
Graphic password
A graphic password is a method of unlocking a mobile device by performing certain operations on its touch screen in order to gain access to the device. This article is about such devices, because ordinary personal computers usually have no touch screen, and programs on them typically authenticate with a login and password.
Dynamic graphic password
A dynamic graphic password authenticates the user on the device without displaying the permanent password in any form. A stranger cannot work out the permanent password even after remembering every action the legitimate user performed while entering it, and even after remembering the dynamic password that was entered.
Graphic Password Examples
- Inexperienced users tend to draw simple pictures, which makes the password easy to guess, given, for example, that a circle is usually drawn counterclockwise, etc.
- Touch screens are not designed to work as fingerprint sensors and do not have sufficient accuracy.
- It is enough to remember the starting and ending points of the graphic password for the probability of a match to increase greatly, and one element of this password cannot be used twice.
- From the side it is easy to see what kind of password is required.
Disadvantage of graphic passwords
The above examples of graphic passwords share a disadvantage: anyone standing nearby can see and remember your password, or at least remember some of the input points. If that person later gets hold of your device, working out the password will not be difficult. The concept of a dynamic password exists to remove this drawback.
The essence of a dynamic graphic password
Consider the simplest version of such a password. Suppose that in the settings of a mobile device we selected the unlock method "graphic password" and chose the secret password "A? BC❀".

- When the power button is pressed to turn on the screen, a grid is generated pseudo-randomly; in the simplest case it consists of the letters of a simple alphabet;
- This grid is displayed on the device screen;
- The user mentally calculates the dynamic password;
- The user enters the value of the dynamic password in the appropriate field;
Ideally, no action other than entering a dynamic password value is necessary.
In a more complicated version, the grid can contain symbols, pictures, emoticons, colored elements, anything at all. The characters of our permanent password must always be among the characters on the grid.
How to determine a dynamic password?
Method for determining a dynamic password by mental calculations
So:
- Find the letters of our password on the grid;
- Mentally connect these letters with a line, moving up, down, left, or right;
- Count the number of cells passed while going through all the letters of the password in order; in the example above, the dynamic password should turn out to be 36;
- Enter the value of the dynamic password in the "Dynamic password" field;
- Press the "OK" button to confirm the entry of the dynamic password.
Using this method, we kill two birds with one stone: to unlock the device we do not even need to touch the screen except at the last stage, and we enter a different dynamic password value at each unlock.
Method for determining a dynamic password by displaying it on the screen
Naturally, this method can also be used as a regular graphic password. Consider the same method, but with our secret password shown on the screen. This is undesirable, because the main task of a dynamic password is NOT to give away the value of the permanent secret password.
- We need to find the letters of our password on the grid;
- We drag a finger over them; the device itself highlights the cells marked by the finger and enters the number 36 in the "Dynamic password" field. The figure above shows 2 of the possible correct ways of selecting the cells;
- Press the “OK” button - thus confirming the entry of a dynamic password;
- In the case of a correctly entered dynamic password, the device will be unlocked;
Validation of the entered number
Consider the simple actions on the device side.
- The program (the mobile device's operating system) generates a grid and displays it on the screen;
- Waits for the user to confirm the dynamic password they entered;
- Reads the password from memory and breaks it into letters;
- Finds the letters on the grid;
- Calculates the distance in cells between the letters;
- Compares the calculated number with the one the user entered;
- Unlocks the device if the input is correct; otherwise it locks the device and / or returns to step 1;
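The device-side check described above, as an added Python example (not the author's program). It assumes each symbol appears exactly once on the grid and that the count is the sum of horizontal and vertical steps between consecutive password symbols, since the page does not say whether the starting cell counts; the 5 x 5 alphabet, the sample grid and all function names are illustrative. `blind_guess_odds` goes one step beyond the list to measure the guessing risk named under "Minuses".

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXY"   # constructed: 25 symbols for a 5 x 5 grid
FIXED_GRID = [list(ALPHABET[i:i + 5]) for i in range(0, 25, 5)]  # constructed sample

def generate_grid(alphabet=ALPHABET, width=5):
    """Shuffle the alphabet with the OS CSPRNG and lay it out row by row."""
    cells = list(alphabet)
    secrets.SystemRandom().shuffle(cells)
    return [cells[i:i + width] for i in range(0, len(cells), width)]

def dynamic_value(grid, password):
    """Cells passed while walking up/down/left/right through the password symbols.

    Assumption: the sum of horizontal and vertical steps between consecutive
    symbols; the starting cell is not counted.
    """
    pos = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    path = [pos[ch] for ch in password]      # KeyError if a symbol is not on the grid
    return sum(abs(r1 - r2) + abs(c1 - c2)
               for (r1, c1), (r2, c2) in zip(path, path[1:]))

def verify(grid, password, entered):
    """Compare the user's number with the expected one in constant time.

    The permanent password must be readable here: a stored hash cannot be
    split into symbols, which is the limitation the article lists.
    """
    expected = str(dynamic_value(grid, password)).encode()
    return hmac.compare_digest(expected, entered.strip().encode())

def blind_guess_odds(password, trials=2000):
    """Share of fresh grids unlocked by always entering the most common value."""
    counts = {}
    for _ in range(trials):
        value = dynamic_value(generate_grid(), password)
        counts[value] = counts.get(value, 0) + 1
    return max(counts.values()) / trials
```

For a four-symbol password on this 5 x 5 grid only the values 3 to 24 are possible, so a single blind guess succeeds at least once in 22 attempts, far more often than a guess at a four-digit PIN.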
Example of erroneous input
When someone tries to guess the password, or makes a mistake while entering it, they enter, for example, the number 39 or 40 when 36 is required.
Possible modifications
- A long password, so that some letters can be counted twice, as in the example above;
- Resizing the grid, for example to 20 x 20;
- Three repetitions of the input, to reduce the likelihood of guessing;
- Repeating the input three times, each time with a different password (three passwords or three parts of the same password);
- Use of various symbols, pictures, colors, multi-colored pictures instead of the usual alphabet symbols;
- Using this method as a two-factor authentication (PIN + dynamic graphic password);
Self Test Example
Determine the dynamic password for the permanent password "A? BC❀"

Findings
This dynamic graphic password method can be used to authenticate access to a device or application in conditions where there is a risk that the password will be observed and thereby compromised. Consider the pros and cons of this method:
Pros:
- When the dynamic password is determined mentally, the permanent password is never displayed; such methods are in principle very effective;
- It is impossible to determine the password from finger traces on the device screen, because the grid is randomly generated each time;
- For supporters of two-factor authentication, for example via SMS, authentication with this method can be even faster;
Minuses:
- With a sufficiently small grid and a short password, the probability of guessing the password is high;
- A huge grid makes it difficult to find the characters of the permanent password;
- The value of the dynamic password has a low upper bound, for example no more than 60 for a short password, so modifications of this simplest method are needed;
- Passwords are usually stored as hash sums, in which case these calculations on the device side are not possible;
Implementation example
If something is unclear, or you would like to try the program yourself, you are welcome:
Link to the archive with the program here