Computer scientists at Carnegie Mellon University in Pittsburgh devised a technique using inkblots to provide an extra layer of security for passwords stored for authenticating online user accounts. The developers — doctoral student Jeremiah Blocki, and faculty members Manuel Blum and Anupam Datta — described their system called Generating panOptic Turing Tests to Tell Computers and Humans Apart or GOTCHA earlier this week at Association for Computing Machinery’s Workshop on Artificial Intelligence and Security in Berlin, Germany.
Blum and colleagues at Carnegie Mellon developed the familiar CAPTCHA scrambled letter system for filtering out automated rogue programs, when accessing online resources.
The researchers developed GOTCHA to protect high-value online data, such as those stored in financial accounts or medical records. The technique, say the researchers, requires simultaneous human and computer interaction, thus negating brute-force hacking attempts that rely on sheer computing power and speed to run through all possible character combinations to break a password.
GOTCHA creates a series of multi-colored inkblots when the customer creates a password, and the customer then adds a brief text phrase to describe each inkblot. When customers sign in again to the site and enter their passwords, the inkblots are displayed, but with the descriptions in random order. Customers must then match the phrases to the inkblots to access their accounts.
The need for simultaneous computer response and human judgement adds the robust layer of security, should a hacker steal a list of accounts with passwords encrypted in hash codes, then try to break the passwords offline. “A computer can’t do that alone,” says Datta in a university statement. “And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes.”
A test of GOTCHA, with 70 participants recruited through Mechanical Turk, Amazon.com’s online workforce marketplace, shows Blocki and colleagues may need to refine the system before it’s ready for large-scale use. The test asked participants to describe 10 inkblots with short, but creative titles. Ten days later, when 58 returning participants tried to match the descriptions to the inkblots, only about one-third of the group correctly matched all of the descriptions to the images. Another one-third were able to match half of the inkblots to the phrases.
Nonetheless, the researchers constructed a crowdsourcing challenge to the computer science community to try and break GOTCHA in a simulated offline dictionary attack, as might be used in a server breach.
Read more:
- NSF Awards $20 Million for Cyber Security, Privacy R&D
- Research to Develop Peer-to-Peer VoIP Security Protocol
- Weaknesses Found in Online Banking, Facebook Security
- Color X-Ray System Devised for Health, Security, Industry
- National Lab Builds Android Network for Security Simulations
* * *
You must be logged in to post a comment.