See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/263280706

Effective Password Authentication System Using Optical Character Recognition

Article · November 2013

2 authors: Sreekanth Reddy (Jawaharlal Nehru Technological University, Anantapur) and Shoba Bindu Chigarapalle (Jawaharlal Nehru Technological University, Anantapur)

All content following this page was uploaded by Sreekanth Reddy on 23 June 2014.


Volume 3, Issue 11, November 2013, ISSN: 2277 128X
International Journal of Advanced Research in Computer Science and Software Engineering
Research Paper
Available online at: www.ijarcsse.com

Effective Password Authentication System Using Optical Character Recognition

Sreekanth Reddy. C, Dept. of Computer Science & Engineering, JNTUA, Anantapur (515002), Andhra Pradesh, India.
Dr. C. Shoba Bindu, Associate Professor, CSE Department, JNTUA, Anantapur (515002), Andhra Pradesh, India.

Abstract-- Security experts have recently described the user as “THE WEAKEST LINK IN THE CHAIN” of a security system. To prevent the user from being the weakest link, the USABILITY & SECURITY [3] concept has emerged, in which security and usability are given equal importance. This paper proposes a new authentication scheme that uses Optical Character Recognition (OCR) [2] as a base to improve usability as well as security. In the proposed scheme, the user selects a word of his/her choice from a textual image, and that word is converted to text and stored as a password. By doing this we can overcome the dictionary attack and obtain a larger password space than traditional text passwords. To gain access, the user has to select the same word at the time of login. The entire OCR process is based on the Semi-Continuous Hidden Markov Model (SC-HMM) proposed by José A. Rodríguez-Serrano et al. [1], which is well suited to OCR. Compared to other graphical passwords, using OCR takes less time.

Keywords: OCR, Authentication, Password, Graphical passwords.

1. INTRODUCTION
Security has been a wide area of research in which the privacy of one's data is the most important aspect. To keep user data secure, many authentication techniques have been proposed. Unfortunately, every type of authentication has its own advantages and disadvantages, and none of the authentication techniques has fulfilled all the requirements of security as well as the user's needs. Different authentication procedures have been introduced, ranging from
• Knowledge based authentication (Alphanumeric passwords, Graphical passwords).
• Token based authentication.
• Biometric based authentication.
These are called the “3-factors of authentication”.
Alphanumeric passwords (text passwords) are the most commonly used passwords for authentication. Most of the problems that users have with this method are related to the memorability of passwords.
Furthermore, users today have different passwords for computers, networks, web sites, and more. In addition, some computer systems require frequent password changes. So users choose Weak Passwords to reduce the memory burden. Weak Passwords are passwords that are easy to guess and easy to crack. Table 1 lists categories of guessable passwords according to Bernie Thomas et al. [6].
The best alternative is to choose Strong Passwords instead of weak passwords.

Table 1: Examples of Guessable password categories

Type | Percentage of users | Explanation | Alternative
Family names and plain text | 59% | Names including pets and dictionary words | Strong Passwords
User’s favorites | 30% | Singers, actors etc... | Strong Passwords
Self descriptors | 11% | Such as studs or goddess | Strong Passwords

Strong passwords are those that use all possible strengthening options, such as at least 8 characters, multiple upper case and multiple lower case letters (A-Z, a-z), multiple special characters (~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/) and numbers (0-9). With these options the security will be very high, and it takes much more time (maybe a lifetime) to crack the password. The purpose of a strong password is to make the password harder to crack or guess, and more secure.

© 2013, IJARCSSE All Rights Reserved Page | 1049


Reddy et al., International Journal of Advanced Research in Computer Science and Software Engineering 3(11),
November - 2013, pp. 1049-1055
Although strong passwords are the best alternative, users cannot remember them. Since users are not able to remember strong passwords, they tend to select weak passwords, which can be cracked easily. Schemes that force users to select strong passwords lead to other unsafe practices, such as writing the password down or leaving it in the open. So text passwords are at a disadvantage from a usability standpoint, and usability problems tend to turn directly into security problems. That is, if a user fails to choose a password and to handle it securely, attackers are able to exploit the user’s data.
An alternative to text passwords, called GRAPHICAL PASSWORDS, was proposed by Greg Blonder [9]. It uses pictures as passwords, motivated by the fact that “A Picture is worth a Thousand Words”; that is, users can remember pictures more easily than text passwords.
Graphical passwords offer better security than text passwords because many people, in an attempt to memorize text-based passwords, use plain text rather than strong passwords, and plain text can be easily cracked by a dictionary attack.
So the proposed scheme concentrates on knowledge based authentication, especially GRAPHICAL PASSWORDS [4], which are the best alternative to traditional text passwords. Basically, graphical passwords are of two types:
• Recognition based and
• Recall based.
In the Recognition Based method, the user is provided with a set of images and identifies or recognizes the images he/she previously stored in the registration phase.
Dhamija and Perrig [7] proposed a graphical password scheme based on the Hash Visualization method. In that scheme, the user has to select a certain number of images from a set of random images generated by a program (figure 1). Then, the user identifies the preselected images in order to gain access. The results showed that 90% of all participants succeeded in authenticating using this scheme, while only 70% succeeded using PINs and text passwords. The average log-in time is longer than with the traditional approach. A weakness of this system is that the server needs to store the seeds of the images of each user in plain text, and the process of selecting a set of pictures from the picture database can be time consuming for the user.

Fig 1: Random images used by Dhamija and Perrig [7]

In the Recall Based method, the user has to reproduce or select exactly what he/she selected or reproduced earlier during the registration phase. Both these methods have a memory advantage over traditional alphanumeric passwords.
Jermyn et al. [8] proposed a scheme called “Draw-a-Secret (DAS)”, which allows users to draw their password (figure 2). A user is asked to draw a simple picture on a 2D grid. The coordinates of the grid cells occupied by the picture are stored in the order of the drawing. During authentication, the user is asked to re-draw the picture. If the drawing touches the same grid cells in the same sequence, the user is authenticated. Jermyn et al. suggested that, given reasonable-length passwords in a 5 x 5 grid, the full password space of DAS is larger than the full text password space.

Fig 2: Draw-a-Secret (DAS) proposed by Jermyn, et al. [8]

This paper proposes a new recall based authentication scheme in which the user selects exactly the same word that he/she selected earlier during the registration phase. For high speed and accurate results we use OCR to provide authentication.

Optical character recognition, usually abbreviated to OCR, is the electronic translation of images of printed text into machine-editable text. It is a field of research in artificial intelligence and pattern recognition. Existing OCR systems can recognize any kind of text image and convert it into editable text. A wide range of OCR systems is available, using different techniques for recognition: some use Neural Networks (NN) and some use distance measures (KNN). Each method has its own advantages and disadvantages; some are slow in recognition but accurate, and some are fast but less accurate. So we have chosen the OCR proposed by José A. Rodríguez-Serrano et al. [1], which is good at both speed and accuracy. Owing to its fast recognition speed, we have an advantage in login time over other schemes.
The rest of the paper is organized as follows: Section 2 discusses the OCR process, Section 3 focuses on the proposed scheme, Section 4 considers some metrics used for usability and security, Section 5 analyzes the proposed scheme using the metrics defined in Section 4, and Section 6 concludes.

2. OCR PROCESS USED FOR PROPOSED MODEL


The proposed scheme uses OCR as the main component for providing authentication. OCR stands for Optical Character Recognition, the electronic or mechanical conversion of handwritten, printed or scanned images into machine-editable form.
We use the SC-HMM proposed in [1] for developing this OCR because of its high accuracy rates compared to other OCR techniques. The OCR process is divided into the following stages:
• Scanning & Digitization
• Pre-processing
• Segmentation
• Feature extraction
• Classification &
• Post-processing.
To process printed characters, the page should be scanned and saved in a standard image format that any image processing tool can handle.
The scanned image is subjected to an image processing technique, Deskew, in which the skew angle is corrected and the image is prepared for the next stages of recognition.
In the context of character recognition, segmentation is the process of extracting the smallest possible character from the scanned image for recognition.
Feature extraction plays a vital role in recognition: the output of segmentation is characterized by certain specific parameters. Parameterization is done here to obtain the individual parameters. This is where the SC-HMM comes in: the parameters are represented as sequences. These sequences are represented in two ways:
• Sequence-independent parameters &
• Sequence-dependent parameters.
Classification places the individual sequences into one of a pre-determined set of classes (characters or alphabets).
To decide in which class to place a sequence, we perform a sequence similarity measure between the SC-HMMs. We use Dynamic Time Warping (DTW) as the distance measure between the individual sequences.

Using the above formula we calculate the distance between two vectors. After the distance calculation, the vector is placed in the appropriate class of alphabets based on the distance obtained. For example, if a part of the image is input to DTW and the distance is closest to the alphabet S, then that input word will be recognized as S.
Finally, in post-processing, the output of the classification stage is converted into ISCII or ASCII so that the converted words, alphabets and paragraphs are reconstructed from the previously stored templates. The entire OCR process is represented in fig 3.
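
The classification step described above, as an added example that is not code from the paper: it uses plain DTW over one-dimensional feature sequences rather than the SC-HMM model-based similarity of [1], and the templates, feature values and rejection threshold are constructed for illustration. The rejection path matters for authentication, because a misrecognised character changes the password string that is later compared.

```python
# Added illustration: classic DTW + nearest-template classification.
# Not the SC-HMM measure of [1]; all data below is constructed.
from math import inf


def dtw_distance(a, b):
    """Dynamic time warping distance with |x - y| as the local cost."""
    n, m = len(a), len(b)
    # cost[i][j] = minimal cumulative cost of aligning a[:i] with b[:j]
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            local = abs(a[i - 1] - b[j - 1])
            cost[i][j] = local + min(
                cost[i - 1][j],      # b[j-1] is stretched over several a samples
                cost[i][j - 1],      # a[i-1] is stretched over several b samples
                cost[i - 1][j - 1],  # both sequences advance
            )
    return cost[n][m]


# Constructed per-column feature profiles (e.g. ink density per pixel column).
TEMPLATES = {
    "S": [2, 5, 3, 3, 5, 2],
    "I": [0, 1, 8, 8, 1, 0],
    "O": [4, 6, 2, 2, 6, 4],
}


def classify(sequence, templates=TEMPLATES, reject_above=None):
    """Return (label, distance) of the nearest template.

    If reject_above is set and even the best match is farther than that,
    return (None, distance) so the caller can ask the user to re-select
    instead of storing or comparing a misread character.
    """
    scored = sorted((dtw_distance(sequence, t), label)
                    for label, t in templates.items())
    best_dist, best_label = scored[0]
    if reject_above is not None and best_dist > reject_above:
        return None, best_dist
    return best_label, best_dist


if __name__ == "__main__":
    # A horizontally stretched "S" still aligns with the S template at cost 0.
    print(classify([2, 2, 5, 5, 3, 3, 3, 5, 2]))
    # A slightly noisy "I".
    print(classify([0, 1, 7, 9, 8, 1, 0]))
    # Nothing like any template: rejected.
    print(classify([20] * 6, reject_above=10.0))
```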

Fig 3: Represents the flow of OCR

3. Proposed Model:
In the proposed scheme, the OCR proposed by José A. Rodríguez-Serrano [1] is used for providing authentication. At the time of registration, the user is prompted to select a username of his/her choice and then to choose a textual image, which is stored under that username. The user then has to select a word from that textual image; that word is converted to text using the OCR and saved as the password under the same username.

Fig 4: User Interface of Registration phase

In figure 4 the user selected the word “using”; that word is converted to text using OCR and saved as the password.
At the time of login, the user has to enter his/her username, and the image stored under that username is then explicitly provided to the user. The user then has to select exactly the same word that he/she selected earlier at the time of registration. Here we use an invisible rectangle to avoid spoofing (shoulder surfing attack). The selected word is converted to text again using OCR and compared with the stored password; if the two words match, the user is authenticated, otherwise the user is prompted to log in again.
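
The registration and login flow described above, as an added sketch that is not the authors' implementation. OCR output is modelled as constructed (word, bounding box) pairs, the invisible rectangle is reduced to a selection point that is hit-tested against those boxes, and storing a salted PBKDF2 hash instead of the recognised text is an assumption of this example; all function names and the iteration count are hypothetical.

```python
# Added sketch of the select-a-word flow; names and sample data are constructed.
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 200_000  # assumption: tune to the deployment's hardware

# Constructed sample of what segmentation + OCR might yield for one image:
# (recognised text, (x0, y0, x1, y1)) in pixel coordinates.
SAMPLE_IMAGE_WORDS = [
    ("Effective", (10, 10, 95, 30)), ("authentication", (100, 10, 230, 30)),
    ("using", (10, 40, 55, 60)), ("optical", (60, 40, 120, 60)),
    ("character", (125, 40, 205, 60)), ("recognition", (10, 70, 110, 90)),
]


def word_at(words, x, y):
    """Map a selection point to the OCR'd word whose box contains it."""
    for text, (x0, y0, x1, y1) in words:
        if x0 <= x <= x1 and y0 <= y <= y1:
            return text
    return None  # the selection landed on whitespace


def normalise(word):
    # OCR may differ in case or Unicode form between runs, so the string is
    # canonicalised before hashing; otherwise a correct selection could fail.
    return unicodedata.normalize("NFKC", word).casefold().strip()


def _derive(word, salt):
    return hashlib.pbkdf2_hmac("sha256", normalise(word).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def register(db, username, words, x, y):
    word = word_at(words, x, y)
    if word is None:
        raise ValueError("selection does not cover a word")
    salt = os.urandom(16)
    # Only the salt and derived key are kept; the selected word is not stored.
    db[username] = {"words": words, "salt": salt, "hash": _derive(word, salt)}


def login(db, username, x, y):
    record = db.get(username)
    if record is None:
        return False
    word = word_at(record["words"], x, y)
    if word is None:
        return False
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(_derive(word, record["salt"]), record["hash"])


if __name__ == "__main__":
    db = {}
    register(db, "alice", SAMPLE_IMAGE_WORDS, 20, 50)  # selects "using"
    print(login(db, "alice", 50, 45))   # same word, different point in its box
    print(login(db, "alice", 70, 50))   # selects "optical"
```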
4. USABILITY AND SECURITY METRICS
The proposed scheme aims to improve usability while providing maximum security, so as to satisfy both criteria. Some metrics for usability and security are considered for analysis; they are as follows:
4.1 Usability Metrics:
• Memorability: Extent to which a user can remember his/her password after a period of time (usually 1-4 weeks).
• Login Time: Time taken to log in using a particular authentication system.
• Creation Time: Time taken to create a password using an authentication system.
• Login Success Rate: Percentage of users who are able to log in successfully after a particular number of login attempts.
4.2 Security Metrics:
• Total Password Space: Total number of possible values in a password system.
• Shoulder Surfing: The extent to which someone can look over the shoulder of a person entering his/her password and guess it.

5. USABILITY AND SECURITY ANALYSIS


To analyze both usability and security, we use the metrics defined in section 4. We also use the most common and popular graphical password scheme, Persuasive Cued Click-Points (PCCP), proposed by Sonia Chiasson et al. [5], for comparison with the proposed scheme.
5.1 Usability Analysis:
5.1.1 Memorability:
One of the major metrics of usability is memorability, which describes how well the user is able to remember the selected password. To analyze memorability, we tested our proposed scheme alongside the most widely used graphical password scheme, Persuasive Cued Click-Points. Each scheme was tested for 4 weeks, and the results are tabulated in table 2:

Table 2: Results of Two schemes for Memorability

No. of students who are able to remember the selected password:

Scheme | Week-I | Week-II | Week-III | Week-IV
PCCP | 25 | 25 | 23 | 23
OCR | 25 | 25 | 23 | 21

The proposed scheme performs slightly worse than PCCP in Week-IV, because users face some problems remembering the selected word.
5.1.2 Login Time:
Time plays a crucial role nowadays, and the time needed to access a user system/account must be minimized. The same analysis done for memorability is applied to this metric, and the results are shown in table 3:

Table 3: Login times for both PCCP and OCR scheme

Time Taken To Login In Seconds:

Scheme | Week-I | Week-II | Week-III | Week-IV
PCCP | 20-25 | 20-25 | 25-30 | 25-30
OCR | 20-25 | 20-25 | 20-25 | 20-25

Here the proposed scheme maintains a constant login time, but PCCP rises to 30 sec in Week III and Week IV; the same is shown in fig 5.

Fig 5: Comparison of Login time of two schemes.


5.1.3 Creation Time:
Another metric of usability is the time taken for a user to register with the authentication scheme. We tested this only
once throughout the testing phase because registration is needed only once and the results are tabulated in table 4.

Table 4: Creation time comparison of both schemes

Scheme | Time Taken To Register In Seconds
PCCP | 20-23 Sec
OCR | 15-18 Sec

As for creation time, our proposed scheme performed well compared to PCCP; the main advantage here is the speed of the OCR method. The comparison is shown in fig 6.

[Bar chart: Registration Time; y-axis: Time in Seconds; bars: PCCP, OCR]

Fig 6: Comparison of Registration time of two schemes.

5.1.4 Login Success Rate:


The success rate is defined by the number of users who are able to log in successfully, without failure, after Week-IV. The success rate (SR) is calculated using the formula:
SR = (No. of successful logins / No. of login attempts) x 100
We take the default number of login attempts to be 100. Successful logins for PCCP are 80 and successful logins for OCR are 85; the results are tabulated in table 5:

Table 5: Comparison of success rates of both schemes

Scheme | Success Rate (%)
PCCP | 80%
OCR | 85%

Both schemes performed well on success rate, but the proposed scheme is slightly better than PCCP.

[Bar chart: y-axis from 76% to 86%; bars: PCCP, OCR]

Fig 7: Comparison of Login Success Rates of both Schemes


5.2 Security Analysis:
5.2.1 Total Password space:
The password space of any password system is the total number of unique passwords that could be generated according to the system specifications. Ideally, a larger password space lowers the chance that any particular guess is correct for a given password. So the larger the password space, the lower the probability of a successful guessing attack. Fortunately, both the proposed scheme and PCCP have a very large password space compared to traditional text passwords, so guessing attacks will be minimal on both schemes. The proposed scheme uses an image with a large amount of text. If the image contains 100 words and the password length is 8 characters, then there are 100^8, or 10 quadrillion (10,000,000,000,000,000), possible combinations that form the password. The adversary must try every possible combination in order to crack the password; it would take (on average) millions of years to break the password with random combinations.

Table 6: Password spaces of both schemes

Scheme | Password Space
PCCP | 6.5x10^8
OCR | 6.5x10^4
OCR | 6.5x10^8

In table 6, 10^4 applies if the word selected for the password contains less than or equal to 4 letters, 10^8 applies if the selected word contains less than or equal to 8 letters, and 6.5 is the default image size.
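
One way to evaluate the Total Password Space metric for a concrete textual image, as an added example that is not from the paper; the sample text and all function names are constructed. It counts the distinct words a selection could yield, converts counts to bits, and sets the single-word count n beside the ordered-sequence count n^k (which gives the 100^8 figure above for n = 100, k = 8) and an 8-character text password over the 94 printable ASCII characters.

```python
# Added check of the password-space metric; sample text is constructed.
import math
import re

# Constructed stand-in for the OCR text of a registered textual image.
SAMPLE_TEXT = (
    "The user selects a word from the textual image and the word is "
    "converted to text and stored as the password"
)


def selectable_words(ocr_text, min_len=1):
    """Distinct case-folded words a selection could produce from this image."""
    tokens = re.findall(r"[A-Za-z0-9]+", ocr_text)
    return sorted({t.casefold() for t in tokens if len(t) >= min_len})


def sequence_space(n_words, k):
    """Secrets formed by k ordered selections (repeats allowed) from n words."""
    return n_words ** k


def bits(space):
    """Size of a uniformly used space expressed in bits."""
    return math.log2(space)


def expected_guesses(space):
    """Mean number of distinct guesses to find a uniformly chosen secret."""
    return (space + 1) / 2


def report(ocr_text):
    n = len(selectable_words(ocr_text))
    return {
        "selectable_words": n,
        "bits_single_word": round(bits(sequence_space(n, 1)), 2),
        "expected_guesses": expected_guesses(n),
        # Figure quoted in the text: 100 words, exponent 8.
        "bits_page_100_pow_8": round(bits(sequence_space(100, 8)), 2),
        # 8-character text password over 94 printable ASCII characters.
        "bits_text_94_pow_8": round(bits(94 ** 8), 2),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TEXT).items():
        print(f"{key}: {value}")
    # Users tend to avoid very short words; the count shrinks accordingly.
    print("words with >= 4 letters:", len(selectable_words(SAMPLE_TEXT, 4)))
```

Because the stored image is shown to whoever enters the username, the single-word row is the count that applies to one selection per login; the n^k row applies only if the design asks for k ordered selections.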
5.2.2 Shoulder surfing attack:
The proposed OCR scheme is not vulnerable to shoulder surfing attack. This is achieved through the invisible rectangle used at the time of login to select the word. Fig 8 shows this: the user selected the word “using” and was verified successfully, but the selected word is not visible to the adversary. Even if an adversary observes the login window, he/she will not be able to see the selected word. So the proposed scheme is resistant to shoulder surfing attack.

Fig 8: Showing the invisible rectangle at the time of Login.


6. CONCLUSION
This paper studies the combination of textual passwords and graphical passwords: since OCR uses text as its base, we can use it as a textual password, and we use a graphical interface for selecting the word. Using this type of combined password system, the user gets better usability compared to individual authentication schemes. The proposed scheme is also resistant to dictionary attack, since it is impossible to crack the password given the huge password space, and resistant to shoulder surfing, since we use an invisible rectangle for graphical login. The proposed scheme offers better results compared to PCCP. However, our findings are preliminary and inconclusive. More user evaluations need to be conducted.

ACKNOWLEDGMENT
We are especially indebted to AICTE-RPS (Research Promotion Scheme) for providing us an environment
where we can work to the best we can. We would also like to thank Mr. Raj Mohammed Mohd, research scholar who has
helped in the design, development, testing and implementation of this proposed scheme.

REFERENCES
1. José A. Rodríguez-Serrano and Florent Perronnin, “A Model-Based Sequence Similarity in Application to Handwritten Word Spotting,” IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 34, No. 11, November 2012, Page. no: 2108-2120.
2. “Optical Character Recognition,” http://en.wikipedia.org/wiki/Optical_character_recogntion.
3. Lorrie Faith Cranor and Simson Garfinkel, “Security and Usability: Designing secure systems.”
4. Xiaoyuan Suo, Ying Zhu and G. Scott Owen, “Graphical Passwords: A Survey”.
5. Sonia Chiasson, Elizabeth Stobert and Alain Forget, “Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism,” IEEE Transactions on Dependable and Secure Computing, Vol. 9, No. 2, March/April 2012, Page. no: 222-235.
6. Bernie Thomas, “Simple Formula for Strong Passwords (SFSP),” 2005.
7. R. Dhamija and A. Perrig, “Deja Vu: A User Study Using Images for Authentication,” in Proceedings of the 9th USENIX Security Symposium, 2000.
8. I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, “The Design and Analysis of Graphical Passwords,” in Proceedings of the 8th USENIX Security Symposium, 1999.
9. Greg E. Blonder (1996). U.S. Patent No. 5559961.
