3D PASSWORD

SUBMITTED IN THE PARTIAL FULFILMENT OF REQUIREMENT FOR THE

AWARD OF THE DEGREE OF

BACHELOR OF ENGINEERING
IN
ELCTRICAL ENGINEERING

SUBMITTED BY
SUGAM
C. ROLL NO.- 187/17
U. ROLL NO.- 693/17

SUBMITTED TO

MS.KAMALPREET KOUR
PROFESSOR

DEPARTMENT OF ELECTRONICS AND COMMUNICATION

MAHANT BACHTITTAR SINGH COLLEGE OF ENGINEERING &

TECHNOLOGY,JAMMU
YEAR 2020

YEAR 2020
 ACKNOWLEDGEMENT

“There are times when silence speaks so much more loudly than words of praise to only as
good as belittle a person, whose words do not express, but only put a veneer over the feelings,
which are gratitude at this point of time.”
My report will remain incomplete if I do not mention the efforts of the people who helped me in
completing this project. I take this opportunity to thank Ms. Kamalpreet Kour(Assistant
Professor) for guiding me throughout the completion of this seminar report as well as boosting
mymorale.

SUGAM
C. Roll No. –187/17
U. Roll No. –693/17
 ABSTRACT
Current authentication systems suffer from many weaknesses. Textual passwords are
commonly used, however, users do not follow their requirements. Users tend to choose
meaningful words from dictionaries, which make textual passwords easy to break and
vulnerable to dictionary or brute force attacks. Many graphical passwords have a password
that is less than or equal to the textual password space. Smart cards or tokens can be stolen.
Many biometrics authentications have been proposed, however, users tend to resist using
biometrics because of their intrusiveness and the effect of their privacy. Moreover, biometrics
cannot be revoked. The 3D password is a multifactor authentication scheme. To be
authenticated we present a 3D virtual environment where the user navigates and interacts
with various objects. The sequence of actions and interactions towards the objects inside the
3D environment constructs the user’s 3D password. The 3D password can combine most
existing authentication schemes such as textual passwords, graphical passwords and various
types of biometrics into a 3D virtual environment. The design of the 3D virtual environment
and the type of objects selected determine the 3D password key space.
 CONTENTS
Page No.
Chapter 1 Introduction 1
1.1 Introduction to 3D Password 1
1.2 Existing Systems] 2
1.3 Proposed Systems 3
Chapter 2 Password 4
2.1 Textual Passwords 4
2.2 Graphical Passwords 5
2.3 Biometrics 6
Chapter 3 3D Passwords 9
3.1 Brief Description of the System 9
3.2 Scheme 9
3.3 System Implementation 11
3.4 3d Password Selection and Input 13
Chapter 4 3D Virtual Environment 15
4.1 3d Virtual Environment Guidelines 15
4.1.1 Real Life Similarity 15
4.1.2 Object Uniqueness and Distinction 16
4.1.3 Three Dimensional Virtual Environment Size 16
4.1.4 Number of Objects (Items) and their Types 16
4.1.5 System Importance 16
4.2 3D Password Differentiators 17
Chapter 5 3D Password Applications 18
5.1 Security Analysis 19
5.1.1 3D password space size 19
5.1.2 3D Password Distribution Knowledge 20
Chapter 6 Attacks and Counter Measures 22
Chapter 7 Experimental Results 24
7.1 Experimental Virtual 3d Environment 24
7.2 User Study 25
Chapter 8 Advantages and Disadvantages 27
8.1 Advantages of 3D Password 27
 8.2 Disadvantages of 3D Password 27
Conclusion 28
References 30
 LIST OF FIGURES
Fig No. Name of figure Page No.
Fig 2 (a) Basic Identification Method of Password 4
Fig 2.3 (a) Based in human characteristics or body organs 6
Fig 2.3(b) Drawabacks 8
Fig 3.1 (a) 3D Password 10
Fig 3.3 (a) System Administration 11
Fig 3.2 (b) Login Password 12
Fig 3.4 (a) Snapshot of a proof of concept virtual art gallery, which contain
36 pictures and six computers 14
Fig 3.4 (b) Snapshot of a proof of concept 3D Virtual environment where
the user is typing a textual password on a virtual computer as a
part of the user’s 3D password 14
Fig 4.1.1 (a) 3D Virtual Environment 15
Fig 5.1 (a) State diagram of a possible 3D password application 18
 LIST OF TABLES
Table No. Name of Table Page No.
Table 7.1 Resulting number of possible 3D passwords of total length Lmax 24
 3D PASSWORD

CHAPTER 1

INTRODUCTION

1.1 Introduction to 3D Password

The 3D password is a multifactor authentication scheme. It can contain all existing
authentication schemes into a single 3D virtual environment. The 3D virtual environment
contains several objects or items with which the user can interact. The type of interaction
varies from one item to another. The 3D password is constructed by observing the actions and
interactions of the user and by observing the sequence of such actions. The 3D password is a
new authentication scheme that combines Recall, Recognition, Token, Biometrics in one
authentication system.

3D password is customizable and very interesting way of authentication. It is simply the

combination of textual passwords, graphical passwords and various types of biometrics into
a 3D environment.3D password contains a 3D virtual environment where the user navigates
and interacts with various objects. It is a sequence of actions and interactions towards the
objects constructs user’s 3D password. It becomes much more difficult for attackers to guess
the user’s 3D password.

