Journal of Theoretical and Applied Information Technology, 15th May 2018, Vol. 96, No. 09. © 2005 – ongoing JATIT & LLS. ISSN: 1992-8645, E-ISSN: 1817-3195. www.jatit.org

A SMOOTH TEXTUAL PASSWORD AUTHENTICATION SCHEME AGAINST SHOULDER SURFING ATTACK

MOHAMMED A. FADHIL AL-HUSAINY*, DIAA MOHAMMED ULIYAN
Department of Computer Science, Faculty of Information Technology, Middle East University, Amman, Jordan
Emails: *dralhusainy@gmail.com, *mal-husainy@meu.edu.jo, diaa_uliyan@hotmail.com, duliyan@meu.edu.jo

ABSTRACT

Authentication is a common approach to protecting user information in online information systems such as ATMs. One of the simplest forms of user authentication is the Personal Identification Number (PIN). PINs are vulnerable to malicious attacks: the tendency of users to select easy or short passwords leaves those passwords exposed to attacks such as camera recording and shoulder surfing by a nearby adversary. In this paper, a textual password authentication scheme is proposed as an alternative to graphical password schemes. With this technique there is no need to use the traditional keyboard, or even to press the keys that represent the password characters. The technique gives the user a more secure session in which to enter the password and resolves most of the weaknesses that exist in authentication systems relying on textual or graphical passwords.

Keywords: Shoulder surfing attack, textual password authentication, information security, Matrix Transpose

1. INTRODUCTION

User authentication is a critical element of information security. Many online information systems rely on password-based mechanisms to keep their services secure from illegal access [1]. A user has to be authenticated with his own password before performing any transaction or safely accessing his personal information. The password is defined as pre-arranged textual, graphical or numerical input supplied through the user login interface.
A conventional password should fulfil two fundamental requirements in order to be secure: (a) the password needs to be easy to recall, and the user authentication mechanism should run swiftly; (b) the password should be hard for attackers to guess. Locking and unlocking online applications or mobile terminals is therefore commonly based on a password authentication method such as Personal Identification Numbers (PINs). If access is granted to the wrong person, the entire security of the system crumbles. This can happen when users choose weak passwords and fail to follow the guidelines for creating secure passwords. Furthermore, the password submission process is vulnerable to direct observational attacks: for instance, password entry can easily be observed by nearby attackers in crowded places. This type of attack is known as shoulder surfing.

There are four types of attacks considered when designing an authentication scheme that protects users from illegal access [2].

(1) Shoulder surfing attack: a passive adversary attempts to obtain the user's PIN during the login process. In a good password authentication scheme, it should be extremely difficult to capture the user's password by recording or watching the entry, so as to thwart shoulder surfers [3].

(2) Dictionary attack: the attacker tries to identify the passwords a user is most likely to have chosen and uses them to defraud the system. These attacks are more effective when the candidate entries are ordered so that the most probable passwords are checked first [4].

(3) Brute force attack: this works similarly to the dictionary attack, but the main difference is that every possible password is generated and tried against the original password. Brute force attacks may be carried out either online or offline. The benefit is that a match will be found given enough computing time and