typodupeerror

## Scientists Develop New Method To Improve Passwords104

Posted by timothy
from the start-thinking-of-random-things dept.
An anonymous reader writes "Scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany have developed a novel method to improve password security. A strong long password is split in two parts. The first part is memorized by a human. The second part is stored as a CAPTCHA-like image of a chaotic lattice system."
This discussion has been archived. No new comments can be posted.

## Scientists Develop New Method To Improve Passwords

• #### RTA? (Score:2)

Well, It indeed silly. What is stopping us from just doing normal bruteforce?

• #### Re:RTA? (Score:5, Informative)

on Sunday April 03, 2011 @09:46AM (#35699090)

That's the one with the \$5 wrench, right?

• #### Re: (Score:2)

No, from the article i got the idea was:
1. Split password into 2 pieces, a normal password and a captcha part
2. Now if you bruteforce, you could miss on the second part, meaning bruteforcing will just take a bit more time
Meaning that "standard bruteforce" is still valid.

• #### Re: (Score:2)

Standard bruteforce was valid?

There are [Dictionary]^[PasswordLength] possible combinations.

If I write an 8 character password with the keys I can see on my keyboard at the moment, you get - 6,095,689,385,410,816 permutations.

Using my 'very quick' calculations which are more than probably not very accurate- if using a 3.5 GHz processor which can hash and check each password in a single cycle (which is a very funny proposition indeed) - it'll take you 20 days. If the system upgrades to a 9 character password

• #### Re: (Score:3)

If your password is to a system that is worth the effort, then it's likely going to lock out after 3 tries.. I realize you are speaking generically, but unless you can subvert that feature, you can't try more than N times without invalidating the account..
• #### Re: (Score:2)

I am assuming the worst case scenario, in which an attacker has copied the passwords and usernames from the database server, and is trying to break the hash.

if there are 3 tries, then there's absolutely no point in putting the CAPTCHA thing suggested by the article, since it'll be a human trying them out.

• #### Re: (Score:1)

How do you unlock it? Second password, probably. Also, many, many secure systems don't lock you out because it's a pain in the ass to get it unlocked. If you want to mess someone up and can't guess their password then lock their account up.

• #### Re: (Score:2)

Standard bruteforce has always been generally valid, though there are cases where it doesn't work as well such as account lockout and those places where logs are watched carefully.

If the password database can be retrieved, it generally works better, though a bit of salting helps to address that. Distributed computing solutions for rainbow tables help cut down the time needed to break these, and I imagine that places like the NSA devote both dedicated and spare cycles to building up their own rainbow tables

• #### Re: (Score:2)

That's the one with the \$5 wrench, right?

Where did you manage to find a wrench for \$5?

• #### Re: (Score:3)

Captcha image is encoded using the user's password. To brute force you'd either need to check the captcha images for each password combination or brute force the whole string (password+captcha) which is twice as long so will take an order of magnitude longer.

There are plenty of other key stretching techniques so not sure why this is any better tho.

• #### Re: (Score:2)

...or brute force the whole string (password+captcha) which is twice as long so will take an order of magnitude longer.

So 1,000,000 is an order of magnitude more than 1,000? Is has twice as many zeros...
You have a weird definition for "order of magnitude".

• #### Re: (Score:1)

Im assuming its 3 orders of magnitude since its 10^3 times greater? correct me if im wrong... oh wait you will http://xkcd.com/386/ [xkcd.com]
• #### Re: (Score:3)

There are plenty of other key stretching techniques so not sure why this is any better tho.

You can only see the CAPTCHA text when you enter the correct password, a wrong password will just lead to random noise. Their claim is now that the presence of the CAPTCHA text cannot be detected by algorithms because to an algorithm, the picture will basically look the same in both cases.

I don't buy this. They study a system close to a continuous phase transition, meaning that it is self-similar, and there is no singular length-scale that shows up in any correlation function. By introducing the CAPTCHA tex

• #### Re: (Score:1)

A bot can't keep a list of checked passwords, because it's impossible to tell whether the password failed because of the static part or the part which is changing with every attempt (the captcha). Therefore there's no guarantee that your bruteforce will succeed in a certain time, that is after a certain number of attempts.

• #### Re: (Score:3)

So.. they've invented.. password salting?

• #### Belated April Fool Joke? (Score:1)

Not only does this not look to me like a particularly professional reporting site, if you follow the link on the page 'Which authors of this paper are endorsers?' you get the following;-

"No authors of 1103.6219 can endorse.
The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs
Tetyana Laptyeva V.: Is registered as an author of this paper.
Not currently an endorser.
S. Flach and K. Kladko are not registered as owners of this paper"

If nobody is willing to endorse the paper then surely it's n

• #### Re:Belated April Fool Joke? (Score:4, Insightful)

on Sunday April 03, 2011 @09:52AM (#35699116) Homepage
That lists which authors of that paper endorse other papers.

Perhaps analyze this idea for its own worth rather than look for silly reasons to discard it? How about that it relies on generating a secure password already, which would be hard for people to memorize, how the blind couldn't use it, or how it's really just the combination of two already common ideas?
• #### Re: (Score:3)

I think the concept is fairly straightforward, though: If you make it hard for a computer to determine the difference between the plaintext and garbage, it will be hard to brute-force decrypt. In theory, by making the plaintext into a captcha the computer will no longer be able to tell when it has successfully decrypted the image, so (again in theory) after every password attempt a human will have to read the "decrypted" image to see if it is correct or not, so a brute force attack would (in theory) take

• #### Epc fail (Score:2)

Two days late, guys. HIYGCOTWO.