Normally, the authentication scheme the user undergoes is particularly very lenient or strict.
Throughout the years the authentication has been a very interesting approach. With all the
means of the technology developing, it can be very easy for others to fabricate or to steal
identity or to hack someone’s password. Therefore many algorithms have come up each with
an interesting approach towards calculation of a secret key. The algorithms are such based to
pick a random number in the range of 10^6 and therefore the possibilities of the same number
coming is rare.

Users now-a-days are provided with major passwords stereotypes such as textual passwords,
biometrics scanning, token or cards (such as an ATM) etc. Mostly textual passwords follow
an encryption algorithm. Biometric scanning is your natural signature and cards or tokens
prove your validity. But some people hate the fact to carry around their cards, some refuse to
undergo strong IR exposure to their retinas. Mostly textual passwords are kept very simple
say a word from the dictionary or their pet names, girlfriends etc. Years back Klein

Electronics and Communication Engg. Deptt. MBSCET 1

 3D PASSWORD
performed such tests and he could crack 10-15 passwords per day. Now with the technology
change, fast processors and many tools on the Internet, this has become a child’s play.

Therefore we present our idea, the 3D passwords which are more customizable and very
interesting way of authentication. Now the passwords are based on the fact of Human
memory. Generally, simple passwords are set so as to quickly recall them. The human
memory in our scheme has to undergo the facts of Recognition, Biometrics or Token based
authentication. Once implemented and you login to a secure site, the 3D password GUI opens
up. This is an additional textual password which the user can simply put. Once he goes
through the first authentication, a 3D virtual room will open the screen. In our case let’s say a
virtual garage. Now in a day to day garage one will find all sorts of tools, equipments etc
each of them is having unique properties. The user will then interact with these properties
accordingly.

Each object in the 3D space can be moved around in an (x,y,z) plane. That’s the moving
attribute of each object. This property is common to all the objects in the space. Suppose a
user logs in and enters the garage. He sees and picks up the screw driver (initial position in a
xyz coordinates (5,5,5)) and moves it 5 places to the right (in the xyz plane i.e. (10,5,5)). This
can be identified as an authentication. Only the true user understands and recognizes the
objects which he has to choose among many. This is the Recall and Recognition part of
human memory coming into play. Interestingly, a password can be set as approaching a radio
and setting its frequency to number only the users knows. Security can be enhanced by the
fact of including Cards and Biometric scanner as input. There can be levels of authentication
a user can undergo.

1.2 Existing Systems

Current authentication systems suffer from many weaknesses. Textual passwords are
commonly used, however, users do not follow their requirements. Users tend to choose
meaningful words from dictionaries, which make textual passwords easy to break and
vulnerable to dictionary or brute force attacks. Many graphical passwords have a password
that is less than or equal to the textual password space. Smart cards or tokens can be stolen.
Many biometrics authentications have been proposed, however, users tend to resist using
biometrics because of their intrusiveness and the effect of their privacy. Moreover, biometrics
cannot be revoked. The 3D password is a multifactor authentication scheme. The design of
the 3D virtual environment and the type of objects selected determine the 3D password key

Electronics and Communication Engg. Deptt. MBSCET 2

 3D PASSWORD
space. Users have the freedom to select whether the 3D password will be solely, recall,
recognition or token based, or combination of two schemes or more.

1.3 Proposed Systems

The proposed system is a multi factor authentication scheme that combines the benefits of
various authentication schemes. Users have the freedom to select whether the 3D password
will be solely, recall, recognition or token based, or combination of two schemes or more.
This freedom of selection is necessary because users are different and they have different
requirements. Therefore, to ensure high user acceptability, the user’s freedom of selection is
important.

The following requirements are satisfied in the proposed scheme.

1. The new scheme provide secrets that are easy to remember and very difficult for intruders
to guess.

2. The new scheme provides secrets that are not easy to write down on paper. Moreover, the
scheme secrets should be difficult to share with others.

3. The new scheme provides secrets that can be easily revoked or changed.

The dramatic increase of computer usage has given rise to many security concerns. One
major security concern is authentication which is the process of validating who you are to
whom you claimed to be. In general, human authentication techniques can be classified as:-

Electronics and Communication Engg. Deptt. MBSCET 3

 3D PASSWORD

CHAPTER 2

PASSWORD

Password is basically an encryption algorithm. It usually contains 8-15 characters or slightly

more than that. Password can be meaningful words from dictionary, pet names, names of
friend etc. Password is easy to break and vulnerable to brute force attack.

Fig 2 (a) Basic Identification Method of Password

Passphrase is an enhanced version of password. It is the combination of words and simply a

collection of passwords in proper sequence. The length of passphrase is 30-50 characters or
more than that also. It creates ambiguity to remember if there is no proper sequence.

2.1 Textual Passwords

Recall based techniques require the user to repeat or to reproduce a secret that the user
created before. Recognized based techniques require the user to identify and recognize the
secret, or part of it, that the user selected before. One of the most common recall based
authentication schemes used in the computer world is the textual passwords.

Electronics and Communication Engg. Deptt. MBSCET 4

 3D PASSWORD
Textual passwords are commonly used, however users do not follow their requirements.
Users tend to choose meaningful words from dictionaries, which make textual password easy
to break and vulnerable to dictionary or brute force attack.

