Security AI

Researchers Dare AI Experts To Crack New GOTCHA Password Scheme 169

alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."
This discussion has been archived. No new comments can be posted.

  • tried it (Score:5, Insightful)

    by Anonymous Coward on Friday November 08, 2013 @04:10AM (#45365795)

    Turns out I am a computer. Couldn't have figured it out myself!

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday November 08, 2013 @04:39AM (#45365919) Journal
    It might actually be worse, since the scheme describes providing a list of descriptions to choose from, one of which is the one that the user originally provided when the inkblot was generated.

    Any CAPTCHA-style scheme that has to rely on a list of options (either because the cues are too vague, or because the answers aren't trivially expressible with a mouse and keyboard (or, now, a touchscreen...)) inherently runs into the issue that even a bot of essentially zero skill can now achieve a 1/n success rate, for an n-length list of options, by pure chance. Unless you want to piss off your users a lot, 1/n is probably actually going to be unnervingly good starting odds, for a trivial scraper-level bot, and the options list also means that any more sophisticated AI approach has a relatively small and discrete universe of possibilities to deal with.
  • by JaredOfEuropa ( 526365 ) on Friday November 08, 2013 @04:42AM (#45365939) Journal
    I find it rather hard as well. Imagine how well color-blind people will do at this test. Or people from other cultures / countries. People for whom English is a second language.

    Not to mention the fact that if I'd find something this convoluted on an account creation page, I'd most likely leave and never come back. CAPTCHAs are already bad enough.
  • by tftp ( 111690 ) on Friday November 08, 2013 @05:02AM (#45366063) Homepage

    A common man who cares about being able to remember an inkblot later on would describe it with specifics, like "five blue on top and three blue on bottom." This is quite parseable by a computer. The associative descriptions that the authors are hoping for are just not going to happen. Never. An association is a fleeting thing, especially when you are dealing with a random inkblot.

    Far more importantly, the inconvenience of matching those images will be so great that the web sites will lose audience, and the site owner will drop this stupidity.

    Most importantly, the method does not protect the customer - it only protects the web site owner. (A hacker can always figure out, with patience and time, which description fits what inkblot.) This means that millions of customers will be forced to endure this torture just for convenience of the site operator. This isn't going to fare well.

  • Re:Colorblind? (Score:4, Insightful)

    by oobayly ( 1056050 ) on Friday November 08, 2013 @05:20AM (#45366137)

    It doesn't matter, as they're the ones coming up with the description, not the website owners. In fact, for colour blind people it adds an extra layer of security as the image they perceive (and describe) may be completely different from how the majority would perceive it.

  • by stenvar ( 2789879 ) on Friday November 08, 2013 @05:53AM (#45366251)

    This is kind of like people used to design cryptography before there were sound mathematical and information theoretic results: "Hey, this looks complicated to us. It must be a good crypto algorithm. Bet you can't break it."

    Unlike cryptography, this actually looks like a solution in search of a problem.

  • Re:tried it (Score:5, Insightful)

    by pla ( 258480 ) on Friday November 08, 2013 @08:24AM (#45366817) Journal
    Turns out I am a computer. Couldn't have figured it out myself!

    This. Even with the answers, I can't recognize the features those descriptions supposedly refer to... "Little birdies facing each other on the bottom and little bees flying away from each other on top"??? WTF? Does anyone actually see the birds and bees the captions keep referring to?

    Dear security researchers - Any clever scheme that humans have trouble dealing with, will fail, no matter how "secure" you consider it. I can remember "correct horse battery staple" (with 1 through 9 tacked on at the end to get around annoying domain password history restrictions, of course - Case in point!). In TFA's case, I'd probably need to keep a goddamned picture of my password in my wallet to compare against each time I log in.
