Authentication: Another countermeasure, highlighted in [15], is the spin-wheel-based graphical authentication mechanism. It provides a large password space that cannot easily be covered by a dictionary attack. The interface consists of four small spin wheels, each with 36 slots labelled 1 through 36 in an irregular order. The user sets a password by selecting four numbers from the sub-wheels and enters them in sequence by rotating the main wheel. The randomness and disorder built into the password make it difficult to crack with a dictionary attack.
These countermeasures place barriers in the attacker’s path so that even an attacker holding a prepared list of passwords cannot guess most passwords by elimination.
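The “large password space” argument of Sections 4.9 and 4.11 can be made concrete. The following is example code added for this review, not from [6], [12], [15] or [53]; the grid sizes, guess rates and lockout parameters are assumptions chosen for illustration. It computes the space of an ordered selection of chunks (Conundrum-Pass), of independently chosen positions (the spin wheel, a PIN), the corresponding entropy, and the expected time an online brute-force attacker needs with and without attempt limiting:

```python
import math

# Added example (not from [6], [12], [15] or [53]): sizes of the password spaces behind the
# "large password space" countermeasures, and what that size buys against online brute force
# with and without attempt limiting. Grid sizes, rates and lockouts are illustrative.


def ordered_selection_space(n_cells: int, k: int) -> int:
    """Ordered selection of k distinct cells out of n_cells, as in Conundrum-Pass, where k chunks
    of an n x n image must be re-selected in their original sequence."""
    return math.perm(n_cells, k) if 0 <= k <= n_cells else 0


def independent_symbol_space(symbols_per_position: int, positions: int) -> int:
    """Each position chosen independently from the same symbol set, as in the spin-wheel scheme
    (four sub-wheels with 36 slots each) or a numeric PIN (ten digits per position)."""
    return symbols_per_position ** positions


def entropy_bits(space: int) -> float:
    """Bits of entropy if every password in the space were equally likely. This is an upper
    bound: real users choose non-uniformly, which is exactly what dictionary attacks exploit."""
    return math.log2(space)


def expected_online_time(space: int, guesses_per_second: float,
                         lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Expected seconds for an online brute-force attacker to hit the right password (half the
    space on average), optionally paying lockout_seconds after every lockout_after failures."""
    guesses = space / 2
    seconds = guesses / guesses_per_second
    if lockout_after > 0:
        seconds += (guesses / lockout_after) * lockout_seconds
    return seconds


def scheme_comparison() -> dict:
    """Password spaces of the schemes discussed above next to a 4-digit PIN baseline:
    name -> (space, entropy bits rounded to one decimal)."""
    schemes = {
        "4-digit PIN": independent_symbol_space(10, 4),
        "Conundrum-Pass, 4x4 grid, 4 chunks in order": ordered_selection_space(16, 4),
        "Conundrum-Pass, 5x5 grid, 6 chunks in order": ordered_selection_space(25, 6),
        "Spin wheel, 4 sub-wheels x 36 slots": independent_symbol_space(36, 4),
    }
    return {name: (space, round(entropy_bits(space), 1)) for name, space in schemes.items()}


if __name__ == "__main__":
    for name, (space, bits) in scheme_comparison().items():
        print(f"{name:48s} {space:>12,d}  {bits:5.1f} bits")
    wheel = independent_symbol_space(36, 4)
    print("spin wheel, 100 guesses/s, no lockout:   %.0f s" % expected_online_time(wheel, 100))
    print("spin wheel, 5-strike 5-minute lockout:   %.0f s" % expected_online_time(wheel, 100, 5, 300))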

4.12. Social Engineering Attack

Countermeasures against Social Engineering Attacks:
  • User Awareness: Most social engineering attacks succeed only with the cooperation of the user at the endpoint, so prevention is largely in the user’s hands. Users should be encouraged to develop a security mindset so that they recognize threats and the strategies attackers use; the attack tactics can be categorized, with phishing now among the most common.
  • HTTPS Verification: Users can also protect themselves against phishing by checking that the site uses the HTTPS prefix before entering a password. HTTPS indicates that the connection is protected by SSL/TLS. Note that HTTPS only protects the connection; a phishing site can itself be served over HTTPS, so this check needs to be combined with checking which site the certificate was issued to [34].
  • Certificate Verification: The system must also verify the website’s authenticity by checking its digital certificate, which binds a public key to identification data and carries a signature. When a browser connects to a website, it validates the certificate it receives; if the certificate is signed by an untrusted certificate authority, the browser should warn the user. This warning is intended to stop the user entering the correct password into a site that is merely posing as the legitimate one [34].
It is therefore essential for organizations to teach users how to avoid falling prey to such scams, to check that their Hyper Text Transfer Protocol Secure connections are genuine, and to check the validity of the server’s certificate, in order to minimize the likelihood of being redirected to sites set up by attackers.

4.13. SQL Injection Attack

Below are the countermeasures against SQL injection [55].
  • Limit the privileges of the database user account to those the application actually needs. This reduces the damage if an attacker succeeds in launching an SQL injection attack;
  • Use a Web Application Firewall (WAF) to limit the risk of SQL injection attacks;
  • Encrypt sensitive data so that, even if an attacker reaches the data, it is more difficult to read or modify. Applying these countermeasures substantially reduces the threat of SQL injection and improves the protection of the application; note, however, that privilege limits, a WAF and encryption bound the impact of an injection rather than removing the flaw in how the query is built.

4.14. Computer Vision Attack

Countermeasures against computer vision attacks, as explained in [37,38], include the following strategies:
  • Randomizing Pictures: The first is to randomize the pictures so that the position of each touch point changes for every login. This makes the authentication process harder to reconstruct for attackers using computer vision techniques;
  • Dynamic Screen Changes: Some devices can vary the color and brightness of the screen, which hampers covert video recording: the changes confuse the camera and prevent the attacker from obtaining a clear recording;
  • User Education: Users should be advised to shield their fingers while drawing the pattern during authentication. This reduces the information an attacker can obtain from a video recording;
  • Additional On-Screen Activities: Other on-screen activities can be added to the pattern unlocking process. For instance, requiring the user to input a sentence Swype-style or to draw other graphical shapes before or after the pattern adds further layers that a potential attacker must reconstruct;
  • Skipping Dots: When drawing a pattern, users can omit some of the dots in a vertical, horizontal, or diagonal sequence. This intentional skipping makes it difficult for tracking algorithms to determine which dots were deliberately left out and thus complicates computer vision-based attacks.
Together, these countermeasures raise the difficulty and randomness of the authentication process so that it is much harder for an attacker to exploit computer vision to breach security.

4.15. Image Gallery Attack

Countermeasures against Image Gallery Attacks:
  • Watermarking Techniques: To detect image gallery attacks and modifications of images in the gallery, watermarking methods can be applied [39]. Watermarking embeds a distinctive mark in each digital image; a secret key determines the location of the watermark within the image.
  • Verification Using Secret Key: When the user or the system needs to confirm that an image in the gallery is genuine, the secret key is used to extract the watermark from the image and compare it with the expected embedded watermark, which reveals whether the image has been tampered with.
Combining watermarking with secret-key verification improves the security of the image gallery by detecting changes to, or misuse of, the stored images.
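The following is an added worked example of the keyed watermark described above; it is example code written for this review, not the method of [39]. It assumes a toy greyscale image represented as a flat list of 8-bit pixel values (a real deployment would operate on decoded image planes), an image identifier such as a gallery path, and a 128-bit tag. The key selects which pixels carry the tag bits (in their least significant bits) and the tag itself is a keyed hash over the image identity and the upper seven bits of every pixel, so replacing the image, moving it to another identifier, or changing any visible pixel value fails verification:

```python
import hashlib
import hmac
import random

# Added example (not code from [39]): a keyed fragile watermark for an authentication image
# gallery. Images are flat lists of 8-bit greyscale pixels; the image id, key and 128-bit
# tag length are choices made for this illustration.

TAG_BITS = 128


def _content_tag(key: bytes, image_id: str, pixels) -> bytes:
    """Keyed hash binding the image id and the upper 7 bits of every pixel.
    LSBs are excluded because that is where the tag itself is stored."""
    upper = bytes(p >> 1 for p in pixels)
    mac = hmac.new(key, image_id.encode() + b"\0" + upper, hashlib.sha256).digest()
    return mac[: TAG_BITS // 8]


def _positions(key: bytes, image_id: str, n_pixels: int):
    """Key-dependent choice of TAG_BITS distinct pixel indices (the secret watermark location)."""
    if n_pixels < TAG_BITS:
        raise ValueError("image too small to carry the watermark")
    seed = hmac.new(key, b"pos:" + image_id.encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed, "big")).sample(range(n_pixels), TAG_BITS)


def embed(key: bytes, image_id: str, pixels) -> list:
    """Return a copy of the image with the tag written into the LSBs of the chosen pixels.
    Each carrier pixel changes by at most 1, which is visually negligible."""
    out = list(pixels)
    tag = _content_tag(key, image_id, out)
    for i, pos in enumerate(_positions(key, image_id, len(out))):
        bit = (tag[i // 8] >> (7 - i % 8)) & 1
        out[pos] = (out[pos] & 0xFE) | bit
    return out


def verify(key: bytes, image_id: str, pixels) -> bool:
    """Extract the tag with the secret key and compare it with the tag the content should carry."""
    expected = _content_tag(key, image_id, pixels)
    bits = 0
    for pos in _positions(key, image_id, len(pixels)):
        bits = (bits << 1) | (pixels[pos] & 1)
    extracted = bits.to_bytes(TAG_BITS // 8, "big")
    return hmac.compare_digest(extracted, expected)


def toy_image(side: int = 16) -> list:
    """Constructed 16 x 16 greyscale gradient used as sample input (not a real gallery image)."""
    return [(x * 7 + y * 13) % 256 for y in range(side) for x in range(side)]


if __name__ == "__main__":
    key = b"gallery-secret-key"          # would live in a KMS/HSM, never beside the images
    marked = embed(key, "login/cat.png", toy_image())
    print("genuine image verifies:", verify(key, "login/cat.png", marked))      # True
    tampered = list(marked)
    tampered[40] ^= 0x80                  # attacker edits one visible pixel
    print("tampered image verifies:", verify(key, "login/cat.png", tampered))   # False
    print("image swapped to another slot:", verify(key, "login/dog.png", marked))  # False
```

Because the tag covers only the upper seven bits, an edit confined to least-significant bits outside the carrier positions is not detected; if that matters, store a hash of the full marked image alongside it at the database level, as the histogram manipulation countermeasures in Section 4.19 also recommend.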

4.16. Sonar Attack

Countermeasures against Sonar Attacks:
  • Limiting microphone use in the background: Restricting background access to the microphone while a pattern is being drawn is one way to counter sonar attacks [40]. Without the microphone, the attacker cannot record the acoustic signals and thus cannot identify fingertip movements on the screen.
  • Randomization of Pattern Grid Layouts: Placing the pattern grid at random positions on the screen and varying the spacing between rows or columns makes an attack much harder to mount [40]. The randomization prevents the attacker from building a database that maps movement features at fixed positions to password patterns. However, the effect on user experience, and whether the benefit justifies it, remains an open question.
  • Restricting Frequency Range: Another countermeasure is to limit the operating frequency range of the speaker so that the inaudible signal cannot be transmitted [53]. Similarly, a pop-up notification can inform the user that a high-frequency sound signal has been emitted or received, suggesting a possible side-channel attack.
  • Acoustic Jamming: Another method is jamming in the acoustic channel: deliberate interference prevents the attacker’s signal from being recorded as planned.
These countermeasures aim to improve protection against sonar attacks while taking the user experience into account and informing users of possible attacks.

4.17. Replay Attack

Here are some possible countermeasures against a replay attack (written “reply attack” in some of the surveyed work).
  • Sequence numbers, device names and timestamps: Each packet sent should carry a sequence number and a timestamp. This allows the receiver to detect duplicate or out-of-order packets that may indicate a replay attack.
  • Authentication: Imposing an authentication process or cryptographic protection such as digital signatures on the packets complicates an attack, because the attacker cannot produce valid messages of their own; the receiver can easily tell whether the sender is genuine.
  • Filtering: Networks can also block packets whose source IP addresses lie outside the network, or packets arriving on unused ports/protocols. This makes it harder for an attacker to send spoofed packets.
  • Firewalls and intrusion detection: Firewalls and IDS can be configured to identify suspicious traffic patterns and block the identified intrusions before they succeed.
  • Disable response protocols: Disabling UDP services that answer every request (e.g., chargen, echo) on hosts reduces what an attacker can exploit for replayed or reflected traffic.
The main goals when dealing with replay attacks are to identify and filter spoofed or duplicate packets sent with malicious intent, to prevent amplification of incoming packets, and to restrict the volume of traffic an attacker can generate. The best strategy to achieve this is layered security at the network level [56].

4.18. Data Interception

Defenses against data interception attacks include strong and secure authentication protocols and techniques, in particular randomization, so that an attacker who captures the traffic cannot reuse or mimic the authentic information. Here’s how these countermeasures work:
  • Authentication Protocol: The channel between server and client must be built on a proper authentication protocol. The key idea is that the values exchanged in an authentication session change from session to session, so that authentication data intercepted once cannot be replayed, whether to impersonate the client or to flood the server with the same values in an attempt to “lock out” the genuine client.
  • Hashing Timestamps and Pass-image Components: English and Poet [22] also recommend hashing some of the authentication components, including the timestamps and the data related to the pass-image. Once hashed, these components are hard for an attacker to analyze: even when intercepted, the authentication data look like a random string of characters, which makes them useless to an eavesdropper.
  • Random Location Assignment for Passphrase: English and Poet also propose that the passphrase be placed at a random location in the system space on every authentication attempt [22]. The position of the passphrase thus shifts with each session and is transmitted to the server for checking, together with the session key encrypted with the passphrase. This dynamic location assignment makes the authentication data unique per session and hard to forge, because an attacker would need to intercept many sessions before obtaining a usable one.
Thus, the described countermeasures strengthen existing authentication approaches and protect against eavesdropping, because the intercepted data remain meaningless to the intruder.
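The following is an added example, written for this review and not taken from [22], [41], [42] or [56], of one authentication message protected by the three mechanisms that Sections 4.17 and 4.18 call for: a MAC over the message (authentication), a timestamp (freshness) and a per-message nonce (duplicate detection), with the pass-image selection hashed together with the timestamp and nonce as English and Poet suggest. The JSON wire format, the shared-key MAC, the 30-second freshness window and the sample pass-image cells are assumptions made for the illustration. The server returns a reason string so that each check can be seen rejecting the corresponding attack:

```python
import hashlib
import hmac
import json
import secrets

# Added example (not from [22], [41], [42] or [56]): a single authentication message with
# MAC + timestamp + nonce, and the server-side checks that reject a replayed, stale,
# forged or wrong-credential message. Wire format, key handling and window are illustrative.

WINDOW_SECONDS = 30


def _mac(key: bytes, body: dict) -> str:
    """HMAC over a canonical JSON encoding so that client and server sign the same bytes."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _proof(ts: int, nonce: str, cells) -> str:
    """Hash of pass-image selection + timestamp + nonce: the intercepted value reveals neither
    the cells nor anything reusable in another session."""
    return hashlib.sha256(f"{ts}:{nonce}:{cells}".encode()).hexdigest()


def client_build(key: bytes, client_id: str, pass_image_cells, now: float) -> dict:
    """Client side: fresh nonce, current time, hashed credential, MAC over all of it."""
    nonce = secrets.token_hex(16)
    ts = int(now)
    body = {"client": client_id, "ts": ts, "nonce": nonce,
            "proof": _proof(ts, nonce, pass_image_cells)}
    return {"body": body, "mac": _mac(key, body)}


class Server:
    def __init__(self, key: bytes, cells_by_client: dict):
        self._key = key
        self._cells = cells_by_client     # registered pass-image selections per client
        self._seen = {}                   # nonce -> ts, for duplicate detection

    def verify(self, msg: dict, now: float) -> str:
        body, mac = msg.get("body", {}), msg.get("mac", "")
        # 1. Authentication: nothing else is trusted until the MAC checks out.
        if not isinstance(mac, str) or not mac.isascii() \
                or not hmac.compare_digest(_mac(self._key, body), mac):
            return "bad-mac"
        # 2. Freshness: a captured message is only useful within the window.
        if abs(now - body["ts"]) > WINDOW_SECONDS:
            return "stale"
        # 3. Duplicate detection within the window: the nonce must be new.
        self._expire(now)
        if body["nonce"] in self._seen:
            return "replay"
        self._seen[body["nonce"]] = body["ts"]
        # 4. Credential check against the registered pass-image selection.
        cells = self._cells.get(body["client"])
        if cells is None or not hmac.compare_digest(
                _proof(body["ts"], body["nonce"], cells), body["proof"]):
            return "bad-credential"
        return "ok"

    def _expire(self, now: float) -> None:
        """Nonces older than the window can never be accepted again, so they need not be kept."""
        self._seen = {n: t for n, t in self._seen.items() if now - t <= WINDOW_SECONDS}


if __name__ == "__main__":
    key = b"shared-secret"                       # constructed for the demo
    alice_cells = ((0, 1), (2, 3), (1, 1))       # constructed pass-image selection
    srv = Server(key, {"alice": alice_cells})
    t0 = 1_700_000_000.0
    msg = client_build(key, "alice", alice_cells, t0)
    print("first delivery:", srv.verify(msg, t0 + 1))      # ok
    print("replayed copy: ", srv.verify(msg, t0 + 2))      # replay
    print("delayed copy:  ", srv.verify(msg, t0 + 60))     # stale
```

The nonce cache only needs to cover the freshness window, which is why the timestamp check precedes it; without the window the server would have to remember every nonce it ever accepted.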

4.19. Histogram Manipulation Attacks

Here are some countermeasures against histogram manipulation attacks [57].
  • Implement random generation of the color palette or of the binning algorithm: small differences in the input then produce completely different histograms. The randomization can be performed per image, or groups of images can be randomized together.
  • Blur the image or reduce its contrast so that changes to the histogram are harder to notice. This slightly reduces image quality, which is not always undesirable and can be accepted where necessary.
  • Add or subtract random noise to the pixel values, which alters the histogram shape and makes it difficult for an attacker to manipulate it precisely. Again, this reduces quality.
  • Stamp or highlight critical areas of the image that must remain unchanged with a watermark; the watermark can be extracted later to check that those areas are intact.
  • Monitor the metadata of the image contents, such as hashes and timestamps, at the database level in order to detect tampering across storage systems. This can expose further levels of manipulation.
The core ideas are adding randomness and checking integrity at several levels, which makes precise histogram-targeted attacks very difficult. Combining these countermeasures also yields layered security.
Table 2 summarizes the types of security attacks and their corresponding countermeasures, with a comparative analysis detailing each protective measure’s applicability, implementation cost, and usability.
Here, applicability is the suitability of the countermeasure for preventing the attack, implementation cost is the material and time cost required to implement it, and ease of use is how easily users can apply the countermeasure.

5. Experimental Results

Following [58,59,60,61], the evaluation setup and the metrics used to measure successful attacks are as follows:
  • Testbed: To replicate a real-world environment in which a malicious attacker exploits a hole to invade the system, we created a deliberately vulnerable web application on a virtual machine;
  • Attack Scenarios: The following attack scenarios were used to evaluate each protective measure:
    • SQL Injection Attack;
    • Reverse Engineering Attack;
    • Brute Force Attack;
    • Image Gallery Attack.
  • Protective Strategies: The following protective strategies were employed so that their effectiveness could be investigated:
    • Encryption and Authentication;
    • Web Application Firewall (WAF);
    • Dynamic Screen Changes and Randomness;
    • Image Watermarking and Encryption;
    • Filtering and Authentication.
  • Evaluation Metrics: The efficiency of each protective strategy was assessed with the following measures:
Attack Success Rate (ASR): the proportion of attack attempts that achieve their goal despite the protective strategy.
Attack Detection Rate (ADR): the proportion of attack attempts that the protective strategy detects.
False Positive Rate (FPR): the proportion of benign activity wrongly flagged as an attack, i.e., false alarms.
Response Time (RT): the time taken to respond once an attack has been detected.
Experimental Results:
Encryption and Authentication:
  • ASR: 0% (no attack succeeded);
  • ADR: 100% (all attacks were detected);
  • FPR: 0% (no false alarms);
  • RT: 0.5 s (median response time).
Web Application Firewall (WAF):
  • ASR: 20% (4 of the 20 attacks succeeded);
  • ADR: 80% (16 of the 20 attacks were detected);
  • FPR: 10% (2 false alarms);
  • RT: 1.2 s (average response time).
Dynamic Screen Changes and Randomness:
  • ASR: 10% (2 of the 20 attacks succeeded);
  • ADR: 90% (18 of the 20 attacks were detected);
  • FPR: 5% (1 false alarm);
  • RT: 0.8 s (mean response time).
Image Watermarking and Encryption:
  • ASR: 15% (3 of the 20 attacks succeeded);
  • ADR: 85% (17 of the 20 attacks were detected);
  • FPR: 10% (2 false alarms);
  • RT: 1.5 s (average response time).
Filtering and Authentication:
  • ASR: 25% (5 of the 20 attacks succeeded);
  • ADR: 75% (15 of the 20 attacks were detected);
  • FPR: 15% (3 false alarms);
  • RT: 2.1 s (average response time).
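To make the four metrics concrete, the Python below computes ASR, ADR, FPR and RT from a per-request event log and reproduces the WAF row above from a constructed log. This is an added example written for this page, not the authors' evaluation harness. Three things in it are assumptions rather than statements of the paper: the 20 benign requests used as the FPR denominator, the individual response times (chosen so that their mean is 1.2 s), and the choice that the 4 undetected attacks are the 4 that succeeded. The second run shows the edge case of a strategy that detects nothing, where RT is undefined rather than zero.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One request seen by the testbed during an evaluation run."""
    kind: str                          # "attack" or "benign"
    detected: bool                     # the protective strategy raised an alert
    succeeded: bool                    # the attack reached its goal (False for benign)
    response_time_s: Optional[float]   # seconds from alert to response; None if no alert


def attack_success_rate(events: List[Event]) -> float:
    """ASR: share of attack attempts that succeed despite the protection."""
    attacks = [e for e in events if e.kind == "attack"]
    return sum(e.succeeded for e in attacks) / len(attacks)


def attack_detection_rate(events: List[Event]) -> float:
    """ADR: share of attack attempts for which an alert was raised."""
    attacks = [e for e in events if e.kind == "attack"]
    return sum(e.detected for e in attacks) / len(attacks)


def false_positive_rate(events: List[Event]) -> float:
    """FPR: share of benign requests wrongly flagged as attacks (false alarms).
    Assumption of this example: benign requests are the denominator."""
    benign = [e for e in events if e.kind == "benign"]
    return sum(e.detected for e in benign) / len(benign)


def mean_response_time(events: List[Event]) -> Optional[float]:
    """RT: mean seconds from detecting an attack to responding to it.
    None when no attack was detected: a strategy that sees nothing has no RT."""
    times = [e.response_time_s for e in events
             if e.kind == "attack" and e.detected and e.response_time_s is not None]
    return mean(times) if times else None


def evaluate(events: List[Event]) -> Dict[str, Optional[float]]:
    """All four metrics for one protective strategy's run."""
    return {
        "ASR": attack_success_rate(events),
        "ADR": attack_detection_rate(events),
        "FPR": false_positive_rate(events),
        "RT": mean_response_time(events),
    }


def waf_run() -> List[Event]:
    """Constructed log matching the WAF row: 20 attacks (16 detected and blocked,
    4 missed and successful) plus 20 benign requests, 2 of them false alarms."""
    detected = [Event("attack", True, False, 1.0 if i % 2 == 0 else 1.4) for i in range(16)]
    missed = [Event("attack", False, True, None) for _ in range(4)]
    benign = [Event("benign", i < 2, False, 0.9 if i < 2 else None) for i in range(20)]
    return detected + missed + benign


def undetected_run() -> List[Event]:
    """Constructed edge case: nothing is detected, every attack succeeds."""
    attacks = [Event("attack", False, True, None) for _ in range(20)]
    benign = [Event("benign", False, False, None) for _ in range(20)]
    return attacks + benign


if __name__ == "__main__":
    for name, run in (("WAF", waf_run()), ("no detection", undetected_run())):
        m = evaluate(run)
        print(name, {k: (None if v is None else round(v, 3)) for k, v in m.items()})
```

Response times of false alarms are deliberately excluded from RT, since the metric is defined over detected attacks; keeping the benign requests in the log is what makes FPR well defined at all.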

6. Discussion

A physical observation attack is a procedure for gaining access to classified information or breaching security by directly watching a subject or its environment, and it is also used against classified applications [62]. In this category, people or organizations compromise data or physical equipment through direct observation; shoulder surfing belongs here. SQL injection attacks insert unauthorized SQL statements into an application's existing queries, giving attackers free access to the database. A technical observation attack, by contrast, uses tools, techniques, and technologies to gather data without touching the target: it observes or collects data about a target system, network, or data set unobtrusively. This category covers video recording with a camera, image gallery and sonar attacks, eavesdropping, and attacks based on computer vision. Malware attacks use a malicious application to corrupt a computer, network, or device, for example to steal information; within the malware family, spyware attacks are among the most common. Social engineering attacks are the clearest illustration of human manipulation techniques. In a password attack, an attacker tries to break into an account or system by guessing the password or acquiring it in some other way; this class includes brute force attacks, simple numeric guessing, and dictionary attacks. Finally, a histogram manipulation attack alters an image's histogram either so that it can carry a concealed message or so that the image's characteristics appear to be of a different nature.
Randomization stands out as a common and strongly effective countermeasure against several attack types, with the exceptions of social engineering and image gallery attacks. Large password spaces, by contrast, counter brute force and dictionary attacks by multiplying the number of potential combinations. Complexity acts as a countermeasure by making passwords harder to observe and harder to recognize programmatically, which is particularly helpful against video recording and computer vision attacks. Spyware attacks are most efficiently addressed with varied input methods: these introduce variation into users' interactions with the device and disrupt the consistency on which attackers depend.
Specific countermeasures tied to particular attack types include encryption and behavioral analysis. Some limitations were encountered during the research. First, there are still no uniform recommendations for applying graphical password systems, so comparison with other studies is difficult. Second, the survey covers only articles released up to 2023; studies published after 2023 could also be valuable. Third, our focus on the security attacks and countermeasures of graphical passwords leaves out other password types, such as PINs. Nevertheless, drawing on our review, this study provides a useful generalization of the state of research in this field and points to further research prospects for overcoming these limitations.

7. Conclusions and Future Research

This survey provides a deeper analysis of the security threats perpetrated against graphical passwords and of their respective security mechanisms. The survey identified 16 articles through a broad search using the stated keywords, and from them we enumerated a total of nineteen types of security attack affecting graphical password systems.
Among the identified attacks, shoulder surfing, spyware, and brute force attacks were the most common. However, the approaches described in the studies fall short of completely eliminating all kinds of attacks. In addition, several prior works are limited in scope, addressing only certain categories of attack or a certain period of time. Since attacks are now more complex and progressive, we have organized the list of attacks together with their countermeasures and the findings of the reviewed research. A closer look at the articles under consideration has revealed the wide range of security threats that graphical password systems are likely to face.
These threats range from complicated issues, such as SQL injection attacks, to basic ones, such as brute force and shoulder surfing attacks. These vulnerabilities show that more research is needed in this area and that new techniques must be developed for the use of graphical passwords. On the defensive side, randomization appears to be the most common and frequently implemented technique for raising the security level of graphical password schemes. Randomization removes a weakness by fragmenting and reshuffling the password images, making it exceedingly difficult for an attacker to remember the new pass-image, guess it, or capture it with computer vision assistance.
Nevertheless, with regard to countermeasures, some specific features remain critical to security attacks and to new, constantly developing technologies. This synthesis of the information and results obtained by researchers shows the need for a comprehensive approach to the design of graphical passwords. Moving forward, one must consider not only the technical flaws and weaknesses but also the people, the functionality, and the user interfaces. Effective countermeasures require combined input from security specialists, psychologists, and designers who acknowledge the interactions among the various aspects of protecting graphical password systems.
Regarding future research, security attacks are becoming more and more sophisticated through the use of deep learning; more attention and research are therefore needed to protect users and their personal information and data from further threats.

Author Contributions

Conceptualization, Z.M.S. and A.T.S.; methodology, O.Z.A.; software, A.K.F.; validation, Z.M.S., A.T.S. and O.Z.A.; formal analysis, A.K.F.; investigation, O.Z.A.; resources, A.T.S.; data curation, Z.M.S.; writing—original draft preparation, Z.M.S.; writing—review and editing, O.Z.A.; visualization, A.K.F.; supervision, O.Z.A.; project administration, A.T.S.; funding acquisition, A.K.F. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

No External Data.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Adebimpe, L.A.; Ng, I.O.; Idris, M.Y.I.; Okmi, M.; Ku, C.S.; Ang, T.F.; Por, L.Y. Systemic Literature Review of Recognition-Based Authentication Method Resistivity to Shoulder-Surfing Attacks. Appl. Sci. 2023, 13, 10040. [Google Scholar] [CrossRef]
  2. Yasser, Y.A.; Sadiq, A.T.; AlHamdani, W. Honeyword Generation Using a Proposed Discrete Salp Swarm Algorithm. Baghdad Sci. J. 2023, 20, 0357. [Google Scholar] [CrossRef]
  3. Khot, R.A.; Kumaraguru, P.; Srinathan, K. WYSWYE: Shoulder surfing defense for recognition based graphical passwords. In Proceedings of the 24th Australian Computer-Human Interaction Conference, Melbourne, Australia, 26–30 November 2012; pp. 285–294. [Google Scholar] [CrossRef]
  4. Nagothu, D.; Chen, Y.; Blasch, E.; Aved, A.; Zhu, S. Detecting Malicious False Frame Injection Attacks on Surveillance Systems at the Edge Using Electrical Network Frequency Signals. Sensors 2019, 19, 2424. [Google Scholar] [CrossRef]
  5. Ho, P.F.; Kam, Y.H.-S.; Wee, M.C.; Chong, Y.N.; Por, L.Y. Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information. Sci. World J. 2014, 2014, 838623. [Google Scholar] [CrossRef]
  6. Por, L.Y.; Ku, C.S.; Ang, T.F. Preventing Shoulder-Surfing Attacks using Digraph Substitution Rules and Pass-Image Output Feedback. Symmetry 2019, 11, 1087. [Google Scholar] [CrossRef]
  7. Gokhale, A.S.; Waghmare, V.S. The shoulder surfing resistant graphical password authentication technique. Procedia Comput. Sci. 2016, 79, 490–498. [Google Scholar] [CrossRef]
  8. Islam, A.; Por, L.Y.; Othman, F.; Ku, C.S. A Review on Recognition-Based Graphical Password Techniques. In Computational Science and Technology; Lecture Notes in Electrical Engineering; Alfred, R., Lim, Y., Ibrahim, A., Anthony, P., Eds.; Springer: Singapore, 2019. [Google Scholar] [CrossRef]
  9. Por, L.Y.; Ku, C.S.; Islam, A.; Ang, T.F. Graphical password: Prevent shoulder-surfing attack using digraph substitution rules. Front. Comput. Sci. 2017, 11, 1098–1108. [Google Scholar] [CrossRef]
  10. Kwon, T.; Hong, J. Analysis and Improvement of a PIN-Entry method resilient to Shoulder-Surfing and recording attacks. IEEE Trans. Inf. Forensics Secur. 2015, 10, 278–292. [Google Scholar] [CrossRef]
  11. Sun, H.-M.; Chen, S.-T.; Yeh, J.-H.; Cheng, C.-Y. A shoulder surfing resistant graphical authentication system. IEEE Trans. Dependable Secur. Comput. 2018, 15, 180–193. [Google Scholar] [CrossRef]
  12. Tabrez, S.; Sai, D.J. Pass-matrix authentication a solution to shoulder surfing attacks with the assistance of graphical password authentication system. In Proceedings of the International Conference on Intelligent Computing and Control Systems (ICICCS), Madurai, India, 15–16 June 2017; pp. 776–781. [Google Scholar] [CrossRef]
  13. Pandey, P. Restricting shoulder surfing: A modified graphical password Technique. DOAJ Dir. Open Access J. 2019, 8, 394–405. [Google Scholar] [CrossRef]
  14. Nizamani, S.Z.; Hassan, S.R.; Shaikh, R.A.; Abozinadah, E.A.; Mehmood, R. A Novel Hybrid Textual-Graphical Authentication Scheme with Better Security, Memorability, and Usability. IEEE Access 2021, 9, 51294–51312. [Google Scholar] [CrossRef]
  15. Li, Y.; Yun, X.; Fang, L.; Ge, C. An Efficient Login Authentication System against Multiple Attacks in Mobile Devices. Symmetry 2021, 13, 125. [Google Scholar] [CrossRef]
  16. Rajarajan, S.; Priyadarsini, P. SelfiePass: A Shoulder Surfing Resistant Graphical Password Scheme. In Proceedings of the International Conference on Recent Trends on Electronics, Information, Communication & Technology (RTEICT), Bangalore, India, 27–28 August 2021; pp. 563–567. [Google Scholar] [CrossRef]
  17. Abdalkareem, Z.A.; Akif, O.Z.; Abdulatif, F.A.; Amiza, A.; Ehkan, P. Graphical password based mouse behavior technique. J. Phys. Conf. Ser. 2021, 1755, 012021. [Google Scholar] [CrossRef]
  18. Kausar, N.; Din, I.U.; Khan, M.A.; Almogren, A.; Kim, B.-S. GRA-PIN: A Graphical and PIN-Based Hybrid Authentication Approach for Smart Devices. Sensors 2022, 22, 1349. [Google Scholar] [CrossRef]
  19. Wang, Z.; Liao, L.; Meng, R.; Yang, C.-N.; Zhou, Z.; Yang, H. Verification Grid and Map Slipping Based Graphical Password against Shoulder-Surfing Attacks. Secur. Commun. Netw. 2022, 2022, 6778755. [Google Scholar] [CrossRef]
  20. Seksak, H.M.; Amin, K.M.; Zarif, S. Choice-Based Graphical Password (CGP) Scheme for web applications. IJCI Int. J. Comput. Inf. 2023, 10, 104–112. [Google Scholar] [CrossRef]
  21. Abbas, S.F.; Jawad, L.M. Pass Point Selection of Automatic Graphical Password Authentication Technique Based on Histogram Method. Iraqi J. Inf. Commun. Technol. 2024, 6, 28–39. [Google Scholar] [CrossRef]
  22. English, R.; Poet, R. Towards a metric for recognition-based graphical password security. In Proceedings of the 2011 5th International Conference on Network and System Security, Milan, Italy, 6–8 September 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 239–243. [Google Scholar] [CrossRef]
  23. Zhang, R.; Chen, X.; Wen, S.; Zheng, X.; Ding, Y. Using AI to Attack VA: A Stealthy Spyware Against Voice Assistances in Smart Phones. IEEE Access 2019, 7, 153542–153554. [Google Scholar] [CrossRef]
  24. Abass, I.A.M.; Hussein, L.F.; Kallel, T.; Ben Aissa, A. New Textual Authentication Method to Resistant Shoulder-Surfing Attack. Int. J. Adv. Comput. Sci. Appl. 2022, 13, 490–496. [Google Scholar] [CrossRef]
  25. Eiband, M.; Khamis, M.; von Zezschwitz, E.; Hussmann, H.; Alt, F. Understanding Shoulder Surfing in the Wild: Stories from Users and Observers. In Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI ‘17), Denver, CO, USA, 6–11 May 2017; Association for Computing Machinery: New York, NY, USA, 2017; pp. 4254–4265. [Google Scholar] [CrossRef]
  26. Kawamura, T.; Ebihara, T.; Wakatsuki, N.; Zempo, K. EYEDi: Graphical Authentication Scheme of Estimating Your Encodable Distorted Images to Prevent Screenshot Attacks. IEEE Access 2022, 10, 2256–2268. [Google Scholar] [CrossRef]
  27. Charlès, A.; Udovenko, A. LPN-based attacks in the white-box setting. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2023, 318–343. [Google Scholar] [CrossRef]
  28. Basile, C.; Canavese, D.; Regano, L.; Falcarin, P.; De Sutter, B. A meta-model for software protections and reverse engineering attacks. J. Syst. Softw. 2019, 150, 3–21. [Google Scholar] [CrossRef]
  29. Xiong, Z.; Eappen, J.; Zhu, H.; Jagannathan, S. Defending Observation Attacks in Deep Reinforcement Learning via Detection and Denoising. arXiv 2022, arXiv:2206.07188. [Google Scholar] [CrossRef]
  30. Bhardwaj, A.; Goundar, S. Keyloggers: Silent cyber security weapons. Netw. Secur. 2020, 2020, 14–19. [Google Scholar] [CrossRef]
  31. Meng, W.; Li, W.; Wong, D.S.; Zhou, J. TMGuard: A Touch Movement-Based Security Mechanism for Screen Unlock Patterns on Smartphones. In Applied Cryptography and Network Security; Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Springer: Cham, Switzerland, 2016; Volume 9696, pp. 629–647. [Google Scholar] [CrossRef]
  32. Saminathan, K.; Mulka, S.T.R.; Damodharan, S.; Maheswar, R.; Lorincz, J. An artificial neural network autoencoder for insider cyber security threat detection. Futur. Internet 2023, 15, 373. [Google Scholar] [CrossRef]
  33. Alsaiari, H.; Papadaki, M.; Dowland, P.; Furnell, S. Secure Graphical One Time Password (GOTPass): An Empirical Study. Inf. Secur. J. A Glob. Perspect. 2015, 24, 207–220. [Google Scholar] [CrossRef]
  34. Gao, H.; Jia, W.; Ye, F.; Ma, L. A survey on the use of graphical passwords in security. J. Softw. 2013, 8, 1678–1698. [Google Scholar] [CrossRef]
  35. Vinayakumar, R.; Alazab, M.; Soman, K.P.; Poornachandran, P.; Al-Nemrat, A.; Venkatraman, S. Deep Learning Approach for Intelligent Intrusion Detection System. IEEE Access 2019, 7, 41525–41550. [Google Scholar] [CrossRef]
  36. Ma, L.; Zhao, D.; Gao, Y.; Zhao, C. Research on SQL Injection Attack and Prevention Technology Based on Web. In Proceedings of the 2019 International Conference on Computer Network, Electronic and Automation (ICCNEA), Xi’an, China, 27–29 September 2019; pp. 176–179. [Google Scholar] [CrossRef]
  37. Ye, G.; Tang, Z.; Fang, D.; Chen, X.; Wolff, W.; Aviv, A.J.; Wang, Z. A Video-based Attack for Android Pattern Lock. ACM Trans. Priv. Secur. 2018, 21, 19. [Google Scholar] [CrossRef]
  38. Ye, G.; Tang, Z.; Fang, D.; Chen, X.; Kim, K.I.; Taylor, B.; Wang, Z. Cracking Android Pattern Lock in Five Attempts. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA, 26 February–1 March 2017; Internet Society: Reston, VA, USA, 2017. [Google Scholar] [CrossRef]
  39. Lashkari, A.H.; Manaf, A.A.; Masrom, M. A Secure Recognition Based Graphical Password by Watermarking. In Proceedings of the IEEE 11th International Conference on Computer and Information Technology (CIT), Paphos, Cyprus, 31 August–2 September 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 164–170. [Google Scholar] [CrossRef]
  40. Zhou, M.; Wang, Q.; Yang, J.; Li, Q.; Xiao, F.; Wang, Z.; Chen, X. PatternListener. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada, 15–19 October 2018; ACM: New York, NY, USA, 2018; pp. 1775–1787. [Google Scholar] [CrossRef]
  41. Al-Shareeda, M.A.; Manickam, S.; Laghari, S.A.; Jaisan, A. Replay-Attack Detection and Prevention mechanism in Industry 4.0 landscape for secure SECS/GEM communications. Sustainability 2022, 14, 15900. [Google Scholar] [CrossRef]
  42. Obonna, U.O.; Opara, F.K.; Mbaocha, C.C.; Obichere, J.-K.C.; Akwukwaegbu, I.O.; Amaefule, M.M.; Nwakanma, C.I. Detection of Man-in-the-Middle (MitM) Cyber-Attacks in Oil and Gas Process Control Networks Using Machine Learning Algorithms. Futur. Internet 2023, 15, 280. [Google Scholar] [CrossRef]
  43. Ghosh, G.; Kavita; Anand, D.; Verma, S.; Rawat, D.B.; Shafi, J.; Marszałek, Z.; Woźniak, M. Secure surveillance systems using Partial-Regeneration-Based Non-Dominated optimization and 5D-Chaotic MAP. Symmetry 2021, 13, 1447. [Google Scholar] [CrossRef]
  44. Kolekar, V.K.; Vaidya, M.B. Click and session based—Captcha as graphical password authentication schemes for smart phone and web. In Proceedings of the International Conference on Information Processing (ICIP), Pune, India, 16–19 December 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 669–674. [Google Scholar] [CrossRef]
  45. Fong, T.J.; Abdullah, A.; Jhanjhi, N.; Supramaniam, M. The Coin Passcode: A Shoulder-Surfing Proof Graphical Password Authentication Model for Mobile Devices. Int. J. Adv. Comput. Sci. Appl. 2019, 10, 302–308. [Google Scholar] [CrossRef]
  46. Yu, X.; Wang, Z.; Li, Y.; Li, L.; Zhu, W.T.; Song, L. EvoPass: Evolvable graphical password against shoulder-surfing attacks. Comput. Secur. 2017, 70, 179–198. [Google Scholar] [CrossRef]
  47. Assudani, P.J. Graphical Password Using 2d Coordinates. Int. J. Adv. Res. Comput. Sci. 2018, 9, 467–469. [Google Scholar] [CrossRef]
  48. Ku, W.-C.; Cheng, B.-R.; Yeh, Y.-C.; Chang, C.-J. A Simple Sector-Based Textual-Graphical Password Scheme with Resistance to Login-Recording Attacks. IEICE Trans. Inf. Syst. 2016, E99.D, 529–532. [Google Scholar] [CrossRef]
  49. Liu, Y.; Dachman-Soled, D.; Srivastava, A. Mitigating Reverse Engineering Attacks on Deep Neural Networks. In Proceedings of the IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Miami, FL, USA, 15–17 July 2019; pp. 657–662. [Google Scholar] [CrossRef]
  50. Salman, R.S.; Farhan, A.K.; Shakir, A. Lightweight Modifications in the Advanced Encryption Standard (AES) for IoT Applications: A Comparative Survey. In Proceedings of the 2022 International Conference on Computer Science and Software Engineering (CSASE), Duhok, Iraq, 15–17 March 2022; pp. 325–330. [Google Scholar] [CrossRef]
  51. Hu, X.; Xu, M.; Xu, S.; Zhao, P. Multiple cyber attacks against a target with observation errors and dependent outcomes: Characterization and optimization. Reliab. Eng. Syst. Saf. 2017, 159, 119–133. [Google Scholar] [CrossRef]
  52. Singh, A.; Choudhary, P.; Singh, A.K.; Tyagi, D.K. Keylogger Detection and Prevention. J. Phys. Conf. Ser. 2021, 2007, 012005. [Google Scholar] [CrossRef]
  53. Azad, S.; Rahman, M.; Ranak, M.S.A.N.; Ruhee, B.M.F.K.; Nisa, N.N.; Kabir, N.; Rahman, A.; Zain, J.M. VAP code: A secure graphical password for smart devices. Comput. Electr. Eng. 2017, 59, 99–109. [Google Scholar] [CrossRef]
  54. Yaseen, Q.; Panda, B. Insider threat mitigation: Preventing unauthorized knowledge acquisition. Int. J. Inf. Secur. 2012, 11, 269–280. [Google Scholar] [CrossRef]
  55. Alsobhi, H.; Alshareef, R. SQL Injection Countermeasures Methods. In Proceedings of the 2020 International Conference on Computing and Information Technology (ICCIT-1441), Tabuk, Saudi Arabia, 9–10 September 2020; pp. 1–4. [Google Scholar] [CrossRef]
  56. Lee, S.K.; Tsao, Y. A study of using cepstrogram for countermeasure against replay attacks. arXiv 2022, arXiv:2204.04333. [Google Scholar]
  57. Barni, M.; Fontani, M.; Tondi, B. A universal technique to hide traces of histogram-based image manipulations. In Proceedings of the on Multimedia and Security (MM & Sec ‘12), Coventry, UK, 6–7 September 2012; Association for Computing Machinery: New York, NY, USA, 2012; pp. 97–104. [Google Scholar] [CrossRef]
  58. Gudipati, V.K.; Venna, T.; Subburaj, S.; Abuzaghleh, O. Advanced automated SQL injection attacks and defensive mechanisms. In Proceedings of the 2016 Annual Connecticut Conference on Industrial Electronics, Technology & Automation (CT-IETA), Bridgeport, CT, USA, 14–15 October 2016; pp. 1–6. [Google Scholar] [CrossRef]
  59. Balzarotti, D.; Cova, M.; Felmetsger, V.; Jovanovic, N.; Kirda, E.; Kruegel, C.; Vigna, G. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (sp 2008), Oakland, CA, USA, 18–22 May 2008. [Google Scholar] [CrossRef]
  60. Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J. Survey of intrusion detection systems: Techniques, datasets and challenges. Cybersecurity 2019, 2, 20. [Google Scholar] [CrossRef]
  61. Gall, T.; Maniadis, Z. Evaluating solutions to the problem of false positives. Res. Policy 2019, 48, 506–515. [Google Scholar] [CrossRef]
  62. Oleiwi, B.K.; Abood, L.H.; Farhan, A.K. Integrated Different Fingerprint Identification and Classification Systems based Deep Learning. In Proceedings of the 2022 International Conference on Computer Science and Software Engineering (CSASE), Duhok, Iraq, 15–17 March 2022; pp. 188–193. [Google Scholar] [CrossRef]
Figure 1. Where You See is What You Enter (WYSWYE; adapted from [4]) user interface. (a) Users must mentally cross out each row and column from the challenge grid that does not have the password images—in this example, an apple, a dog, ice cream, and television. (b) Users must determine where the password images are located in the grid with fewer challenges. (c) Users must click where the password images are located in the response grid. (d) Sample notations that are used in the challenge and response grids to highlight WYSWYE’s shortcomings [3].
Figure 2. The Gokhale and Waghmare system’s user interface [7].
Figure 3. The system’s user interface by Por et al. [9].
Figure 4. The system’s user interface by Sun et al. [12].
Figure 5. A combination of graphical password recognition and recall schemes [13].
Figure 6. A hybrid textual-graphical authentication scheme [14].
Figure 7. The first stage of login verification [15]. (a) Primary interface; (b) The system passes implicitly “8,T” as a user login indicator.
Figure 8. (a) User’s password image. (b) Click points chosen by the user indicated by circles. (c) Image presented with a grid of alphabets. (d) Secret token ‘GC’ aligned over the first click point [16].
Figure 9. Path tolerance example [17].
Figure 10. GRA-PIN scheme [18].
Figure 11. Selection of verification grids and password path in the registration phase [19].
Figure 12. Multi-factor authentication (MFA) [18]. (a) Image loading screen; (b) The image upload screen once the user has uploaded 9 images.
Figure 13. The system architecture of the choice-based graphical password scheme [20].
Chart 1. Related graphical password schemes with security attacks.
Table 1. Type of Security Attacks.
No. | Type of Security Attack | Related Graphical Password Schemes
1. | Guessing Attack | WYSWYE (“Where You See is What You Enter”) scheme; VGMSGP scheme; Multi-Factor Authentication (MFA) scheme; PassPoint Selection of Automatic Graphical Password Based on Histogram.
2. | Spyware Attack | WYSWYE scheme; A combination of graphical password recognition and recall scheme; GRA-PIN scheme; VGMSGP scheme; Multi-Factor Authentication (MFA) scheme.
3. | Shoulder Surfing Attack | WYSWYE scheme; Ho et al.’s scheme [5]; Gokhale and Waghmare’s scheme [7]; Por et al.’s scheme [9]; Sun et al.’s scheme [11].
4. | Video Recording Attack | Ho et al.’s scheme [5]; Por et al.’s scheme [9]; Sun et al.’s scheme [11].
5. | Filtering Attack | Gokhale and Waghmare’s scheme [7]; A combination of graphical password recognition and recall scheme; Multi-Factor Authentication (MFA) scheme.
6. | Reverse Engineering Attack | Gokhale and Waghmare’s scheme [7]; Por et al.’s scheme [9]; Sun et al.’s scheme [11]; A combination of graphical password recognition and recall scheme; A Hybrid Textual-Graphical Authentication scheme; PinWheel scheme; SelfiePass scheme; GRA-PIN scheme.
7. | Multiple Observations Attack | Sun et al.’s scheme [11].
8. | Key/Mouse Logger Attack | A Hybrid Textual-Graphical Authentication scheme; PinWheel scheme; SelfiePass scheme; Graphical Password based on Mouse Behavior (GP-MB) scheme.
9. | Brute Force Attack | Graphical Password based on Mouse Behavior (GP-MB) scheme; PassPoint Selection of Automatic Graphical Password Based on Histogram.
10. | Insider Threats | Graphical Password based on Mouse Behavior (GP-MB) scheme.
11. | Dictionary Attack | Graphical Password based on Mouse Behavior (GP-MB) scheme.
12. | Social Engineering Attack | A Hybrid Textual-Graphical Authentication scheme; PinWheel scheme; SelfiePass scheme; GRA-PIN scheme; Graphical Password based on Mouse Behavior (GP-MB) scheme.
13. | SQL Injection Attack | Gokhale and Waghmare’s scheme [7]; PinWheel scheme; Choice-Based Graphical Password (CGP) scheme; PassPoint Selection of Automatic Graphical Password Based on Histogram.
14. | Computer Vision Attack | Choice-Based Graphical Password (CGP) scheme.
15. | Image Gallery Attack | Choice-Based Graphical Password (CGP) scheme.
16. | Sonar Attack | Choice-Based Graphical Password (CGP) scheme.
17. | Replay Attack | PassPoint Selection of Automatic Graphical Password Based on Histogram.
18. | Data Interception Attack (“Man-In-The-Middle”) | PassPoint Selection of Automatic Graphical Password Based on Histogram; Ho et al.’s scheme [5].
19. | Histogram Manipulation Attack | PassPoint Selection of Automatic Graphical Password Based on Histogram.
Table 2. The summary of countermeasures, applicability, implementation cost, and usability proposed for each security attack.
Table 2. The summary of countermeasures, applicability, implementation cost, and usability proposed for each security attack.
No. | Type of Security Attack | Countermeasures | Applicability | Implementation Cost | Usability
1 | Guessing Attack | Random distribution of challenge images. | High | Low | High
2 | Spyware Attack | Randomization; performing tests during authentication; different input methods. | High | Moderate | Moderate
3 | Shoulder Surfing Attack | Confusion; randomization. | Moderate | Low | High
4 | Video Recording Attack | Randomization; visual complexity. | High | Moderate | High
5 | Filtering Attack | Use of encryption and authentication; improved network security. | High | Moderate | Moderate
6 | Reverse Engineering Attack | Code obfuscation; control of source code and encryption. | High | High | Low
7 | Multiple Observations Attack | Monitoring and adjusting the privacy settings; encryption. | High | Moderate | Moderate
8 | Key/Mouse Logger Attack | Taking the safety measures; multi-factor authentication and encryption. | High | Moderate | High
9 | Brute Force Attack | Randomization; a large password space; more layers of authentication; limiting login attempts. | High | Moderate | High
10 | Insider Threats | Imposing security controls on employees and peripheral devices. | High | Moderate | Moderate
11 | Dictionary Attack | Randomization in the Conundrum-Pass technique; a large password space in Spin-Wheel-Based Authentication. | High | Moderate | High
12 | Social Engineering Attack | Increased user awareness; use of HTTPS on the website; informing users when the certificate check fails. | High | Low | High
13 | SQL Injection Attack | Limiting the privileges of the database; Web Application Firewalls (WAFs); encryption. | High | Moderate | Moderate
14 | Computer Vision Attack | Randomness of pictures; user awareness; dynamic screen changes. | High | Moderate | High
15 | Image Gallery Attack | Watermarking; using a secret key for verification. | High | Moderate | Moderate
16 | Sonar Attack | Changing the pattern grid arrangement; limiting microphone use and the frequency band the device can operate in; educating users about the possibility of the attack; jamming the acoustic channel. | High | Moderate | High
17 | Replay Attack | Authentication; filtering; disabling response protocols. | High | Moderate | High
18 | Data Interception Attack (Man-In-The-Middle) | Authentication protocol; hashing timestamps and pass-image components; random location assignment for the passphrase. | High | High | Low
19 | Histogram Manipulation Attack | Adding randomness (blur or contrast changes; adding or subtracting random noise); checking integrity at multiple levels (hashes and timestamps). | High | Moderate | High
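Several rows of Table 2 describe parts of a single mechanism: a randomly arranged challenge (rows 1, 3, 14), a limit on login attempts (row 9) and a response bound to a timestamp and the pass-image components so that a captured response cannot be replayed (rows 17, 18). The following added example (Python, not code from any of the surveyed schemes) puts those parts together in one server. The 16-image pool, the user record, the 30-second challenge lifetime, the five-failure lock-out and the client are constructed assumptions.

```python
"""Challenge-response login for a pass-image scheme.

Added illustration, not code from any scheme in the survey. One server combines
countermeasures from Table 2: a randomly arranged challenge (rows 1, 3, 14), a
per-user attempt limit (row 9) and a response bound to a single-use nonce and a
timestamp (rows 17, 18). The image pool, user record and client are constructed.
"""
import hashlib
import hmac
import os
import random
import time

IMAGE_POOL = [f"img{i:02d}" for i in range(16)]   # constructed 4x4 challenge grid
CHALLENGE_TTL = 30          # seconds a challenge stays usable (assumed)
MAX_FAILURES = 5            # consecutive failures before the account is locked (assumed)

# Constructed user store: ordered pass-image identifiers. A deployment would
# encrypt this table at rest; it is in clear here so the server can recompute
# the expected response.
USERS = {"alice": ["img03", "img11", "img07"]}


def response_digest(nonce: bytes, issued_at: int, image_ids: list[str]) -> bytes:
    """Hash of the timestamp and the pass-image components, keyed by the nonce."""
    msg = str(issued_at).encode() + b"|" + ",".join(image_ids).encode()
    return hmac.new(nonce, msg, hashlib.sha256).digest()


class GraphicalLoginServer:
    def __init__(self, now=time.time, rng=None):
        self._now = now                              # injectable clock for tests
        self._rng = rng or random.SystemRandom()
        self._challenges = {}    # nonce -> (username, issued_at, grid)
        self._failures = {}      # username -> consecutive failed attempts

    def issue_challenge(self, username: str):
        """Fresh nonce, timestamp and a freshly shuffled grid for every login."""
        nonce = os.urandom(16)
        issued_at = int(self._now())
        grid = IMAGE_POOL[:]
        self._rng.shuffle(grid)   # positions observed once mean nothing next time
        self._challenges[nonce] = (username, issued_at, grid)
        return nonce, issued_at, grid

    def verify(self, nonce: bytes, digest: bytes) -> str:
        """Consume the challenge and return an outcome string."""
        challenge = self._challenges.pop(nonce, None)   # single use: a replay finds nothing
        if challenge is None:
            return "unknown-or-reused-nonce"
        username, issued_at, _grid = challenge
        if self._now() - issued_at > CHALLENGE_TTL:
            return "expired"
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        secret = USERS.get(username)
        # Unknown users get a dummy secret so the comparison costs the same.
        expected = response_digest(nonce, issued_at, secret or ["none"])
        if secret is not None and hmac.compare_digest(expected, digest):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "rejected"


def client_response(nonce: bytes, issued_at: int, grid: list[str],
                    clicked_positions: list[int]) -> bytes:
    """The client sends a digest, never the clicked positions or image identifiers."""
    return response_digest(nonce, issued_at, [grid[p] for p in clicked_positions])


def run_scenario(now=time.time) -> list[str]:
    """Genuine login, replay of the captured response, then the same bytes on a new challenge."""
    server = GraphicalLoginServer(now=now)
    nonce, issued_at, grid = server.issue_challenge("alice")
    clicks = [grid.index(image) for image in USERS["alice"]]
    digest = client_response(nonce, issued_at, grid, clicks)
    outcomes = [server.verify(nonce, digest)]          # genuine response
    outcomes.append(server.verify(nonce, digest))      # same bytes again
    nonce2, _, _ = server.issue_challenge("alice")
    outcomes.append(server.verify(nonce2, digest))     # captured digest, new challenge
    return outcomes


if __name__ == "__main__":
    print(run_scenario())   # ['ok', 'unknown-or-reused-nonce', 'rejected']
```

The digest hides the image identifiers from a passive interceptor and is worthless after the nonce is consumed, which covers rows 17 and 18 as stated in the table. It does not stop an active man-in-the-middle relaying a response within the challenge lifetime, which is why the HTTPS measure in row 12 is the companion control; and the random grid only blunts shoulder surfing if the client never echoes the image identifiers it resolved from the clicks.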
Saadi, Zena Mohammad, Ahmed T. Sadiq, Omar Z. Akif, and Alaa K. Farhan. 2024. "A Survey: Security Vulnerabilities and Protective Strategies for Graphical Passwords" Electronics 13, no. 15: 3042. https://doi.org/10.3390/electronics13153042
