• Rohan Rao


Password-based authentication is widely used in applications for computer security and privacy. As the number of web and mobile applications rises exponentially, people can access these applications anytime and anywhere with various devices. People may log into web services and applications in public to access their personal and confidential accounts with their laptops, smartphones, tablets or public devices such as bank ATMs. All of this brings great convenience but at the same time increases the risk of exposing passwords to shoulder surfing attacks. Shoulder surfing is a kind of attack in which attackers observe directly, or use external recording devices, to collect a user's credentials. Shoulder surfing attackers can observe how passwords are entered with the help of reflective glass windows or recording devices such as the CCTV cameras that hang everywhere in public places. Passwords are exposed in these risky environments even if the passwords themselves are complex and secure. To overcome the problem of shoulder surfing, we propose an image-based authentication system along with encryption. With a one-time valid login indicator (token) and horizontal and vertical bars covering the entire scope of an image, the proposed system offers attackers no hint with which to figure out or narrow down a password, even when they conduct multiple camera-based attacks. In addition, the login indicator is completely random and valid only for a short period of time. The proposed system also includes an Android application whose goal is to receive the login indicator and display it to the user. To protect the mobile application from theft, only one email ID is allowed per application, and an easy-to-remember, randomly generated password required for logging into the application is also sent to the user. This password is completely encrypted and valid only for a single login.
Keywords: Authentication, shoulder surfing attack, encryption, decryption, login indicator
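
The abstract requires the login indicator to be random, one-time and short-lived. The following sketch of a server-side store enforcing those three properties is an added example, not code from the paper; the class name, indicator alphabet, length and 60-second lifetime are assumptions, and the image and bar check that would consume the indicator is not shown because the abstract does not specify it.

```python
import secrets
import time
from typing import Optional

# Assumed format: the abstract does not say what an indicator looks like.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
INDICATOR_LEN = 4
TTL_SECONDS = 60  # assumed value for "short period of time"


class IndicatorStore:
    """Holds at most one live login indicator per account (hypothetical helper)."""

    def __init__(self, ttl: float = TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested offline
        self._live = {}      # account -> (indicator, expiry time)

    def issue(self, account: str) -> str:
        # secrets uses the OS CSPRNG, so an observed indicator says
        # nothing about the next one.
        indicator = "".join(secrets.choice(ALPHABET) for _ in range(INDICATOR_LEN))
        # Re-issuing overwrites, and so invalidates, any earlier indicator.
        self._live[account] = (indicator, self._clock() + self._ttl)
        return indicator

    def take(self, account: str) -> Optional[str]:
        """Return the live indicator for one login attempt, or None.

        pop() removes the entry whether or not the attempt later succeeds,
        so each indicator backs exactly one attempt and a recorded session
        cannot be replayed against the same indicator.
        """
        entry = self._live.pop(account, None)
        if entry is None:
            return None
        indicator, expiry = entry
        if self._clock() > expiry:
            return None  # expired before it was used
        return indicator
```

The login handler would call `take()` once per attempt and evaluate the user's bar alignment against the returned value, issuing a fresh indicator to the Android application for any retry.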


How to Cite
RAO, Rohan. IMAGE BASED SYSTEM TO RESIST SHOULDER SURFING ATTACK OVER WEB. International Journal Of Emerging Technology and Computer Science, [S.l.], v. 2, n. 1, jan. 2017. ISSN 2455-9954. Available at: <>. Date accessed: 28 may 2020.