Efficacy of Object-Based Passwords for User Authentication

Abstract: Traditional text-based password schemes are inherently weak. Users tend to choose passwords that are easy to remember, making them susceptible to various attacks that have matured over the years. ObPwd [5] has tried to address these issues by converting user-selected digital objects to high-entropy text passwords for user authentication. In this paper, we extend the ObPwd scheme with a new object based password scheme that performs majority of the computation at the server side. This paper essentially discusses two frameworks for object password schemes, an object hash-based scheme (where the client machine computes the hash of the object to be used as text password) and an object-based scheme (where the object is directly transmitted to the server as password). We also evaluate the performance of both the object password schemes against conventional text-based password schemes using prototypes of each of the frameworks. Implications with respect to ease of use, sharing and security are also discussed.