One major drawback of textual password is its two conflicting requirements: the selection of
passwords that are easy to remember and, at the same time, are hard to guess.

Klein collected the passwords of nearly 15000 accounts that had alphanumeric passwords,
and he reached the following observation: 25% of the passwords were guessed by using a
small yet well formed dictionary of 3*10^6 words. Furthermore, 21% of the passwords were
guessed in the first week and 368 passwords were guessed within the first 15 min. Klein
stated that by looking at these results in a system with about 50 accounts, the first account can
be guessed in 2 minutes and 5-15 accounts can be guessed in the first day. Klein showed that
even though the full textual password space for eight character passwords consisting of letters
and numbers is almost 2*10^14 possible passwords , it is easy to crack 25% of the passwords
by using only a small subset of the full password space. It is important to note that Klein’s
experiment was in 1990 when the processing capabilities, memory, networking and other
resource were very limited compared to today’s technology.

2.2 Graphical Passwords

Various graphical password schemes have been proposed. Blonder proposed the first
graphical password schema. Blonder’s idea of graphical passwords is that by having a
predetermined image, the user can select or touch regions of the image causing the sequence
and the location of the touches to construct the user’s graphical password. After, Blonder’s
the notion of the graphical passwords was developed. Many graphical passwords have been
proposed. Dhamija and Perrig proposed DejaVu which is a recognition based graphical
password system. Another recognition based graphical password is Passfaces. Passfaces
simply works by having the user select a subgroup of k faces from a group of n faces. For
authentication, the system shows m faces and one of the faces belong to the subgroup k. The
user has to do the selection many times to complete the authentication process. Another
scheme is the Story scheme, which requires the selection of pictures of objects (people, cars,
food, airplanes, etc) to form a story line.

Graphical passwords are based on the idea that users can recall and recognize pictures better
than words. However, some of the graphical password schemes require a long time to be
performed. Graphical passwords have a password space that is less than or equal to the

Electronics and Communication Engg. Deptt. MBSCET 5

 3D PASSWORD
textual password space. Moreover, most of the graphical passwords can be easily observed or
recorded while the legitimate user is performing the graphical password; thus, it is vulnerable
to shoulder surfing attacks. Currently, most graphical passwords are still in their research
phase and require more enhancements and usability studies to deploy them in the market.

The drawbacks of graphical passwords are as under:

1. Graphical passwords can be easily recorded as these schemes take a long time.

2. One main drawback of applying biometrics is its intrusiveness upon a user’s

personnel characteristics.

3. They require special scanning device to authenticate the user which is not acceptable
for remote and internet users.

2.3 Biometrics
One important type of authentication is based on who you are or in other words, biometrics.
Fingerprints, palm-prints, face recognition, voice recognition, iris and retina recognition are
all different methodologies of biometric recognition systems.

1. Human properties are vulnerable to change from time to time due to several reasons such
as ageing, scarring, face make-up, change of hair-style and sickness (change of voice).

Fig 2.3 (a) Based in human characteristics or body organs

Electronics and Communication Engg. Deptt. MBSCET 6

 3D PASSWORD
2. People tend to resist biometrics for different reasons. Some people think that keeping a
copy of the user’s fingerprints is not acceptable and is a threat to the user’s privacy. In
addition some users resist the idea of a low intensity infrared light or any other kind of
light directed at their eyes, such as in retina recognition systems.

3. Biometrics cannot be revoked which leads to a dilemma in case the user’s data have been
forged. Unlike other authentication schemes where the user can alter his/her textual
password in case of a stolen password or replace his/her token if it has been stolen or
forged, a user’s biometrics cannot be revoked.

Biometric refers to a broad range of technologies. It automates the identification or

verification of an individual. Based on human characteristics or body organs biometrics has
been characterized into:

o Physiological: face, fingerprints, iris, etc.

o Behavioral: hand written signature, voice, etc.

Many biometric schemes have been proposed; fingerprints, palm-prints, hand geometry, face
recognition, voice recognition, iris recognition and retina recognition are all different
biometric schemes. Each biometric recognition scheme has its advantages and disadvantages
based on several factors such as consistency, uniqueness, and acceptability. One of the main
drawbacks of applying biometrics is its intrusiveness upon a user personal characteristic.
Moreover, retina biometrical recognition schemes require the users to willingly subject their
eyes to a low intensity infrared light. In addition, most biometric systems require a special
scanning device to authenticate users, which is not applicable for remote and internet users.

Electronics and Communication Engg. Deptt. MBSCET 7

 3D PASSWORD
Biometrics has also some drawbacks:

Fig 2.3(b) Drawabacks

o Suppose you select your finger as a biometric.

o But what to do when you have crack or wound in your finger.

o And now-a-days some hackers even implement exact copy of your biometrics also.

o After seeing all the different security scheme now it is time to do something advance in
this security system.

o Here, the 3D password came into the picture.

Electronics and Communication Engg. Deptt. MBSCET 8

 3D PASSWORD

CHAPTER 3

3D PASSWORDS

3.1 Brief Description of the System

The 3D password is a multifactor authentication scheme. It can contain all existing
authentication schemes into a single 3D virtual environment. The 3D virtual environment
contains several objects or items with which the user can interact. The type of interaction
varies from one item to another. The 3D password is constructed by observing the actions and
interactions of the user and by observing the sequence of such actions. The 3D password is a
new authentication scheme that combines Recall, Recognition, Token, Biometrics in one
authentication system.

