Graphical passwords have been proposed as an alternative to alphanumeric passwords, on the grounds that images are easier for users to remember. However, because they rely on a visual interface, most graphical password systems are vulnerable to shoulder-surfing attacks. This research proposes a method that combines a shifting condition with digraph substitution rules to address the shoulder-surfing problem. The proposed algorithm uses both password images and decoy images throughout the authentication procedure, so that an adversary cannot identify the password images either by direct observation or by replaying a recorded login session. The pass-images produced by the algorithm are random and can be reproduced only by someone who fully understands the algorithm; an adversary therefore has no basis for selecting the correct password images to log in. A user study was undertaken to assess how effectively the proposed method resists shoulder-surfing. Its results indicate that the approach withstands shoulder-surfing attacks by both direct observation and video recording. Further testing showed that the method also resists frequency-of-occurrence analysis attacks. The experience gained in this research can help fill a gap in the body of knowledge on graphical passwords.