After several years of trying to figure out how to get people to create passwords that are secure against hackers, Carnegie Mellon University (CMU) computer scientists have developed a system called Generating panOptic Turing Tests to Tell Computers and Humans Apart (GOTCHA).

GOTCHA is a password system that uses inkblots to add extra security when passwords are stolen from websites.

“The ultimate goal is for this to become a tool that software developers could use when implementing a password system,” said Jeremiah Blocki, a Ph.D. student in computer science who developed GOTCHAs along with his advisors, Manuel Blum, professor of computer science, and Anupam Datta, associate professor of computer science and electrical and computer engineering.

[Image: a GOTCHA inkblot] A user described this inkblot image as “Miss Crabtree puckers for a kiss.”

Powerful hack attacks are a common occurrence that has plagued companies such as Adobe, Gawker, LinkedIn and Sony. According to Blocki, security breaches are common even when passwords are stored as cryptographic hashes computed with functions such as bcrypt and scrypt. These hash functions convert passwords of any length into strings of bits of uniform length. While a hacker can’t directly invert these hashes, they can mount an automated offline dictionary attack, which was the specific type of attack that motivated the researchers to develop GOTCHA.

While these hash functions are considered reliable for preventing attacks, Blocki and his advisors believe there are limitations.

“If a large company like Amazon or Google adopts bcrypt or scrypt with a high security parameter, an offline dictionary attack would be a lot more extensive for a hacker,” he said. “But it is also true that Amazon or Google would be spending a lot more of their time and energy evaluating those hash functions when legitimate users log in every day.”

Every second, a computer can evaluate as many as 250 million possible hash values, Blocki noted.

GOTCHA works as follows: when a user creates a password on a website, his or her computer generates a number of random, multi-colored inkblots for the user to describe with a text phrase. The phrases are stored along with the password in a random order, so that when the user returns to that site and enters their password, the inkblots are shown along with the list of descriptive phrases. The user must then match each phrase to the correct inkblot.

“These are puzzles that are easy for a human to solve, but hard for a computer to solve, even if it has the random bits used to generate the puzzle,” said Blocki.

The researchers believe what makes this password system significant is that a person is needed to decipher the inkblots and match each with its corresponding answer; a computer program alone wouldn’t be enough to break into an account.

“To crack the user’s password offline, the adversary must simultaneously guess the user’s password and the answer to the corresponding puzzle,” Datta said. “A computer can’t do that alone. And if the computer must constantly interact with a human to solve the puzzle, it no longer can bring its brute force to bear to crack hashes.”
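The mechanics described above (phrases stored shuffled, the matching folded into the password hash, and the offline attacker forced to guess password and matching together) as an added example. This is not the CMU researchers' code; it assumes the inkblot images themselves are regenerated elsewhere and shown to the user, uses PBKDF2 as a stand-in for bcrypt/scrypt, and constructs its own sample phrases.

```python
import hashlib
import hmac
import os
import random
from math import factorial

KDF_ITERS = 100_000  # stand-in work factor; a deployment would use bcrypt or scrypt

def kdf(password: str, matching: tuple, salt: bytes) -> bytes:
    """Hash the password together with the phrase-to-inkblot matching, so the
    stored value cannot be checked without guessing both at once."""
    msg = password.encode() + b"\x00" + ",".join(map(str, matching)).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, KDF_ITERS)

def register(password: str, phrases: list, rng: random.Random = None) -> dict:
    """phrases[i] describes inkblot i (constructed input). They are stored
    shuffled; which inkblot each stored phrase belongs to is folded into the hash."""
    rng = rng or random.SystemRandom()
    order = list(range(len(phrases)))
    rng.shuffle(order)
    matching = tuple(order)  # stored phrase j describes inkblot order[j]
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": kdf(password, matching, salt),
            "phrases": [phrases[i] for i in order]}  # shuffled, kept in clear

def login(record: dict, password: str, matching: tuple) -> bool:
    """matching[j] = the inkblot the returning user paired with stored phrase j."""
    candidate = kdf(password, matching, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)

def offline_guesses(dictionary_size: int, n_inkblots: int) -> int:
    """Worst-case hash evaluations for an offline attacker: every password
    guess must be paired with every possible matching (n! of them)."""
    return dictionary_size * factorial(n_inkblots)

def offline_seconds(dictionary_size: int, n_inkblots: int,
                    hashes_per_second: int = 250_000_000) -> float:
    """Worst-case time at the 250 million hashes per second quoted in the article."""
    return offline_guesses(dictionary_size, n_inkblots) / hashes_per_second

if __name__ == "__main__":
    user_phrases = ["Miss Crabtree puckers for a kiss", "two frogs waltzing",
                    "a bat over a lake", "a crooked crown"]
    rec = register("correct horse battery", user_phrases, random.Random(7))
    truth = tuple(user_phrases.index(p) for p in rec["phrases"])
    print(login(rec, "correct horse battery", truth))        # True
    print(login(rec, "correct horse battery", truth[::-1]))  # False
    print(offline_seconds(10**6, 10) / 86400, "days")
```

With ten inkblots the matching alone multiplies the attacker's work by 10! = 3,628,800, which is why a slow hash plus the puzzle is far more costly to attack offline than the slow hash alone.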

To test whether users could accurately get through a GOTCHA, the researchers performed a user study in which 70 people, hired through Mechanical Turk, were asked to describe 10 inkblots with imaginative titles. Ten days later, those same people were asked to match those titles with the inkblots. Of the 58 participants who took part in the second round of testing, only one-third matched all inkblots correctly.

According to Blocki, the design of the user study and the low financial incentives could account for the less-than-stellar performance, and there are ways to make descriptions more memorable.

“Right now we are still in the development phase,” said Blocki. “We want to improve usability of our GOTCHA construction before we actually look to implement it.”

Security researchers are invited to try to attack the GOTCHA password scheme using artificial intelligence techniques through their online GOTCHA Challenge.

The CMU researchers stress that while GOTCHA sounds like (and is similar to) the Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) that Blum and his colleagues created, they do not perform the same task and are not meant to serve as an alternative to each other.