Communications of the ACM
Forget Captcha, Try Inkblots
A new password mechanism called Gotcha is based on a randomized puzzle-generation protocol that involves human-computer interaction.
Credit: Wikipedia
Carnegie Mellon University researchers have developed Generating panOptic Turing Tests to Tell Computers and Humans Apart (Gotcha), a password mechanism based on a randomized puzzle-generation protocol that involves computer-human interaction.
Gotcha works by generating an inkblot and then asking the user to enter a text description. The site then stores both the inkblot and description for whenever the user returns, at which point it displays the inkblot and asks the user to recognize their previous description from multiple potential selections.
The researchers say the system "relies on the usability assumption that users can recognize the phrases that they originally used to describe each inkblot image."
Gotcha could be used to prevent attackers from grabbing password files from servers, then cracking them offline, which continues to be a pervasive problem. "Any adversary who has obtained the cryptographic hash of a user's password can mount an automated brute-force attack to crack the password by comparing the cryptographic hash of the user's password with the cryptographic hashes of likely password guesses," the researchers note.
They say by using Gotchas, businesses could "mitigate the threat of offline dictionary attacks against passwords by ensuring that a password cracker must receive constant feedback from a human being while mounting an attack."
From InformationWeek
View Full Article
Abstracts Copyright © 2013 Information Inc., Bethesda, Maryland, USA
No entries found