Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scientists Release Working Prototype Of CAPTCHA-Based Password Assistant

Posted by timothy on from the holding-out-for-retinal-scans dept.

An anonymous reader writes "Last year Slashdot ran a story on scientists from the Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany developing a novel method to improve password security. A strong long password is split in two parts; the first part is memorized by a human, and the second part is stored as a CAPTCHA-like image of a chaotic lattice system. Today, after a year of work, the same group at Max Planck Institute released a working prototype online, where everybody can try this technology to encrypt files (Java plugin required)."

15 of 86 comments (clear)

  1. Re:um by Anonymous Coward · · Score: 3, Informative

    Actually, this is better -- it prevents brute-force attacks unless you have a very, very good method of solving CAPTCHAs. Even if you can solve the CAPTCHA, though... there's no guarantee that you'll get a good CAPTCHA based on the password you're trying.

  2. is there any good analysis in the year since? by Trepidity · · Score: 4, Insightful

    Rather than attempting to personally evaluate the paper, not being an expert in this area, it'd be interesting if a third party has done some analysis, even preliminarily, on the system, so we can rely on more than the authors' own views. The paper itself was published in a somewhat strange venue for a new cryptosystem, Europhysics Letters, which isn't really a problem, but doesn't provide strong assurance that cryptography experts have vetted it, either (but perhaps they have elsewhere?).

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  3. Requires self-signed applet with full privileges by Plouf · · Score: 4, Interesting

    This requires self-signed applet with full privileges so by using this new security solution I will put my computer at risk. Isn't that great? I would have expected that people working in the security domain would not have the "I don't bother about actual rights I need so let us request full access" attitude.

  4. NOT SIGNED code, could be harmfull by Anonymous Coward · · Score: 3, Interesting

    WARNING

    My java said that the code was not signed. It could be swapped or faked. Don't run it unless it is signed and verified properly. It also gains full acess to your computer... so don't run it until it is restricted.

  5. Re:Requires self-signed applet with full privilege by Anonymous Coward · · Score: 4, Informative

    Plouf - we need these permissions in order to read the files :-)

    As far as self-signed goes - we did not want to spend $500 on a chunk of bytes :-) Please trust us :-))

    Konstantin

  6. Re:um by dgatwood · · Score: 3, Insightful

    Of course, it's a security scheme designed using Java just two days after a story about a security hole in Java that allowed automatic installation of a trojan. Thanks, but no thanks. You can keep your security if that's the language you want to use to implement it.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. Re:Requires self-signed applet with full privilege by SashaMan · · Score: 5, Insightful

    Absolutely - I couldn't believe the irony of this great security solution requesting full access to my machine with a self-signed certificate. I wonder if this actually a psychology experiment to show that even when people are thinking about security that they're still willing to give up the keys to the kingdom as long as you ask nicely and state that you're a "security researcher".

  8. Re:um by errandum · · Score: 3, Interesting

    Because they are, clearly, associated.

    Most encryption algorithms and libraries in java follow the standards implementation. If used properly they are as secure as possible.

    Don't confuse the relative security of a language (in allowing you to run code outside of the VM) with encryption algorithms. That's completely idiotic. It's like saying you should not eat meat because it's raining (yep, as idiotic as that).

  9. Re:um by theshowmecanuck · · Score: 4, Funny

    I heard a story about a virus written in C. That's why I'm writing this on Slashdot with an abacus.

    --
    -- I ignore anonymous replies to my comments and postings.
  10. A better mousetrap? by hairyfish · · Score: 3, Insightful

    These stories seem to pop up every week about how we have a new system that is better than a regular password. You can't get better than a regular password because the weakest link in the whole password process is the human. Make the authentication process any more complex and the human becomes an even weaker link. The other big miss that none of these stories never seem to cover (esp biometrics) is that the great strength of a password is its portability. If I need someone to do something on my behalf I can tell them the password and they can do it, and it gets done. This may sound like a weakness on the surface, but the alternative non-portable method would mean all those things wouldn't otherwise have been done, and ultimately systems are designed to do things. Therefore, too strong an authentication makes the overall system less effective. Security is about balance. You can't build a house without doors and windows, and I think the regular old password is the best balance you'll ever get to authentication. Why waste energy trying to build a better mousetrap?