3D password is customizable and very interesting way of authentication. It is simply the

combination of textual passwords, graphical passwords and various types of biometrics into
a 3D environment.3D password contains a 3D virtual environment where the user navigates
and interacts with various objects. It is a sequence of actions and interactions towards the
objects constructs user’s 3D password. It becomes much more difficult for attackers to guess
the user’s 3D password.

3.2 Scheme
We present a multifactor authentication that combines the benefits of various authentication
schemes. We attempted to satisfy the following requirements:

 The new scheme should provide secrets that are easy to remember and very difficult for
intruders to guess.

 The new scheme should not be either recall based or recognition based only. Instead the
scheme should be a combination of recall, recognition, biometrics and token based
authentication schemes.

 The new scheme should provide secrets are not easy to write down on paper and difficult
to share with others.

 The new scheme should provide secrets can be easily revoked or changed.

 Users ought to have the freedom to select whether the 3D password will be solely recall,
recognition, biometrics, or token based or a combination of two schemes or more. This

Electronics and Communication Engg. Deptt. MBSCET 9

 3D PASSWORD
selection of freedom is necessary because users are different and they have different
requirements. Some users do not like to carry cards. Some users do not like to provide
biometrical data, and some users have poor memories. Therefore, to ensure high user
acceptability, the user’s freedom of selection is important.

Fig 3.1 (a) 3D Password

The choice of what authentication scheme will be a part of the user’s 3D password reflects
the user’s preferences and requirements. A user who prefers to remember and recall a
password might choose textual and graphical passwords as part of their 3D password. On the
other hand users who have more difficulty with memory or recall might prefer to choose
smart cards or biometrics as part of their 3D password. Moreover the users who prefers to
keep any kind of biometric data private might not interact with object that require biometric
information. Therefore, it is the user’s choice and decision to construct the desired and
preferred 3Dpassword.

Electronics and Communication Engg. Deptt. MBSCET 10

 3D PASSWORD

3.3 System Implementation

The 3D password is a multifactor authentication scheme. The 3D password presents a 3D
virtual environment containing various virtual objects. The user navigates through this
environment and interacts with the objects. It is simply the combination and sequence of user
interactions that occur in the 3D environment. The 3D password is a new authentication
scheme that combines Recall, Recognition, Token, Biometrics in one authentication system.
This can be done by designing a 3D virtual environment that contains objects that request
information to be recalled, information to be recognized, tokens to be presented and
biometrics data to be verified.

For example, the user can enter the virtual environment and type something on a computer
that exists in (x1, y1, z1) positions, then enter a room that has a fingerprint recognition device
that exists in a position (x2, y2, z2) and provide his/her fingerprints. Then the user can go to
the virtual garage, open the car door and turn on the radio to a specific channel. The
combination and sequence of the previous actions towards the specific objects construct the
user’s 3D password.

Fig 3.3 (a) System Administration

It is the user’s choice to select which type of authentication scheme will be part of their 3D
password. This is achieved through interacting only with the objects that acquire information
that the user is comfortable in providing and ignoring the objects that request information that
the user prefers not to provide. For example, if an item requests an iris scan and the user is

Electronics and Communication Engg. Deptt. MBSCET 11

 3D PASSWORD
not comfortable in providing such information, the user simply avoids interacting with that
item. Moreover, giving the user the freedom of choice as to what type of authentication
schemes will be part of their 3D password and given the large number of objects and items in
the environment, the number of possible 3D passwords will increase. Thus, it becomes much
more difficult for the attackers to guess the user’s 3D password.

Virtual objects can be any object that we encounter in real life. Any obvious actions and
interactions towards the real life objects can be done in the virtual 3D environment towards
the virtual objects. Moreover, any user input (such as speaking in a specific location) in the
virtual 3D environment can be considered as a part of the 3D password. We can have the
following objects:

Fig 3.2 (b) Login Password

 A computer with which the user can type.

 A fingerprint reader that require users fingerprint.

 A biometrical recognition device.

 A paper or white board that a user can write, sign, or draw on.

 An automated teller (ATM) machine that requires a token.

 A light that can be switched on/off.

 A television or radio where channels can be selected.

 A staple that can be punched.

 A car that can be driven.

Electronics and Communication Engg. Deptt. MBSCET 12

 3D PASSWORD
 A book that can be moved from one place to another.

 Any graphical password scheme.

 Any upcoming authentication scheme.

The action towards an object (assume a fingerprint recognition device) that exists in location
(x1, y1, z1) is different from the actions towards a similar object (another fingerprint
recognition device) that exists in location (x2, y2, z2), where x1=x2, y1=y2 and z1=z2.
Therefore, to perform legitimate 3D password, the user must follow the same scenario
performed by the legitimate user. This means interacting with the same objects that reside at
the exact locations and perform the exact actions in the proper sequence.

3.4 3d Password Selection and Input

Let us consider a 3D virtual environment space of size G*G*G. the 3D environment space is
represented by the coordinated (x, y, z) E[1,…….,G]*[1,…….,G]*[1,…….,G]. The objects
are distributed in the 3D virtual environment with unique (x, y, z) coordinates. We assume
that the user can navigate into the 3D virtual environment and interacts with the objects using
any input device such as mouse, keyboard, fingerprint scanner, iris scanner, stylus, card
reader, and microphone. We consider the sequence of those actions and interactions using the
previous input devices as the user’s 3D password.

