Security Challenge: Crack Passwords Protected by Inkblots

GOTCHA system uses inkblots to stop password crackers.

Researchers at Carnegie Mellon University have developed a new password system designed to help prevent the exposure of passwords stolen from public Websites.

The plan, known as GOTCHA (for Generating Panoptic Turing Tests to Tell Computers and Humans Apart), requires a human to identify multi-colored inkblots (rather than oddly typeset letters and numbers) in order to prove they’re not ‘bots.

GOTCHA allows users to create a password, then generates an array of different-sized, multicolored inkblots. Users describe each inkblot using a text phrase; the text phrases are stored in random order along with the password. When users return to a site and type in the password, GOTCHA retrieves the password, inkblots and text phrases. Users are required to match the inkblot to the text phrase.

“These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle,” according to a statement from Jeremiah Blocki, a Ph.D. student in computer science at Carnegie Mellon, and a member of the three-person team that developed GOTCHA.

The system could filter humans from bots – as CAPTCHA does – but is designed to make it more difficult for hackers to crack the encryption on passwords stolen from commercial Websites.

The process of matching text descriptions to inkblots before putting in a password could be easy enough to figure out – the number of inkblots isn’t large – but would nonetheless prove difficult to bypass using tools that ordinarily crack thousands of millions of password at a time.

GOTCHA doesn’t allow users to try to input their passwords until after they’ve identified the inkblots, so human intervention is required for each password, which would fatally delay any effort to crack the hashes on hundreds or thousands of stolen passwords – forcing password decryptors to call a human hacker for help before beginning each new password. It would also be effective against automated hacking programs.

“If the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes,” according to Anupam Datta, associate professor of computer science and electrical and computer engineering.

Researchers are testing the technique at Carnegie Mellon and inviting security researchers to help by pointing hack tools or artificial intelligence engines at a version of the software hosted at the GOTCHA Challenge site.

 

Image: Carnegie Mellon University

Related