Science & Technology
3:23 pm
Fri November 8, 2013

CMU Researchers Use Inkblots To Improve Password Security

Psychiatrists have been using inkblots to reach into the minds of their patients for almost a century, but now, researchers at Carnegie Mellon University are using the splotches to protect your passwords.

The new security setting, called GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart), has users create a password. The computer then generates several colorful inkblots and asks the user to describe each image with a phrase. When the user returns, they’re asked to input their password and match the inkblots with their custom phrases.

GOTCHA developer Jeremiah Blocki, a CMU Ph.D. student, said the next-level security code creates a puzzle computers alone can’t hack.

“(Hackers) can actually try sometimes upwards of 250 million password guesses per second,” he said. “Even users who are fairly conscientious about picking strong passwords are often times vulnerable to these brute force dictionary attacks.”

Most passwords are currently stored as cryptographic hashes, where each password is converted into a fixed-length string of data on a company’s server. But as computers become more powerful, that protection is becoming weaker.

Last month, more than 38 million Adobe users had their account information hacked by what Blocki called “brute force” attacks. Using GOTCHA technology, large companies could protect their passwords from these automated computer attacks.
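A toy model of the enroll-and-login flow described above, added here as an illustration and not the researchers’ code: it assumes a seed string stands in for each rendered inkblot and that the stored record binds the password to the order in which the user matched their phrases, so an attacker guessing passwords offline needs a human to match blots for every candidate, or must try every permutation as well.

```python
import hashlib
import hmac
import math
import os
import secrets

# Assumption: the real scheme renders images from a password-derived seed;
# here the seed string stands in for the picture, since rendering is
# irrelevant to the check itself.

def inkblot_seeds(password: str, salt: bytes, n: int) -> list[str]:
    """Derive n inkblot seeds from the password; a wrong password yields different blots."""
    return [hashlib.sha256(salt + password.encode() + bytes([i])).hexdigest()[:12]
            for i in range(n)]

def _tag(password: str, salt: bytes, perm: list[int]) -> str:
    # Binds password AND the label permutation into one stored hash.
    return hashlib.sha256(salt + password.encode() + bytes(perm)).hexdigest()

def enroll(password: str, labeler, n: int = 4) -> dict:
    """labeler(seed) -> phrase: the human's own description of each inkblot."""
    salt = os.urandom(16)
    labels = [labeler(s) for s in inkblot_seeds(password, salt, n)]
    perm = list(range(n))
    secrets.SystemRandom().shuffle(perm)   # perm[j]: which blot stored label j belongs to
    # Labels are stored shuffled, so the record reveals neither the mapping nor the password.
    return {"salt": salt, "labels": [labels[perm[j]] for j in range(n)],
            "tag": _tag(password, salt, perm)}

def authenticate(record: dict, password: str, matcher) -> bool:
    """matcher(seeds, labels) -> perm: the human matches the stored phrases to the blots."""
    seeds = inkblot_seeds(password, record["salt"], len(record["labels"]))
    perm = matcher(seeds, record["labels"])
    return hmac.compare_digest(_tag(password, record["salt"], perm), record["tag"])

def offline_guesses_without_human(n: int) -> int:
    """Permutations a password-only attacker must also try per candidate password."""
    return math.factorial(n)

class SimulatedUser:
    """Constructed stand-in for a person with perfect recall of their own phrases."""
    def __init__(self):
        self.calls = 0                       # how often a human had to look at blots
    def label(self, seed: str) -> str:
        return "blot-" + seed[:8]            # deterministic 'description' of the image
    def match(self, seeds, labels):
        self.calls += 1
        shown = [self.label(s) for s in seeds]
        # Unrecognised labels (wrong password, so different blots) get a guess of 0.
        return [shown.index(l) if l in shown else 0 for l in labels]
```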

CMU researchers previously created CAPTCHAs, the tiny two-word security puzzles used to stump automated hacking programs. While the two security methods both use images and phrases, Blocki said they have different purposes.

“CAPTCHAs are these little garbled text strings that you see that are supposed to keep spammers from automatically signing up for accounts,” he said. “So, GOTCHAs are not actually intended to be used to solve that problem.”

While the GOTCHA may add an extra level of security, usability becomes a question.

Using Amazon Mechanical Turk, an online crowdsourcing tool, researchers asked 70 participants to identify and name ten inkblots. Ten days later, the group was asked to match their phrases with the images, and of the 58 participants who returned, about one in three were able to match all the inkblots. More than 66 percent could match half of the images.

But Blocki isn’t discouraged by the results. He said the study was flawed and users should create more imaginative phrases to make their passwords more memorable.

“Right now, we’re still exploring ways to improve the construction so that all of the users can match the inkblots accurately.”