Researchers Dare AI Experts To Crack New GOTCHA Password Scheme

samzenpus posted about 5 months ago | from the broken-in-3-2-1 dept.

Security 169

alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."

169 comments

Really? (5, Funny)

Anonymous Coward | about 5 months ago | (#45365791)

I feel like they mind as well have asked me to paint a picture which best conveys my ex-girlfriend's LiveJournal post from 2001.

Re:Really? (-1)

Anonymous Coward | about 5 months ago | (#45366249)

"MIND as well"...
WTF?

Let me guess - you're American...

Re:Really? (4, Funny)

FriendlyLurker (50431) | about 5 months ago | (#45366291)

mind as well have asked me to paint a picture which best conveys my ex-girlfriend's LiveJournal post from 2001.

it is not a Rorschach test [wikipedia.org], silly.

2001, you really do have to get over her and move on...

tried it (5, Insightful)

Anonymous Coward | about 5 months ago | (#45365795)

Turns out i am a computer. Couldn't have figured it out myself!

Re:tried it (0)

Anonymous Coward | about 5 months ago | (#45366135)

Yeah, same thing for me, and judging by all the other comments, no one can solve these.
I'm guessing this wasn't posted because it was good, but because it was timely. (Check Google's doodle if you don't know.)

Re:tried it (-1)

Anonymous Coward | about 5 months ago | (#45366407)

Check [some NSA collaborator's program, codename: D00DLE] if you don't know.

Nice try, shill/propagandist. I'll pass.

Re:tried it (4, Informative)

Chatterton (228704) | about 5 months ago | (#45366331)

You just don't need to remember 1 password, but 11 of them to log in... What an improvement !!! :)

Re:tried it (2)

evilviper (135110) | about 5 months ago | (#45366453)

Turns out i am a computer. Couldn't have figured it out myself!

Harrison Ford is on his way over, to shoot you in the head.

Re:tried it (5, Insightful)

pla (258480) | about 5 months ago | (#45366817)

Turns out i am a computer. Couldn't have figured it out myself!

This. Even with the answers, I can't recognize the features those descriptions supposedly refer to... "Little birdies facing eachother on the bottom and little bees flying away from eachother on top"??? WTF? Does anyone actually see the birds and bees the captions keep referring to?

Dear security researchers - Any clever scheme that humans have trouble dealing with, will fail, no matter how "secure" you consider it. I can remember "correct horse battery staple" (with 1 through 9 tacked on at the end to get around annoying domain password history restrictions, of course - Case in point!). In TFA's case, I'd probably need to keep a goddamned picture of my password in my wallet to compare against each time I log in.

Re:tried it (5, Informative)

Dachannien (617929) | about 5 months ago | (#45366919)

Presumably, in a real-world scenario, you give your own labels when you register for an account. This would hopefully mean you would form a persistent correlation between the labels and the images. But their multicolor inkblots are so indistinct from each other that I think I would have difficulty labeling each image in the first place.

Really? (-1)

Anonymous Coward | about 5 months ago | (#45365803)

I feel like they mind as well have asked me to paint a picture which best represents my ex-girlfriend's LiveJournal post from 2001.

Challenge Declined (1)

Gravis Zero (934156) | about 5 months ago | (#45365811)

The source code for the challenge was written in the C# programming language

nice try Microsoft but i'm still not falling for it!

Re:Challenge Declined (5, Funny)

Alarash (746254) | about 5 months ago | (#45366021)

Too bad for you, because C# is an awesome language that absolutely doesn't require Windows or .NET or Mono.

Re:Challenge Declined (0, Troll)

narcc (412956) | about 5 months ago | (#45366075)

C# is a terrible language which epitomizes an evolutionary dead-end in programming language design.

"But it continues to change and improve!" you say. Sure, it continues to change. Have you seen C++ lately? Same problem. When you try to decorate a turd, everything just ends up covered in shit.

Re:Challenge Declined (0)

Anonymous Coward | about 5 months ago | (#45366321)

C# is a terrible language which epitomizes an evolutionary dead-end in programming language design.

Please, elaborate? Seriously.

Re:Challenge Declined (1)

VortexCortex (1117377) | about 5 months ago | (#45366529)

Have you seen C++ lately? Same problem. When you try to decorate a turd, everything just ends up covered in shit.

What? I agree C++ is pretty shitty -- Language features with odd edge-cases newbs and intermediates rarely run into (diamond inheritance) but are severely limiting to advanced users who would wield the full set of language features at once but can't because they can't be used together without breaking (polymorphism + method overloading + multiple inheritance + template classes = NOPE). IMO, this means there is actually no complete implementation of C++, it can't be implemented because in many cases (diamond inheritance) implementation details have seeped up into the language itself (like an overfull septic tank), as more shit was added.

However, C is not the shit that's getting decorated here. Try to design the lowest level language for Von Neumann architecture machines that's still cross platform and you get C. I've done it before -- Created my own replacement for C to add co-routines. It ended up just like C in so many ways it's almost scary. In that regard C is a glorious product of its environment that gives you cross platform language features which describe the hardware features closely (like pointers / indexable arrays of memory, indirection via function pointers, etc). C++ can blame a lot of its shittiness on having to bend to C's syntax, but that's not C's fault the C++ implementers were skid-marking along on its coat tails.

C may be in the shit, but it's not the shit that C++ is. C is the golden kernel of goodness left unmolested by the shit filled, broken by design, committee produced, cluster of crap. When you wash away the filth, it remains useful as ever -- just smells funny running it through a C++ composting compiler is all.

Re:Challenge Declined (1)

narcc (412956) | about 5 months ago | (#45366685)

However, C is not the shit that's getting decorated here

I couldn't agree more.

Try to design the lowest level language for Von Neumann architecture machines that's still cross platform and you get C.

Unless you get Forth. That happens occasionally.

Re:Challenge Declined (2)

Tom (822) | about 5 months ago | (#45366791)

"awful" is more like it. I had more fun writing 8086 assembler than C# code. On a broken keyboard. With a toothpick in my mouth and both hands tied behind my back. By a sadistic Pascal teacher who kept going on about clean code structure and went on to describe Oberon when that wasn't enough.

Also, it was more readable.

Re:Challenge Declined (2)

Megane (129182) | about 5 months ago | (#45367029)

And isn't the # supposed to be at the front of the hashtag? Damn hipsters and their hashtag crap.

Piss BUH (-1)

Anonymous Coward | about 5 months ago | (#45365815)

Muhammad he was evil
A paedophile, a perv
To call him self a holy man
He had a fucking nerve

Re:Piss BUH (-1)

Anonymous Coward | about 5 months ago | (#45366585)

Yeah, did you hear that Marvel is going to make a Muslim super hero?
Someone should have told them that Super Bomberman has already been done.

MechanicalTurk (2)

snowgirl (978879) | about 5 months ago | (#45365827)

They've already been shelling out free porn in exchange for people solving captchas for them... I don't think this will change anything...

Re:MechanicalTurk (1)

narcc (412956) | about 5 months ago | (#45366105)

They've already been shelling out free porn

People still pay for pornography? Don't they have the internet? Are they solving printouts of CAPTCHAs?

Honestly, there's no need in this modern age to embarrass yourself at the gas-n-go, milling around waiting for the matronly old woman to take a break so that you can ask the pothead with the trainee badge to go round to the rack behind the counter. Anything you want is just a click away.

Uh, right. (2, Funny)

Anonymous Coward | about 5 months ago | (#45365829)

I don't see any of these. e.g. How the F*** is that a robot on a skateboard?

The only winning move is not to play.

You've gotta be kidding me (5, Informative)

artor3 (1344997) | about 5 months ago | (#45365835)

Did the researchers ever try having someone not on their team pass this test? There's no way anyone could figure out which ink blot is which unless they were involved in the naming process.

Re:You've gotta be kidding me (5, Insightful)

JaredOfEuropa (526365) | about 5 months ago | (#45365939)

I find it rather hard as well. Imagine how well color-blind people will do at this test. Or people from other cultures / countries. People for whom English is a second language.

Not to mention the fact that if I'd find something this convoluted on an account creation page, I'd most likely leave and never come back. CAPTCHAs are already bad enough.

Re:You've gotta be kidding me (5, Informative)

blane.bramble (133160) | about 5 months ago | (#45366015)

That is the whole point I believe - as part of the process *you* name the ink blots that were generated for you. Then next time you log in you match them back up.

Re:You've gotta be kidding me (1)

Anonymous Coward | about 5 months ago | (#45366197)

How does that help to prevent bots? Or are we specifically targeting bots that are incapable of remembering a string/image combination? I'm pretty sure a bot could remember what it called a set of images far more accurately than I could. Just use the hash of the image as the name or something.

Re:You've gotta be kidding me (1)

hAckz0r (989977) | about 5 months ago | (#45366695)

It simply forces the Bots, like everyone else who is turning off tracking, to accept cookies so that they can be tracked across the Internet. Sounds like a _real_ solution to me </not>.

The original idea is way too obtuse and subjective for anyone to get the singular answer correct. How many people will describe the same pattern in a Rorschach test, when everybody visually sees the pattern in them just a little different, and then uses a different vocabulary of experience to describe them. This would be a much better technology for generating personal encryption keys that nobody else can guess.

Re:You've gotta be kidding me (2)

gsslay (807818) | about 5 months ago | (#45366341)

I'm happy to admit I've missed something here, as the description given about how it would be used in actual practice is not at all clear to me.

Am I correct in thinking that this does not remove the need for a password, it just means you need to match up the blobs with the descriptions and supply the password?

In which case, interesting idea, but very laborious. And a description you give on one day for blobs may completely elude you the next.

Re:You've gotta be kidding me (5, Funny)

Rockoon (1252108) | about 5 months ago | (#45366871)

And I go over to the psychologist, and he says, "Emo, what does this inkblot look like to you?"
I said, "Oh, it's kind of embarrassing."
He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."
I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness."
..and he gets kind of depressed.
I said, "Okay, it's a butterfly." and he cheers up.

He said, "What does this inkblot look like?"
I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."
He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."
"Oh," I said, "was I far off?"
He said, "No. That's the sad part."

- Emo Philips

Re:You've gotta be kidding me (0)

Anonymous Coward | about 5 months ago | (#45366095)

unless they were involved in the naming process.

Re:You've gotta be kidding me (4, Informative)

dido (9125) | about 5 months ago | (#45366129)

I not only read the article but also the associated paper, and it seems that the proposed scheme involves precisely that. They generate some random inkblots and you have to give them some imaginative descriptions. Nevertheless I remain unconvinced that this is a good idea from a usability standpoint. I haven't even been able to find a link to a working mock-up of the system in action, so I could try it out.

Re: You've gotta be kidding me (0)

Anonymous Coward | about 5 months ago | (#45366611)

I agree as half of the blots look the damn same period. I'd never remember one from another. Maybe if they were black and not all "robot on steroids" or whatever shaped it would help

Even I can't crack these... (2, Informative)

ignoramus (544216) | about 5 months ago | (#45365841)

According to this challenge, I'm totally failing the Turing test. Is http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge_files/Account%200Inkblot4.jpg [cmu.edu] really a "robot on a skateboard like thing" to anyone here? What am I missing?

Re:Even I can't crack these... (2)

ignoramus (544216) | about 5 months ago | (#45365851)

P.S. I get that they're user selected mnemonics... it's mostly that I'd have a pretty hard time assigning meaning to most of the generated blobs...

Re:Even I can't crack these... (0)

Anonymous Coward | about 5 months ago | (#45366037)

Maybe it makes more sense when you're high? Like, really, really, high. Because I didn't have a problem so much.

Re:Even I can't crack these... (3, Funny)

houghi (78078) | about 5 months ago | (#45366069)

You can not fail the Turing test. It is just to test if you are a robot or not. You are clearly a robot.

They now use a variation of the test to determine if you are a danger to the USofA. (Or perhaps it is the same test.)

Oh, and if you can swim, you are a witch.

Re:Even I can't crack these... (1)

oobayly (1056050) | about 5 months ago | (#45366109)

From TFA:

The user describes each inkblot with a text phrase. These phrases are then stored in a random order along with the password. When the user returns to the site and signs in with the password, the inkblots are displayed again along with the list of descriptive phrases; the user then matches each phrase with the appropriate inkblot.

You name the images, so as you've proved, it's a lot harder for somebody to break into your account as these descriptions are completely subjective. The big problem may be remembering which descriptions were which - as it may depend on the mood or state of mind you were in at the time.
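
The flow quoted from TFA above, worked through as a small server-side model. This is an added example, not the researchers' code or the challenge's C# source; it assumes (the article does not say so) that inkblots are opaque byte blobs and that the user's phrase-to-blot matching is folded into the password hash instead of being stored in the clear, so that an offline cracker has to guess the matching as well as the password. The inkblot bytes are constructed stand-ins; the phrases are ones quoted elsewhere in this thread.

```python
# Added example (not the researchers' code): a minimal model of the GOTCHA
# enrol/login flow as the quoted article describes it. Assumptions not stated
# on the page: inkblots are treated as opaque byte blobs, and the user's
# phrase-to-blot matching is folded into the password hash rather than
# stored in the clear, so an offline attacker has to guess the matching too.
import hashlib
import hmac
import os
import random

# Constructed stand-ins for the generated inkblot images (real ones are image files).
INKBLOTS = [b"<inkblot-0 bytes>", b"<inkblot-1 bytes>",
            b"<inkblot-2 bytes>", b"<inkblot-3 bytes>"]
# Phrases a user gives at enrolment, one per inkblot, in inkblot order.
LABELS = ["robot on a skateboard like thing", "The letter H",
          "clown with a knife", "lady with pink bowtie and purple mustache"]


def _derive(password: str, matching: tuple, salt: bytes) -> bytes:
    """Hash the password together with the matching (PBKDF2-HMAC-SHA256)."""
    material = password.encode() + b"\x00" + ",".join(map(str, matching)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def register(password: str, inkblots: list, labels: list, rng=random) -> dict:
    """Enrolment: store the phrases in random order; the order itself is not stored."""
    n = len(inkblots)
    if len(labels) != n:
        raise ValueError("one phrase per inkblot")
    order = list(range(n))
    rng.shuffle(order)                        # displayed_labels[k] = labels[order[k]]
    displayed_labels = [labels[i] for i in order]
    # matching[j] = position in displayed_labels of the phrase for inkblot j
    matching = tuple(order.index(j) for j in range(n))
    salt = os.urandom(16)
    return {"inkblots": inkblots, "labels": displayed_labels,
            "salt": salt, "hash": _derive(password, matching, salt)}


def challenge(record: dict):
    """What the login page shows: the same inkblots and the stored (shuffled) phrases."""
    return record["inkblots"], record["labels"]


def login(record: dict, password: str, matching) -> bool:
    """Verify password plus matching; matching[j] is the index in the displayed
    phrase list that the user assigns to inkblot j."""
    n = len(record["inkblots"])
    if sorted(matching) != list(range(n)):
        return False                          # not a one-to-one matching
    candidate = _derive(password, tuple(matching), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def recall_matching(record: dict, labels: list) -> list:
    """What a user who remembers their own phrases does: find each phrase in the list."""
    _, displayed = challenge(record)
    return [displayed.index(phrase) for phrase in labels]


def demo(seed: int = 7) -> dict:
    """Run enrolment and four login attempts; returns which ones succeeded."""
    rec = register("correct horse battery staple", INKBLOTS, LABELS, rng=random.Random(seed))
    good = recall_matching(rec, LABELS)
    swapped = good[:]
    swapped[0], swapped[1] = swapped[1], swapped[0]
    return {
        "correct": login(rec, "correct horse battery staple", good),
        "wrong_password": login(rec, "Tr0ub4dor&3", good),
        "wrong_matching": login(rec, "correct horse battery staple", swapped),
        "not_a_matching": login(rec, "correct horse battery staple", [0, 0, 1, 2]),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is in `register`: the server keeps the phrases but not which phrase belongs to which blot, so the stored hash cannot be checked offline without also enumerating matchings (10! for ten blots). If the matching were stored alongside the hash, the scheme would add nothing against a stolen password database, which is the attack the article says it targets. The usability cost the thread complains about is visible in `recall_matching`: the legitimate user has to reconstruct the matching from their own phrases every time.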

Re:Even I can't crack these... (1)

oreaq (817314) | about 5 months ago | (#45366349)

So it's basically like having two passwords instead of one?

Re: Even I can't crack these... (1)

Anonymous Coward | about 5 months ago | (#45366653)

No. It's like having 11 passwords instead of one. You have to match up your descriptions of the 10 not-a-bot blots to the blots and enter your password.

Re:Even I can't crack these... (0)

Anonymous Coward | about 5 months ago | (#45367063)

Even worse.. all the damn things look identical to me. Maybe if they were all black and different shapes instead of all the same general shape with different colors tossed around..

Re:Even I can't crack these... (1)

fatphil (181876) | about 5 months ago | (#45366263)

Nope, that's a classic "Lesbian Bloodbath" image if there ever was one. Quite how to distinguish it from the other 9 Lesbian Bloodbath images is the tricky thing.

Re:Even I can't crack these... (2)

fatphil (181876) | about 5 months ago | (#45366277)

G/f says it's "clown with a knife", but I think she had a scarred childhood.

Re:Even I can't crack these... (2)

kbg (241421) | about 5 months ago | (#45366547)

All I see is woman with large breasts, woman with medium breasts, woman with small breasts, and this one looks like you... with breasts.

Re:Even I can't crack these... (0)

Anonymous Coward | about 5 months ago | (#45366657)

War.
Bombs.
Guts.
Guns.
Guts and guns.
Butterfly... with a bomb

too hard ? (1)

Anonymous Coward | about 5 months ago | (#45365847)

Does it count as a password system if the legitimate users are not able to log in ?

Accessibility? (1)

Anonymous Coward | about 5 months ago | (#45365861)

Sounds like they'll be weeding out all the visually impaired Internet users along with the SPAMbots. I don't count this as progress. We already have silly "solve this simple math problem" and "copy the forth werd in this s3nt3nce" puzzle questions which are easier to solve and sometimes more effective than captchas. If we have to stare at ink blots and answer dumb trivia questions to use the Internet, we still haven't won this fight.

hooray, eggheads (3, Interesting)

Anonymous Coward | about 5 months ago | (#45365865)

It may or may not be uncrackable. Woot. But it certainly is untenable, unwieldy, and unimplementable. I've got to generate 6+ random-ish images, assign descriptions, and then at some point in the future re-match them? Why not have me generate a one-time pad at the length needed and ask me to remember that?

Re:hooray, eggheads (2)

KermodeBear (738243) | about 5 months ago | (#45365875)

The images generated are definitely difficult (and painful) to try to decipher. It's all of the colors and the dots everywhere... Makes me a bit nauseous, actually.

The concept doesn't really seem to be any better than just choosing a secure password in the form of a sentence. You don't need an image for that, you just need users that can remember "1234 is the password to my luggage." instead of "1234".

Re:hooray, eggheads (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#45365919)

It might actually be worse, since the scheme describes providing a list of descriptions to choose from, one of which is the one that the user originally provided when the inkblot was generated.

Any CAPTCHA-style scheme that has to rely on a list of options (either because the cues are too vague, or because the answers aren't trivially expressible with a mouse and keyboard (or, now, a touchscreen...)) inherently runs into the issue that even a bot of essentially zero skill can now achieve a 1/n success rate, for an n length list of options; by pure chance. Unless you want to piss off your users a lot, 1/n is probably actually going to be unnervingly good starting odds, for a trivial scraper-level bot, and the options list also means that any more sophisticated AI approach has a relatively small and discrete universe of possibilities to deal with.

Re:hooray, eggheads (5, Insightful)

tftp (111690) | about 5 months ago | (#45366063)

A common man who cares about being able to remember an inkblot later on would describe it with specifics, like "five blue on top and three blue on bottom." This is quite parseable by a computer. The associative descriptions that the authors are hoping for are just not going to happen. Never. An association is a fleeting thing, especially when you are dealing with a random inkblot.

Far more importantly, the inconvenience of matching those images will be so great that the web sites will lose audience, and the site owner will drop this stupidity.

Most importantly, the method does not protect the customer - it only protects the web site owner. (A hacker can always figure out, with patience and time, which description fits what inkblot.) This means that millions of customers will be forced to endure this torture just for convenience of the site operator. This isn't going to fare well.

Re:hooray, eggheads (3, Funny)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#45366173)

I suspect that this scheme is also approximately as ADA (and I assume the EU has an equivalent, it's the sort of thing that they would do) compliant as prior CAPTCHAs, which is more or less 'HAHA, ocular cripple, no website for you!', possibly with an audio variant that is either broken and simply not actually a substitute, clear enough to be within attack range of commercially available text-to-speech software, or something allegedly human; but about as comprehensible as a heavy metal vocalist screaming a language you don't know through a couple of tin cans and a piece of string, from underwater...

I'm not sure how more sites don't get smacked for that.

Re:hooray, eggheads (1)

Anonymous Coward | about 5 months ago | (#45366335)

A common man who cares about being able to remember an inkblot later on would describe it with specifics, like "five blue on top and three blue on bottom."

If one day I find this system installed on a site that I absolutely have to visit and there's no alternative anywhere, I'm going to simply describe the images with single letters A-F and then take a screen grab and save it in a file.

Bwahaha! (5, Funny)

Ignacio (1465) | about 5 months ago | (#45365873)

I dare them to take their scheme to the streets and fairly find 1000 people that can get them right.

Re:Bwahaha! (2)

tftp (111690) | about 5 months ago | (#45365925)

I dare them to find enough commercial web sites who are willing to show such a finger to their paying audience. They would be far better off generating realistic "oil on canvas" images in impressionist style.

Re:Bwahaha! (2)

JaredOfEuropa (526365) | about 5 months ago | (#45366001)

"Woman with large breasts, woman with medium breasts, woman with small breasts, this one looks like you... with breasts."

What's a linebacker (1)

Anonymous Coward | about 5 months ago | (#45365897)

Using US-centric terms is certainly not going to help the rest of the world ...

Re:What's a linebacker (2)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#45365923)

Using US-centric terms is certainly not going to help the rest of the world ...

We only expect people to be able to solve these puzzles. That's the whole point.

Re:What's a linebacker (-1, Troll)

magic maverick (2615475) | about 5 months ago | (#45365997)

I'm'a ganna pissina youra corn flakes OK?

And then I'm going to slice your nipples off. And then tie you up, and subject you to Chinese water torture until you die (perhaps of starvation, or maybe of loss of blood, whatever, I don't care).

OK dickface?

Re:What's a linebacker (0)

Anonymous Coward | about 5 months ago | (#45366019)

And my point is that most of the people in the world have NO CLUE what a linebacker is.

Re:What's a linebacker (1)

archont (1215492) | about 5 months ago | (#45366235)

I'm not american, but I think it's a job you do, as part of your training, before you join the riot police.

Re:What's a linebacker (0)

Anonymous Coward | about 5 months ago | (#45366207)

Using US-centric terms is certainly not going to help the rest of the world ...

We only expect people to be able to solve these puzzles. That's the whole point.

Oh dear. That response doesn't really inspire confidence!

Colorblind? (1)

Hamsterdan (815291) | about 5 months ago | (#45365903)

What about colorblind people?

Re:Colorblind? (3, Insightful)

oobayly (1056050) | about 5 months ago | (#45366137)

It doesn't matter, as they're the ones coming up with the description, not the website owners. In fact, for colour blind people it adds an extra layer of security as the image they perceive (and describe) may be completely different from how the majority would perceive it.

Re:Colorblind? (2)

Zedrick (764028) | about 5 months ago | (#45366269)

It does matter, a colourblind person (like me) can't see anything but random dots. How can I possibly come up with a description (that I will remember) for random dots?

Re:Colorblind? (2)

Imsdal (930595) | about 5 months ago | (#45366575)

You are assuming that people who see colour see anything other than random dots. I can understand why you would believe that, but in this case it is wrong. It IS just random dots. The colouration just adds to the confusion.

Should that be.... (1)

ArcadeNut (85398) | about 5 months ago | (#45365933)

GOTTTCHA!

Re:Should that be.... (0)

Anonymous Coward | about 5 months ago | (#45365987)

Please explain

Re:Should that be.... (0)

Anonymous Coward | about 5 months ago | (#45366189)

*facepalm* Never mind - I must have zoned out while reading "Generating panOptic Turing Tests to Tell Computers and Humans Apart".

Hermann Rorschach (2)

zAPPzAPP (1207370) | about 5 months ago | (#45365995)

Today's Google opener is Hermann Rorschach.
Is this story just a coincidence?

I wonder what he could have read out of peoples passwords?
Your account may be secure, but now the admin knows everything about your mother issues.

Re:Hermann Rorschach (2, Funny)

Anonymous Coward | about 5 months ago | (#45366343)

Your haiku doesn't work.

Okaaay (1)

Trogre (513942) | about 5 months ago | (#45366113)

This is I guess a fitting way to celebrate Hermann Rorschach's 129th birthday. And today's Google Doodle makes about as much sense as this password scheme.

You need a printer (0)

Anonymous Coward | about 5 months ago | (#45366171)

with an LSD cartridge to make this work.

A live example (1)

houghi (78078) | about 5 months ago | (#45366187)

Why not put a live example online where people and computers can try this. And just a little test. These are the possible answer:
1. lady with pink bowtie and purple mustache
2. ugly narrow eyed person puckering up for a kiss
3. bees on top fling towards each other, big U in the middle
4. robot on a skateboard like thing
5. square faced guy with big nose and short yellow hair fuzz
6. hulk guy with tiny boxing gloves through the waist
7. The letter H
8. lipstick on a lady who takes steroids
9. linebacker with mustache and yellow nose
10. little birdies facing eachother on the bottom and little bees flying away from eachother on top

Now which one is http://houghi.org/Fun/blob.png [houghi.org] ?
Please first look at the images on the original site and then look at this one. Do not go back to the original site. Extra points if you put some time in between the 'learning' and the 'verification'. Say an hour, a day, ....

Now use a computer and use `identify -verbose http://houghi.org/Fun/blob.png | grep signature` and do that with the originals.
I am sure many people will be able to figure out a program that can link the images.

So to me it looks as if there is a serious difference between the images when you are a computer. And this is only one parameter that shows a difference. There is creation date and what not.

So instead of some blobs, they could have used images of things that people can see. e.g. "a linebacker with mustache and yellow nose". The computer does not care what the image says.

Or they could try to be clever and make at least the identify [imagemagick.org] part identical. Then we would have something to talk about.

For now the images make it more difficult for humans, not for computers. (Or did they think to throw off their Windows machines by saving png images as jpg?)

Re:A live example (1)

zAPPzAPP (1207370) | about 5 months ago | (#45366257)

I believe it is intended that you came up with those associations yourself.
So when presented with the list of your past answers and the same group of pictures, you will be able to do it again.
Trying to reverse another person's association-list will be much harder (and that is kind of the point here i guess).

dare (0)

Anonymous Coward | about 5 months ago | (#45366191)

dare to write a proper head line,

they didn't dare

Bad article and bad science (0)

Anonymous Coward | about 5 months ago | (#45366237)

captchas don't effectively protect passwords and that shit looks random.

like bad cryptography (5, Insightful)

stenvar (2789879) | about 5 months ago | (#45366251)

This is kind of like people used to design cryptography before there were sound mathematical and information theoretic results: "Hey, this looks complicated to us. It must be a good crypto algorithm. Bet you can't break it."

Unlike cryptography, this actually looks like a solution in search of a problem.

Probabilities (0)

Anonymous Coward | about 5 months ago | (#45366395)

This is really pointless.

Spammers and other CAPTCHA breakers rely on overwhelming the resource protected by the CAPTCHA through sheer numbers. They don't care about being right 100% of the time because they can just try again, thousands and thousands of times. 90% success is totally OK. Even 10% success is probably enough to make money from the scheme. The less chance of success, the more it discourages the scheme.

The reason why words are used for CAPTCHA is because a typical 6 letter word has 26^6 = 308915776 possibilities. You can't guess it by chance, you have to do the word recognition to have a hope of being accurate.

These other schemes where there's a fixed list of possibilities and one is right have a probability of 1/length of being guessed correctly. If there are 5 options then you will have a 20% success rate without any code at all! This is why they're useless, no matter how much "nicer" they look than trying to decipher a word.

Computers are better at this than I am (0)

Anonymous Coward | about 5 months ago | (#45366411)

I bet if you train a neural net or genetic algorithm on these things for a couple of weeks it'll do a lot better than me.
I can barely tell the difference between the images, let alone see anything in them.

Not really a new idea (1)

Registered Coward v2 (447531) | about 5 months ago | (#45366431)

All they have done is taken the old security question idea and replaced questions with images. While that makes it harder to circumvent using personal information, such as mother's maiden name or where were you born, it's really not that much better than if you simply give nonsense answers that you can still remember. After all, it would be just as hard for a bot or person to find out I was born on Moon Base Piper or lived on German Shepard Lane as match answer to blot. Depending on the number of tries allowed, brute forcing by recognizing the blot and going through possible answers would yield a match. The one advantage I see is you can give nonsense answers that are more easily recalled since the blot can trigger the memory while a bot would need to guess. If they use 3 inserts and 3 blots the bot has a 1 in 3 chance of getting it right the first time.

Perhaps there is more to it than simple match the picture with a phrase?

Will still fail as long as... (1)

sydbarrett74 (74307) | about 5 months ago | (#45366521)

...there are armies of developing-world workers willing to solve these things for fractions of a penny per GOTCHA. If only we could align incentives properly to harm scammers and their armies of solvers, without being a pain in the arse for legitimate users.

Do they consider stats & botnet sizes at all? (1)

Zocalo (252965) | about 5 months ago | (#45366577)

I'm guessing not.

Let's say they present 10 options for each GOTCHA. That means that I could pick an option at random and have a 10% chance of getting it right. I could have 10 machines on my botnet try the same sign-up post and statistically one of them should guess the right answer, which for a sufficient number of attempts is more or less providing a known success rate. How is the system supposed to tell which of all those unique IPs giving correct answers are my guessing bots and which are real people? I'm also pretty sure that a fully automated 10% hit rate via a bot is going to be a lot quicker and cheaper at getting past the system than paying people a few cents an hour in some third world country to manually process the current CAPTCHA system.

Sorry guys, but notwithstanding all the issues with people who are colour blind or have perception issues with inkblot images, I don't think this is going to improve the situation at all.
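
The guessing arithmetic that fuzzyfuzzyfungus's "1/n" post, the "Probabilities" post and Zocalo's post above all rely on, worked through as an added example (not from the article or the researchers). The "10 options", "5 options" and "26^6" figures are the thread's; the block also computes the case another commenter describes, where all 10 phrases have to be matched to 10 blots at once, which is a permutation rather than a single pick, and the number of tries a guesser needs for even odds, which is the figure a lockout or rate limit has to be set against.

```python
# Added example: textbook guessing probabilities for the CAPTCHA/GOTCHA
# variants discussed in the thread. Nothing here is from the paper.
import math


def single_choice_guess(n: int) -> float:
    """Pick one of n listed phrases at random: 1/n per attempt."""
    return 1.0 / n


def full_matching_guess(n: int) -> float:
    """Match all n phrases to n inkblots at random: one of n! permutations."""
    return 1.0 / math.factorial(n)


def word_captcha_guess(length: int = 6, alphabet: int = 26) -> float:
    """Type a random word of the given length: 1 / alphabet**length."""
    return 1.0 / (alphabet ** length)


def success_within(p: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent tries succeeds
    (e.g. Zocalo's ten bots each taking one guess)."""
    return 1.0 - (1.0 - p) ** attempts


def attempts_for(p: float, target: float = 0.5) -> int:
    """Smallest number of independent tries giving at least `target` success
    probability; a lockout threshold below this figure denies even odds."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def expected_cost_per_success(p: float, cost_per_attempt: float) -> float:
    """Expected spend for one success when every attempt costs the same;
    compare against the human-solver price the thread mentions."""
    return cost_per_attempt / p


def summary(n_options: int = 10, bots: int = 10) -> dict:
    """The thread's numbers side by side."""
    single = single_choice_guess(n_options)
    full = full_matching_guess(n_options)
    return {
        "single_choice": single,
        "single_choice_with_bots": success_within(single, bots),
        "single_choice_tries_for_even_odds": attempts_for(single),
        "full_matching": full,
        "full_matching_tries_for_even_odds": attempts_for(full),
        "six_letter_word": word_captcha_guess(),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:38s} {v}")
```

Two things fall out of running it. With a single pick from 10 options, ten bots guessing once each already succeed about 65% of the time, so a rate limit alone cannot rescue such a scheme. With a full matching of 10 blots, a blind guesser needs on the order of 2.5 million tries for even odds, which is in a different regime entirely, though, as the thread notes, that only holds if the matching is checked as a whole and the blots cannot be matched by something other than the user's memory.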

Pointless (1)

onyxruby (118189) | about 5 months ago | (#45366783)

They are pointless when armies of workers from India and other parts of the third world can blast through them by the thousands per day. These services are available for outsourcing just like any other service.

WTF? (0)

Anonymous Coward | about 5 months ago | (#45366925)

They must be smoking some good stuff!

This seems overly complicated (1)

wonkey_monkey (2592601) | about 5 months ago | (#45366945)

Why not just present the user with a few images of book covers, famous landmarks, or sports stars? Let them pick their favourite. Problem solved, no?

Re:This seems overly complicated (1)

wonkey_monkey (2592601) | about 5 months ago | (#45367005)

Okay, no, I suppose you could glean some of those things from social media these days. I forgot to allow for the stupidity of Facebookers. There's got to be a less inconvenient way to do this than blots, though.

Computers? I can't see this stuff. (0)

Anonymous Coward | about 5 months ago | (#45367111)

Seriously. These just look like blob collections. I'm not even sure I could tell if one of the inkblots changed to another one, even with the phrases. I'm sure this is secure, but not at all sure it's useful.