For example, consider a user who navigates through the 3D virtual environment that consists
of an office and a meeting room. Let us assume that the user is in the virtual office and the
user turns around to the door located in (10, 24, 91) and opens it. Then, the user closes the
door. The user then finds a computer to the left, which exists in the position (4, 34, 18), and
the user types “FALCON”. Then the user walks to the meeting room and picks up a pen
located at (10, 24, 80) and draws only one dot in a paper located in (1, 18, 30) which is the
dot (x, y) coordinate relative to the paper space is (330, 130). The user then presses the login
button. The initial representation of user actions in the 3D virtual environment can be
recorded as follows:

(10, 24, 91) Action= Open the office door;

(10, 24, 91) Action=Close the office door;

(4, 34, 18) Action=Typing “F”;

(4, 34, 18) Action=Typing “A”;

Electronics and Communication Engg. Deptt. MBSCET 13

 3D PASSWORD
(4, 34, 18) Action=Typing “L” ;

(4, 34, 18) Action=Typing “C”;

Fig 3.4 (a) Snapshot of a proof of concept virtual art gallery, which contain 36 pictures and
six computers

(4, 34, 18) Action=Typing “O” ;

(4, 34, 18) Action=Typing “N”;

(10, 24, 80) Action=Pick up the pen

(1, 18, 80) Action=Drawing , point=(330,130)

Fig 3.4 (b) Snapshot of a proof of concept 3D Virtual environment where the user is typing a
textual password on a virtual computer as a part of the user’s 3D password

Electronics and Communication Engg. Deptt. MBSCET 14

 3D PASSWORD

CHAPTER 4

3D VIRTUAL ENVIRONMENT

The 3D virtual environment consists of many items or objects. Each item has different
responses to actions. The user actions, interactions and inputs towards the objects or towards
the 3D virtual environment create the user’s 3D password. 3D virtual environment affects the
usability, effectiveness, and acceptability of a 3D password system. 3D environment reflects
the administrator needs and the security requirements.

4.1 3d Virtual Environment Guidelines

The design of 3D virtual environment affects the usability, effectiveness, acceptability of the
3D password. Therefore, the first step in building a 3D password system is to design a 3D
environment that reflects the administration needs and the security requirements. The design
of 3D virtual environments should follow these guidelines:

4.1.1 Real Life Similarity

The prospective 3D virtual environment should reflect what people are used to seeing in real
life. Objects used in virtual environments should be relatively similar in size to real objects
(sizes to scale). Possible actions and interactions towards virtual objects should reflect real
life situations. Object responses should be realistic. The target should have a 3D virtual
environment that users can interact.

Fig 4.1.1 (a) 3D Virtual Environment

Electronics and Communication Engg. Deptt. MBSCET 15

 3D PASSWORD

4.1.2 Object Uniqueness and Distinction

Every virtual object or item in the 3D virtual environment is different from any other virtual
object. The uniqueness comes from the fact that every virtual object has its own attributes
such as position. Thus the prospective interaction with object 1 is not equal to the interaction
with object 2. However having similar objects such as 20 computers in one place might
confuse the user. Therefore, the design of the 3D virtual environment should consider that
every object should be distinguishable from other objects. A simple real life example is home
numbering. Assume that there are 20 or more homes that look like each other and the homes
are not numbered. It would be difficult to distinguish which house was visited a month ago.
Similarly, in designing a 3D virtual environment, it should be easy for users to navigate
through and to distinguish between objects. Therefore, it improves the system usability.

4.1.3 Three Dimensional Virtual Environment Size

A 3D virtual environment can depict a city or even the world. On the other hand, it can depict
a space as focused as a single room or office. The size of a 3D environment should be
carefully studied. A large 3D virtual environment will increase the time required by the user
to perform a 3D password. Moreover, a large 3D virtual environment can contain a large
number of virtual objects. Therefore, the probable 3D password space broadens. However, a
small 3D virtual environment usually contains only a few objects, and thus, performing a 3D
password will take less time.

4.1.4 Number of Objects (Items) and their Types

Part of designing a 3D virtual environment is determining the types of objects and how many
objects should be placed in the environment. The types of objects reflect what kind of
responses the object will have. For simplicity, we can consider requesting a textual password
or a fingerprint as an object response type. Selecting the right object response types and the
number of objects affects the probable password space of a 3D password.

4.1.5 System Importance

The 3D virtual environment should consider what systems will be protected by a 3D

password. The number of objects and the types of objects that have been used in the 3D
virtual environment should reflect the importance of the protected system.

Electronics and Communication Engg. Deptt. MBSCET 16

 3D PASSWORD

4.2 3D Password Differentiators

1. Flexibility- 3D password allows multifactor authentication biometrics, textual passwords
can be embedded in 3D password technology.

