
Researchers Dare AI Experts To Crack New GOTCHA Password Scheme

Posted by samzenpus
from the broken-in-3-2-1 dept.
alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."
  • Really? (Score:5, Funny)

    by Anonymous Coward on Friday November 08, 2013 @03:09AM (#45365791)

    I feel like they mind as well have asked me to paint a picture which best conveys my ex-girlfriend's LiveJournal post from 2001.

  • tried it (Score:5, Insightful)

    by Anonymous Coward on Friday November 08, 2013 @03:10AM (#45365795)

    Turns out I am a computer. Couldn't have figured it out myself!

    • Re:tried it (Score:5, Informative)

      by Chatterton (228704) on Friday November 08, 2013 @05:17AM (#45366331) Homepage

      You just don't need to remember 1 password, but 11 of them to log in... What an improvement !!! :)

      • by cdrudge (68377)

        Technically you still only have to remember 1 password. The other 10 the machine remembers and tells you, you just have to correctly associate them to the inkblots.

    • by evilviper (135110)

      Turns out I am a computer. Couldn't have figured it out myself!

      Harrison Ford is on his way over, to shoot you in the head.

    • Re:tried it (Score:5, Insightful)

      by pla (258480) on Friday November 08, 2013 @07:24AM (#45366817) Journal
      Turns out I am a computer. Couldn't have figured it out myself!

      This. Even with the answers, I can't recognize the features those descriptions supposedly refer to... "Little birdies facing each other on the bottom and little bees flying away from each other on top"??? WTF? Does anyone actually see the birds and bees the captions keep referring to?

      Dear security researchers - Any clever scheme that humans have trouble dealing with, will fail, no matter how "secure" you consider it. I can remember "correct horse battery staple" (with 1 through 9 tacked on at the end to get around annoying domain password history restrictions, of course - Case in point!). In TFA's case, I'd probably need to keep a goddamned picture of my password in my wallet to compare against each time I log in.
      • Re:tried it (Score:5, Informative)

        by Dachannien (617929) on Friday November 08, 2013 @07:52AM (#45366919)

        Presumably, in a real-world scenario, you give your own labels when you register for an account. This would hopefully mean you would form a persistent correlation between the labels and the images. But their multicolor inkblots are so indistinct from each other that I think I would have difficulty labeling each image in the first place.

        • by Agent0013 (828350)
          That would not replace the use of CAPTCHA, as even making an account usually requires verification of human interaction. If a bot can make a million accounts and add descriptions to the images, then they can spew spam or whatever they are doing with the bot accounts.
      • by Guru80 (1579277)
        I'm guessing in a real world situation the creator of the password would know exactly what its image refers to. As for not being able to recognize any features in the linked examples, while I could never guess them (and that's the point pretty much) I can definitely see how the caption and image relate to each other after reading it.
      • And what if you are color blind? I am not color blind and can't make heads or tails of these paintball shotgun patterns vs the text descriptions.

        Yes one objective is to frustrate bots ...but if you frustrate humans, as pla points out, then you are a non-starter. Go back to your room CMU compsci person 'cause I know you are smart enough to do better.
      • Re:tried it (Score:5, Interesting)

        by CastrTroy (595695) on Friday November 08, 2013 @09:47AM (#45367835) Homepage
        Carrying around your password in your wallet is probably safe enough for most people. People carry money, credit cards, all kinds of valuable things in their wallet. Probably safer than using an insecure password.
      • by TheCarp (96830)

        > I can't recognize the features those descriptions supposedly refer to.

        No you are just missing the point....it isn't YOUR password. If you could match them up, then it wouldn't be secure.

        The security of the system rests on the ability of a person who described a bunch of ink blots to match their own descriptions back up to the pictures they chose. You can think of it as a trick to use visual memory to help a person pick a random password and remember it.

        There was some research a while back that showed p

      • Well - I'm glad that I'm not alone here. I just figured that I was experiencing yet another hardship due to bad color vision. The images made no sense to me at all - but then, I can't see the numbers on a color vision chart either.

    • I think I'd rather use a test that just asks me to click on the hot women real quick.

      http://bettercgi.com/images/face-turing-captcha.png [bettercgi.com]

    • by rjstanford (69735)

      The presentation is awful as well. Full screen width monospaced fonts with no introduction describing what they're doing.

    • by Pope (17780)

      Hey! Stop all the downloading!

    • by RDW (41497)

      Turns out I am a computer. Couldn't have figured it out myself!

      Eliza> How does that make you feel?

  • The source code for the challenge was written in the C# programming language

    nice try Microsoft but i'm still not falling for it!

    • by Alarash (746254) on Friday November 08, 2013 @03:54AM (#45366021)
      Too bad for you, because C# is an awesome language that absolutely doesn't require Windows or .NET or Mono.
      • by Tom (822)

        "awful" is more like it. I had more fun writing 8086 assembler than C# code. On a broken keyboard. With a toothpick in my mouth and both hands tied behind my back. By a sadistic Pascal teacher who kept going on about clean code structure and went on to describe Oberon when that wasn't enough.

        Also, it was more readable.

    • by Megane (129182)
      And isn't the # supposed to be at the front of the hashtag? Damn hipsters and their hashtag crap.
  • by snowgirl (978879) on Friday November 08, 2013 @03:17AM (#45365827) Journal

    They've already been shelling out free porn in exchange for people solving captchas for them... I don't think this will change anything...

    • by narcc (412956)

      They've already been shelling out free porn

      People still pay for pornography? Don't they have the internet? Are they solving printouts of CAPTCHAs?

      Honestly, there's no need in this modern age to embarrass yourself at the gas-n-go, milling around waiting for the matronly old woman to take a break so that you can ask the pothead with the trainee badge to go round to the rack behind the counter. Anything you want is just a click away.

      • Re:MechanicalTurk (Score:4, Informative)

        by leonardluen (211265) on Friday November 08, 2013 @09:09AM (#45367423)

        i believe what happens is that the "bad guys" set up a page containing free porn. but in order to view the porn you have to solve a captcha.

        when horny teenager shows up to look at the porn, a bot goes out to the target site you want to compromise and grabs their captcha. you then present the captcha to the horny teenager and have them solve it for you. the bot then enters the info on the target site and just "proved" it was human and so now can do things that only humans are allowed to do. meanwhile the horny teenager is happily looking at the free porn and will probably come back the next day to solve another captcha for you.

  • Uh, right. (Score:2, Funny)

    by Anonymous Coward

    I don't see any of these. e.g. How the F*** is that a robot on a skateboard?

    The only winning move is not to play.

  • by artor3 (1344997) on Friday November 08, 2013 @03:17AM (#45365835)

    Did the researchers ever try having someone not on their team pass this test? There's no way anyone could figure out which ink blot is which unless they were involved in the naming process.

    • by JaredOfEuropa (526365) on Friday November 08, 2013 @03:42AM (#45365939) Journal
      I find it rather hard as well. Imagine how well color-blind people will do at this test. Or people from other cultures / countries. People for whom English is a second language.

      Not to mention the fact that if I'd find something this convoluted on an account creation page, I'd most likely leave and never come back. CAPTCHAs are already bad enough.
      • by Urza9814 (883915)

        It's not a CAPTCHA, it's a password.

        You don't match some strings they came up with to a bunch of pictures they came up with. They generate a bunch of pictures, and you create descriptions for them. Then when you try to login they give you a list of your previously entered descriptions with the same pictures and you have to match them up again.

        In other words, if you want you could just fill in the passwords as "TOP RIGHT" "BOTTOM LEFT" based on the location of the largest dot, or you could make them all the

    • by blane.bramble (133160) on Friday November 08, 2013 @03:53AM (#45366015) Homepage

      That is the whole point I believe - as part of the process *you* name the ink blots that were generated for you. Then next time you log in you match them back up.

      • by gsslay (807818)

        I'm happy to admit I've missed something here, as the description given about how it would be used in actual practice is not at all clear to me.

        Am I correct in thinking that this does not remove the need for a password, it just means you need to match up the blobs with the descriptions and supply the password?

        In which case, interesting idea, but very laborious. And a description you give on one day for blobs may completely elude you the next.

      • by Rockoon (1252108) on Friday November 08, 2013 @07:38AM (#45366871)

        And I go over to the psychologist, and he says, "Emo, what does this inkblot look like to you?"
        I said, "Oh, it's kind of embarrassing."
        He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."
        I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness."
        ..and he gets kind of depressed.
        I said, "Okay, it's a butterfly." and he cheers up.

        He said, "What does this inkblot look like?"
        I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."
        He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."
        "Oh," I said, "was I far off?"
        He said, "No. That's the sad part."

        - Emo Philips

    • by dido (9125) <didoNO@SPAMimperium.ph> on Friday November 08, 2013 @04:19AM (#45366129)

      I not only read the article but also the associated paper, and it seems that the proposed scheme involves precisely that. They generate some random inkblots and you have to give them some imaginative descriptions. Nevertheless I remain unconvinced that this is a good idea from a usability standpoint. I haven't even been able to find a link to a working mock-up of the system in action, so I could try it out.

  • by ignoramus (544216) on Friday November 08, 2013 @03:18AM (#45365841) Homepage
    According to this challenge, I'm totally failing the Turing test. Is http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge_files/Account%200Inkblot4.jpg [cmu.edu] really a "robot on a skateboard like thing" to anyone here? What am I missing?
    • by ignoramus (544216)
      P.S. I get that they're user selected mnemonics... it's mostly that I'd have a pretty hard time assigning meaning to most of the generated blobs...
      • It fails at what it was designed for, in a worse way than captcha.

        The theory behind such passwords or password enhancements is to introduce something which is pretty damn simple for a human to perform (reading and typing something down, or making a few simple cognitive tasks), while being awfully complicated for a bot to do in order to slow down automated attempts.

        Even if you have 10 such images to match each with one of 10 user-generated phrases, that *only* has 10! combinations, which more or less is equi

    • by houghi (78078) on Friday November 08, 2013 @04:05AM (#45366069)

      You can not fail the Turing test. It is just to test if you are a robot or not. You are clearly a robot.

      They now use a variation of the test to determine if you are danger to the USofA. (Or perhaps it is the same test.)

      Oh, and if you can swim, you are a witch.

      • Doesn't the Test assume that you're a computer to begin with? You 'win' if you convince them there's at least a 50% chance you're a computer. Technically you could also win by influencing the human somehow into giving computer-like answers.

    • by oobayly (1056050)

      From TFA:

      “The user describes each inkblot with a text phrase. These phrases are then stored in a random order along with the password. When the user returns to the site and signs in with the password, the inkblots are displayed again along with the list of descriptive phrases; the user then matches each phrase with the appropriate inkblot.”

      You name the images, so as you've proved, it's a lot harder for somebody to break into your account as these descriptions are completely subjective. The big problem may be remembering which descriptions were which - as it may depend on the mood or state of mind you were in at the time.

      • by oreaq (817314)
        So it's basically like having two passwords instead of one?
      • "When the user returns to the site and signs in with the password, the inkblots are displayed again "

        So, the inkblots aren't displayed unless the password was correct? Isn't that the signal to the bot that it has the correct password? What is being gained with these images again?

    • by fatphil (181876)
      Nope, that's a classic "Lesbian Bloodbath" image if there ever was one. Quite how to distinguish it from the other 9 Lesbian Bloodbath images is the tricky thing.
      • by fatphil (181876)
        G/f says it's "clown with a knife", but I think she had a scarred childhood.
      • by kbg (241421)

        All I see is woman with large breasts, woman with medium breasts, woman with small breasts, and this one looks like you... with breasts.

    • Try the "word association test" [youtu.be]. A very GOTCHA kind of a test, that can prove anything you want it to prove.

  • hooray, eggheads (Score:3, Interesting)

    by Anonymous Coward on Friday November 08, 2013 @03:24AM (#45365865)

    It may or may not be uncrackable. Woot. But it certainly is untenable, unwieldy, and unimplementable. I've got to generate 6+ random-ish images, assign descriptions, and then at some point in the future re-match them? Why not have me generate a one-time pad at the length needed and ask me to remember that?

    • The images generated are definitely difficult (and painful) to try to decipher. It's all of the colors and the dots everywhere... Makes me a bit nauseous, actually.

      The concept doesn't really seem to be any better than just choosing a secure password in the form of a sentence. You don't need an image for that, you just need users that can remember "1234 is the password to my luggage." instead of "1234".

      • by fuzzyfuzzyfungus (1223518) on Friday November 08, 2013 @03:39AM (#45365919) Journal
        It might actually be worse, since the scheme describes providing a list of descriptions to choose from, one of which is the one that the user originally provided when the inkblot was generated.

        Any CAPTCHA-style scheme that has to rely on a list of options (either because the cues are too vague, or because the answers aren't trivially expressible with a mouse and keyboard (or, now, a touchscreen...)) inherently runs into the issue that even a bot of essentially zero skill can now achieve a 1/n success rate, for an n length list of options; by pure chance. Unless you want to piss off your users a lot, 1/n is probably actually going to be unnervingly good starting odds, for a trivial scraper-level bot, and the options list also means that any more sophisticated AI approach has a relatively small and discrete universe of possibilities to deal with.
        • by tftp (111690) on Friday November 08, 2013 @04:02AM (#45366063) Homepage

          A common man who cares about being able to remember an inkblot later on would describe it with specifics, like "five blue on top and three blue on bottom." This is quite parseable by a computer. The associative descriptions that the authors are hoping for are just not going to happen. Never. An association is a fleeting thing, especially when you are dealing with a random inkblot.

          Far more importantly, the inconvenience of matching those images will be so great that the web sites will lose audience, and the site owner will drop this stupidity.

          Most importantly, the method does not protect the customer - it only protects the web site owner. (A hacker can always figure out, with patience and time, which description fits what inkblot.) This means that millions of customers will be forced to endure this torture just for convenience of the site operator. This isn't going to fare well.

          • by fuzzyfuzzyfungus (1223518) on Friday November 08, 2013 @04:30AM (#45366173) Journal
            I suspect that this scheme is also approximately as ADA (and I assume the EU has an equivalent, it's the sort of thing that they would do) compliant as prior CAPTCHAs, which is more or less 'HAHA, ocular cripple, no website for you!', possibly with an audio variant that is either broken and simply not actually a substitute, clear enough to be within attack range of commercially available text-to-speech software, or something allegedly human; but about as comprehensible as a heavy metal vocalist screaming a language you don't know through a couple of tin cans and a piece of string, from underwater...

            I'm not sure how more sites don't get smacked for that.
            • heavy metal vocalist screaming a language you don't know through a couple of tin cans and a piece of string, from underwater...

              Stop spying on my music listening habits!
        • by rjstanford (69735)

          Well said.

          To expand on that a little, if someone's trying to crack your account then they can probably afford to have a human involved who will have a somewhat reasonable chance of getting your clues correct. Most people don't care about the accounts they get though, and with millions to choose from getting the correct number cut down to 1% of what it would otherwise have been just doesn't matter any more. Web scale helps them in that case.

          • Well said. To expand on that a little, if someone's trying to crack your account then they can probably afford to have a human involved who will have a somewhat reasonable chance of getting your clues correct.

            I recall reading, a few years ago, that some were using pr0n sites as a way to have humans answer CAPTCHAs. They rigged their pr0n sites to "proxy" the CAPTCHAs from the target websites. Once a human successfully answered a CAPTCHA, a bot could then get into the target site while the human continued to browse the pr0n site.

        • It might actually be worse, since the scheme describes providing a list of descriptions to choose from, one of which is the one that the user originally provided when the inkblot was generated.

          It is worse. The bot can just "choose" randomly. If the list is new each time, the correct answer will be the one item that is always in the list. If the items are the same each time, it will eventually get the right answer.

          True, limiting the number of guesses at a given time will slow the bots down, but they can do a single to each account in a list long enough to provide enough delay between attempts without having to idle between attempts.

  • by meerling (1487879) on Friday November 08, 2013 @03:25AM (#45365869)
    I can't pass any one of those they've got posted.
    I guess you need to be dropping acid for those to work.
  • Bwahaha! (Score:5, Funny)

    by Ignacio (1465) on Friday November 08, 2013 @03:26AM (#45365873)

    I dare them to take their scheme to the streets and fairly find 1000 people that can get them right.

    • by tftp (111690)

      I dare them to find enough commercial web sites who are willing to show such a finger to their paying audience. They would be far better off generating realistic "oil on canvas" images in impressionist style.

    • "Woman with large breasts, woman with medium breasts, woman with small breasts, this one looks like you... with breasts."
    • by Toad-san (64810)

      In the entire Known Universe! I couldn't even begin to recognize a single one of them.

  • What about colorblind people?

    • Re:Colorblind? (Score:4, Insightful)

      by oobayly (1056050) on Friday November 08, 2013 @04:20AM (#45366137)

      It doesn't matter, as they're the ones coming up with the description, not the website owners. In fact, for colour blind people it adds an extra layer of security as the image they perceive (and describe) may be completely different from how the majority would perceive it.

      • by Zedrick (764028)
        It does matter, a colourblind person (like me) can't see anything but random dots. How can I possibly come up with a description (that I will remember) for random dots?
        • by Imsdal (930595)
          You are assuming that people who see colour see anything other than random dots. I can understand why you would believe that, but in this case it is wrong. It IS just random dots. The colouration just adds to the confusion.
    • by tippe (1136385)

      Never mind them, what about those with trypophobia? Why won't anyone think of the trypophobics??

      • by retech (1228598)
        Mod this person up!
        • by tippe (1136385)

          You aren't by any chance trypophobic, are you?

          Say, what do you think of my new sig? I call it "swarming holes"...

          -----
          ooOoOOOoOOooOOOOoO
          oooOOOooOoOOOoOoOo
          OOOoOOoOooOoOOOoOo
          ooOOoOoOoOooOOOOooO

  • GOTTTCHA!

  • by zAPPzAPP (1207370) on Friday November 08, 2013 @03:51AM (#45365995)

    Today's Google opener is Hermann Rorschach.
    Is this story just a coincidence?

    I wonder what he could have read out of people's passwords?
    Your account may be secure, but now the admin knows everything about your mother issues.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Your haiku doesn't work.

  • by Trogre (513942)

    This is I guess a fitting way to celebrate Hermann Rorschach's 129th birthday. And today's Google Doodle makes about as much sense as this password scheme.

  • Why not put a live example online where people and computers can try this. And just a little test. These are the possible answer:
    1. lady with pink bowtie and purple mustache
    2. ugly narrow eyed person puckering up for a kiss
    3. bees on top fling towards each other, big U in the middle
    4. robot on a skateboard like thing
    5. square faced guy with big nose and short yellow hair fuzz
    6. hulk guy with tiny boxing gloves through the waist
    7. The letter H
    8. lipstick on a lady who takes steroids
    9. linebacker wit

    • by zAPPzAPP (1207370)

      I believe it is intended that you came up with those associations yourself.
      So when presented with the list of your past answers and the same group of pictures, you will be able to do it again.
      Trying to reverse another person's association-list will be much harder (and that is kind of the point here i guess).

  • by stenvar (2789879) on Friday November 08, 2013 @04:53AM (#45366251)

    This is kind of like people used to design cryptography before there were sound mathematical and information theoretic results: "Hey, this looks complicated to us. It must be a good crypto algorithm. Bet you can't break it."

    Unlike cryptography, this actually looks like a solution in search of a problem.

    • Actually you bring up a point that is the major flaw in this GOTCHA system; you aren't really trying to hack a random series of characters, you are hacking the "most likely" responses from people who see the images.

      So if some enterprising criminal is looking at the system, they try and get a database or a survey of "most common responses" -- so you might find about 24 most frequent responses like "bat". The system for practical reasons, won't be too tight on how it accepts descriptions, as a user isn't goin

  • All they have done is taken the old security question idea and replaced questions with images. While that makes it harder to circumvent using personal information, such as mother's maiden name or where were you born, it's really not that much better than if you simply give nonsense answers that you can still remember. After all, it would be just as hard for a bot or person to find out I was born on Moon Base Piper or lived on German Shepard Lane as match answer to blot. Depending on the number of tries allo

  • ...there are armies of developing-world workers willing to solve these things for fractions of a penny per GOTCHA. If only we could align incentives properly to harm scammers and their armies of solvers, without being a pain in the arse for legitimate users.
  • I'm guessing not.

    Let's say they present 10 options for each GOTCHA. That means that I could pick an option at random and have a 10% chance of getting it right. I could have 10 machines on my botnet try the same sign-up post and statistically one of them should guess the right answer, which for a sufficient number of attempts is more or less providing a known success rate. How is the system supposed to tell which of all those unique IPs giving correct answers are my guessing bots and which are real peo
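As an added example (not code from the article or the CMU challenge), the Python below models the scheme as the TFA quote in this thread describes it (user-written phrases stored in a random order, re-matched to the inkblots at login) and works out the random-guessing odds the comments argue about: 1/n for a single inkblot versus 1/n! for the whole matching. Storing only a PBKDF2 verifier over password plus permutation, the iteration count, and the sample phrases are my assumptions, not something the article states.

```python
import hashlib
import hmac
import math
import os
import random

# Constructed sample enrolment: four inkblots, four user-written phrases.
# These phrases are illustrative and not taken from the GOTCHA challenge.
SAMPLE_LABELS = ["robot on a skateboard", "the letter H", "square-faced guy", "hulk with boxing gloves"]


def _verifier(salt: bytes, password: str, matching: list[int]) -> bytes:
    """Assumed server-side verifier: bind the password and the permutation
    together so that a stolen record yields neither without the other."""
    data = password.encode() + b"\x00" + bytes(matching)
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def enroll(password: str, labels: list[str]) -> dict:
    """Enrolment. `labels[i]` is the user's phrase for inkblot i. The phrases
    are stored in a random display order; the permutation that maps each
    inkblot to its phrase's display slot is the secret the user must
    reproduce at login (kept only inside the verifier here, by assumption)."""
    rng = random.SystemRandom()
    slots = list(range(len(labels)))
    rng.shuffle(slots)                      # slots[i] = display slot of phrase i
    displayed = [""] * len(labels)
    for i, slot in enumerate(slots):
        displayed[slot] = labels[i]
    salt = os.urandom(16)
    return {"salt": salt, "phrases": displayed, "n": len(labels),
            "verifier": _verifier(salt, password, slots)}


def login(record: dict, password: str, matching: list[int]) -> bool:
    """Login check. `matching[i]` is the index into record['phrases'] the
    user picked for inkblot i. Rejects anything that is not a permutation,
    then compares the recomputed verifier in constant time."""
    if sorted(matching) != list(range(record["n"])):
        return False
    candidate = _verifier(record["salt"], password, matching)
    return hmac.compare_digest(candidate, record["verifier"])


def correct_matching(record: dict, labels: list[str]) -> list[int]:
    """What a user who remembers their own phrases submits (labels unique)."""
    return [record["phrases"].index(label) for label in labels]


# Guessing odds for a bot with no ability to read the inkblots.
def per_inkblot_guess_rate(n: int) -> float:
    """One inkblot, n phrases to choose from: the 1/n figure from the thread."""
    return 1 / n


def full_match_guess_rate(n: int) -> float:
    """All n inkblots matched correctly in one go: one of n! permutations."""
    return 1 / math.factorial(n)


def success_within(n: int, attempts: int) -> float:
    """Probability that at least one of `attempts` random full guesses
    succeeds, i.e. what an attempt limit or lockout actually buys."""
    return 1 - (1 - full_match_guess_rate(n)) ** attempts


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", SAMPLE_LABELS)
    good = correct_matching(rec, SAMPLE_LABELS)
    print("user who remembers phrases:", login(rec, "correct horse battery staple", good))
    bad = good[1:] + good[:1]               # right phrases, wrong assignment
    print("shifted matching:", login(rec, "correct horse battery staple", bad))
    for n in (4, 10):
        print(f"n={n}: per-inkblot 1/n={per_inkblot_guess_rate(n):.3g}, "
              f"full match 1/n!={full_match_guess_rate(n):.3g}, "
              f"10 tries={success_within(n, 10):.3g}")
```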
  • by nuckfuts (690967) on Friday November 08, 2013 @06:39AM (#45366615)

    The title should read:

    Researchers Prevent Humans From Cracking New GOTCHA Password Scheme

  • Literally every single one looks like a spider looking right at me to me.

  • They are pointless when armies of workers from India and other parts of the third world can blast through them by the thousands per day. These services are available for outsourcing just like any other service.

  • Why not just present the user with a few images of book covers, famous landmarks, or sports stars? Let them pick their favourite. Problem solved, no?

    • Okay, no, I suppose you could glean some of those things from social media these days. I forgot to allow for the stupidity of Facebookers. There's got to be a less inconvenient way to do this than blots, though.

  • I'm back from using the GOTCHA system and I can tell you that it's easy to remember and use;
    Naked Lady, gazoongas, two naked ladies, more gazoongas, someone stabbing mommy, mommy gazoongas, more stabbing, a side-boob.

    Someone else might call those six circle blobs and two triangles, but I'll remember! Now even though this system might not work for everyone, it will help identify people who don't like their mommies!

  • I claim that your associations and extrapolations are based on your sum life experience, not just who you are as a lump of genomes.
    As you live on your experiences may change you and you may no longer be able to see the same things in the blots.
    How would this system deal with the fact that the creator of the password no longer has the same associative views?
  • as hard to break and useful as captcha/gotcha.

    Step 1 Display something and let the user/ai enter a response

    Step 2 Always reject every response

    See, works as well as those 2 schemes and is much easier to implement.(I'm only being somewhat sarcastic btw.)

  • by PPH (736903)

    All I can see are terrorists.

    -- TSA Employee

  • Oh great. Another system to enforce segregation between organic and inorganic.
    When will this senseless discrimination end?

  • Each puzzle has a specific solution. Computers can recognize specific images quite easily. A person can feed image/solution pairs into their GOTCHA-solving script faster than you can make them.

    I'd like to be the first to solve this but I think it'll be done before I finish my lunch break.

  • hasn't anyone besides me played on Google's front page today? #rorsachdoodle for you twittospherics.
