November 7, 2013
GOTCHA Security Software Uses Inkblots Instead Of Passwords
Lee Rannals for redOrbit.com – Your Universe Online
Computer scientists are now moving to inkblots to help provide an extra measure of security on the Internet. Scientists at Carnegie Mellon University have created the Generating panOptic Turing Tests to Tell Computers and Humans Apart (GOTCHA) in order to protect online bank accounts, medical records or other sensitive information.
When using GOTCHA, a user would choose a password while a computer generates several random, multicolored inkblots. A user then describes each inkblot with a text phrase, which is stored in a random order along with the password. When users return to the site and sign in, the inkblots are displayed again along with the list of descriptive phrases, which they are prompted to match with the appropriate inkblot.
"These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle," Jeremiah Blocki, a PhD student in computer science who helped develop GOTCHA, said in a press release.
The researchers believe GOTCHA would prove to be a significant asset at a time when website security breaches can result in the loss of millions of user passwords.
Passwords stolen from companies like LinkedIn, Sony and Gawker are stored as cryptographic hashes, which are open to automated offline dictionary attacks. Computers are able to evaluate as many as 250 million possible hash values every second.
While passwords like “123456” or “password” are easy to crack, even harder passwords become vulnerable to computer hackers these days. However, with GOTCHA a computer program wouldn’t be enough to break into an account.
"To crack the user's password offline, the adversary must simultaneously guess the user's password and the answer to the corresponding puzzle," Anupam Datta, associate professor of computer science and electrical and computer engineering at Carnegie Mellon University, said in a press release. "A computer can't do that alone. And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes."
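The enrollment and sign-in flow described above, and the reason an offline attacker has to guess the password and the puzzle answer together, can be sketched as follows. This is an added example, not the Carnegie Mellon researchers' code: the record layout, the use of PBKDF2 and all function names are assumptions, and inkblot generation is left out.

```python
import hashlib
import hmac
import math
import os
import secrets

HASHES_PER_SECOND = 250_000_000  # offline guessing rate quoted in the article


def _digest(salt, password, matching):
    # Bind the password and the inkblot-to-phrase matching into one hash input.
    material = password.encode() + b"\x00" + bytes(matching)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def enroll(password, phrases):
    """phrases[i] is the user's description of inkblot i (phrases must be unique)."""
    salt = os.urandom(16)
    order = list(range(len(phrases)))
    secrets.SystemRandom().shuffle(order)  # random storage order
    stored = [phrases[i] for i in order]
    matching = [order.index(i) for i in range(len(phrases))]
    # The matching itself is never stored, only the phrases and the hash.
    return {"salt": salt, "phrases": stored,
            "hash": _digest(salt, password, matching)}


def verify(record, password, matching):
    """matching[i] = index in record['phrases'] the user picked for inkblot i."""
    candidate = _digest(record["salt"], password, matching)
    return hmac.compare_digest(candidate, record["hash"])


def offline_guesses(dictionary_size, n_inkblots):
    # Without a human solving the puzzle, each password guess must be
    # paired with every possible matching of n phrases to n inkblots.
    return dictionary_size * math.factorial(n_inkblots)


def seconds_to_exhaust(dictionary_size, n_inkblots):
    # Uses the article's quoted rate; a slow hash would lower it further.
    return offline_guesses(dictionary_size, n_inkblots) / HASHES_PER_SECOND
```

A stolen record holds the salt, the shuffled phrases and the hash, so a password guess cannot be checked on its own without also supplying a matching.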
Researchers performed a user study with 70 people hired through Mechanical Turk to see how reliable GOTCHA was. Each user was asked to describe ten inkblots with creative titles, like “evil clown” or “lady with poofy dress.” Ten days later the participants were asked to match those titles with the inkblots.
The study shows a third of the participants were able to correctly match all of the inkblots, while two-thirds were able to get half of them right. Blocki said there are ways to help make the descriptions even more memorable, including using more elaborate stories like “a happy guy on the ground protecting himself from ticklers.”
The computer scientists have invited fellow security researchers to apply artificial intelligence techniques to try and crack the password scheme through the “GOTCHA Challenge.”