2. Strength- This scenario provides almost unlimited passwords possibility.

3. Ease to memorize- It can be remembered in the form of short stories.

4. Respect of privacy- Organizers can select authentication schemes that respect user’s
privacy.

Electronics and Communication Engg. Deptt. MBSCET 17

 3D PASSWORD

CHAPTER 5

3D PASSWORD APPLICATIONS

Because a 3D password can have a password space that is very large compared to the other
authentication schemes, the 3D password’s main application domains are protecting critical
systems and resources. Possible critical applications include the following:

1. Critical Servers- Many large organizations have critical servers that are usually
protected by a textual password. A 3D password authentication proposes a sound
replacement for a textual password. Moreover, the entrances to such locations are usually
protected by access cards and sometimes PIN numbers. Therefore, a 3D password can be
used to protect the entrances to such locations and protect the usage of such servers.

2. . Nuclear And Military Facilities- Such facilities should be protected by the most
powerful authentications systems. The 3D password has a very large probable password
space, and since it can contain token-, biometrics-, recognition-, and knowledge based
authentications in a single authentication system, it is a sound choice for high level
security locations

3. Airplanes And Jetfighters- Because of the possible threat of misusing airplanes and
jetfighters for religion-political agendas, usage of such airplanes should be protected by a
powerful authentication system. The 3D password is recommended for these systems.

In addition, 3D passwords can be used in less critical systems because the 3D virtual
environment can be designed to fit any system’s need. A small 3D virtual environment can be
used in many systems, including the following:

Fig 5.1 (a) State diagram of a possible 3D password application

Electronics and Communication Engg. Deptt. MBSCET 18

 3D PASSWORD
1. ATM’s

2. Personal digital assistants

3. Desktop computers and laptop logins

4. Web authentication

5. Security analysis

To analyze and study how secure a system is, we have to consider,

 How hard it is for the attackers to break such a system

o A possible measurement is based on the information content of a password space. It is

important to have a scheme that has a very large possible password space which increases
the work required by the attacker to break the authentication system.

o Find a scheme that has no previous or existing knowledge of the most probable user
password selection.

5.1 Security Analysis

To analyze and study how secure a system is, we have to consider how hard it is for the
attackers to break such a system. A possible measurement is based on the information
concept of a password space, which is defined in as “the entropy of the probability
distribution over that space given by the relative frequencies of the passwords that user
actually choose”. We have seen that textual password space may be relatively large; however,
an attacker might only need a small subset of the full password space as Klein observed to
successfully break such an authentication system. As a result, it is important to have a scheme
that has a very large possible password space as one factor for increasing the work required
by the attacker to break the authentication system. Another factor is to find a scheme that has
no previous or existing knowledge of the most probable user password selection, which can
also resist the attack on such an authentication scheme.

5.1.1 3D password space size

One important factor to determine how difficult it is to launch an attack on an authentication

system is the size of the password space. To determine the password space, we have to count
all possible 3D passwords that have a certain number of actions, interactions, and inputs
towards all objects that exist in the 3D virtual environments.

Electronics and Communication Engg. Deptt. MBSCET 19

 3D PASSWORD

5.1.2 3D Password Distribution Knowledge

Users tend to use meaningful words for textual passwords. Therefore finding these different
words from dictionary is a relatively simple task which yields a high success rate for breaking
textual passwords. Pass faces users tend to choose faces that reflect their own taste on facial
attractiveness, race, and gender.

Every user has different requirements and preferences when selecting the appropriate 3D
password. This fact will increase the effort required to find a pattern of user’s highly selected
password. In addition, since the 3D password combines several authentication schemes into a
single authentication environment, the attacker has to study every single authentication
scheme and has to discover what the most probable selected secrets are. Since every 3D
password system can be designed according to the protected system requirements, the
attacker has to separately study every 3D password system. Therefore, more effort is required
to build the knowledge of most probable 3D passwords.

Studying the user’s behavior of password selection and knowing the most probable textual
passwords are the key behind dictionary attacks. Klein used such knowledge to collect a
small set of 3*10^6 words that have a high probability of users among users. The question is
how has such information (highly probable passwords) been found and why. Users tend to
choose words that have meaning, such as names, places, famous people’s names, sport terms
and biological terminologies. Therefore, finding these different words from the dictionary is a
relatively simple task. Using such knowledge yields a high success rate for breaking textual
passwords. Any authentication scheme is affected by the knowledge distribution of the user’s
secrets. According to Davis Et Al , “passfaces” user tend to choose faced that reflect their
own taste on facial attractiveness, race and gender. Moreover, 10% of male passwords have
been guessed in only two guesses.

Currently, knowledge about user’s behaviors on selecting their 3D password does not exist.
Every user has different requirements and preferences when selecting the appropriate 3D
password. This fact will increase the effort required to find a pattern of user’s highly selected
3D password. In addition, since the 3D password combines several authentication schemes
into a single authentication environment, the attacker has to study every single authentication
scheme and has to discover what the most probable selected areas are. For textual password,
the highly probable selected textual password might be determined by the use of dictionaries.

Electronics and Communication Engg. Deptt. MBSCET 20

 3D PASSWORD
However, there are many authentication schemes with undiscovered probable password
space.

Since every 3D password system can be designed according to the protected system
requirements, the attacker has to separately study every 3D password system. This is because
objects that exist in one 3D password system might not exist on other 3D password systems.
Therefore, more effort is required to build the knowledge of most probable 3D passwords.

