Slashdot Mirror
Scientists Develop New Method To Improve Passwords
An anonymous reader writes "Scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany have developed a novel method to improve password security. A strong long password is split in two parts. The first part is memorized by a human. The second part is stored as a CAPTCHA-like image of a chaotic lattice system."
Well, It indeed silly. What is stopping us from just doing normal bruteforce?
Two days late, guys. HIYGCOTWO.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
That lists which authors of that paper endorse other papers.
Perhaps analyze this idea for its own worth rather than look for silly reasons to discard it? How about that it relies on generating a secure password already, which would be hard for people to memorize, how the blind couldn't use it, or how it's really just the combination of two already common ideas?
// MD_Update(&m,buf,j);
Heres an extra layer of security for your password.
You take another post it note and stick it to your monitor over the top of the one with your password on. To access your password just lift up the top sticky note.
mod down, goatse link, sage sage sage.
So if someone steals the password list off a server and wants to steal the admin passwords, all he has to do is to read the captcha himself, work it out (being a human and all that), then try to break the hash by adding the 'captcha answer' to the end of the string.
Sure it might make it harder for someone to try to steal passwords from a large list, but if you're only targetting admin (or specific ones) it'll actually make things less secure. You tell people they only need to remember half the password and the rest is "uberencrypted" and their half will be easy to remember stuff you can dictionary attack.
It causes "ePDFViewer" (the random PDF viewer firefox and/or linux decided to bring as default option when opening such link in firefox) to hang for a minute and use 100% CPU whenever scrolling or zooming.
Well, if you actually read the paper, you'd have answers to those questions.
What they are proposing is a method that uses CAPTCHA-like systems to make the automating brute-forcing of the password much more difficult (but, since it's a CAPTCHA, it's still easy for a human to handle). The idea is that then you don't need the human to memorize as strong of a password: you can get the same level of security with weaker passwords. This won't let people use trivial passwords, but would allow you to greatly decrease the crazy/silly password requirements, because the decryption side becomes so difficult to automate. (You could always brute-force using a mechanical Turk setup, so you would need the user to pick a decent password, but as long as the search space is at least a few hundred thousand or million passwords, it's going to be impractical to hire CAPTCHA-readers to break it...)
The details of how they split a single strong password into two halves (a short bit that the human can memorize and a longer more secure bit that the user releases using CAPTCHA, and thus doesn't have to memorize) is quite interesting. Worth a read. This implementation might have mistakes that make it less secure than it seems at first, but the overall idea is really quite amazing.
So let's just be clear, they've re-invented seeding a password?
Seriously... how does this help? Sure, it might give brute-force a harder time, but wouldn't people just brute-force the captcha? Hm.
The real solution is to let the user have their dumb password that is easy to remember, but require them to also scan some biometric like their fingerprint or iris. This way, the only way that they can be compromised is by an attacker having access to both some physical characteristic in combination with their easy-to-guess password.
Social Engineering Expert: Because there is no patch for stupidity.
I think the concept is fairly straightforward, though: If you make it hard for a computer to determine the difference between the plaintext and garbage, it will be hard to brute-force decrypt. In theory, by making the plaintext into a captcha the computer will no longer be able to tell when it has successfully decrypted the image, so (again in theory) after every password attempt a human will have to read the "decrypted" image to see if it is correct or not, so a brute force attack would (in theory) take an incredibly long period of time.
I see a few problems, though, in that (a) even if a computer can't read a captcha, it could probably tell the difference between it and random noise, (b) the computer could take "likely candidates" and farm them out to Mechanical Turk et al., and (c) it's not practical for anything but short text messages, since the message is no longer readable by a computer.
I could see it used for encrypting other passwords, though: Encrypt your files using a long random password, then encrypt that password using this captcha system and a password you can actually remember.
How can I believe you when you tell me what I don't want to hear?
as long as I am not able to select my own login AND password.
I have a multitude of different logins that were given to me and that I can not change. I have been given a multitude of passwords that I am unable to change, because I am not the only one to use that specific login.
Also have more then one security key.
