
IJRECS @ Nov Dec 2015, V-5, I-2

ISSN-2321-5485 (Online)
ISSN-2321-5784 (Print)

Security Upgrading Strategy for Consolidating Captcha Utilizing a Graphical Secret Word on Difficult Issue in AI
M. Pranusha¹, M. A. Muneer², CH. Srinivasulu³
¹ M.Tech Student, Dept of IT, JB Institute of Engineering & Technology, Hyderabad, TS, India
² Assistant Professor, Dept of IT, JB Institute of Engineering & Technology, Hyderabad, TS, India
³ Associate Professor & HOD, Dept of IT, JB Institute of Engineering & Technology, Hyderabad, TS, India
Abstract: Cyber security is an important issue to tackle. Various user authentication methods are used for this purpose; they help to prevent misuse or illegal use of highly sensitive data. Text and graphical passwords are the methods mainly used for authentication, but because of various flaws neither is fully reliable for data security. Text passwords are insecure for several reasons; graphical passwords are more secure in comparison but are vulnerable to shoulder-surfing attacks. Hence a new security primitive built from a graphical password system and CAPTCHA technology is proposed, which we call CAPTCHA as graphical Password (CaRP). CaRP is a combination of both a CAPTCHA and a graphical password scheme. In this paper we conduct a comprehensive survey of existing CaRP techniques, namely Click Text, Click Animal and Animal Grid. We discuss the strengths and limitations of each method and point out research directions in this area. We also try to answer two questions: "Are CaRP schemes as secure as graphical passwords and text-based passwords?" and "Is CaRP protected against relay attacks?"
Keywords: CAPTCHA, CaRP, passwords, graphical, techniques.
I. INTRODUCTION

Security awareness is an important factor in an information security program. While organizations and institutes expand their use of advanced security technology and continuously train their security professionals, only a fraction of this effort goes into increasing security awareness among ordinary users. As a result, organized cyber criminals today invest heavily in researching and developing advanced hacking methods that can be used to steal money and secured information from the general public. Password authentication is one of the most common building blocks in implementing access control. Each user has a relatively short sequence of characters, commonly referred to as a password.

4343

www.ijrecs.com

To gain access, providing the right password is essential. A common attack for breaking password-authenticated systems is the dictionary attack [2]. Graphical passwords are an option in place of alphanumeric passwords, since text passwords are somewhat hard to remember. When an application is provided with user-friendly authentication, it becomes easier to break into and use that application. Cloud security can also be provided by alphanumeric passwords, but the problem is that alphanumeric passwords are neither very secure nor easy to remember. Any individual who observes the password being entered can memorize it, which may lead to its misuse. Graphical password schemes are more reliable and more resilient to dictionary attacks than textual passwords, but more vulnerable to shoulder-surfing attacks [3]. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a program that generates and grades tests that are human-solvable but that current computer programs do not have the ability to solve.
The robustness of CAPTCHA lies in its strength in resisting automatic adversarial attacks, and it has many applications in practical security, including free email services, online polls, search engine bots, and the prevention of dictionary attacks, worms and spam [4]. CaRP is a combination of both a CAPTCHA and a graphical password scheme. CaRP overcomes a number of security issues, such as relay attacks, online guessing attacks and, if combined with CAPTCHA and graphical password, shoulder-surfing attacks. CaRP schemes are click-based graphical passwords, where the order of clicks on an image is used to derive the password. Unlike other click-based graphical passwords, the images used in CaRP are generated as CAPTCHA challenges, and a new CaRP image is generated for every login attempt, whether an existing user or a new user is authenticating.
In this paper we conduct a comprehensive survey of existing CaRP techniques, namely Click Text, Click Animal and Animal Grid, and point out research directions in this area. We also try to answer whether CaRP is as secure as graphical passwords and text-based passwords. The survey will be useful for information security researchers and practitioners who are interested in finding an alternative to existing graphical authentication methods.
II. RELATED WORK

Bin B. Zhu [1] implemented CAPTCHA as Graphical Passwords: A New Security Primitive Based on Hard AI Problems. This authentication system is based on Animal Grid and Click Text and can be used on smartphones as well as desktop computers. Hossein Nejati [2] implemented Deep CAPTCHA: An Image CAPTCHA Based on Depth Perception. In this system six images of different objects at different sizes are used, and the user's task is to order these images in terms of their relative size. Hadyn Ellis [3] implemented The Science behind Passfaces. In this system a 3x3 grid is used. The user selects human faces from the grid, or enters a numerical keypad value that corresponds to a face on the grid. The user has to select at least 3 to 7 faces for the login process, but the login time required by this system increases if the user selects more passfaces. P. R. Devale [4] implemented Cued Click Points with Click-Draw Based Graphical Password. In this system security is increased by using a secret drawing on a particular image during the authentication process; whether the password is correct or incorrect is displayed after the final click. Pankaja Patil [5] implemented Graphical Password Authentication using Persuasive Cued Click Points. In this system, after filling in the form, the user can select a user-defined picture or a system-defined picture, after which the user has to click on pixels in the image as click points to create the graphical password.
During password creation a viewport is randomly positioned on the image; the user can change this viewport, using Shuffle, if the user does not want it. During the registration phase the user has to click 5 points within that viewport, and at login time the sequence must be entered in the correct order. Nilesh Kawale [6] implemented A Recognition Based Graphical Password System. In this system a 3x3 grid is used. During the registration phase the user has to select 3 images from that grid. After completion of the registration process, a message containing a password is sent to the user's mobile phone, and this password is entered during the login phase. During the login phase the user has to enter the username entered during registration and the text password, and select from the current grid the 3 images selected during registration. Darryl D'Souza [7] implemented Avatar CAPTCHA: Telling Computers and Humans Apart via Face Classification. This system is based on a combination of human faces and avatar faces. Two rows of 6 images each are used, 12 images in total. Each image has a checkbox, which is used to select only the avatar faces for a successful login. Robert Biddle [8] discussed Graphical Passwords: Learning from the First Twelve Years, a survey, and conducted a brief study of existing graphical password techniques. Mohamed Sylla [9] implemented Combinatoric Drag-Pattern Graphical Password. In this system a graphical keyboard is provided to the user for selecting a password. During password selection the user has to choose a set of characters from the graphical keyboard. These characters are shown in a textbox, and the user must follow the sequence to create the password. After that the system checks the password; if it is not strong, the system suggests different characters for the password, and for these the user has to draw a pattern to create the password.
A. CAPTCHA
A CAPTCHA is a program that can generate and grade tests that (A) most humans can pass, but (B) current computer programs cannot pass. Such a program can be used to differentiate humans from computers [5]. There are two types of visual CAPTCHA: text CAPTCHA and Image Recognition CAPTCHA (IRC). CAPTCHA can be circumvented through relay attacks, whereby CAPTCHA challenges are relayed to human solvers [1].
B. GRAPHICAL PASSWORD
Graphical password schemes have been proposed as a possible alternative to alphanumeric schemes, motivated partially by the fact that humans can remember images more easily than text; psychological studies support this assumption [8]. In addition, if the number of possible images is large enough, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these (presumed) advantages, there is increasing interest in graphical passwords. In addition to web log-in and workstation applications, graphical passwords have also been applied to mobile devices and ATM machines [6].
III. THE SURVEY

Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu [1] proposed the CaRP scheme. In CaRP, i.e. CAPTCHA as graphical Passwords, CAPTCHA and graphical password are combined and used as a single entity for authentication. CaRP schemes are actually click-based graphical passwords in which the CAPTCHA technique is used in such a way that a new image is generated for every login attempt, even for an existing user, just as CAPTCHAs change every time. CaRP uses an alphabet set. Instead of actual characters, visual objects, i.e. visual depictions of alphanumeric characters or of some other objects, are used to generate the CaRP image, which is in fact a CAPTCHA challenge. A noticeable difference between normal CAPTCHA and CaRP images is that all objects of the alphabet set of a CaRP scheme are included in every image challenge, unlike normal CAPTCHAs, where only part of the alphabet set is used. Many CAPTCHA schemes can be converted to CaRP schemes, as described in the next subsection. On the basis of the memory tasks involved in memorizing and entering a password, CaRP schemes can be classified as follows: recognition-based and recognition-recall. The second, recognition-recall CaRP, is a new category that works by recognizing an image and using the recognized objects as cues to enter a password. Recognition-recall combines the tasks of both recognition and cued recall. It retains the advantages of both schemes, i.e. the recognition advantage of being easy for human memory and the cued-recall advantage of a large password space [1].

Fig. 1. Flowchart of Basic CaRP Authentication of the Proposed Architecture
Step 1: The user enters an ID and sends it to the authentication server AS.
Step 2: AS stores a salt s and a hash value H(p, s) for each ID; p is the user password and it is stored.
Step 3: Upon receiving the login request, AS generates a CaRP image, records the locations of the characters or animals in the image, and sends the image to the user.
Step 4: The user clicks the password on the image.
Step 5: The coordinates of the clicked points are recorded and sent to AS.
Step 6: AS maps these coordinates and recovers the clickable points of the object p that the user clicked.
Step 7: AS then retrieves the salt s of the account and calculates the hash value of the recovered password with the salt, using an algorithm such as SHA-1.
Step 8: AS compares the result with the hash value stored for the account.
Step 9: Authentication is successful if and only if the two hash values match.
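The nine steps above can be followed end to end in a small simulation of the authentication server. This is an added example written for this survey, not code from the page or from the CaRP authors' implementation. The "image" is an abstract map from each alphabet symbol to a bounding box (a real CaRP engine renders a CAPTCHA picture), the 32-symbol Click Text style alphabet and the 40-pixel cell size are constructed, and PBKDF2-SHA256 with a constant-time comparison stands in for the page's "algorithm like SHA-1". In this version the server keeps only the salt and the hash for each account, and each generated image is valid for exactly one attempt.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, List, Optional, Tuple

# Constructed alphabet: 32 alphanumeric symbols (I, O, 0 and 1 dropped as visually ambiguous).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CELL = 40        # constructed: side length in pixels of one symbol's bounding box
GRID_SIDE = 8    # constructed: the abstract image is an 8x8 grid of such boxes

Box = Tuple[int, int, int, int]  # x0, y0, x1, y1 (half-open)


class CarpImage:
    """Stand-in for a rendered Click Text image: every symbol of the alphabet
    appears exactly once at a random position (Step 3, 'records location of characters')."""

    def __init__(self, layout: Dict[str, Box]):
        self.layout = layout

    def char_at(self, x: int, y: int) -> Optional[str]:
        """Step 6: map a clicked coordinate back to the symbol drawn there."""
        for ch, (x0, y0, x1, y1) in self.layout.items():
            if x0 <= x < x1 and y0 <= y < y1:
                return ch
        return None


def generate_image(rng: random.Random) -> CarpImage:
    cells = [(c, r) for r in range(GRID_SIDE) for c in range(GRID_SIDE)]
    rng.shuffle(cells)  # a fresh layout for every login attempt
    layout = {ch: (c * CELL, r * CELL, (c + 1) * CELL, (r + 1) * CELL)
              for ch, (c, r) in zip(ALPHABET, cells)}
    return CarpImage(layout)


class AuthServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}  # ID -> (salt s, H(p, s))
        self.pending: Dict[str, CarpImage] = {}             # ID -> image sent for this attempt

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id: str, password: str) -> None:
        """Step 2: keep a per-account salt and H(p, s); the password itself is not kept here."""
        if any(ch not in ALPHABET for ch in password):
            raise ValueError("password contains a symbol outside the CaRP alphabet")
        salt = os.urandom(16)
        self.accounts[user_id] = (salt, self._hash(password, salt))

    def start_login(self, user_id: str, seed: Optional[int] = None) -> CarpImage:
        """Steps 1 and 3: on receiving the ID, generate and remember a fresh CaRP image.
        `seed` is only for reproducible demonstrations; None uses system randomness."""
        image = generate_image(random.Random(seed))
        self.pending[user_id] = image
        return image

    def finish_login(self, user_id: str, clicks: List[Tuple[int, int]]) -> bool:
        """Steps 5 to 9: recover the clicked symbols, re-hash with the account salt, compare."""
        image = self.pending.pop(user_id, None)  # single use: replayed clicks find no image
        if image is None or user_id not in self.accounts:
            return False
        symbols = [image.char_at(x, y) for x, y in clicks]
        if any(s is None for s in symbols):
            return False  # a click that hit no symbol cannot be part of a valid password
        salt, stored = self.accounts[user_id]
        return hmac.compare_digest(self._hash("".join(symbols), salt), stored)


def click_password(image: CarpImage, password: str) -> List[Tuple[int, int]]:
    """Step 4 on the client side: the centre of each symbol's box, in password order."""
    return [((x0 + x1) // 2, (y0 + y1) // 2)
            for x0, y0, x1, y1 in (image.layout[ch] for ch in password)]


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "DE2F")
    image = server.start_login("alice", seed=1)
    print(server.finish_login("alice", click_password(image, "DE2F")))  # True
```

Because the layout changes per attempt, a captured list of click coordinates is tied to the image it was produced on; submitting it again without a fresh challenge fails, which is the property the page relies on for its shoulder-surfing and replay arguments.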

RECOGNITION BASED CaRP
A. CLICKTEXT
Click Text is a recognition-based CaRP scheme. It uses text CAPTCHA as its underlying principle. The alphabet set of Click Text comprises alphanumeric characters. A Click Text password is a sequence of characters from the alphabet, e.g. "DE@F2SK78", which is similar to a text password. A Click Text image differs from a usual CAPTCHA in that all the characters of the alphabet set are included in the image. The underlying CAPTCHA engine generates such a CaRP image. When the image is generated, each character's location in the image is recorded, to be used later in authentication. Characters can be arranged randomly in the 2D space of these images, which differs from text CAPTCHA challenges, where characters are typically ordered from left to right so that users can type them sequentially [1].
B. CLICKANIMAL
Click Animal is also a recognition-based CaRP scheme. It has an alphabet of similar animals such as dog, horse, pig, etc. The password in this scheme is a sequence of animal names, such as "Cat, Dog, Horse, Turkey". One or more 3D models are built for every animal. In the CAPTCHA generation process, 3D models are used to obtain 2D models by applying different views, colors, lighting effects, textures and, optionally, distortions, and these are used to generate the Click Animal image. The resulting 2D animals are then arranged on a cluttered background such as grassland. Some animals may be overlapped by other animals in the image, but their core parts are not overlapped, so that humans can identify each of them. The number of similar animals is much less than the number of available characters. Click Animal therefore has a smaller alphabet, and thus a smaller password space, than Click Text [1].
C. ANIMALGRID

In order to resist human guessing attacks, a sufficiently large effective password space is needed for CaRP schemes. If the Click Animal scheme is combined with grid-based graphical passwords, its password space can be increased. The grid can be built depending on the size of the selected animal. In the authentication process, a Click Animal image is displayed first. After an animal is selected, an image of an n×n grid appears, with the grid-cell size equal to the bounding rectangle of the selected animal. Each grid-cell is labeled to help users identify it. This has the advantage that the correct animal must be clicked in order for the clicked grid-cell(s) on the follow-up grid to be correct. If a wrong animal is clicked, the follow-up grid is wrong. A click on the correctly labeled grid-cell of the wrong grid would likely produce a wrong grid-cell at the authentication server side, where the correct grid is used [1].
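To make the two-stage mechanism concrete, the following added example (not code from the page or from [1]) models an Animal Grid check on a constructed Click Animal layout: four animals with fixed bounding rectangles on a 400x400 canvas stand in for the rendered image, and a password is a sequence of (animal, grid-cell label) pairs. It also shows why clicking the wrong animal spoils the second stage: the same pixel on the follow-up grid lands in a different labelled cell because the cell size is taken from the wrong animal's bounding rectangle. The `password_space` helper is the page's counting argument written out, with the alphabet size and n as parameters.

```python
from typing import Dict, List, Optional, Tuple

Rect = Tuple[int, int, int, int]        # x0, y0, width, height
Click = Tuple[int, int]

# Constructed stand-in for a Click Animal image: animal name -> bounding rectangle.
# Core parts do not overlap, as the scheme requires, so a click maps to at most one animal.
IMAGE: Dict[str, Rect] = {
    "cat": (10, 10, 40, 30),
    "dog": (200, 20, 60, 45),
    "horse": (50, 200, 90, 70),
    "turkey": (300, 300, 50, 50),
}


def animal_at(image: Dict[str, Rect], x: int, y: int) -> Optional[str]:
    """Stage 1: which animal, if any, was clicked on the Click Animal image."""
    for name, (x0, y0, w, h) in image.items():
        if x0 <= x < x0 + w and y0 <= y < y0 + h:
            return name
    return None


def grid_cell(image: Dict[str, Rect], animal: str, n: int, x: int, y: int) -> Optional[int]:
    """Stage 2: label (0 .. n*n-1) of the clicked cell on the n x n follow-up grid.
    The cell size equals the selected animal's bounding rectangle, so the grid
    itself depends on which animal was chosen in stage 1."""
    _, _, w, h = image[animal]
    col, row = x // w, y // h
    if not (0 <= col < n and 0 <= row < n):
        return None
    return row * n + col


def verify(image: Dict[str, Rect], n: int,
           password: List[Tuple[str, int]],
           clicks: List[Tuple[Click, Click]]) -> bool:
    """Server-side check. Each password element is (animal, cell label); each entry of
    `clicks` is (click on the animal image, click on the follow-up grid)."""
    if len(clicks) != len(password):
        return False
    for (animal, cell), ((ax, ay), (gx, gy)) in zip(password, clicks):
        chosen = animal_at(image, ax, ay)
        if chosen is None:
            return False
        # The grid is built from the animal the user actually clicked, as the server would.
        if (chosen, grid_cell(image, chosen, n, gx, gy)) != (animal, cell):
            return False
    return True


def password_space(alphabet_size: int, n: int, length: int) -> int:
    """Number of passwords of a given length: each element picks one of the
    animals and one of the n*n cells, which is what the grid adds over Click Animal."""
    return (alphabet_size * n * n) ** length


if __name__ == "__main__":
    secret = [("dog", 5), ("cat", 10)]
    good = [((210, 30), (70, 50)), ((20, 20), (90, 70))]
    print(verify(IMAGE, 4, secret, good))  # True
    # Same grid clicks, but "horse" clicked instead of "dog" in the first stage.
    print(verify(IMAGE, 4, secret, [((60, 210), (70, 50)), ((20, 20), (90, 70))]))  # False
    print(password_space(len(IMAGE), 4, 2))  # 4096
```

Note that the second-stage click (70, 50) is cell 5 on the dog's 60x45 grid but cell 0 on the horse's 90x70 grid; this is the "wrong grid produces a wrong grid-cell" effect the text describes, and it holds even when the attacker knows the correct label.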
Security Analysis
The computational intractability of hard AI problems such as object recognition is fundamental to the security of CaRP. Existing analyses of CAPTCHA security have mostly been case by case or have used an approximation approach; no theoretical security model has been established yet. Segmenting similar objects (e.g. characters) is considered a computationally expensive and combinatorially hard problem [7], on which modern text CAPTCHA schemes rely. According to [7], the complexity of object segmentation depends exponentially on the number of objects contained in a challenge and polynomially on the size of the CAPTCHA alphabet. A CAPTCHA challenge typically contains 6 to 10 characters, whereas a CaRP image typically contains 30 or more characters.
Therefore, Click Text is much more secure than normal text CAPTCHA. Furthermore, characters in a CaRP scheme are arranged two-dimensionally, which further increases segmentation difficulty because there is an additional dimension to segment. Click Animal relies on both object segmentation and multiple-label classification; its security remains an open question. As a framework for graphical passwords, CaRP does not rely on the security of any specific CAPTCHA scheme. If one CAPTCHA scheme is broken, a new and more robust CAPTCHA scheme may appear and be used to construct a new CaRP scheme.
CaRP offers protection against online dictionary attacks on passwords, which have for a long time been a major security threat to various online services. Defending against online dictionary attacks is a subtler problem than it might appear. Intuitive countermeasures such as limiting the number of logon attempts do not work, for two reasons.
First, they cause denial-of-service attacks (which were exploited to lock the highest bidders out in the final minutes of eBay auctions [8]) and incur expensive helpdesk costs for account reactivation.
Second, they are vulnerable to global password attacks [5], where adversaries intend to break into any account rather than a specific one, and thus try each password candidate on multiple accounts. This way, the number of guesses on each account is kept below the threshold, which avoids triggering account lockout.
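The second reason is what defenders usually call password spraying: each account sees only a guess or two, so a per-account lockout counter never fires. The added example below (written for this survey, not part of the page) runs two checks over a handful of constructed authentication log lines: the per-account threshold from the text, which stays silent, and a per-source check that counts how many distinct accounts a single source has failed against, which is the signal that remains visible when guesses are spread across accounts. The log format, addresses, account names and thresholds are all constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Attempt(NamedTuple):
    time: str
    source: str
    account: str
    ok: bool


# Constructed log lines: "<hh:mm:ss> <source address> <account> <OK|FAIL>".
# One source tries one guess against each of six accounts, then a second round on two of them;
# a second source is an ordinary user who mistypes twice and then logs in.
LOG_LINES = """\
10:00:01 198.51.100.7 alice FAIL
10:00:02 198.51.100.7 bob FAIL
10:00:03 198.51.100.7 carol FAIL
10:00:04 198.51.100.7 dave FAIL
10:00:05 198.51.100.7 erin FAIL
10:00:06 198.51.100.7 frank FAIL
10:00:07 198.51.100.7 alice FAIL
10:00:08 198.51.100.7 bob FAIL
10:00:09 203.0.113.9 alice OK
10:00:10 203.0.113.9 grace FAIL
10:00:11 203.0.113.9 grace FAIL
10:00:12 203.0.113.9 grace OK
""".splitlines()


def parse(line: str) -> Attempt:
    time, source, account, result = line.split()
    return Attempt(time, source, account, result == "OK")


def locked_accounts(attempts: List[Attempt], threshold: int) -> Set[str]:
    """The intuitive countermeasure: lock an account after `threshold` consecutive failures.
    A success resets the counter, as most lockout policies do."""
    streak: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    for a in attempts:
        if a.ok:
            streak[a.account] = 0
        else:
            streak[a.account] += 1
            if streak[a.account] >= threshold:
                locked.add(a.account)
    return locked


def spraying_sources(attempts: List[Attempt], min_accounts: int) -> Dict[str, int]:
    """Per-source view: sources whose failures touch at least `min_accounts` distinct
    accounts. A global password attack cannot keep this counter low by spreading its
    guesses, because spreading is exactly what raises it."""
    failed_accounts: Dict[str, Set[str]] = defaultdict(set)
    for a in attempts:
        if not a.ok:
            failed_accounts[a.source].add(a.account)
    return {src: len(accts) for src, accts in failed_accounts.items()
            if len(accts) >= min_accounts}


def analyse(lines: List[str], threshold: int = 3,
            min_accounts: int = 5) -> Tuple[Set[str], Dict[str, int]]:
    attempts = [parse(line) for line in lines]
    return locked_accounts(attempts, threshold), spraying_sources(attempts, min_accounts)


if __name__ == "__main__":
    locked, sprayers = analyse(LOG_LINES)
    print("locked by per-account threshold:", sorted(locked))   # []
    print("sources failing across many accounts:", sprayers)    # {'198.51.100.7': 6}
```

Lowering the per-account threshold to 2 does catch the sprayer's two repeat guesses, but it also locks out the legitimate user `grace`, which is the helpdesk and denial-of-service cost the first reason describes; the per-source count flags only the spraying address.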
CaRP makes it much harder for attackers to perform automated guessing attacks. Even when a human is involved, the attack is still expensive and slowed down. CaRP also offers protection against relay attacks, which have been an increasing threat to online applications protected by CAPTCHAs. In a relay attack, CAPTCHA challenges are relayed to humans to solve, and their answers are returned.


CaRP is robust to shoulder-surfing attacks if combined with Microsoft's dual-view technology [9], which shows two sets of completely different images simultaneously on the same LCD screen: one private and the other public. When a CaRP image is displayed as the private view, attackers can capture a user's click-points but not the private image, and these points are useless for the next login session (where a new CaRP image will be used). CaRP is robust to cross-site scripting attacks that aim to steal users' graphical passwords, although other click-based graphical passwords such as PassPoints are vulnerable to such attacks. However, a longitudinal evaluation is needed to establish the effective password space of each CaRP instantiation. CaRP is vulnerable if a client is compromised, since the image and the user-clicked points can then both be captured.
Summary
It is a fundamental method in computer security to create cryptographic primitives based on hard mathematical problems that are computationally intractable. Using hard AI problems for security, initially proposed in [10], is an exciting new paradigm. Under this new paradigm, the most notable primitive invented is CAPTCHA. However, the new paradigm has achieved only limited success when compared with the number of cryptographic primitives based on hard mathematical problems and the wide applications of such primitives.
We have shown that it is indeed possible to construct new security primitives based on hard AI problems. Like CAPTCHA, CaRP utilizes unsolved AI problems. However, a password is much more valuable to attackers than the free email account that a CAPTCHA typically protects; therefore there are probably more incentives for attackers to break CaRP than CAPTCHA. That is, CaRP can attract more effort than ordinary CAPTCHA does to the following win-win game: if the attackers succeed, they contribute to improving AI by providing solutions to open problems; otherwise, our system stays secure, contributing to practical security. Overall, CaRP appears to be a step forward in the paradigm of using hard AI problems for security. What else can be invented this way? We expect CaRP to inspire new inventions of AI-based security primitives.
FUTURE WORK
Our graphical password system provides more security for data and protection against different attacks. Our graphical password system is based on a text password and a graphical password. For a successful login the user has to select the correct image chosen during registration, and the system also provides a text password, which gives more security to the data. Future work will be based on patterns.
CONCLUSION
This paper conducts a comprehensive survey of CAPTCHA as Graphical Password schemes. CaRP is a combination of both a CAPTCHA and a graphical password scheme. CaRP schemes are classified as Recognition-Based CaRP and Recognition-Recall CaRP. We have discussed Recognition-Based CaRP, which includes the Click Text, Click Animal and Animal Grid techniques, in this paper. Current graphical password techniques are an alternative to text passwords but are still not fully secure. As a framework, CaRP does not rely on any specific CAPTCHA scheme. When one CAPTCHA scheme is broken, a new and more secure one may appear and be converted to a CaRP scheme. Due to its reasonable security and usability and its practical applications, CaRP has good potential for refinement. The usability of CaRP can be further improved by using images of different levels of difficulty based on the login history of the user and the machine used to log in.
REFERENCES
[1] Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu, CAPTCHA as Graphical Passwords: A New Security Primitive Based on Hard AI Problems, IEEE Transactions on Information Forensics and Security, Vol. 9, No. 6, June 2014.
[2] Matthew Dailey, Chanathip Namprempre, A Text-Graphics Character CAPTCHA for Password Authentication.
[3] T. S. Ravi Kiran, Y. Rama Krishna, Combining CAPTCHA and graphical passwords for user authentication, International Journal of Research in IT & Management, Volume 2, Issue 4 (April 2012) (ISSN 2231-4334).
[4] Liming Wang, Xiuling Chang, Zhongjie Ren, Haichang Gao, Xiyang Liu, Uwe Aickelin, Against Spyware Using CAPTCHA in Graphical Password Scheme.
[5] Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford, CAPTCHA: Using Hard AI Problems for Security.
[6] Xiaoyuan Suo, Ying Zhu, G. Scott Owen, Graphical Passwords: A Survey, Department of Computer Science, Georgia State University.
[7] Iranna A M and Pankaja Patil, Graphical Password Authentication using Persuasive Cued Click Point, International Journal of Advanced Research in Electrical, Electronics and Instrumentation Engineering, Vol. 2, Issue 7, July 2013.
[8] Darryl D'Souza, Phani C. Polina, and Roman V. Yampolskiy, Avatar CAPTCHA: Telling Computers and Humans Apart via Face Classification, IEEE, 2012.
[8] Nilesh Kawale and Shubhangi Patil, A Recognition Based Graphical Password System, International Journal of Current Engineering and Technology, Vol. 4, No. 2, Apr 10, 2014.
[9] Robert Biddle, Sonia Chiasson and P. C. van Oorschot, Graphical Passwords: Learning from the First Twelve Years, School of Computer Science, Carleton University, Jan 4, 2012.
[10] Mohamed Sylla, Gul Muhammad, Kaleem Habib and Jamaludin Ibrahim, Combinatoric Drag-Pattern Graphical Password, Journal of Emerging Trends in Computing and Information Sciences, Vol. 4, No. 12, Dec 2013.