
Inkblot passwords could help increase online security

GOTCHA will help protect against large breaches that compromise thousands or millions of passwords.

By Ananth Baliga
The GOTCHA inkblot test would require users to come up with creative phrases to describe the inkblots, such as "robot clown" or "lobstering around." (Credit: Carnegie Mellon University)

Computer scientists at Carnegie Mellon University have developed a new inkblot password system called GOTCHA to increase security against online password thefts.

GOTCHA, short for Generating panOptic Turing Tests to Tell Computers and Humans Apart, allows a user to create a new password, and then generates several random inkblots.


The user will create unique captions for these inkblot images, which are saved along with the password. When the user next signs in, they will provide their password, and will then have to match their phrases to the correct inkblot.

"These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle," said Jeremiah Blocki, a Ph.D. student, in a statement.

The inkblots would help secure websites, especially when a major breach results in the loss of thousands or millions of passwords -- as has happened in the past to LinkedIn, Gawker and Sony, to name a few.

Most passwords are stored as the output of a cryptographic hash function. A human cannot recover a password from those bits, but a computer can evaluate as many as 250 million hash values every second, testing guesses against the stolen hashes at that rate. Many people still use easy passwords like "123456" or "password," which such guessing recovers almost immediately.


But even difficult passwords can fall prey to such brute force attacks.

With GOTCHA, an automated cracking program would need a human to help decipher the inkblot captions for every guess, and with millions of stolen passwords that is not an easy job.

"To crack the user's password offline, the adversary must simultaneously guess the user's password and the answer to the corresponding puzzle," said Anupam Datta, associate professor at the university. "A computer can't do that alone. And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes."
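To make the offline-cracking point concrete, here is an added toy model of the scheme; it is not the CMU team's code, and the construction (inkblot seeds derived from the password, and a hash over the password plus the user's caption-to-inkblot matching) is an assumption about how such a record could be stored. The search function plays the role of a thief of the record who has no human helper.

```python
import hashlib
import hmac
import itertools
import os
import secrets

K = 5  # constructed parameter: inkblots per account

def inkblot_seeds(password, salt, k=K):
    """Seeds for rendering the k inkblots (assumed design). They depend on the
    password, so an attacker only sees the puzzle after guessing the password."""
    return [hashlib.sha256(salt + password.encode() + bytes([i])).digest() for i in range(k)]

def enroll(password, captions):
    """Build the stored record. 'captions' are the user's phrases for inkblots
    0..k-1, in inkblot order. They are stored shuffled; the shuffle is the secret
    the human recovers at login by matching phrases to pictures."""
    salt = os.urandom(16)
    order = list(range(len(captions)))
    secrets.SystemRandom().shuffle(order)  # order[j] = inkblot described by shown caption j
    shown = [captions[i] for i in order]
    tag = hashlib.sha256(salt + password.encode() + bytes(order)).hexdigest()
    return {"salt": salt, "shown_captions": shown, "tag": tag}

def verify(record, password, matching):
    """matching[j] = index of the inkblot the user paired with shown caption j."""
    tag = hashlib.sha256(record["salt"] + password.encode() + bytes(matching)).hexdigest()
    return hmac.compare_digest(tag, record["tag"])

def offline_search(record, candidates, k=K):
    """What a thief of the record must do without a human: combine every
    password guess with every one of the k! possible matchings.
    Returns (password, matching, hashes_computed) or None."""
    tries = 0
    for pw in candidates:
        for perm in itertools.permutations(range(k)):
            tries += 1
            if verify(record, pw, list(perm)):
                return pw, list(perm), tries
    return None

if __name__ == "__main__":
    rec = enroll("123456", ["evil clown", "robot clown", "lady with poofy dress", "lobster", "bat"])
    found = offline_search(rec, ["password", "qwerty", "123456"])
    print(found)  # weak password still falls, but at up to 3 * 120 hashes instead of 3
```

The multiplier is only k! here; in the real proposal the matching is replaced by a puzzle a machine cannot solve at all, which is the property the quote above relies on.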

Researchers had 70 people each describe 10 inkblots with creative phrases like "evil clown" or "lady with poofy dress." Ten days later, 58 participants who returned for round two of testing were asked to match the images to their phrases. A third were able to match all inkblots accurately, while two-thirds got at least half right.

Prof. Manuel Blum, who was part of this project, also contributed to CAPTCHA, the scrambled letter puzzles that currently serve as a standard for identifying humans online. Blum pointed out that GOTCHA is not a replacement for CAPTCHA, as they perform different security functions.


The GOTCHA team has invited security researchers to apply artificial intelligence techniques to crack the inkblot match test through their online GOTCHA Challenge. Artificial intelligence startup Vicarious just announced last week that it has defeated modern text CAPTCHAs.