Oh and I need to change some of them each month. I could easily remember a 32 character password. But not if I need to change it every month AND if I need to remember anywhere between 10-30 AND need to know what login it belongs to AND some can't be that long.
So sure, you can blame the human. However that IS a factor that will not go away. And as long as logins and password are basically a "Hey, I tried to protect the data, so I am safe"-thing for IT people, nothing will change.
To often I see people that are resposible for the security try to find a technological solution for the social problem. Security is not a technical issue. It is a social process.
Don't fight for your country, if your country does not fight for you.
That will work really well for remote access.
Idiots.
Contrary to the popular belief, there indeed is no God.
to improve password security and not to make a fail safe method. In a way that users can still create passwords like "123456" (they allways will, if they are allowed to), but by adding the captcha they will be harder to crack.
Sig? Heil
You don't need a bunch of mumbo jumbo to make a brute force attack ineffective, all you need to do is lock the account after x failed login attempts.
But they fail to realize that the private key is nothing more than a lengthy password
You don't quite understand how PKI works, do you?
and is in fact more susceptible to being stolen than a human-entered password is.
Uh, no, it's not, because a private key stays in one place - you computer - while the password is sent to each server, and you have to trust them to secure it properly. Which, as we have seen with Gawker, won't happen.
Dilbert RSS feed
then your "solution" will be to suggest the use of a private key, which is nothing more than a lengthy password that's often stored in a file that can be easily stolen.
Except that if someone steals the USB dongle on my keychain, I'm likely to notice.
Sure, it's possible that there's malware on the computer copying all of my keys as I speak, but the same could be said for the keylogger copying all my passwords, so its pretty easy to establish that public/private keypairs are more secure than just plain passwords, given that they are significantly harder to brute force, for any reasonable protocol the key is never sent over the wire (the server asks the client to encrypt something in order to prove that it possesses the private key matching the public key), and they can provide for positive identification of both sides of the connection (given that the server has its own private key).
If I have been able to see further than others, it is because I bought a pair of binoculars.
Different systems have different parameters. One required 5-8 characters, including 1 number and 1 capital letter. I ran into one that had to be exactly 6 characters, but no other restrictions. One had a requirement of a 'special' character, i.e. $ * # ! ) etc. I understand the restrictions, somewhat, but my passwords tend to be 10-15 characters long with numbers but no special characters. Sometimes a capital letter or 2.
Instead of creating new schemes, just let me use this-
"ijustgotanewpuppyandinamedhimbippyandhesverycute"
Brute force that for my Amazon account. It's a whole lot better than "borked" for that 6 character password scheme I mentioned above.
Vote monkeys into Congress. They are cheaper and more trustworthy.
There are 3 basic ways a person can identify themselves:
1. What you know - like a password
2. What you have - like a keycard, or a one time password generator
3. What you are - biometrics
The advantage of 1 is that it can only be stolen when being used.
The advantage of 2 is that it can't be easily copied without removing it from the person.
The advantage of 3 is that it can't be stolen, but can be copied without being used.
I've seen places like air ports that use all 3. Swipe your card, punch in the pin, and scan your fingerprint. However, it is often not practical to require users to use all 3. A password is easy to give out, but can be easily forgotten. A keycard or password generator is a physical device that has to be issued to the individual. Biometrics requires special hardware that many users don't have, or you can afford to install on your building doors. Having fingerprint readers on your computer won't really help too much against if your computer gets compromised, while #2 can help deter this. On the other hand, if fingerprint readers become standard issue on computers, then many web sites can add it to their log in requirements (your computer would send a hash of your fingerprint based on the certificate of the requesting web site to avoid it being used for another site).
because a private key stays in one place - you computer
I think that is what he is pointing out. A regular password is stored in your brain. A private key is stored someplace on your computer and the computer itself could be stolen, or the data could be copied (border security Gestapo is an example). I also remember some articles about freezing active memory to retrieve stored keys in memory on systems that are secured (locked) but still running.
Of course it is not as simple as that and there is more to consider. Just pointing out that is what I think he meant by more easily stolen. He certainly does not compare the two methods fairly or thoroughly.
