Scientists Develop New Method To Improve Passwords
An anonymous reader writes "Scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany have developed a novel method to improve password security. A strong long password is split in two parts. The first part is memorized by a human. The second part is stored as a CAPTCHA-like image of a chaotic lattice system."
Well, it is indeed silly. What is stopping us from just doing a normal brute force?
That lists which authors of that paper endorse other papers.
Perhaps analyze this idea for its own worth rather than look for silly reasons to discard it? How about that it relies on generating a secure password already, which would be hard for people to memorize, how the blind couldn't use it, or how it's really just the combination of two already common ideas?
// MD_Update(&m,buf,j);
Heres an extra layer of security for your password.
You take another post it note and stick it to your monitor over the top of the one with your password on. To access your password just lift up the top sticky note.
I think the concept is fairly straightforward, though: If you make it hard for a computer to determine the difference between the plaintext and garbage, it will be hard to brute-force decrypt. In theory, by making the plaintext into a captcha the computer will no longer be able to tell when it has successfully decrypted the image, so (again in theory) after every password attempt a human will have to read the "decrypted" image to see if it is correct or not, so a brute force attack would (in theory) take an incredibly long period of time.
I see a few problems, though, in that (a) even if a computer can't read a captcha, it could probably tell the difference between it and random noise, (b) the computer could take "likely candidates" and farm them out to Mechanical Turk et al., and (c) it's not practical for anything but short text messages, since the message is no longer readable by a computer.
I could see it used for encrypting other passwords, though: Encrypt your files using a long random password, then encrypt that password using this captcha system and a password you can actually remember.
How can I believe you when you tell me what I don't want to hear?
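The layering suggested in the comment above (encrypt the files with a long random key, then protect that key with a password you can actually remember) can be shown in a few lines. This is an added example, not code from the thread or from the Dresden paper; it assumes only the Python standard library, uses PBKDF2-HMAC-SHA256 as the slow key-derivation step, and wraps the random data key by XOR with a one-time derived pad plus an HMAC tag. It also makes the "success oracle" point concrete: without the tag, every password guess "succeeds" and yields 32 random-looking bytes (the attacker has nothing local to check against), while with the tag the wrapper itself is the oracle, so the iteration count is what keeps each guess expensive.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 32      # length of the random data key that encrypts the files
SALT_LEN = 16
ITERATIONS = 600_000  # constructed default; tune to your hardware budget


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Stretch the memorable password into a wrapping pad and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def wrap_key(data_key: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    """Return salt || wrapped_key || tag for a 32-byte random data key."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be %d bytes" % KEY_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    pad, mac_key = derive(password, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unwrap_key(blob: bytes, password: str, iterations: int = ITERATIONS) -> Optional[bytes]:
    """Recover the data key, or None if the password (or blob) is wrong.

    The tag check is the local oracle a brute-forcer would use, so the
    cost of derive() is what bounds the guessing rate.
    """
    salt = blob[:SALT_LEN]
    wrapped = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    pad, mac_key = derive(password, salt, iterations)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def unwrap_key_no_tag(blob: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    """Same unwrap without the tag: any password yields 32 plausible bytes.

    This is the property the thread is discussing: with no integrity tag
    there is no local way to tell the right key from garbage, so a guess
    can only be verified by trying it on the encrypted files themselves.
    """
    salt = blob[:SALT_LEN]
    wrapped = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    pad, _ = derive(password, salt, iterations)
    return bytes(a ^ b for a, b in zip(wrapped, pad))


if __name__ == "__main__":
    data_key = secrets.token_bytes(KEY_LEN)   # the long random file key
    blob = wrap_key(data_key, "correct horse", 50_000)
    print("right password recovers key:", unwrap_key(blob, "correct horse", 50_000) == data_key)
    print("wrong password with tag:", unwrap_key(blob, "wrong", 50_000))
    print("wrong password without tag:", unwrap_key_no_tag(blob, "wrong", 50_000).hex())
```

The data key never leaves the machine in plaintext, and rotating the memorable password only means re-wrapping the 32-byte key, not re-encrypting the files. Keeping a tag is the sensible choice in practice; the example simply makes visible that doing so moves the verification oracle into the wrapper, which is why the KDF work factor matters.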
as long as I am not able to select my own login AND password.
I have a multitude of different logins that were given to me and that I cannot change. I have been given a multitude of passwords that I am unable to change, because I am not the only one to use that specific login.
Also have more than one security key.
Oh and I need to change some of them each month. I could easily remember a 32 character password. But not if I need to change it every month AND if I need to remember anywhere between 10-30 AND need to know what login it belongs to AND some can't be that long.
So sure, you can blame the human. However that IS a factor that will not go away. And as long as logins and password are basically a "Hey, I tried to protect the data, so I am safe"-thing for IT people, nothing will change.
Too often I see people that are responsible for the security try to find a technological solution for the social problem. Security is not a technical issue. It is a social process.
Don't fight for your country, if your country does not fight for you.
But they fail to realize that the private key is nothing more than a lengthy password
You don't quite understand how PKI works, do you?
and is in fact more susceptible to being stolen than a human-entered password is.
Uh, no, it's not, because a private key stays in one place - your computer - while the password is sent to each server, and you have to trust them to secure it properly. Which, as we have seen with Gawker, won't happen.
Dilbert RSS feed
From http://www.bash.org/?244321:
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.