Encryption Security IT

Scientists Release Working Prototype Of CAPTCHA-Based Password Assistant 86

An anonymous reader writes "Last year Slashdot ran a story on scientists from the Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany developing a novel method to improve password security. A strong long password is split in two parts; the first part is memorized by a human, and the second part is stored as a CAPTCHA-like image of a chaotic lattice system. Today, after a year of work, the same group at Max Planck Institute released a working prototype online, where everybody can try this technology to encrypt files (Java plugin required)."

  • by Plouf ( 957367 ) on Saturday April 07, 2012 @08:09PM (#39609653)
    This requires self-signed applet with full privileges so by using this new security solution I will put my computer at risk. Isn't that great? I would have expected that people working in the security domain would not have the "I don't bother about actual rights I need so let us request full access" attitude.
  • by Anonymous Coward on Saturday April 07, 2012 @08:10PM (#39609657)

    WARNING

    My Java said that the code was not signed. It could be swapped or faked. Don't run it unless it is signed and verified properly. It also gains full access to your computer... so don't run it until it is restricted.
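A quick way to act on the "don't run it unless it is signed" advice is to look inside the applet JAR before launching it. The following is an added example, not code from the prototype or the Slashdot thread: it opens a JAR (a zip file) and reports whether it carries any `META-INF` signature entries at all. This is a presence check only, it does not validate the certificate chain or who signed the code; for that you would run `jarsigner -verify -verbose -certs applet.jar`. The two JARs it inspects are constructed in memory for the demonstration, with placeholder contents.

```python
"""Added example (not the prototype's code): check whether an applet JAR
carries any signature files before deciding to run it.

Presence check only: it distinguishes "unsigned" from "has signature
files"; it does not validate the certificate chain. Use
`jarsigner -verify -verbose -certs applet.jar` for real verification.
The two JARs below are constructed in memory for the demonstration.
"""
import io
import zipfile

# The .SF file lists the digests; the .RSA/.DSA/.EC file is the signature block.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def build_jar(entries):
    """Build a JAR (a zip archive) in memory from {entry name: bytes or str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def signature_files(jar_bytes):
    """Return the sorted names of META-INF signature entries in the JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.upper().startswith("META-INF/")
            and name.upper().endswith(SIGNATURE_SUFFIXES)
        )


def classify(jar_bytes):
    """'unsigned' when no signature entries exist; 'signed (unverified)' when
    both a .SF digest list and a signature block are present. A signature
    block being present says nothing about whether the signer is trusted."""
    sigs = signature_files(jar_bytes)
    if not sigs:
        return "unsigned"
    has_sf = any(n.upper().endswith(".SF") for n in sigs)
    has_block = any(not n.upper().endswith(".SF") for n in sigs)
    if has_sf and has_block:
        return "signed (unverified)"
    return "malformed signature"


# Constructed sample JARs: a bare applet, and one with signature entries shaped
# like jarsigner's output (the contents are placeholders, not real signatures).
UNSIGNED_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "Applet.class": b"\xca\xfe\xba\xbe",
})
SIGNED_LOOKING_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/DEV.SF": "Signature-Version: 1.0\n",
    "META-INF/DEV.RSA": b"\x30\x82PLACEHOLDER",
    "Applet.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED_JAR), ("signed-looking", SIGNED_LOOKING_JAR)):
        print(label, "->", classify(jar), signature_files(jar))
```

Reading the result: "unsigned" means the browser plugin had nothing to verify, which is exactly the warning the commenter saw; "signed (unverified)" only means there is something for `jarsigner` to check, and the decision to run should still wait for that check to succeed against a signer you recognise.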

  • by Anonymous Coward on Saturday April 07, 2012 @09:45PM (#39610011)

    A security researcher asking people to blindly trust strangers........

    IMO they really aren't, as it is uploaded unobfuscated and anyone can download it. It then takes 2 seconds to drop it into one of many Java decompilers and you can read it yourself.

    Who can blame them for not spending a couple of hundred dollars on a signing cert? I can't for a proof of concept.

  • Re:um (Score:4, Interesting)

    by errandum ( 2014454 ) on Saturday April 07, 2012 @09:52PM (#39610049)

    Because they are, clearly, associated.

    Most encryption algorithms and libraries in java follow the standards implementation. If used properly they are as secure as possible.

    Don't confuse the relative security of a language (in allowing you to run code outside of the VM) with encryption algorithms. That's completely idiotic. It's like saying you should not eat meat because it's raining (yep, as idiotic as that).

  • by FrootLoops ( 1817694 ) on Sunday April 08, 2012 @04:35AM (#39611205)

    There are too many oddities for me to try out the service, sorry.

    1. The service isn't hosted on a .edu domain.
    2. The about page [www.crpt.me] makes a remarkably strong and vague claim for a group of scientists: "We are currently the strongest online encryption service available on the Internet."
    3. The story was submitted anonymously rather than with a "full disclosure" warning.
    4. There's no link on the web site to any supporting institutions, grants, or anything like that, even though the summary twice mentions the Max Planck Institute.
    5. The unsigned software wants full access to my machine.

    For all I know, this is an elaborate ruse to get a few poor saps to run untrusted code. I have nothing but the web site's word and the word of an anonymous commenter to go on balanced against the above weirdness, so I'm going to play it safe and move on.

    As for you, "Konstantin," perhaps you're just a weird person, but there are way too many oddities for me to simply believe that you're the K. Kladko from the paper.

    1. Your grammar and style are remarkably informal for an academic. You write like a teenager.
    2. You use way too many smilies for a security researcher.
    3. You sign your name while posting anonymously--just sign up for an account already.
    4. You expect me to run untrusted code on my machine as a security researcher just because you say, "Please trust us". Seriously? Seriously? (It bears repeating.)
    5. You're making lots of comments here. Usually scientists don't make any appearance on /. comments about their work, or if they do their posts are highly informative (e.g. The Bad Astronomer).

    My strong suspicion is that you're just rather young and naive and don't have enough supervision on this project. I'm not trying the software though.

  • Re:um (Score:4, Interesting)

    by Patch86 ( 1465427 ) on Sunday April 08, 2012 @06:06AM (#39611421)

    Why bother having the user set the word that is going to be displayed as a CAPTCHA? Why not just have the user set a password in the conventional way, and then show them a random CAPTCHA (also in the conventional way)? You'd get the same defence against a computerized brute-force or dictionary attack, but without the added security weakness of the user giving away the second part of the password (such as by key logger, or nosy desk neighbour, or writing it on a post-it).

    I suspect the reason most systems don't ask for a CAPTCHA alongside password entry is because CAPTCHA is a pain in the rear for users, which the system in TFA would still be.

  • Re:um (Score:4, Interesting)

    by Patch86 ( 1465427 ) on Sunday April 08, 2012 @06:11AM (#39611437)

    So in what way is this an improvement over a regular CAPTCHA (with a random set of letters and numbers, not set by the user)? A conventional random CAPTCHA will defend against brute force attacks in exactly the same way.

    TFA's proposed method would mean that either a) users will manage to remember the second part of their password (in which case why display it on screen; why not treat it like a regular password and keep it in the user's head) or b) users will need to read the CAPTCHA and enter the word as they see it (in which case why keep the word the same each time, why not randomise it like normal).
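The summary describes a password split into a memorised half and a half the user reads off a CAPTCHA-like image, and Patch86's objection is that the displayed half stops helping the moment someone else sees it. The block below is an added example, not the prototype's code or anything from the thread, that models both points. It assumes the full password is the plain concatenation of the two halves and that the key is stretched with PBKDF2-HMAC-SHA256 (the prototype's real key derivation is not described on the page); the image is not rendered, the displayed half is just a string the user is assumed to copy back; and the sample halves, salt and iteration count are constructed for the demonstration, with the iteration count far below production levels so the run finishes quickly.

```python
"""Added example (not the prototype's code): key derivation for a password
split into a memorised half and a half read off a CAPTCHA-like image, plus a
measurement of how much the displayed half is worth once it has leaked.

Assumptions: full password = memorised + displayed; KDF = PBKDF2-HMAC-SHA256.
The displayed half is a plain string standing in for the image. Sample
values, salt and the iteration count are constructed for the demo.
"""
import hashlib
import itertools
import string

KDF_ITERATIONS = 1_000           # demo value only; production uses far more
SALT = b"constructed-demo-salt"  # would be a per-file random salt in real use
ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def derive_key(memorised, displayed, salt=SALT):
    """Concatenate both halves and stretch into a 32-byte file-encryption key."""
    full = (memorised + displayed).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", full, salt, KDF_ITERATIONS, dklen=32)


def search_space(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def recover_memorised_half(target_key, displayed, max_len, alphabet=ALPHABET):
    """Attacker model from Patch86's comment: the displayed half has leaked
    (keylogger, nosy neighbour, post-it), so only the memorised half is left
    to guess. Returns (recovered_half or None, KDF evaluations made)."""
    attempts = 0
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            attempts += 1
            guess = "".join(cand)
            if derive_key(guess, displayed) == target_key:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    memorised, displayed = "ab", "x7q9"  # constructed, deliberately weak
    key = derive_key(memorised, displayed)
    print("search space with nothing leaked:",
          search_space(len(ALPHABET), len(memorised) + len(displayed)))
    print("search space once the displayed half leaks:",
          search_space(len(ALPHABET), len(memorised)))
    found, attempts = recover_memorised_half(key, displayed, max_len=2)
    print("recovered", found, "after", attempts, "KDF evaluations")
```

With the toy values the combined six-character password has a search space of 2,238,976,116 candidates, but once the four displayed characters are known the attacker is down to 1,332 candidates and recovers the memorised half on the 38th KDF evaluation. That is the general shape of the objection: the scheme's strength is the sum of the two halves only while both stay secret, and a half that is shown on screen and typed back on every use is the easier one to observe.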
