
International Journal of Advancements in Computing Technology
Volume 2, Number 5, December 2010

Enhancing E-mail Security by CAPTCHA based Image Grid Master Password

Nitin*, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin

*College of Information Science and Technology, Department of Computer Science, Peter Kiewit Institute, University of Nebraska at Omaha, 1110 South 67th Street Omaha, Nebraska 68182-0116, United States
E-mail: [email protected]
Jaypee University of Information Technology, Waknaghat, Solan-173234, Himachal Pradesh, India
E-mails: {aditya187, amanpreetsarora, radhikamedury, shubh.naval, juitrajat, srishti.sarin}@gmail.com
doi:10.4156/ijact.vol2.issue5.10

Abstract

Identity theft, privacy invasion and loss of key information are the major reasons for which e-mail security is breached these days. Hence it is essential that effective preventive security measures are taken. This paper proposes several such hacking prevention measures, together with approaches to recover a hacked account. It also puts forward a novel CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) based mechanism which can protect crucial information even if the account is hacked.

Keywords: CAPTCHA, E-mail Security, Image Grid Algorithm, Grid Generation Algorithm

1. Introduction and Motivation

In this day and age, e-mail is one of the most extensively used modes of communication. People access e-mail for personal and professional purposes, and in both cases vital information is sent and received. With the advent of e-Commerce there is also a risk of losing money through e-mail fraud. An e-mail account can be hacked by various means; the most widely used techniques are keylogger software and phishing pages.

Keylogger software records the keys struck on a keyboard, typically in a stealthy manner so that the person using the keyboard remains unaware that his actions are being monitored. The password is then recovered by analyzing the recorded keystrokes; keyloggers are mostly found on public computers. A phishing page, in contrast, is a fake page that looks like a website's login page. The user is lured into entering his username and password, and once the details are entered they are sent directly to the hacker. Hence it is necessary to take proper measures to make e-mail communication as secure as possible.

We put forward the concept of an easy-to-remember, image-based Master Password, which is used to generate a collage CAPTCHA, thus making it safe from both automated bots and humans. This master password is actually an image uploaded by the user, which is presented inside a collage CAPTCHA whenever required. The user has to select his own uploaded image, i.e. the master password, from the set of images shown. If a wrong guess is made, the collage is generated again with the image positions changed, and there is a limit on the maximum number of wrong attempts.

The growing number of e-mail accounts being hacked and the absence of any sound mechanism to recover a hacked account motivated us to look for alternative ways. Hence we propose a few suggestions, together with the master password mechanism, to existing E-mail Service Providers. To make the password effortless for the user to memorize, we use an image as the master password.

The rest of the paper is organized as follows: Sections 3 and 4 provide suggestions and the proposed method; Sections 5 and 6 present the Image Mining and Image Grid algorithms, followed by the Grid Generation Algorithm in Section 7; Section 8 reports the supporting user survey, followed by the Conclusion and References.

- 89 -


Figure 1. Initial password recovery form in Gmail. It asks about various problems and leads the user accordingly.

Figure 2. Password recovery form in Windows' Hotmail.

2. Literature Survey

A study of various research papers was done on CAPTCHAs [1-12], e-mail security, computer networks, image mining and image segmentation. Starting with the papers and study material on computer networks and e-mail security, the latest security mechanisms employed by major e-mail service providers (ESPs) were studied. We also logged on to major e-mail services such as Yahoo, Gmail and MSN, and found various loopholes in their password recovery systems. Presented below (Figures 1-6) are screenshots of Gmail, Hotmail and Yahoo Mail; these were studied as part of the literature survey to discover the ubiquitous but overlooked flaws in the existing systems.

A case study was done on recovering a lost password on Yahoo Mail. A few flaws were found in the existing system, and the Master Password mechanism is suggested by us to overcome them. Figure 3 shows the Yahoo page presented when the user clicks on the Forgot My Password/ID/Cannot Login link; it demonstrates the various ways in which the password recovery process can begin. Next, in Figure 4, the user is asked to enter the secondary e-mail address. This step has a flaw: if the hacker changes the user's secondary e-mail address, the user will not be able to retrieve his password. Figure 5 follows with the security question. The same problem as in the previous figure may occur here, since the hacker may change the user's security question as well. If the user enters the information asked for in Figure 4 and Figure 5 correctly, the password can finally be renewed as shown in Figure 6.


Figure 3. Initial password recovery form in Yahoo. It asks about various problems and leads the user accordingly.

Figure 4. An alternative e-mail address is asked for password recovery. This step is not useful in case the user's secondary e-mail ID has been changed by the hacker.

Figure 5. A security question is asked for password recovery. This step is not useful in case the user's security question has been changed by the hacker or the user forgets the answer.


Figure 6. The final step where the password is changed.

Subsequently, we studied CAPTCHAs, in which a reverse Turing test is used to thwart automated bot attacks that try to crack passwords. A CAPTCHA is basically a type of challenge-response test used in computing to ensure that the response is not generated by a computer [11]. The most common form of CAPTCHA is a randomly generated image containing a code that has to be entered manually; a machine cannot decode the intentionally distorted letters and numbers. On this basis we have suggested a CAPTCHA based master password.

To create the Master Password we have used image mining and image segmentation algorithms. Image mining, a broader view of the data mining technique, can help us find meaningful relationships among the various images generated by the image mining algorithm [2]. It is more than just an extension of data mining to the image domain, as it requires expertise in computer vision, image processing, image retrieval, data mining, machine learning, databases and artificial intelligence for accurate retrieval. Image mining is rapidly gaining attention among researchers in the fields of data mining, information retrieval and multimedia databases because of its potential for discovering useful image patterns that may push these research fields to new frontiers.

According to the image mining technique given in the research paper, various image descriptors/region descriptors can be assigned to an individual image after successfully mining through the segmentation algorithm. These region descriptors are very useful in finding different types of images in a large database [4]. One way of image mining is to rely on automatic or semi-automatic analysis of image content and to do the mining on the generated descriptors. For example, color, texture, shape and size can be determined automatically, and objects in an image can be identified by the similarity of those attributes.

Figure 7. A screenshot taken from www.gmail.com showing the record of the last 5 IP addresses from which the account was accessed. It also shows the time details.

Figure 8. This figure explains the proposed way in which the Master Password could be implemented. Here the Master Password is used to open a locked folder.

After obtaining a collection of images from the image mining algorithm, the next task is to choose the relevant images that are necessary for the particular application. This is known as the Refinement Process. It uses the Association Rule Mining technique from databases; for example, the support and confidence parameters can be used here to select the relevant images.

An image password is easier to remember than the usual textual password. Images also have more scope than text as real-world entities, as it is said that "A picture is worth a thousand words"; therefore, mining images for the purpose of having different combinations of the master password would definitely increase the complexity of cracking the password, fulfilling the aim of this research paper.

3. Suggestions for E-mail Service Providers

3.1. Safety Measure Prior to Account being Hacked

E-mail Service Providers (ESPs) maintain a record of the IP addresses accessing an e-mail account. At the time of creation of the account the user can be asked the question "From where do you access this account?" with the options given below:

a. Home/Office

b. Public Place (Internet Cafe)

c. Both

If the answer to the above question is 'a', i.e. the account is used from home/office, then these places must have fixed IP addresses provided to the user by the ISPs (Internet Service Providers), and those particular IP addresses are recorded in the database. If the account is then consistently opened from a new IP address, the user is alerted by a message and is authenticated by answering a security question or entering the master password.

If the answer to the above question is 'b', the user is not warned at all even if many different IP addresses access the account. He is advised to uncheck the 'stay signed in' checkbox while logging in and to log out from the account when done. A timed auto-logout feature, in which the user is automatically logged out from the session after a certain amount of time, can also be used. If the answer selected is 'c', i.e. both, then the procedure explained for option 'b' is followed. Another safety measure could be to lock the folders/labels prevalent today in most e-mail services; locking is done with the master password.

3.2. How to Retrieve an Account after it is Hacked?

The following ways to recover a hacked account exist today:

1. Secondary E-mail ID: An e-mail with information on 'how to reset your password' is sent to the user's secondary e-mail ID.

2. Security Question: The user can answer the security questions he filled in while creating the account in order to retrieve his password.

3. Mobile Phone: The user's new password is sent as an SMS to the mobile number mentioned in the user's account.

However, all three of the above details can be changed by the hacker; hence the user cannot recover his account merely by adhering to the above-mentioned ways.

4. Proposed Mechanism

4.1. Understanding a CAPTCHA

A CAPTCHA [7,11] is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. It is imperative these days to thwart brute force attacks launched by automated bots in order to protect e-mail accounts.

We have combined a CAPTCHA with a password known as the 'Master Password'. This Master Password is actually an image uploaded by the user. With the help of two algorithms we create a collage CAPTCHA containing the master password. A user is presented with this CAPTCHA to recover a hacked account, to reset the password or to view the contents of a locked folder.


Our suggested method uses an Image Mining algorithm along with an Image Grid algorithm. The whole process, in short, is as follows:

1. The user uploads one personal picture, especially of an object or pet. This image is the Master Password.

2. The Image Mining algorithm looks for similar (not identical) images and generates a pool of images.

3. The Image Grid algorithm makes a collage of these images. It is a grid of, say, 4 x 4 images consisting of the one actual image uploaded by the user and 15 similar images from the image pool generated by the Image Mining algorithm.

4. This grid of images (the Collage CAPTCHA) is used to ask for the Master Password whenever it is required.

5. The Master Password can be used to lock folders or to recover a lost account.

5. Image Mining Algorithm

5.1. Segmentation

Image segmentation is an initial and vital step in the series of processes aimed at overall image understanding. The image is segmented into various regions. The purpose of segmentation is to partition an image into regions that are meaningful with respect to a particular application. Here we segment images into regions identifiable by region descriptors. The segmentation is based on measurements taken from the image, which may be grey level, color, texture, depth or motion.

5.2. Searching Images based on various Region Descriptors

According to the various regions of the above-mentioned image, we find related object images that are similar to it by comparing the objects in one image to the objects in every other image. In this algorithm we propose to find the images that contain the same objects as our segmented image.

5.3. Refining the Search Operation

Based on the main region descriptor, we make our search more specific by eliminating all the images found so far that are not associated with it, with the help of association rules from data mining.

Explanation of the flowchart: The first step is to select an image for segmentation. The image uploaded as the master password is used as the input to the segmentation algorithm. Here we have uploaded a cat image as the master password (refer to Figure 9, highlighted with a red box); this image is used for segmentation.

Now we segment the image into various region descriptors, i.e. R1, R2, ..., Rn, where Ri is the ith region descriptor. Let us assume that the cat's face is described by region descriptor R2 (the main region descriptor) and other portions of the image, such as the background and the cat's remaining body, by R1 and R3 respectively.

Next we search for different types of images based on these region descriptors in a centralized database holding a collection of different types of images. This results in a collection of images of different types.

Then, based on our main region descriptor, i.e. R2 (the cat's face), we further refine our search with the help of the association rule data mining technique to obtain different cat images.

Here we have assumed that after refinement is over we will get around 16 images that are relevant to the main image (the Master Password). These images are used as the input to the grid making algorithm [2].
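The descriptor search (Section 5.2) and the support/confidence refinement (Sections 2 and 5.3) carried out on a small constructed database, as an added worked example that is not the paper's code; the region labels, the database contents and the confidence threshold of 1/2 are assumptions made here.

```python
"""Descriptor search and association-rule refinement (Sections 5.2 and 5.3).

Added worked example; it is not the paper's code. Region descriptors are
modelled as string labels produced by some segmentation step, and the
'centralized database' is a constructed dictionary of tagged images.
"""
from fractions import Fraction

# Constructed database: image id -> set of region descriptors found in it.
# R1 = background, R2 = cat's face (main descriptor), R3 = cat's body,
# R4 = dog's face, R7 = car.
DATABASE = {
    "img01": {"R1", "R2", "R3"},
    "img02": {"R2", "R3"},
    "img03": {"R1", "R2", "R3"},
    "img04": {"R1", "R2"},
    "img05": {"R2", "R7"},
    "img06": {"R1", "R4"},
    "img07": {"R1", "R7"},
    "img08": {"R1", "R4"},
    "img09": {"R2", "R3"},
    "img10": {"R4", "R7"},
}

MASTER_DESCRIPTORS = {"R1", "R2", "R3"}   # segmentation output for the cat image
MAIN_DESCRIPTOR = "R2"                     # the cat's face


def search(master_descriptors, db):
    """Section 5.2: every image sharing at least one region descriptor with
    the master image (object-to-object comparison, no weighting yet)."""
    return sorted(name for name, tags in db.items() if tags & master_descriptors)


def support(itemset, db):
    """Fraction of images in the database containing every descriptor in itemset."""
    return Fraction(sum(1 for tags in db.values() if itemset <= tags), len(db))


def confidence(antecedent, consequent, db):
    """Confidence of the rule antecedent -> consequent, i.e. how often images
    carrying the antecedent also carry the consequent. Exact arithmetic via
    Fraction avoids 0.3/0.6 style rounding surprises at the threshold."""
    s_ante = support(antecedent, db)
    if s_ante == 0:
        return Fraction(0)
    return support(antecedent | consequent, db) / s_ante


def refine(candidates, main_descriptor, db, min_confidence=Fraction(1, 2)):
    """Section 5.3: keep candidates that contain the main descriptor and whose
    remaining descriptors are all associated with it, i.e. the rule
    {main} -> {other} reaches min_confidence. An image whose extra region is
    rarely seen together with the cat's face (img05, a car) is dropped."""
    kept = []
    for name in candidates:
        tags = db[name]
        if main_descriptor not in tags:
            continue
        others = tags - {main_descriptor}
        if all(confidence({main_descriptor}, {o}, db) >= min_confidence for o in others):
            kept.append(name)
    return kept


def mine_pool(master_descriptors, main_descriptor, db):
    """Full Section 5 pipeline: search, then refine to the relevant images."""
    return refine(search(master_descriptors, db), main_descriptor, db)


if __name__ == "__main__":
    print(search(MASTER_DESCRIPTORS, DATABASE))
    print(mine_pool(MASTER_DESCRIPTORS, MAIN_DESCRIPTOR, DATABASE))
```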

6. Image Grid Algorithm


1. Set a Static Image Grid: We intend to create a grid of images, say 6 images, out of the images collected using the image mining algorithm previously explained. These images need to be cropped to a maximum height and width of, say, 500 pixels.

2. Leave Margins so as to Wrap the Images Nicely: Place a bit of margin on the right and bottom edges to add some whitespace.

3. Align the Photographs: Image grids look best when the photographs are both vertically and horizontally centered.

4. Adding the Slider: The slider is set up by adding some JavaScript.

7. Grid Generation Algorithm

<?php
session_start();

// Grid Generation Algorithm (PHP). The pool holds the 5000 images produced by
// the image mining algorithm; 16 of them are picked for a 4 x 4 grid and the
// user's master password image takes the place of the one at a random cell.
$a = array();
$counter = 0;

// selecting 16 random images from the set of 5000 images
for ($i = 0; $i < 4; $i++) {
    for ($j = 0; $j < 4; $j++) {
        $a[$i][$j] = mt_rand(0, 4999);
    }
}

// cell (0..15) that will hold the master password image
$im = mt_rand(0, 15);
$_SESSION['mpwd'] = md5($im);

// Code for generating the image grid
for ($i = 0; $i < 4; $i++) {
    for ($j = 0; $j < 4; $j++) {
        if ($counter == $im) {
            // display the master password image of the user stored by him at the time of registration
        } else {
            // display the random image $a[$i][$j] previously determined
        }
        $counter++;
    }
}
?>

The algorithm was implemented using PHP. It makes use of the mt_rand() function to select random images from a pool of 5000 images which were previously generated by the image mining algorithm. Here 16 images are selected at random to constitute the image grid. The user's master password is also assigned a random location, and this location is hashed with md5(). The hashed location of the user's password is stored in a session variable which is later used to check whether the answer is correct.
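The same round as a complete server-side challenge, including the wrong-guess reshuffle and the attempt limit mentioned in the Introduction; this is an added example rather than the paper's PHP, and the pool contents, the `session` dict standing in for $_SESSION and the value of MAX_WRONG are assumptions made here.

```python
"""Collage CAPTCHA round for the Master Password (Sections 4.1 and 7).

Added example, not the paper's PHP implementation. `pool` is a constructed
list of mined-image identifiers, `session` is a dict standing in for
$_SESSION, and MAX_WRONG is a hypothetical value for the attempt limit the
paper mentions without fixing a number.
"""
import hashlib
import hmac
import random

GRID_SIDE = 4
CELLS = GRID_SIDE * GRID_SIDE   # 16 images per collage
MAX_WRONG = 3                   # hypothetical wrong-guess limit before lockout
_rng = random.SystemRandom()    # OS entropy rather than a seedable PRNG


def _tag(cell):
    """Server-side record of the answer cell: md5 of its index, as in the paper.
    With only 16 possible positions the hash hides nothing by itself; the
    answer stays secret only because the session is never sent to the client."""
    return hashlib.md5(str(cell).encode()).hexdigest()


def new_collage(session, master_image, pool):
    """Draw 15 distinct decoys from the mined pool, drop the master image into
    a random cell and remember that cell in the session. Returns the 16 cell
    contents in row-major order, which is all the page needs to render."""
    decoys = _rng.sample([img for img in pool if img != master_image], CELLS - 1)
    answer = _rng.randrange(CELLS)
    session["mpwd"] = _tag(answer)
    session.setdefault("wrong", 0)
    return decoys[:answer] + [master_image] + decoys[answer:]


def check_answer(session, master_image, pool, clicked_cell):
    """Grade one click. Returns (status, cells):
    ('ok', None)      right image chosen; the challenge is consumed
    ('retry', cells)  wrong image; a reshuffled collage is returned
    ('locked', None)  too many wrong guesses, no further collage issued"""
    if session.get("locked"):
        return "locked", None
    if "mpwd" not in session:                       # no live challenge: issue one
        return "retry", new_collage(session, master_image, pool)
    if 0 <= clicked_cell < CELLS and hmac.compare_digest(_tag(clicked_cell), session["mpwd"]):
        del session["mpwd"]                         # a challenge is answered at most once
        session["wrong"] = 0
        return "ok", None
    session["wrong"] += 1
    if session["wrong"] >= MAX_WRONG:
        session["locked"] = True
        session.pop("mpwd", None)
        return "locked", None
    # wrong guess: regenerate the collage with changed image positions
    return "retry", new_collage(session, master_image, pool)


if __name__ == "__main__":
    pool = [f"img{i:04d}" for i in range(5000)]     # constructed mined pool
    session = {}
    cells = new_collage(session, "cat_master", pool)
    for row in range(GRID_SIDE):
        print(cells[row * GRID_SIDE:(row + 1) * GRID_SIDE])
    print(check_answer(session, "cat_master", pool, cells.index("cat_master")))
```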


Figure 9. A sample 4 x 4 collage. It is formed from the image pool generated from the user's master password image; two algorithms were used. Each time the page is refreshed the images change their positions.

8. User Survey

A user survey was conducted to test the ease and feasibility of this technique. The technique was implemented using PHP and was hosted on our webpage over the intranet. A test pool of 1000 images was created to generate the image grid randomly. On every page refresh a set of 16 new images was displayed, of which one was the user's own master password image. Selected users were sent invitations to participate in the survey. The registered users chose the right answer with 90% accuracy in the first attempt and with 95% accuracy in the second attempt. Along with this a poll was posted on the webpage, in which around 83% of the users found this better than text based CAPTCHAs. Also, a certain set of users were asked to crack the password without knowing the answer, to check the security of the technique. On average, 89% of these people could not guess the answer. They tried refreshing the page and looking for a common image to guess the answer, but few images repeated themselves, which made the guesswork difficult. To further improve the efficiency of this method, a larger grid could be deployed.

9. Conclusion

E-mail security can be enhanced by following the suggestions mentioned in this paper. Combining a CAPTCHA with a password saves time and effort, increases ease of use and is decently effective in thwarting both human intrusion and bot attacks. If the proposed mechanism is incorporated by existing e-mail service providers, security would be greatly enhanced. This will also build confidence among novice users, business professionals and administrators who store key information in their e-mail accounts. Hence an efficient way to protect and recover hacked e-mail accounts is put forth. The future holds great possibilities only if cyber crime is checked by augmenting internet security.

10. References

[1] R. Gossweiler, M. Kamvar and S. Baluja, What's Up CAPTCHA? A CAPTCHA Based on Image Orientation, In Proceedings of the 18th International Conference on WWW, pp. 841-850, 2009.

[2] C. Ordonez and E. Omiecinski, Image Mining: A New Approach for Data Mining, Georgia Institute of Technology, CC Technical Report GIT-CC-98-12, pp. 1-22, 1998.

[3] W. Hsu, M.L. Lee and J. Zhang, Image Mining: Trends and Developments, Journal of Intelligent Information Systems 19(1), pp. 7-23, 2002.

[4] P. Stanchev, Using Image Mining for Image Retrieval, In Proceedings of the IASTED Conference on Computer Science and Technology, pp. 214-218, 2003.

[5] S. Yardi, N. Feamster and A. Bruckman, Photo-Based Authentication Using Social Networks, In Proceedings of the 1st Workshop on Online Social Networks, pp. 55-60, 2008.

[6] Y. Rui and Z. Liu, Excuse Me, But Are You Human?, In Proceedings of the 11th ACM International Conference on Multimedia, pp. 462-463, 2003.

[7] L. Ahn, M. Blum, N.J. Hopper and J. Langford, CAPTCHA: Telling Humans and Computers Apart, In Advances in Cryptology: Lecture Notes in Computer Science, pp. 294-311, 2003.

[8] R. Agrawal, T. Imielinski and A. Swami, Mining Association Rules between Sets of Items in Large Databases, In Proceedings of the ACM SIGMOD International Conference on Management of Data, pp. 207-216, 1993.

[9] S. Belongie, C. Carson, H. Greenspan and J. Malik, Recognition of Images in Large Databases using a Learning Framework, Technical Report TR 97-939, U.C. Berkeley, CS Division, pp. 1-8, 1997.

[10] L. Ahn, M. Blum, N.J. Hopper and J. Langford, CAPTCHA: Using Hard AI Problems for Security, In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pp. 294, 2003.

[11] L. Ahn, M. Blum and J. Langford, Telling Humans and Computers Apart Automatically, Communications of the ACM 47, pp. 56-60, 2004.

[12] S. Li and H.Y. Shum, Secure Human-Computer Identification (Interface) Systems against Peeping Attacks (SecHCI): A Survey, Technical Report, pp. 1-53, 2003.