Slashdot Mirror


Researchers Dare AI Experts To Crack New GOTCHA Password Scheme

alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."

46 of 169 comments

  1. Really? by Anonymous Coward · · Score: 5, Funny

    I feel like they might as well have asked me to paint a picture which best conveys my ex-girlfriend's LiveJournal post from 2001.

    1. Re:Really? by FriendlyLurker · · Score: 4, Funny

      might as well have asked me to paint a picture which best conveys my ex-girlfriend's LiveJournal post from 2001.

      it is not a Rorschach test, silly.

      2001, you really do have to get over her and move on...

    2. Re:Really? by Jane+Q.+Public · · Score: 2

      2001, you really do have to get over her and move on...

      Tell that to the loony "doctors" who still use the Rorschach Test.

  2. tried it by Anonymous Coward · · Score: 5, Insightful

    Turns out I am a computer. Couldn't have figured it out myself!

    1. Re:tried it by Chatterton · · Score: 4, Informative

      You don't just need to remember 1 password, but 11 of them to log in... What an improvement!!! :)

    2. Re:tried it by evilviper · · Score: 2

      Turns out I am a computer. Couldn't have figured it out myself!

      Harrison Ford is on his way over, to shoot you in the head.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:tried it by pla · · Score: 5, Insightful

      Turns out I am a computer. Couldn't have figured it out myself!

      This. Even with the answers, I can't recognize the features those descriptions supposedly refer to... "Little birdies facing each other on the bottom and little bees flying away from each other on top"??? WTF? Does anyone actually see the birds and bees the captions keep referring to?

      Dear security researchers - Any clever scheme that humans have trouble dealing with, will fail, no matter how "secure" you consider it. I can remember "correct horse battery staple" (with 1 through 9 tacked on at the end to get around annoying domain password history restrictions, of course - Case in point!). In TFA's case, I'd probably need to keep a goddamned picture of my password in my wallet to compare against each time I log in.

    4. Re:tried it by Dachannien · · Score: 5, Informative

      Presumably, in a real-world scenario, you give your own labels when you register for an account. This would hopefully mean you would form a persistent correlation between the labels and the images. But their multicolor inkblots are so indistinct from each other that I think I would have difficulty labeling each image in the first place.

    5. Re:tried it by museumpeace · · Score: 2

      And what if you are color blind? I am not color blind and can't make heads or tails of these paintball shotgun patterns vs the text descriptions.

      Yes one objective is to frustrate bots ...but if you frustrate humans, as pla points out, then you are a non-starter. Go back to your room CMU compsci person 'cause I know you are smart enough to do better.

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    6. Re:tried it by cdrudge · · Score: 2

      Technically you still only have to remember 1 password. The other 10 the machine remembers and tells you, you just have to correctly associate them to the inkblots.

    7. Re:tried it by CastrTroy · · Score: 5, Interesting

      Carrying around your password in your wallet is probably safe enough for most people. People carry money, credit cards, all kinds of valuable things in their wallet. Probably safer than using an insecure password.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. MechanicalTurk by snowgirl · · Score: 2

    They've already been shelling out free porn in exchange for people solving captchas for them... I don't think this will change anything...

    --
    WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    1. Re:MechanicalTurk by leonardluen · · Score: 3, Informative

      I believe what happens is that the "bad guys" set up a page containing free porn. But in order to view the porn you have to solve a captcha.

      When a horny teenager shows up to look at the porn, a bot goes out to the target site you want to compromise and grabs their captcha. You then present the captcha to the horny teenager and have them solve it for you. The bot then enters the info on the target site and just "proved" it was human and so now can do things that only humans are allowed to do. Meanwhile the horny teenager is happily looking at the free porn and will probably come back the next day to solve another captcha for you.

  4. Uh, right. by Anonymous Coward · · Score: 2, Funny

    I don't see any of these. e.g. How the F*** is that a robot on a skateboard?

    The only winning move is not to play.

  5. You've gotta be kidding me by artor3 · · Score: 5, Informative

    Did the researchers ever try having someone not on their team pass this test? There's no way anyone could figure out which ink blot is which unless they were involved in the naming process.

    1. Re:You've gotta be kidding me by JaredOfEuropa · · Score: 5, Insightful

      I find it rather hard as well. Imagine how well color-blind people will do at this test. Or people from other cultures / countries. People for whom English is a second language.

      Not to mention the fact that if I'd find something this convoluted on an account creation page, I'd most likely leave and never come back. CAPTCHAs are already bad enough.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:You've gotta be kidding me by blane.bramble · · Score: 5, Informative

      That is the whole point I believe - as part of the process *you* name the ink blots that were generated for you. Then next time you log in you match them back up.

    3. Re:You've gotta be kidding me by dido · · Score: 4, Informative

      I not only read the article but also the associated paper, and it seems that the proposed scheme involves precisely that. They generate some random inkblots and you have to give them some imaginative descriptions. Nevertheless I remain unconvinced that this is a good idea from a usability standpoint. I haven't even been able to find a link to a working mock-up of the system in action, so I could try it out.

      --
      Give me six lines written by the hand of the most honest man, and I will find something in them to have him hanged.
    4. Re:You've gotta be kidding me by gsslay · · Score: 2

      I'm happy to admit I've missed something here, as the description given about how it would be used in actual practice is not at all clear to me.

      Am I correct in thinking that this does not remove the need for a password, it just means you need to match up the blobs with the descriptions and supply the password?

      In which case, interesting idea, but very laborious. And a description you give on one day for blobs may completely elude you the next.

    5. Re:You've gotta be kidding me by Rockoon · · Score: 5, Funny

      And I go over to the psychologist, and he says, "Emo, what does this inkblot look like to you?"
      I said, "Oh, it's kind of embarrassing."
      He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."
      I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness."
      ..and he gets kind of depressed.
      I said, "Okay, it's a butterfly." and he cheers up.

      He said, "What does this inkblot look like?"
      I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."
      He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."
      "Oh," I said, "was I far off?"
      He said, "No. That's the sad part."

      - Emo Philips

      --
      "His name was James Damore."
  6. Even I can't crack these... by ignoramus · · Score: 2, Informative

    According to this challenge, I'm totally failing the Turing test. Is http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge_files/Account%200Inkblot4.jpg really a "robot on a skateboard like thing" to anyone here? What am I missing?

    1. Re:Even I can't crack these... by ignoramus · · Score: 2

      P.S. I get that they're user selected mnemonics... it's mostly that I'd have a pretty hard time assigning meaning to most of the generated blobs...

    2. Re:Even I can't crack these... by houghi · · Score: 3, Funny

      You cannot fail the Turing test. It is just to test if you are a robot or not. You are clearly a robot.

      They now use a variation of the test to determine if you are a danger to the USofA. (Or perhaps it is the same test.)

      Oh, and if you can swim, you are a witch.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Even I can't crack these... by fatphil · · Score: 2

      G/f says it's "clown with a knife", but I think she had a scarred childhood.

      --
      Also FatPhil on SoylentNews, id 863
    4. Re:Even I can't crack these... by kbg · · Score: 2

      All I see is woman with large breasts, woman with medium breasts, woman with small breasts, and this one looks like you... with breasts.

  7. hooray, eggheads by Anonymous Coward · · Score: 3, Interesting

    It may or may not be uncrackable. Woot. But it certainly is untenable, unwieldy, and unimplementable. I've got to generate 6+ random-ish images, assign descriptions, and then at some point in the future re-match them? Why not have me generate a one-time pad at the length needed and ask me to remember that?

    1. Re:hooray, eggheads by KermodeBear · · Score: 2

      The images generated are definitely difficult (and painful) to try to decipher. It's all of the colors and the dots everywhere... Makes me a bit nauseous, actually.

      The concept doesn't really seem to be any better than just choosing a secure password in the form of a sentence. You don't need an image for that, you just need users that can remember "1234 is the password to my luggage." instead of "1234".

      --
      Love sees no species.
    2. Re:hooray, eggheads by fuzzyfuzzyfungus · · Score: 5, Insightful

      It might actually be worse, since the scheme describes providing a list of descriptions to choose from, one of which is the one that the user originally provided when the inkblot was generated.

      Any CAPTCHA-style scheme that has to rely on a list of options (either because the cues are too vague, or because the answers aren't trivially expressible with a mouse and keyboard (or, now, a touchscreen...)) inherently runs into the issue that even a bot of essentially zero skill can now achieve a 1/n success rate, for an n length list of options, by pure chance. Unless you want to piss off your users a lot, 1/n is probably actually going to be unnervingly good starting odds for a trivial scraper-level bot, and the options list also means that any more sophisticated AI approach has a relatively small and discrete universe of possibilities to deal with.
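The comments above piece the scheme together as: keep a password, have the user describe a handful of generated inkblots at registration, and at login show the inkblots again with the descriptions in a list to be matched back. The following is an added example of that flow as a toy model, not code from the CMU researchers or from the GOTCHA challenge page. It makes assumptions the thread does not state and that are labelled in the code: inkblots are stood in for by short ids regenerated from salt plus password (nothing is drawn), the stored verifier binds the password to the label-to-inkblot permutation, and PBKDF2 with a deliberately low iteration count stands in for the password hash. It also quantifies the "zero-skill bot" point for a full k-way matching rather than a single pick (1/k! per blind attempt) and shows what the k! factor costs an offline cracker who holds the record but cannot do the matching, versus one who can outsource it.

```python
"""Toy model of a GOTCHA-style login. Added example; not the researchers' code.

Assumptions (none of them stated in the thread):
  * the k inkblots are regenerated from salt + password; short hex ids stand
    in for images, nothing is rendered;
  * the user's own descriptions are stored in shuffled order, and the stored
    verifier hashes password and label-to-inkblot permutation together;
  * PBKDF2-HMAC-SHA256 with a low iteration count stands in for the real hash.
"""
import hashlib
import hmac
import itertools
import math
import os
import random
from dataclasses import dataclass
from typing import Callable, Optional

K = 4  # inkblots per account; k! = 24 keeps the brute-force loop small here

# A matcher plays the user at login: given inkblot ids and the shuffled list of
# descriptions, return, for each inkblot, the index of its description.
Matcher = Callable[[list[str], list[str]], tuple[int, ...]]


def inkblot_ids(salt: bytes, password: str, k: int = K) -> list[str]:
    """Deterministic stand-in for image generation: same salt+password, same ids,
    so the server never stores the images themselves."""
    seed = hashlib.sha256(salt + password.encode()).digest()
    return [hashlib.sha256(seed + bytes([i])).hexdigest()[:8] for i in range(k)]


def verifier(salt: bytes, password: str, perm: tuple[int, ...]) -> bytes:
    """Hash the password together with the permutation: a cracker holding only
    the record must get both right before a candidate password verifies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + bytes(perm), salt, 1000)


@dataclass
class Record:
    salt: bytes
    shuffled_labels: list[str]  # the user's descriptions, order randomised
    digest: bytes


def register(password: str, describe: Callable[[str], str]) -> Record:
    """`describe` plays the user at sign-up: inkblot id in, free-text label out."""
    salt = os.urandom(16)
    ids = inkblot_ids(salt, password)
    labels = [describe(i) for i in ids]
    if len(set(labels)) != len(labels):
        raise ValueError("descriptions must be distinct or matching is ambiguous")
    order = list(range(K))
    random.shuffle(order)
    shuffled = [labels[j] for j in order]
    perm = tuple(shuffled.index(lbl) for lbl in labels)  # where each label landed
    return Record(salt, shuffled, verifier(salt, password, perm))


def login(rec: Record, password: str, match: Matcher) -> bool:
    ids = inkblot_ids(rec.salt, password)
    perm = match(ids, rec.shuffled_labels)
    return hmac.compare_digest(verifier(rec.salt, password, perm), rec.digest)


def remembering_user(memory: dict[str, str]) -> Matcher:
    """A user who recalls their own descriptions. Inkblots they have never seen
    (regenerated from a wrong password) get an arbitrary pick."""
    def match(ids: list[str], shuffled: list[str]) -> tuple[int, ...]:
        return tuple(shuffled.index(memory[i]) if i in memory else 0 for i in ids)
    return match


def offline_crack(rec: Record, candidates: list[str],
                  solver: Optional[Matcher] = None) -> tuple[Optional[str], int]:
    """Attacker holding a leaked record. Returns (password or None, hash evaluations).
    Without a solver for the matching task every candidate costs up to k! hashes;
    with one (a person, or an AI that can match the blots) it costs one."""
    evals = 0
    for pw in candidates:
        ids = inkblot_ids(rec.salt, pw)
        perms = [solver(ids, rec.shuffled_labels)] if solver else itertools.permutations(range(K))
        for perm in perms:
            evals += 1
            if hmac.compare_digest(verifier(rec.salt, pw, tuple(perm)), rec.digest):
                return pw, evals
    return None, evals


def blind_bot_success(k: int, attempts: int) -> float:
    """Chance a bot picking a uniformly random permutation succeeds within `attempts`."""
    return 1 - (1 - 1 / math.factorial(k)) ** attempts


if __name__ == "__main__":
    memory: dict[str, str] = {}
    captions = iter(["clown with a knife", "robot on a skateboard",
                     "birds facing each other", "steroid insect"])  # constructed labels

    def describe(inkblot: str) -> str:
        memory[inkblot] = next(captions)
        return memory[inkblot]

    rec = register("correct horse battery staple", describe)
    user = remembering_user(memory)
    print("right password + right matching:", login(rec, "correct horse battery staple", user))
    print("wrong password:", login(rec, "correct horse battery stapl3", user))
    guesses = ["password", "hunter2", "correct horse battery staple"]
    print("cracker without solver:", offline_crack(rec, guesses))
    print("cracker who can outsource matching:", offline_crack(rec, guesses, user))
    print("blind bot, 10 online attempts:", round(blind_bot_success(K, 10), 4))
```

Two things the model makes visible. First, the k! factor only helps against an attacker who cannot do the matching: hand the matcher to a person (or a model that wins the challenge) and the cost per candidate collapses back to one hash, which is exactly what the "dare" is about. Second, for online guessing the blind bot's odds are 1/k! per attempt, so rate limiting, not the inkblots, is what bounds it.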

    3. Re:hooray, eggheads by tftp · · Score: 5, Insightful

      A common man who cares about being able to remember an inkblot later on would describe it with specifics, like "five blue on top and three blue on bottom." This is quite parseable by a computer. The associative descriptions that the authors are hoping for are just not going to happen. Never. An association is a fleeting thing, especially when you are dealing with a random inkblot.

      Far more importantly, the inconvenience of matching those images will be so great that the web sites will lose audience, and the site owner will drop this stupidity.

      Most importantly, the method does not protect the customer - it only protects the web site owner. (A hacker can always figure out, with patience and time, which description fits what inkblot.) This means that millions of customers will be forced to endure this torture just for convenience of the site operator. This isn't going to fare well.

    4. Re:hooray, eggheads by fuzzyfuzzyfungus · · Score: 3, Funny

      I suspect that this scheme is also approximately as ADA (and I assume the EU has an equivalent, it's the sort of thing that they would do) compliant as prior CAPTCHAs, which is more or less 'HAHA, ocular cripple, no website for you!', possibly with an audio variant that is either broken and simply not actually a substitute, clear enough to be within attack range of commercially available text-to-speech software, or something allegedly human; but about as comprehensible as a heavy metal vocalist screaming a language you don't know through a couple of tin cans and a piece of string, from underwater...

      I'm not sure how more sites don't get smacked for that.

  8. Fail by meerling · · Score: 2

    I can't pass any one of those they've got posted.
    I guess you need to be dropping acid for those to work.

  9. Bwahaha! by Ignacio · · Score: 5, Funny

    I dare them to take their scheme to the streets and fairly find 1000 people that can get them right.

    1. Re:Bwahaha! by tftp · · Score: 2

      I dare them to find enough commercial web sites who are willing to show such a finger to their paying audience. They would be far better off generating realistic "oil on canvas" images in impressionist style.

    2. Re:Bwahaha! by JaredOfEuropa · · Score: 2

      "Woman with large breasts, woman with medium breasts, woman with small breasts, this one looks like you... with breasts."

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  10. Re:What's a linebacker by fuzzyfuzzyfungus · · Score: 2

    Using US-centric terms is certainly not going to help the rest of the world ...

    We only expect people to be able to solve these puzzles. That's the whole point.

  11. Hermann Rorschach by zAPPzAPP · · Score: 2

    Today's Google opener is Hermann Rorschach.
    Is this story just a coincidence?

    I wonder what he could have read out of peoples passwords?
    Your account may be secure, but now the admin knows everything about your mother issues.

    1. Re:Hermann Rorschach by Anonymous Coward · · Score: 2, Funny

      Your haiku doesn't work.

  12. Re:Challenge Declined by Alarash · · Score: 5, Funny

    Too bad for you, because C# is an awesome language that absolutely doesn't require Windows or .NET or Mono.

  13. Re:Colorblind? by oobayly · · Score: 3, Insightful

    It doesn't matter, as they're the ones coming up with the description, not the website owners. In fact, for colour blind people it adds an extra layer of security as the image they perceive (and describe) may be completely different from how the majority would perceive it.

  14. like bad cryptography by stenvar · · Score: 5, Insightful

    This is kind of like people used to design cryptography before there were sound mathematical and information theoretic results: "Hey, this looks complicated to us. It must be a good crypto algorithm. Bet you can't break it."

    Unlike cryptography, this actually looks like a solution in search of a problem.

  15. Re:Colorblind? by Zedrick · · Score: 2

    It does matter, a colourblind person (like me) can't see anything but random dots. How can I possibly come up with a description (that I will remember) for random dots?

  16. Re:Colorblind? by Imsdal · · Score: 2

    You are assuming that people who see colour see anything other than random dots. I can understand why you would believe that, but in this case it is wrong. It IS just random dots. The colouration just adds to the confusion.

  17. Bad Summary by nuckfuts · · Score: 2

    The title should read:

    Researchers Prevent Humans From Cracking New GOTCHA Password Scheme

  18. Re:Challenge Declined by Tom · · Score: 2

    "awful" is more like it. I had more fun writing 8086 assembler than C# code. On a broken keyboard. With a toothpick in my mouth and both hands tied behind my back. By a sadistic Pascal teacher who kept going on about clean code structure and went on to describe Oberon when that wasn't enough.

    Also, it was more readable.

    --
    Assorted stuff I do sometimes: Lemuria.org
  19. Re:Challenge Declined by Megane · · Score: 2

    And isn't the # supposed to be at the front of the hashtag? Damn hipsters and their hashtag crap.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  20. Re:Colorblind? by tippe · · Score: 2

    Never mind them, what about those with trypophobia? Why won't anyone think of the trypophobics??