Forget Captcha, Try Inkblots

Published: 22/11/2024   Category: security



Researchers propose using an inkblot-matching scheme, dubbed Gotcha, to defeat dictionary-based hacks of the Captcha system.



Psychoanalysis fans, rejoice: You might soon be able to log in to websites using inkblots. So goes the pitch for a new password mechanism developed by researchers at Carnegie Mellon University.
The three researchers have dubbed their new system Gotchas -- for Generating panOptic Turing Tests to Tell Computers and Humans Apart -- which, they said, boils down to "a randomized puzzle generation protocol, which involves interaction between a computer and a human," according to a summary of their research. They're scheduled to present a related paper, "Gotcha Password Hackers!", at the 2013 ACM Workshop on Artificial Intelligence and Security (AISec) next month in Berlin.
Here's how a Gotcha works: First, an inkblot gets generated, and the user is asked to enter a text description of it. The site then stores both the inkblot and the description. Whenever the user returns, it displays the inkblot and asks the user to recognize their previous description from among multiple potential selections.
Information security researchers have already tested inkblots -- which of course recall the pioneering, eponymous work of the Swiss Freudian psychiatrist and psychoanalyst Hermann Rorschach -- as an authentication mechanism. But previous approaches forced users to recall the exact phrase they'd first used to describe the stored inkblot, which created a usability challenge, the Carnegie Mellon researchers argued. By comparison, the construction of their system "relies on the usability assumption that users can recognize the phrases that they originally used to describe each inkblot image," they said.
One use for Gotcha would be to prevent attackers from grabbing password files from servers and then cracking them offline, which continues to be a pervasive problem. "Any adversary who has obtained the cryptographic hash of a user's password can mount an automated brute-force attack to crack the password by comparing the cryptographic hash of the user's password with the cryptographic hashes of likely password guesses," the researchers said in their paper. "This attack is called an offline dictionary attack, and ... [such attacks] are -- unfortunately -- powerful and commonplace." Indeed, numerous companies, including Gawker, LinkedIn, Sony and Zappos, have seen their users' passwords compromised in this manner.
By using Gotchas, businesses could mitigate the threat of offline dictionary attacks against passwords by "ensuring that a password cracker must receive constant feedback from a human being while mounting an attack," the researchers said. In other words, even if attackers recovered usernames and passwords via an offline dictionary attack, they'd still need a human to manually handle one or more Gotcha challenges before gaining access to any given account. From an economic standpoint, such attacks likely wouldn't be worth an attacker's time.
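To make the enrol/login flow and the "human in the loop" property concrete, here is an added simulation that is not code from the researchers or the article. It assumes a simplified construction: several inkblots per user (stand-in byte patterns, not images), the human's descriptions stored in shuffled order, and a stored verifier that hashes the password together with the human's matching of descriptions to inkblots, so a stolen record cannot be checked against a password guess without that matching. The function names and the label-binding scheme are this example's own.

```python
import hashlib
import hmac
import math
import random
import secrets

def make_inkblot(seed: int) -> bytes:
    """Stand-in for an inkblot image: deterministic pseudo-random bytes (constructed)."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def verifier(password: str, matching: tuple, salt: bytes) -> bytes:
    """Bind the password to the human's matching so a guess cannot be checked
    without it (assumed construction, not the paper's exact one)."""
    data = password.encode() + b"|" + ",".join(map(str, matching)).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 50_000)

def register(password: str, describe, n: int = 5) -> dict:
    """Enrolment: generate n inkblots, let the human describe each, store the
    descriptions in shuffled order plus a verifier bound to the true matching."""
    seeds = [secrets.randbits(32) for _ in range(n)]
    labels = [describe(make_inkblot(s)) for s in seeds]
    order = list(range(n))
    random.SystemRandom().shuffle(order)
    shown = [labels[i] for i in order]                    # labels as displayed at login
    matching = tuple(order.index(i) for i in range(n))    # blot i -> its shown position
    salt = secrets.token_bytes(16)
    return {"seeds": seeds, "shown": shown, "salt": salt,
            "hash": verifier(password, matching, salt)}

def login(record: dict, password: str, recognize) -> bool:
    """Login: for each inkblot the human picks the description they wrote from the
    shown list; the server recomputes the verifier from password plus those picks."""
    blots = [make_inkblot(s) for s in record["seeds"]]
    matching = tuple(recognize(b, record["shown"]) for b in blots)
    candidate = verifier(password, matching, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def offline_checks_per_guess(record: dict) -> int:
    """Cost of checking one password guess against a stolen record without a
    human: every possible matching (n!) must be hashed instead of one value."""
    return math.factorial(len(record["seeds"]))
```

With five inkblots each password guess costs 120 verifier evaluations instead of one, and that factor grows factorially with the number of inkblots; a human who recognizes their own descriptions pays one.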
New inkblot test?
As the name Gotcha suggests, the proposed new system might also serve as a replacement for the reviled Captcha tests currently employed by many sites as a challenge-response mechanism. Captcha -- based on the word capture -- is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. The technique, likewise developed at Carnegie Mellon, but back in 2000, was intended to allow a computer to tell if it was dealing with a human or another machine.
Since its debut, the Captcha has become a standard challenge-response system for everything from ticket-buying sites to online comment boxes. The underlying goal has always been to make the puzzles easy for real people to solve, and difficult -- if not impossible -- for a computer to conquer. Unfortunately, however, spam syndicates and online criminals keep improving their ability to bypass Captchas, in some cases by designing more automated attack tools, and in other cases by tricking people into solving a site's Captchas for them, for example by offering free porn.
Will the new Gotcha system be stronger than the Captcha that people have come to know and despise? To test that possibility, the Carnegie Mellon researchers have issued an open call to security researchers to try to break their inkblot-matching Gotcha construction techniques via their Gotcha Challenge website. "The goal of this challenge is to see if artificial intelligence techniques can be applied to attack our Gotcha construction," they said.
Participants can download five files associated with passwords generated using Gotcha inkblot-generating techniques. Depending on how hard those password files prove to crack, website users might soon be describing inkblots. The psychoanalysis is optional.
