GOTCHA password hackers!

Jeremiah Blocki, Manuel Blum and Anupam Datta. Proceedings of the 2013 ACM workshop on Artificial intelligence and security.
We introduce GOTCHAs (Generating panOptic Turing Tests to Tell Computers and Humans Apart) as a way of preventing automated offline dictionary attacks against user-selected passwords. A GOTCHA is a randomized puzzle generation protocol that involves interaction between a computer and a human. Informally, a GOTCHA should satisfy two key properties: (1) the puzzles are easy for the human to solve; (2) the puzzles are hard for a computer to solve even if it has the random bits used by the… 


GOTCHA Challenge (Un)Solved

An improved brute-force attack is presented that revealed each of the 7-digit passwords in less than 0.5 h and the 8-digit password in approximately 1.5 h on a personal laptop.

Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

The feasibility of applying ideas from Bayesian Persuasion to password authentication is explored and it is shown that the noise distribution for the signal can often be tuned so that a rational attacker will crack fewer passwords.

Human Computable Passwords

The general hypercontractivity theorem is applied to lower bound the statistical dimension of the distribution over challenge-response pairs induced by $f$ and $\sigma$, and the lower bounds apply to arbitrary functions $f$ (not just to functions that are easy for a human to evaluate).

Just In Time Hashing

Just in Time Hashing (JIT) is introduced, a client-side key-stretching algorithm that protects user passwords against offline brute-force cracking attempts without increasing delay for the user; the security analysis demonstrates that JIT can substantially increase guessing costs over traditional key-stretching algorithms with equivalent authentication delay.

CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection

Cost Asymmetric Secure Hash (CASH) is introduced, a randomized key-stretching mechanism that minimizes the fraction of passwords that would be cracked by a rational offline attacker without increasing amortized authentication costs for the legitimate authentication server.

Usable Human Authentication: A Quantitative Treatment

The thesis is that user models and security models can guide the development of password management schemes with analyzable usability and security properties and introduces Naturally Rehearsing Password schemes and Human Computable Password schemes, which leverage human capabilities for simple arithmetic operations.

Designing Proof of Human-Work Puzzles for Cryptocurrency and Beyond

The novel notion of a Proof of Human-work (PoH) is introduced and the first distributed consensus protocol built from hard Artificial Intelligence problems is presented; proofs of human work are also used to develop a password authentication scheme that provably protects users against offline attacks.

Advances in Cryptology – CRYPTO 2016

This paper defines a notion of adversary-dependent lossy trapdoor functions (ad-LTDFs) that is a weaker variant of LTDFs and constructs the first factoring-based deterministic encryption scheme that satisfies the security notion defined by Boldyreva et al. (CRYPTO'08) without relying on a decision assumption.

Enhancing the Security of Image CAPTCHAs Through Noise Addition

This paper presents a generalized methodology to transform existing images by applying various noise generation algorithms into variants that are resilient to attacks, thus improving the overall security provided by Image CAPTCHAs.

μcaptcha: Human Interaction Proofs Tailored to Touch-Capable Devices via Math Handwriting

Online services are often protected with captchas that typically must be solved by typing on a keyboard. Now that smartphones and tablets are increasingly being used to browse the web, new captchas

A text graphics character CAPTCHA for password authentication

A new construct, the Text-Graphics Character (TGC) CAPTCHA, is proposed for preventing dictionary attacks against password-authenticated systems that allow remote access via dumb terminals, and its utility is demonstrated in a prototype based on the SSH protocol suite.

POSH: a generalized captcha with security applications

The scheme is implemented as an extension to the Mozilla Firefox web browser, where it is used to protect user certificates and saved passwords, and certain aspects of the threat model for the implementation are defined more precisely.

Naturally Rehearsing Passwords

This work presents Shared Cues — a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security.

Mitigating Dictionary Attacks on Password-Protected Local Storage

This work proposes an approach for limiting off-line dictionary attacks in this setting without relying on secret storage or secure hardware, and describes a simple protocol using this approach, which raises a host of modeling and technical issues, such as new properties of human-solvable puzzles and some seemingly hard combinatorial problems.

The Password Thicket: Technical and Market Failures in Human Authentication on the Web

The first large-scale empirical analysis of password implementations deployed on the Internet, covering 150 websites that offer free user accounts for a variety of purposes, finds a surprising number of inconsistent choices within individual sites, suggesting that the lack of standards is harming security.

Of passwords and people: measuring the effect of password-composition policies

A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.

The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords

Joseph Bonneau. 2012 IEEE Symposium on Security and Privacy, 2012.
It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack, when compared with a uniform distribution that would provide equivalent security against different forms of guessing attack.

No Plaintext Passwords

The San Diego Supercomputer Center (SDSC) has managed to eliminate plaintext password transmission, while continuing to deliver services to a widely distributed user base.

CAPTCHA: Using Hard AI Problems for Security

This work introduces the captcha, an automated test that humans can pass but current computer programs cannot; any program that has high success over a captcha can be used to solve an unsolved Artificial Intelligence (AI) problem, and several novel constructions of captchas are provided, which imply a win-win situation.

Where do security policies come from?

It is concluded that the sites with the most restrictive password policies do not have greater security concerns; they are simply better insulated from the consequences of poor usability. Sites that accept advertising, purchase sponsored links, or where the user has a choice show a strong inverse correlation with policy strength.