Electronics and Communication Engg. Deptt. MBSCET 21

 3D PASSWORD

CHAPTER 6

ATTACKS AND COUNTER MEASURES

To realize and understand how far an authentication scheme is secure, we have to consider all
possible attack methods. We have to study whether the authentication scheme proposed is
immune against such attacks or not. Moreover, if the proposed authentication scheme is not
immune, we then have to find the countermeasures that prevent such attacks. In this section,
we try to cover most possible attacks and whether the attack is valid or not. Moreover, we try
to propose countermeasures for such attacks.

1. Brute force attack- The attacker has to try all possible 3D passwords. This kind of attack
is very difficult for the following reasons:

a) Time required to login- The total time needed for a legitimate user to login may
vary from 20 s to 2 min or more, depending on the number of interactions and
actions, the size of the 3D virtual environment, and the type of actions and
interactions done by the user as a 3D password. Therefore, a brute force attack on
a 3D password is very difficult and time consuming.

b) Cost of attacks- In a 3D virtual environment that contains biometric recognition

objects and token-based objects, the attacker has to forge all possible biometric
information and forge all the required tokens. The cost of forging such
information is very high; therefore, cracking the 3D password is more
challenging. Moreover, the high number of possible 3D password space leaves the
attacker with almost no chance of breaking the 3D password.

2. Well studied attacks- The attacker tries to find the highest probable distribution of 3D
passwords. However, to launch such an attack, the attacker has to acquire knowledge of
the most probable 3D password distributions. Acquiring such knowledge is very difficult
because the attacker has to study all the existing authentication schemes that are used in
the 3D environment. Moreover, acquiring such knowledge may require forging all
existing biometrical data and may require forging token based data. In addition, it
requires a study of the user’s selection of objects, or a combination of objects, that the
user will use as a 3D password. Moreover, a well studied attack is very hard to
accomplish since the attacker has to perform a customized attack for every different 3D
virtual environment design. Every system can be protected by a 3D password that is

Electronics and Communication Engg. Deptt. MBSCET 22

 3D PASSWORD
based on a unique 3D virtual environment. This environment has a number of objects and
types of object responses that differ from any other 3D virtual environment. Therefore, a
carefully customized study is required to initialize an effective attack.

3. Shoulder surfing attack- An attacker uses a camera to record the user’s 3D password or
tries to watch the legitimate user while the 3D password is being performed. This attack is
the most successful type of attack against 3D passwords and some other graphical
passwords.

However, the user’s 3D password may contain biometrical data or textual passwords that
cannot be seen from behind. The attacker may be required to take additional measures to
break the legitimate user’s 3D password. Therefore, we assume that the 3D password
should be performed in a secure place where a shoulder surfing attack cannot be
performed.

4. Timing attack- In this attack, the attacker observes how longer it takes the legitimate
user to perform a correct sign-in using the 3D password. This observation gives the
attacker an indication of the legitimate user’s 3D password length. However, this kind of
attack alone cannot be very successful since it gives the attacker mere hints. Therefore, it
should probably be launched as a part of a well studied or brute force attack. Timing
attacks can be very effective if the 3D virtual environment is poorly designed.

Electronics and Communication Engg. Deptt. MBSCET 23

 3D PASSWORD

CHAPTER 7

EXPERIMENTAL RESULTS

We have built an experimental 3D virtual environment that contains several objects of two
types. The first type of response is the textual password. The second type of response is
requesting graphical passwords. Almost 30 users volunteered to experiment with the
environment. We asked the user to create their 3D password and to sign-in using their 3D
password several times over several days.

7.1 Experimental Virtual 3d Environment

In our experiment, we have used java open GL to build the 3D virtual environment and we
have used a 1.80 GHz Pentium M Centrino machine with 512 MB random access memory
and ATI Mobility Radeon 9600 video cards.

The design of the experimental 3D virtual environment represents an art gallery that the user
can walk through.

Table 7.1 Resulting number of possible 3D passwords of total length Lmax

# of actions, Log2 (# of 3D # of actions, Log2 (# of 3D

interactions and input passwords) interaction and input passwords)
(Lmax) (L max)

1 13 17 221

2 26 18 234

3 39 19 247

4 52 20 260

5 65 21 273

6 78 22 286

7 91 23 299

8 104 24 312

Electronics and Communication Engg. Deptt. MBSCET 24

 3D PASSWORD

9 117 25 325

10 130 26 338

11 143 27 351

12 156 28 364

13 169 29 377

14 182 30 390

15 195 31 403

16 208 32 416

7.2 User Study

We concluded a user study on 3D passwords using the experimental 3D virtual environments.
The study reviewed the usage of textual passwords and other authentication schemes. The
study covers almost 30 users. The user varied in age, sex, and education level. Even though it
is a small set of users, the study produced some distinct results. We observed the following
regarding textual passwords, 3D passwords and other authentication schemes.

1. Most users who use textual passwords of 9-12 character lengths or who use random
characters as a password have only one to three unique passwords.

2. More than 50% of the user’s textual passwords are eight characters or less.

3. Almost 25% of user’s use meaningful words as their textual passwords.

4. Almost 75% of user’s use meaningful words or partially meaningful words as their
textual passwords. In contrast, only 25% of users use random characters and letters as
textual passwords.

5. Over 405 of users have only one to three unique textual passwords, and over 90% of
users have eight unique textual passwords or less.

6. Over 90% of users do not change their textual passwords unless they are required to
by the system.

Electronics and Communication Engg. Deptt. MBSCET 25

 3D PASSWORD
7. Over 95% of users under study have never used any graphical password scheme as a
means of authentication.

