Graphical password: prevent shoulder-surfing attack using digraph substitution rules

In this paper, a new scheme that uses digraph substitution rules to conceal the mechanism or activity required to derive password-images is proposed. In the proposed method, a user is only required to click on one of the pass-image instead of both pass-images shown in each challenge set for three consecutive sets.While this activity is simple enough to reduce login time, the images clicked appear to be random and can only be obtained with complete knowledge of the registered password along with the activity rules. Thus, it becomes impossible for shoulder-surfing attackers to obtain the information about which password images and pass-images are used by the user. Although the attackers may know about the digraph substitution rules used in the proposed method, the scenario information used in each challenge set remains. User study results reveal an average login process of less than half a minute. In addition, the proposed method is resistant to shoulder-surfing attacks.