  11. Enough wisecracks, let's start thinking. by goodmanj · · Score: 5, Insightful

    Slashdot comments usually contain at least a few insightful comments, but so far people have been going for wisecracks and low-hanging fruit.

    Yes, using a self-signed certificate in a security product is stupid. Yes, trusting physicists to come up with a good encryption scheme is like hiring a plumber to do heart bypass surgery (I am a physicist). But those are boring criticisms. A more interesting question: is the basic idea actually any good?

    If you play with it, it looks like it boils down to using a short easy password to generate a chaotic bit pattern; this bit pattern is XORed against a Captcha image. The result is easy for humans to read. If you try to decrypt with the wrong password, you get a different chaotic bit pattern that can't be read. But a computer has to do a lot of work to figure out if each bit pattern contains readable text or not.

    The goal here is not to increase the entropy of the password, or to use an asymmetric algorithm that's much easier to encode than decode. Instead, they're trying to make each decryption attempt require enough compute cycles that it's impractical to brute-force even a short password.

    The obvious direct attack is to write a very good, very fast captcha detector. It doesn't actually have to be able to *read* the captcha at all: it just has to be able to filter out "obviously doesn't contain text" from "probably contains text", and present the likely candidates to a human for final analysis. Some sort of noisy edge detection algorithm might work well.

    If you hate writing computer vision algorithms, a simple Mechanical Turk approach might also work. If you presented a full-screen grid of 100 candidate decryptions to a human, they could probably identify one that contains text in a couple of seconds. A single human should be able to complete an English dictionary attack in a day.

  12. Re:um by tepples · · Score: 3, Insightful

    First, it's Java, not JavaScript. Second, if you've installed Kaspersky AV or any ElcomSoft product or even played Tetris®, you've run Russian code on your machine.

  13. Re:Requires self-signed applet with full privilege by FrootLoops · · Score: 5, Interesting

    There are too many oddities for me to try out the service, sorry.

    1. The service isn't hosted on a .edu domain.
    2. The about page makes a remarkably strong and vague claim for a group of scientists: "We are currently the strongest online encryption service available on the Internet."
    3. The story was submitted anonymously rather than with a "full disclosure" warning.
    4. There's no link on the web site to any supporting institutions, grants, or anything like that, even though the summary twice mentions the Max Planck Institute.
    5. The unsigned software wants full access to my machine.

    For all I know, this is an elaborate ruse to get a few poor saps to run untrusted code. I have nothing but the web site's word and the word of an anonymous commenter to go on balanced against the above weirdness, so I'm going to play it safe and move on.

    As for you, "Konstantin," perhaps you're just a weird person, but there are way too many oddities for me to simply believe that you're the K. Kladko from the paper.

    1. Your grammar and style are remarkably informal for an academic. You write like a teenager.
    2. You use way too many smilies for a security researcher.
    3. You sign your name while posting anonymously--just sign up for an account already.
    4. You expect me to run untrusted code on my machine as a security researcher just because you say, "Please trust us". Seriously? Seriously? (It bears repeating.)
    5. You're making lots of comments here. Usually scientists don't make any appearance on /. comments about their work, or if they do their posts are highly informative (eg. The Bad Astronomer).

    My strong suspicion is that you're just rather young and naive and don't have enough supervision on this project. I'm not trying the software though.

  14. Re:um by Patch86 · · Score: 3, Interesting

    Why bother having the user set the word that is going to be displayed as a CAPTCHA? Why not just have the user set a password in the conventional way, and then show them a random CAPTCHA (also in the conventional way)? You'd get the same defence against a computerized brute-force or dictionary attack, but without the added security weakness of the user giving away the second part of the password (such as by key logger, or nosy desk neighbour, or writing it on a post-it).

    I suspect the reason most systems don't ask for a CAPTCHA alongside password entry is because CAPTCHA is a pain in the rear for users- which the system in TFA would still be.

  15. Re:um by Patch86 · · Score: 3, Interesting

    So in what way is this an improvement over a regular CAPTCHA (with a random set of letters and numbers, not set by the user)? A conventional random CAPTCHA will defend against brute force attacks in exactly the same way.

    TFA's proposed method would mean that either a) users will manage to remember the second part of their password (in which case why display it on screen- why not treat it like a regular password and keep it in the user's head) or b) users will need to read the CAPTCHA and enter the word as they see it (in which case why keep the word the same each time, why not randomise it like normal).