• #### Maybe I should patent (Score:5, Funny)

on Sunday April 03, 2011 @09:57AM (#35699142)

Heres an extra layer of security for your password.
You take another post it note and stick it to your monitor over the top of the one with your password on. To access your password just lift up the top sticky note.

• #### Re:Maybe I should patent (Score:5, Funny)

on Sunday April 03, 2011 @10:04AM (#35699198)

"The use of opaqueness of tree-derived substances in 3 dimensional space in order to secure against password disclosure through movement of waverforms through translucent media".

There, picked out a name for you.

• #### Re: (Score:2)

I was going to go with self-destructing sticky notes, disappearing-ink sticky notes, but yours is elegant in its simplicity.

• #### Right so... (Score:2)

So if someone steals the password list off a server and wants to steal the admin passwords, all he has to do is to read the captcha himself, work it out (being a human and all that), then try to break the hash by adding the 'captcha answer' to the end of the string.

Sure it might make it harder for someone to try to steal passwords from a large list, but if you're only targetting admin (or specific ones) it'll actually make things less secure. You tell people they only need to remember half the password and

• #### Something is wrong with that PDF (Score:2)

It causes "ePDFViewer" (the random PDF viewer firefox and/or linux decided to bring as default option when opening such link in firefox) to hang for a minute and use 100% CPU whenever scrolling or zooming.

• #### Seeding... (Score:2)

So let's just be clear, they've re-invented seeding a password?
• #### Wasn't April Fools a couple of days back? (Score:1)

Seriously... how does this help? Sure, it might give brute-force a harder time, but wouldn't people just brute-force the captcha? Hm.
• #### This will not work (Score:3)

on Sunday April 03, 2011 @10:22AM (#35699306)

as long as I am not able to select my own login AND password.
I have a multitude of different logins that were given to me and that I can not change. I have been given a multitude of passwords that I am unable to change, because I am not the only one to use that specific login.

Also have more then one security key.

Oh and I need to change some of them each month. I could easily remember a 32 character password. But not if I need to change it every month AND if I need to remember anywhere between 10-30 AND need to know what login it belongs to AND some can't be that long.

So sure, you can blame the human. However that IS a factor that will not go away. And as long as logins and password are basically a "Hey, I tried to protect the data, so I am safe"-thing for IT people, nothing will change.

To often I see people that are resposible for the security try to find a technological solution for the social problem. Security is not a technical issue. It is a social process.

• #### Re: (Score:2)

I read a lot about password security here, and I fail to grasp one basic thing.

How many passwords are "necessary"? In the sense lives or large amounts of money would be lost if they were breached?

How many passwords are more of dutiful "security"?

In a sense, how many passwords do you have, that someone would be willing, capable and likely; to bust your head open and steal the password from your pocket?

I have one important password, to my WoW account (yeah I know...). The rest are unimportant in the gran

• #### Re: (Score:1)

...because I am not the only one to use that specific login.

I cannot think of a single circumstance where this is necessary or a good idea.

Excuses for why is it the way it is don't count.

• #### I think the key with this idea is (Score:1)

to improve password security and not to make a fail safe method. In a way that users can still create passwords like "123456" (they allways will, if they are allowed to), but by adding the captcha they will be harder to crack.
• #### waste of verbage (Score:2, Informative)

The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

You don't need a bunch of mumbo jumbo to make a brute force attack ineffective, all you need to do is lock the account after x failed login attempts.

• #### Re: (Score:1)

And now you've just opened up a new way do a denial of service!
• #### Re: (Score:2)

If brute-force attacks are inefficient, compromised password files are less dangerous.

• #### Re: (Score:1)

I found the method used by an old phone (don't remember brand and model) effective. If you enter incorrect password for the first time, it make you wait 10 seconds before you can try again. A second time, wait 20 seconds, third time, 40 seconds, 4th time, that 80 seconds for you, and it keeps going like that. It gives the real owner of the phone a chance to get it right, but if you brute force, the wait time goes up quickly
• #### Just my own problem with password systems (Score:2)

Different systems have different parameters. One required 5-8 characters, including 1 number and 1 capital letter. I ran into one that had to be exactly 6 characters, but no other restrictions. One had a requirement of a 'special' character, i.e. \$ * # ! ) etc. I understand the restrictions, somewhat, but my passwords tend to be 10-15 characters long with numbers but no special characters. Sometimes a capital letter or 2.

Instead of creating new schemes, just let me use this-
"ijustgotanewpuppyandiname

• #### The key to understanding this system (Score:1)

...is that the whole password cannot be decrypted in an automated way, because even though a computer program would quickly guess the short password (SP), the fact that the strong key (SK) is stored as a CAPTCHA prevents the computer program from obtaining it, even with the correct SP.

The point is not (as some seem to believe) to help the user memorize a longer password by storing part of it for him. This approach actually wouldn't introduce any added security, as you still have a single point of failure (t

• #### hunter2 tag (Score:3, Funny)

on Sunday April 03, 2011 @02:53PM (#35701244) Homepage
From http://www.bash.org/?244321 [bash.org]:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
• #### How is this new? (Score:1)

Sorry, but I don't understand how this could possibly be any better than combining existing password and CAPTCHA systems, which I am fairly certain has been done before. If the CAPTCHA and password didn't have a link between them it would likely be more secure. Their system only provides some benefit until someone leaks the algorithm for generating the CAPTCHA.

Is there something that I am missing?
• #### i still prefer pixelock (Score:1)

"Whom are you?" said he, for he had been to night school. -- George Ade

Working...