As for the article I am not really sure how innovative this is. CAPTCHA is a dying technology in its current implementation. It is purely based upon the premise the a human brain is a much better pattern recognition device then any artificial device we can currently come up with. This is inevitably being proven false. I give it two decades max. After which Turing tests are going to have to evolve to physically inspect the devices themselves similar to Blade Runner. They did not ask the "device" to recognize a pattern, only how it felt about a turtle on its back. Ohhh, and the testing was a little more dangerous to the tester.
Bruteforcing of interfaces is the simplest thing to defend against. My preferred method is using geometric progression to add a delay for every failed attempt. Lockout after three tries is a bit simplistic and user unfriendly. Brute forcing is going to use a hell of a lot more than three. Geometric progression makes more sense to me and is more user friendly.
...is that the whole password cannot be decrypted in an automated way, because even though a computer program would quickly guess the short password (SP), the fact that the strong key (SK) is stored as a CAPTCHA prevents the computer program from obtaining it, even with the correct SP.
The point is not (as some seem to believe) to help the user memorize a longer password by storing part of it for him. This approach actually wouldn't introduce any added security, as you still have a single point of failure (the memorized short password).
Of course, that whole massive procedure around three-factor authentication goes to hell when the first guy holds the door open for the two people standing behind him. The biggest issue always has and will likely always be social - the person walking around in a jumpsuit with a toolbelt will, in almost all locations, be assumed to be on the maintenance staff and will go completely unquestioned as he attaches mystery devices to the network wiring. Basically, the sooner that we're taken over by the machines, the sooner we can finally have effective security.
How are sites slashdotted when nobody reads TFAs?
From http://www.bash.org/?244321:
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Sorry, but I don't understand how this could possibly be any better than combining existing password and CAPTCHA systems, which I am fairly certain has been done before. If the CAPTCHA and password didn't have a link between them it would likely be more secure. Their system only provides some benefit until someone leaks the algorithm for generating the CAPTCHA.
Is there something that I am missing?
~$ cd down
/home/jthill/down
~/down$ java -jar pcaptcha.jar
Failed to load Main-Class manifest attribute from
pcaptcha.jar
~/down$ java main -jar pcaptcha.jar
Exception in thread "main" java.lang.NoClassDefFoundError: main
Caused by: java.lang.ClassNotFoundException: main
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
Could not find the main class: main. Program will exit.
~/down$
Here's my try at a non-academic rendering:
Password cracking is generally "known ciphertext" -- they have /etc/shadow or whatever, probably because they just confiscated your filesystem, and can brute-force keys looking for one that produces the ciphertext they stole. Humans practically never memorize passwords long enough to defeat a brute-force search.
This makes that not work, because what's stored isn't the ciphertext. Instead, what's stored is combined with the password you supply to produce an image, which you then iteratively modify a few hundred times. Whether you've supplied the right password or not, all the modifications will look similar -- except that if you've supplied the right password, one of the iterations, while looking a lot like all the others, will also be a captcha. The authors implicitly claim that it's as hard to answer the "is-it-a-captcha-at-all" question as it is to to decipher one, leaving a would-be brute-forcer the task of solving hundreds of thousands of captchas to find even a criminally weak password like 'm0ney'. Solving the right captcha gets you the rest of the real password, which will be a strong one, long and random.
==
Somebody else already questioned that implicit claim, and I'll point out that the paper is written as if the number of iterations is secret ("The attacker attempting a brute-force attack has to visually analyze each image obtained by time-evolution of each incorrect state") -- as if the legitimate user is going to eyeball 350 images at every login, looking for the right one.
But the real question is whether or not it's really that hard to distinguish the payload iteration from the rest.
As always, all IMO. Insert "I think" everywhere grammatically possible.
https://www.pixelock.com/
double penetration;
The password for nvidia-latest.crpt is "foo". Please decipher the captcha. It turns out your demo, along with turning less than 1K of shell script into 400K of encrypted file, also wiped the original. I've tried q, w, u, n, j, jv for the last letter(s). I figure you need the annoyance a lot more than I do.
As always, all IMO. Insert "I think" everywhere grammatically possible.