A new “inkblot” password system could add a near-unbreakable layer of security to high-value accounts such as bank accounts, even if the password itself leaks in a large-scale site breach, its designers say. The system relies on users describing patterns of ink blots and later matching their own descriptions back to the patterns, a task intended to foil the automated password-cracking programs used by cybercriminals, the researchers say.
Scientists at Carnegie Mellon University devised their GOTCHA system as an additional layer of protection for “high-value” accounts, such as bank accounts or medical records. They have challenged other researchers to break it using AI.
Users are shown a series of ink blots and describe each one with a Rorschach-test-style phrase, for instance “tree with leaves falling” or “evil clown”; the phrases are stored. When a user later wants to access the account, they are shown the blots and their own descriptions, but in random order; to get in, they must match each description to its blot.
“These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle,” said Jeremiah Blocki, a Ph.D. student who worked on the system.
The automated password-crackers used by hackers should find this word-association step far more troublesome, the researchers hope. Passwords such as “123456” are trivial to crack (two million Adobe users relied on that password, as reported by We Live Security), and cracking programs can evaluate 250 million hashes a second, according to RedOrbit.
Given enough time, even long, complex passwords fall to the latest brute-force programs: once a site has been breached and its password hashes stolen, cybercriminals can guess passwords offline at their leisure, with no login page to lock them out. Guessing GOTCHAs in this way would be impossible, the researchers claim, because the blots should be far more indigestible to a computer than a password hash.
“To crack the user’s password offline, the adversary must simultaneously guess the user’s password and the answer to the corresponding puzzle,” said Anupam Datta, who co-designed the system. “A computer can’t do that alone. And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes.”
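The login flow described above and the offline-attack argument in Datta’s quote can be made concrete with a toy model. This is an added example, not the CMU researchers’ code, and the real GOTCHA construction may differ in its details: here the inkblots are reduced to opaque identifiers derived from the password (so a password guess reproduces them, as Blocki notes), the user’s descriptions are stored in shuffled order, and the stored hash commits to both the password and the user’s blot-to-description matching. The function names, the salt and hash layout, and the constructed labels and wordlist are all assumptions.

```python
import hashlib
import hmac
import itertools
import os
import random

K = 5  # blots per account; the CMU study used 10, kept small so the brute force below finishes quickly


def _h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so (salt, password, matching) cannot be ambiguously re-split."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def generate_inkblots(salt: bytes, password: str, k: int = K) -> list:
    """Stand-in for inkblot rendering: k opaque blot ids derived deterministically
    from the password, so anyone who knows (or guesses) the password can
    regenerate the same blots. A real system would render images from this seed."""
    rng = random.Random(_h(b"blots", salt, password.encode()))
    return [f"blot-{rng.getrandbits(32):08x}" for _ in range(k)]


def enroll(password: str, labels: list) -> dict:
    """labels[i] is the user's description of blot i (in generation order).
    The server stores the descriptions in a random order; the matching
    (which displayed description belongs to which blot) becomes the extra secret."""
    salt = os.urandom(16)
    perm = list(range(len(labels)))
    random.SystemRandom().shuffle(perm)  # perm[j] = blot index of the description shown at position j
    shown_labels = [labels[perm[j]] for j in range(len(labels))]
    tag = _h(b"tag", salt, password.encode(), bytes(perm))
    return {"salt": salt, "labels": shown_labels, "tag": tag}


def login(record: dict, password: str, matching: list) -> bool:
    """The user sees generate_inkblots(record['salt'], password) alongside
    record['labels'] and submits matching[j] = index of the blot paired with
    displayed description j. The server recomputes the tag and compares it."""
    tag = _h(b"tag", record["salt"], password.encode(), bytes(matching))
    return hmac.compare_digest(tag, record["tag"])


def offline_crack(record: dict, wordlist: list):
    """Attacker holding the stolen record and no human to solve the puzzle:
    for every candidate password the only option is to try all k! matchings.
    Returns (password, matching, hashes_tried) or (None, None, hashes_tried)."""
    k = len(record["labels"])
    tried = 0
    for cand in wordlist:
        for perm in itertools.permutations(range(k)):
            tried += 1
            if login(record, cand, list(perm)):
                return cand, list(perm), tried
    return None, None, tried


if __name__ == "__main__":
    # Constructed sample: descriptions in the style of the CMU study.
    labels = ["evil clown", "tree with leaves falling", "lady with poofy dress", "owl", "sailing boat"]
    rec = enroll("hunter2", labels)
    # The genuine user recognises their own descriptions; here we reconstruct
    # their matching from the known label list to play that role.
    matching = [labels.index(lbl) for lbl in rec["labels"]]
    print("login ok:", login(rec, "hunter2", matching))
    pw, m, tried = offline_crack(rec, ["123456", "password", "hunter2"])
    print(f"offline crack found {pw!r} after {tried} hashes (3 candidates x 5! matchings max)")
```

Note the size of the effect: with k blots the attacker pays k! hashes per password candidate instead of one, or must put a human in the loop for each candidate. For the ten-blot setup of the study that is 3,628,800 hashes per candidate, about 15 ms at the 250 million hashes per second cited above, so the enumeration alone only helps if the password is not near the top of the cracker’s wordlist and the hash function is deliberately slow; the researchers’ stronger claim rests on a computer being unable to shortcut the matching without a human.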
The remaining problem, the researchers say, is whether people can reliably recognise their own descriptions. In theory it is easy: once a user has described an inkblot, that description is stored, so they never have to recall it from memory, merely pick it out of a list and pair it with the right blot.
When the researchers ran a user study with 70 participants, however, each of whom was asked to describe 10 inkblots with creative titles such as “evil clown” or “lady with poofy dress,” the results were mixed: of the 58 participants who returned for a second round ten days later, one-third matched all of the inkblots correctly and more than two-thirds got at least half right.
Blocki said that the user study may have had design flaws, including low financial incentives for participants. The difficulty in recognising one’s own descriptions could also be overcome by requiring users to write longer descriptions, such as “a happy guy on the ground protecting himself from ticklers,” he said.
Author Rob Waugh, We Live Security