8. Most users feel that 3D passwords have a high acceptability.

9. Most users believe that there is no threat to personal privacy by using a 3D password
as an authentication scheme.

Electronics and Communication Engg. Deptt. MBSCET 26

 3D PASSWORD

CHAPTER 8

ADVANTAGES AND DISADVANTAGES

8.1 Advantages of 3D Password

o Easy to memorize

o Several authentication schemes

o Designed according to protected system

o Highly flexible

o Extremely strong

o Provides secrets

o 3D environment can be changed

o Password can change easily

o Difficult to crack

o Freedom to select

o Difficult to share

o 3D graphical password has no limit

8.2 Disadvantages of 3D Password

o Difficult for blind people to use this technology

o Expensive

o Requires sophisticated computer technology

o A lot of program coding is required

Electronics and Communication Engg. Deptt. MBSCET 27

 3D PASSWORD

CONCLUSION

There are many authentication schemes in the current state. Some of them are based on user’s
physical and behavioral properties, and some other authentication schemes are based on
user’s knowledge such as textual and graphical passwords. Moreover, there are some
authentication schemes that are based on what you have, such as smart cards. Among the
various authentication schemes, textual passwords and token based schemes, or the
combination of both, are commonly applied. However, both authentication schemes are
vulnerable to certain attacks. Moreover, there are many authentication schemes that are
currently under study and they may require additional time and effort to be applicable for
commercial use.

The 3D password is a multi factor authentication scheme that combines the various
authentication schemes into a single 3D virtual environment. The virtual environment can
contain any existing authentication scheme or even any upcoming authentication scheme by
adding it as a response to actions performed on an object. Therefore, the resulting password
space becomes very large compared to any existing authentication schemes.

The design of 3D virtual environment, the selection of objects inside the environment and the
object’s type reflect the resulted password space. It is the task of the system administrator to
design the environment and to select the appropriate object that reflects the protected system
requirements. Designing a simple and easy to use 3D virtual environment is a factor that
leads to a higher user acceptability of a 3D password system.

The choice of what authentication scheme will be part of user’s 3D password reflects the
user’s preferences and requirements. A user who prefers to remember or recall a password
might choose textual and graphical passwords as part of their 3D password. On the other
hand, users who have more difficulty with memory or recall might prefer to choose smart
cards or biometrics as part of their 3D password. Moreover, users who prefer to keep any
kind of biometrical data private might not interact with objects that require biometric
information. Therefore, it is the user’s choice and decision to construct the desired and
preferred 3D password.

The 3D password is still in its early stages. Designing various kinds of 3D virtual
environments, deciding on password spaces, and interpreting user feedback and experiences
from such environments will result in enhancing and improving the user experience of the 3D
password. Moreover, gathering attackers from different backgrounds to break the system is
Electronics and Communication Engg. Deptt. MBSCET 28
 3D PASSWORD
one of the future works that will lead to system improvement and prove the complexity of
breaking a 3D password. Moreover, it will demonstrate how the attackers will acquire the
knowledge of the most probable 3D passwords to launch their attacks.

Shoulder surfing attacks are still possible and effective against 3D passwords. Therefore, a
proper solution is a field of research.

Electronics and Communication Engg. Deptt. MBSCET 29

 3D PASSWORD

BIBLIOGRAPHY

[1] IEEE Transactions on Instrumentations and Measurement, “Three Dimensional Password

for more Secure Authentication” by Fawaz Alsulaiman and Abdulmotaleb El Saddik.

[2] IEEE International Conference Virtual Environment, Human Computer-Interfaces and

Measurement Systems, “A Novel 3D Graphical Password Schema” by Fawaz Alsulaiman
and Abdulmotaleb El Saddik.

[3] X.suo, Y. Zhu and G.S. Owen, “Graphical passwords: A survey”, in proc 21st Annu.

[4] Alsulaiman, F.A.; El Saddik, A., "Three- for Secure”, IEEE Transactions on
Instrumentation and measurement, vol.57, no.9, pp 1929-1938.Sept. 2008.

[5] Vidya Mhaske et al, Int.J.Computer Technology & Applications, Vol 3 (2), ISSN: 2229-
6093, 510-519.

[6] Tejal Kognule and Yugandhara Thumbre and Snehal Kognule, ―”3D password”,
International Journal of Computer Applications (IJCA), 2012.

[7] A.B.Gadicha , V.B.Gadicha , ―”Virtual Realization using 3D Password”, in International

Journal of Electronics and Computer Science Engineering, ISSN 2277-1956/V1N2-216-
222.

[8] Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, “A Novel 3D Graphical Password

Schema”, IEEE International Conference on Virtual Environments, Human-Computer
Interfaces, and Measurement Systems, July 2006.

[9] Duhan Pooja, Gupta Shilpi , Sangwan Sujata, & Gulati Vinita, ―”SECURED
AUTHENTICATION: 3D PASSWORD”, I.J.E.M.S., VOL.3(2),242 – 245, 2012.

[10] Grover Aman, Narang Winnie, ―”4-D Password: Strengthening the Authentication
Scene”, International Journal of Scientific & Engineering Research, Volume 3, Issue 10,
October-2012.

Electronics and Communication Engg. Deptt. MBSCET 30