GOTCHAs Outsmart Brute Force Password Thieves
Scientists at Carnegie Mellon University (CMU) have developed a new password system that incorporates inkblots to provide an extra measure of protection when lists of passwords are stolen from websites. A computer program alone would not be enough to break into an account – so this new type of password, dubbed a GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart), would be suitable for protecting high-value accounts, such as bank accounts, medical records, and other sensitive information.
To create a GOTCHA, you choose a password and a computer then generates several random, multi-colored inkblots. You describe each inkblot with a text phrase, and these phrases are stored in random order along with the password. When you return to the site and sign in with the password, the inkblots are displayed again along with the list of descriptive phrases. You then match each phrase with its corresponding inkblot.
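The registration and login flow described above, modelled as an added example in Python (illustrative code, not the CMU researchers' implementation): the phrases are stored shuffled, the password and the user's matching are bound into one hash, and an offline guesser with no human help must try every matching for every password candidate. The sample phrases, password list, salt handling and hash construction are assumptions.

```python
import hashlib
import itertools
import os
import random


def _hash(salt: bytes, password: str, matching: tuple) -> bytes:
    # Bind the password and the inkblot matching into a single digest (assumed construction).
    return hashlib.sha256(salt + password.encode() + bytes(matching)).digest()


def register(password: str, labels: list, rng: random.Random) -> dict:
    """Simulate sign-up: labels[i] is the user's phrase for inkblot i (labels must be distinct).
    The phrases are stored in random order; only the matching stays secret."""
    k = len(labels)
    perm = list(range(k))
    rng.shuffle(perm)                      # displayed position j shows labels[perm[j]]
    shown = [labels[j] for j in perm]
    matching = tuple(perm)                 # the answer: displayed phrase j belongs to inkblot perm[j]
    salt = os.urandom(16)
    return {"salt": salt, "phrases": shown, "k": k,
            "hash": _hash(salt, password, matching)}


def login(record: dict, password: str, matching: tuple) -> bool:
    """Sign-in: recompute the digest from the password and the user's matching."""
    return _hash(record["salt"], password, tuple(matching)) == record["hash"]


def offline_attack_cost(record: dict, candidates: list) -> int:
    """Count hash evaluations an offline guesser needs without human help:
    each password candidate must be paired with every one of the k! matchings."""
    tries = 0
    for pw in candidates:
        for perm in itertools.permutations(range(record["k"])):
            tries += 1
            if _hash(record["salt"], pw, perm) == record["hash"]:
                return tries
    return tries


if __name__ == "__main__":
    # Constructed sample: five inkblot phrases and a small password list.
    phrases = ["moth", "two dancers", "volcano", "crab", "mask"]
    rec = register("correct horse", phrases, random.Random(7))
    answer = tuple(phrases.index(p) for p in rec["phrases"])   # what the legitimate user supplies
    print("login ok:", login(rec, "correct horse", answer))
    print("offline tries:", offline_attack_cost(rec, ["password", "letmein", "correct horse"]))
```

With five inkblots every password guess costs up to 120 hash evaluations instead of one, which is the multiplier the scheme relies on.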
"These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle," says Jeremiah Blocki, a PhD student in computer science who developed GOTCHAs together with Manuel Blum, professor of computer science, and Anupam Datta, associate professor of computer science and electrical and computer engineering.
GOTCHAs sound much like CAPTCHAs, the scrambled-letter puzzles that Blum and his CMU colleagues created to protect websites from rogue automated programs. Like GOTCHAs, the widely used CAPTCHAs rely on people having visual skills that are superior to those of computers. The researchers emphasized, however, that GOTCHAs do not perform the same task and are not an alternative to CAPTCHAs.
The researchers have invited fellow security researchers to use artificial intelligence techniques to attack the GOTCHA password scheme at their online GOTCHA Challenge. Challenges 6, 7, and 10 have already been released.
"To crack the user's password offline, the adversary must simultaneously guess the user's password and the answer to the corresponding puzzle," Datta explains. "A computer can't do that alone. And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes." -- by Amber Harmon, © iSGTW