Researchers Dare AI Experts To Crack New GOTCHA Password Scheme
alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."
I feel like they might as well have asked me to paint a picture which best conveys my ex-girlfriend's LiveJournal post from 2001.
Turns out I am a computer. Couldn't have figured it out myself!
The source code for the challenge was written in the C# programming language
nice try Microsoft but I'm still not falling for it!
Anons need not reply. Questions end with a question mark.
They've already been shelling out free porn in exchange for people solving captchas for them... I don't think this will change anything...
WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
I don't see any of these. e.g. How the F*** is that a robot on a skateboard?
The only winning move is not to play.
Did the researchers ever try having someone not on their team pass this test? There's no way anyone could figure out which ink blot is which unless they were involved in the naming process.
According to this challenge, I'm totally failing the Turing test. Is http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge_files/Account%200Inkblot4.jpg really a "robot on a skateboard like thing" to anyone here? What am I missing?
Does it count as a password system if the legitimate users are not able to log in ?
Sounds like they'll be weeding out all the visually impaired Internet users along with the SPAMbots. I don't count this as progress. We already have silly "solve this simple math problem" and "copy the forth werd in this s3nt3nce" puzzle questions which are easier to solve and sometimes more effective than captchas. If we have to stare at ink blots and answer dumb trivia questions to use the Internet, we still haven't won this fight.
It may or may not be uncrackable. Woot. But it certainly is untenable, unwieldy, and unimplementable. I've got to generate 6+ random-ish images, assign descriptions, and then at some point in the future re-match them? Why not have me generate a one-time pad at the length needed and ask me to remember that?
I can't pass any one of those they've got posted.
I guess you need to be dropping acid for those to work.
I dare them to take their scheme to the streets and fairly find 1000 people that can get them right.
Using US-centric terms is certainly not going to help the rest of the world ...
What about colorblind people?
I've got better things to do tonight than die.
GOTTTCHA!
Visit the Arcade Restoration Workshop @ http://www.arcaderestoration.com
Today's Google opener is Hermann Rorschach.
Is this story just a coincidence?
I wonder what he could have read out of peoples passwords?
Your account may be secure, but now the admin knows everything about your mother issues.
Am I the only one that gets a special feeling in my pants after seeing inkblot 2
Monstar L
This is I guess a fitting way to celebrate Hermann Rorschach's 129th birthday. And today's Google Doodle makes about as much sense as this password scheme.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
with an LSD cartridge to make this work.
Why not put a live example online where people and computers can try this. And just a little test. These are the possible answers:
1. lady with pink bowtie and purple mustache
2. ugly narrow eyed person puckering up for a kiss
3. bees on top fling towards each other, big U in the middle
4. robot on a skateboard like thing
5. square faced guy with big nose and short yellow hair fuzz
6. hulk guy with tiny boxing gloves through the waist
7. The letter H
8. lipstick on a lady who takes steroids
9. linebacker with mustache and yellow nose
10. little birdies facing eachother on the bottom and little bees flying away from eachother on top
Now which one is http://houghi.org/Fun/blob.png ? ....
Please first look at the images on the original site and then look at this one. Do not go back to the original site. Extra points if you put some time in between the 'learning' and the 'verification'. Say an hour, a day,
Now use a computer and use `identify -verbose http://houghi.org/Fun/blob.png |grep signature` and do that with the originals.
I am sure many people will be able to figure out a program that can link the images.
So to me it looks as if there is a serious difference between the images when you are a computer. And this is only one parameter that shows a difference. There is creation date and what not.
So instead of some blobs, they could have used images of things that people can see. e.g. "a linebacker with mustache and yellow nose". The computer does not care what the image says.
Or they could try to be clever and make at least the identify part identical. Then we would have something to talk about.
For now the images make it more difficult for humans, not for computers. (Or did they think to throw off their Windows machines by saving png images as jpg?)
Don't fight for your country, if your country does not fight for you.
dare to write a proper headline,
they didnt dare
captchas don't effectively protect passwords and that shit looks random.
This is kind of like people used to design cryptography before there were sound mathematical and information theoretic results: "Hey, this looks complicated to us. It must be a good crypto algorithm. Bet you can't break it."
Unlike cryptography, this actually looks like a solution in search of a problem.
This is really pointless.
Spammers and other CAPTCHA breakers rely on overwhelming the resource protected by the CAPTCHA through sheer numbers. They don't care about being right 100% of the time because they can just try again, thousands and thousands of times. 90% success is totally OK. Even 10% success is probably enough to make money from the scheme. The less chance of success, the more it discourages the scheme.
The reason why words are used for CAPTCHA is because a typical 6 letter word has 26^6 = 308915776 possibilities. You can't guess it by chance, you have to do the word recognition to have a hope of being accurate.
These other schemes where there's a fixed list of possibilities and one is right have a probability of 1/length of being guessed correctly. If there are 5 options then you will have a 20% success rate without any code at all! This is why they're useless, no matter how much "nicer" they look than trying to decipher a word.
I bet if you train a neural net or genetic algorithm on these things for a couple of weeks it'll do a lot better than me.
I can barely tell the difference between the images, let alone see anything in them.
All they have done is taken the old security question idea and replaced questions with images. While that makes it harder to circumvent using personal information, such as mother's maiden name or where were you born, it's really not that much better than if you simply give nonsense answers that you can still remember. After all, it would be just as hard for a bot or person to find out I was born on Moon Base Piper or lived on German Shepard Lane as match answer to blot. Depending on the number of tries allowed, brute forcing by recognizing the blot and going through possible answers would yield a match. The one advantage I see is you can give nonsense answers that are more easily recalled since the blot can trigger the memory while a bot would need to guess. If they use 3 inserts and 3 blots the bot has a 1 in 3 chance of getting it right the first time.
Perhaps there is more to it than simple match the picture with a phrase?
I'm a consultant - I convert gibberish into cash-flow.
...there are armies of developing-world workers willing to solve these things for fractions of a penny per GOTCHA. If only we could align incentives properly to harm scammers and their armies of solvers, without being a pain in the arse for legitimate users.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
I'm guessing not.
Let's say they present 10 options for each GOTCHA. That means that I could pick an option at random and have a 10% chance of getting it right. I could have 10 machines on my botnet try the same sign-up post and statistically one of them should guess the right answer, which for a sufficient number of attempts is more or less providing a known success rate. How is the system supposed to tell which of all those unique IPs giving correct answers are my guessing bots and which are real people? I'm also pretty sure that a fully automated 10% hit rate via a bot is going to be a lot quicker and cheaper at getting past the system than paying people a few cents an hour in some third world country to manually process the current CAPTCHA system.
Sorry guys, but notwithstanding all the issues with people who are colour blind or have perception issues with inkblot images, I don't think this is going to improve the situation at all.
UNIX? They're not even circumcised! Savages!
The title should read:
Researchers Prevent Humans From Cracking New GOTCHA Password Scheme
Literally every single one looks like a spider looking right at me to me.
They are pointless when armies of workers from India and other parts of the third world can blast through them by the thousands per day. These services are available for outsourcing just like any other service.
They must be smoking some good stuff!
Why not just present the user with a few images of book covers, famous landmarks, or sports stars? Let them pick their favourite. Problem solved, no?
systemd is Roko's Basilisk.
Seriously. These just look like blob collections. I'm not even sure I could tell if one of the inkblots changed to another one, even with the phrases. I'm sure this is secure, but not at all sure it's useful.
I think I'd rather use a test that just asks me to click on the hot women real quick.
http://bettercgi.com/images/face-turing-captcha.png
I'm back from using the GOTCHA system and I can tell you that it's easy to remember and use;
Naked Lady, gazoongas, two naked ladies, more gazoongas, someone stabbing mommy, mommy gazoongas, more stabbing, a side-boob.
Someone else might call those six circle blobs and two triangles, but I'll remember! Now even though this system might not work for everyone, it will help identify people who don't like their mommies!
>>"ad space available -- low rates!!!"
It fails at what it was designed for, in a worse way than captcha.
The theory behind such passwords or password enhancements is to introduce something which is pretty damn simple for a human to perform (reading and typing something down, or making a few simple cognitive tasks), while being awfully complicated for a bot to do, in order to slow down automated attempts.
Even if you have 10 such images to match each with one of 10 user-generated phrases, that *only* has 10! combinations, which more or less is equivalent (21 bits of security) to a 4-5 letter case-*IN*sensitive password (or a 3 character long "mixed case, alphanum with punctuation" password). That's something that's absolutely trivial to brute force for a computer.
If they use the text password as a generator for the images, this is only like extending it by a couple of characters. Not even doubling the size of the password (doubling would have been better).
Meanwhile, trying to make some sense out of this ugly colored mess is quite taxing on the human brain.
These image don't mean anything directly. And if you try using imagination, it's going to be very hard remembering which is what. If you're not in the same mood, it could take quite some time to remember which of the two collection of colored dot reminded you of "a bunch of kittens in a basket" and which one looked more "jesus face appearing on the surface of a peanut buttered toast".
By the time you finish wondering, a brute force method would have already found the answer several times in a row.
Things get even worse if they use the text password as a generator of images:
maybe the reason that you cannot find which image was the "fat lady spanking a midget" is that you mistyped the password and thus generated the wrong set of pictures.
Only two methods to help:
- ask user to use a very simple password:
congratulations, you've successfully reduced the security of the whole system. You've combined a very easy password to brute force with something that's almost trivial (only extends the security by 21 bits).
- proceed in two rounds: first validate the password (preferably against a KDF like scrypt, but it will very probably be only an easier-to-brute-force hash in most applications). And then a second step using images generated using the now guaranteed correct password. As said above, such a second step is almost trivial to brute-force. Most of the time spent in brute-forcing such 2-step authentication would go in the first step. The presence of the 2nd step doesn't pose much problems to a brute-forcer, while being a real pain in the ass for humans.
In short, it looks like this Dilbert strip.
Very inconvenient to put in practice.
And that's not even counting disabilities that would prevent a human from even being able to operate this: I'm not even thinking about weird disabilities like prosopagnosia (impossibility to distinguish faces), but much more frequent and mundane ones like colourblindness (and thus stripping one piece of information you could use to distinguish between images, like "picture 1 is 'reddest of the series' and picture 5 'has the most green'") or simply being a socially awkward geek (and having a much smaller reference pool in terms of faces).
If you're not confident enough in relying on pass-*phrases* to increase the brute-force search space, at least use something that is not too cumbersome for the end-user (2-factor identification. Either get an SMS or sign something with a private key in your QR-code enabled smartphone).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I am partially colorblind. All I saw was a bunch of numbers that those eye doctors kept telling me where in THEIR dot pictures.
Lying doctors! They hid their numbers in these OTHER pictures.
You have to match up your descriptions of the 10 not-a-bot blots to the blots and enter your password.
You need to correctly think and remember 11 passwords (well 10 of them are mutually exclusive, but it's still 10 things to remember).
Hard for humans.
A computer brute-forcing this only needs 10! combinations, which is about equivalent to a 3 character "numbers, mixed-case letters and signs" password. i.e.: something absolutely trivial for a computer.
By the time you finish wondering how to log in, an offline brute-forcer would have managed to break quite a few of your colleagues' credentials.
This "solution" puts more hassle on a human than on a brute-forcing algorithm.
For me this is a *Fail*
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
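The guessing arithmetic that several comments above argue from (a fixed list of options gives a bot a 1/N chance per try; matching 10 images to 10 phrases is a 10! search space, about 21 bits) is worked through below as an added example. This is not code from the GOTCHA researchers (their challenge code is C#, per the summary) and it makes one assumption the page does not settle: that the whole permutation has to be exactly right, with no credit for a partial match. Function names are mine. It also shows a check the "10 machines, 10% each" reasoning glosses over: ten independent guesses at 1/10 succeed at least once only about 65% of the time, and you need 44 of them for 99%.

```python
"""Back-of-envelope numbers for fixed-choice and permutation-matching tests.

Added example. Assumes a matching round only passes when all n images are
assigned to the right phrase (no partial credit); the real scheme's rules
are not described on the page.
"""
import math
from fractions import Fraction


def random_guess_success(options: int) -> Fraction:
    """Chance that one random pick out of `options` fixed answers is correct."""
    return Fraction(1, options)


def p_at_least_one(options: int, attempts: int) -> float:
    """Probability that at least one of `attempts` independent random guesses succeeds."""
    return 1 - (1 - 1 / options) ** attempts


def attempts_for_confidence(options: int, confidence: float) -> int:
    """Fewest random guesses needed to succeed at least once with the given probability."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - 1 / options))


def matching_bits(n_images: int) -> float:
    """Search space of matching n images to n phrases, as bits: log2(n!)."""
    return math.log2(math.factorial(n_images))


def password_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def equivalent_password_length(bits: float, alphabet_size: int) -> float:
    """How many symbols of the given alphabet carry the same number of bits."""
    return bits / math.log2(alphabet_size)


def two_step_bits(password_length: int, alphabet_size: int, n_images: int) -> float:
    """Password round followed by a matching round: the search spaces multiply, so bits add."""
    return password_bits(password_length, alphabet_size) + matching_bits(n_images)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at a fixed (assumed) offline guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("5 fixed options, one random pick:", random_guess_success(5))
    print("10 options, 10 bots, P(>=1 success):", round(p_at_least_one(10, 10), 3))
    print("10 options, guesses for 99% confidence:", attempts_for_confidence(10, 0.99))
    bits = matching_bits(10)
    print("10! matching round:", round(bits, 2), "bits")
    print("  ~", round(equivalent_password_length(bits, 26), 2), "lowercase letters")
    print("  ~", round(equivalent_password_length(bits, 95), 2), "printable ASCII chars")
    # Assumed rate of one million guesses per second for a cheap offline attack.
    print("  exhausted in", round(seconds_to_exhaust(bits, 1e6), 1), "s at 1M guesses/s")
    print("8 lowercase chars + 10-image round:", round(two_step_bits(8, 26, 10), 2), "bits")
```

The last two lines are the point the two-round argument makes: the image round multiplies the attacker's work by 10! (a few seconds at a million offline guesses per second), so whatever security the login has still comes almost entirely from the password and from how it is hashed.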
The system above IS in use on some tranny sites!
I claim that your associations and extrapolations are based on your sum life experience, not just who you are as a lump of genomes.
As you live on your experiences may change you and you may no longer be able to see the same things in the blots.
How would this system deal with the fact that the creator of the password no longer has the same associative views?
Step 1 Display something and let the user/ai enter a response
Step 2 Always reject every response
See, works as well as those 2 schemes and is much easier to implement. (I'm only being somewhat sarcastic btw.)
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
No wonder Slashdot's owners make so much money each year from this site- almost none of it from the visible ads.
Of course companies pitching their products use this ploy to gain publicity and potential (sucker) customers. The uncrackable safe, the unpickable lock- the method has been a favourite in the USA for more than one hundred years.
To address the nonsense directly, NO Turing test can be generated and then judged by a computer, by definition. And there can be no such thing as genuine AI. Thus, all computer generated, computer moderated CAPTCHAs are vulnerable to computer attack.
Here we seem to have an example of the massive pre-existing database fallacy. The idea is to somehow have the CAPTCHAs generated and 'judged' by Humans, by using some (usually pre-existing, pre-labelled) dataset that can be mined to provide both valid questions and (correct) answers.
Usually this database will be a photo-library, for obvious reasons. Better con-men will attempt to hide this fact by extracting elements from the photos, and re-rendering them in a way that keeps their 'identity' but fools suckers (investors, potential customers) into thinking something clever is happening. The usual attacks work trivially against such an approach, which is why most CAPTCHAs don't even bother TRULY mining real world data.
But the desperation of a new company means money in the pockets of Slashdot's owners, and THAT isn't a bad thing, is it? Well, at least it is better than Slashdot taking money from the US government to endlessly bash targets like Iran and Korea, and endlessly promote Israel.
Try the "word association test". A very GOTCHA kind of a test, that can prove anything you want it to prove.
All I can see are terrorists.
-- TSA Employee
Have gnu, will travel.
Oh great. Another system to enforce segregation between organic and inorganic.
When will this senseless discrimination end?
Are they sure HUMANS can figure that stuff out? Those inkblots looked like a bunch of colored circles to me
... or at least it will be.
but the "researchers" that break it, won't tell you. they'll just exploit their findings after the new scheme is in use on a site that they want to exploit themselves.
Each puzzle has a specific solution. Computers can recognize specific images quite easily. A person can feed image/solution pairs into their GOTCHA-solving script faster than you can make them.
I'd like to be the first to solve this but I think it'll be done before I finish my lunch break.
"When information is power, privacy is freedom" - Jah-Wren Ryel
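The point made in the `identify -verbose` comment earlier in the thread and again in the comment just above is that a program never has to "see" a robot on a skateboard: it only has to recognise which stored image it was handed, and that is a lookup. The added example below, which is not code from the GOTCHA researchers or the challenge site, builds that lookup two ways: an exact SHA-256 over the pixel bytes (the analogue of the `identify` signature, which breaks the moment anything about the file changes) and an 8x8 average hash that still matches after small pixel perturbations such as re-encoding noise, which covers the "make the identify part identical" objection. The GOTCHA images are not bundled here, so the blots are synthetic bitmaps constructed in the code; the labels are three of the phrases quoted in the thread, and the function names are mine.

```python
"""Link a served inkblot back to a stored, labelled set without interpreting it.

Added example. The three "inkblots" are constructed 32x32 grayscale bitmaps
(dark canvas, a few bright discs), not the challenge's images. Labels are
phrases quoted in the thread. Two fingerprints: an exact SHA-256 of the pixel
bytes, and an 8x8 average hash that tolerates small pixel changes.
"""
import hashlib
import random

SIZE = 32  # width and height of each synthetic blot, in pixels


def make_blot(seed: int) -> list:
    """Deterministic synthetic 'inkblot': background 30, a few discs at 220."""
    rng = random.Random(seed)
    canvas = [[30] * SIZE for _ in range(SIZE)]
    for _ in range(4):
        cx, cy, r = rng.randrange(SIZE), rng.randrange(SIZE), rng.randrange(5, 10)
        for y in range(SIZE):
            for x in range(SIZE):
                if (x - cx) ** 2 + (y - cy) ** 2 <= r * r:
                    canvas[y][x] = 220
    return canvas


def exact_fingerprint(pixels: list) -> str:
    """SHA-256 over the raw pixel bytes: only a byte-identical image matches."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def average_hash(pixels: list) -> int:
    """64-bit average hash: block-average down to 8x8, then threshold at the global mean."""
    block = SIZE // 8
    blocks = []
    for by in range(8):
        for bx in range(8):
            total = sum(pixels[y][x]
                        for y in range(by * block, (by + 1) * block)
                        for x in range(bx * block, (bx + 1) * block))
            blocks.append(total / (block * block))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for avg in blocks:
        bits = (bits << 1) | (1 if avg > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def add_noise(pixels: list, seed: int = 99) -> list:
    """Simulate re-encoding: nudge every pixel by -1, 0 or +1 (clamped to 0..255)."""
    rng = random.Random(seed)
    return [[min(255, max(0, v + rng.choice((-1, 0, 1)))) for v in row] for row in pixels]


def build_index(labelled: list) -> tuple:
    """labelled: list of (label, pixels). Returns (exact lookup dict, perceptual list)."""
    exact = {exact_fingerprint(p): label for label, p in labelled}
    perceptual = [(average_hash(p), label) for label, p in labelled]
    return exact, perceptual


def identify_blot(index: tuple, pixels: list, max_distance: int = 10) -> tuple:
    """Return (label, method) for the stored blot this image is, or (None, None).

    Tries the exact fingerprint first, then the nearest average hash within
    `max_distance` bits.
    """
    exact, perceptual = index
    digest = exact_fingerprint(pixels)
    if digest in exact:
        return exact[digest], "exact"
    h = average_hash(pixels)
    dist, label = min((hamming(h, stored), lbl) for stored, lbl in perceptual)
    if dist <= max_distance:
        return label, "perceptual"
    return None, None


# Constructed sample set; labels are phrases quoted in the thread.
LABELS = [
    "lady with pink bowtie and purple mustache",
    "robot on a skateboard like thing",
    "The letter H",
]
BLOTS = [(label, make_blot(seed)) for seed, label in enumerate(LABELS, start=1)]
INDEX = build_index(BLOTS)


if __name__ == "__main__":
    original = BLOTS[1][1]
    print("byte-identical copy:", identify_blot(INDEX, original))
    print("re-encoded copy:    ", identify_blot(INDEX, add_noise(original)))
```

Once a bot has one labelled copy of each image, everything after that is a fingerprint match; the human-facing difficulty of the blots never enters into it.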
Great, now it will take me ten minutes to fill out a freaking authenticate screen and if my psychiatrist tweaks my medication I won't be able to log in at all.
hasn't anyone besides me played on Google's front page today? #rorsachdoodle for you twittospherics.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
(NT) = "No Text"
If people can't tell if something is red vs pink vs brown vs green, then if this goes into widespread use where they have to be able to distinguish colors in order to answer the questions, they'll be screwed.
Don't change your password to SHRDLU.
"... and more and more now there are all kinds of electronic goodies available" -- Pink Floyd 1972
Stare at THIS for a few minutes.
You're cured!
If not, there's always Hypnotoad. All Glory to the Hypnotoad!
This is security by obscurity taken to the extreme. We may be good at recognizing patterns, but if fed enough information a computer can be much better.