Efficacy of Object-Based Passwords for User Authentication

TL;DR

This paper explores object-based password schemes that convert user-selected digital objects into high-entropy passwords, aiming to improve security and usability over traditional text passwords.

Contribution

It introduces two new object password frameworks, evaluates their performance against traditional schemes, and discusses security, sharing, and usability implications.

Findings

Object hash-based scheme reduces client-side computation.

Object-based scheme simplifies password transmission.

Both schemes outperform traditional passwords in security metrics.

Abstract

Traditional text-based password schemes are inherently weak. Users tend to choose passwords that are easy to remember, making them susceptible to various attacks that have matured over the years. ObPwd [5] has tried to address these issues by converting user-selected digital objects to high-entropy text passwords for user authentication. In this paper, we extend the ObPwd scheme with a new object based password scheme that performs majority of the computation at the server side. This paper essentially discusses two frameworks for object password schemes, an object hash-based scheme (where the client machine computes the hash of the object to be used as text password) and an object-based scheme (where the object is directly transmitted to the server as password). We also evaluate the performance of both the object password schemes against conventional text-based password schemes using prototypes of each of the frameworks. Implications with respect to ease of use, sharing and security are also discussed.