Some reactions on our posting of 'The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs'
by T.V. Laptyeva, S. Flach, K. Kladko (arXiv:1103.6219v1)
-
Some nice excerpts from Slashdot/Reddit )))
"Brilliant method, and very practical."
"Thank goodness, we're finally seeing some real innovation in this field.
The past two decades have been nothing but bullshit about how public-key cryptography will cure all of our authentication ills. A good example of this is those SSH users who insist that we should use keys to perform authentication. They talk about how it's so much more secure than passwords. But they fail to realize that the private key is nothing more than a lengthy password, and is in fact more susceptible to being stolen than a human-entered password is."
"I think the concept is fairly straightforward, though: If you make it hard for a computer to determine the difference between the plaintext and garbage, it will be hard to brute-force decrypt. In theory, by making the plaintext into a captcha the computer will no longer be able to tell when it has successfully decrypted the image, so (again in theory) after every password attempt a human will have to read the "decrypted" image to see if it is correct or not, so a brute force attack would (in theory) take an incredibly long period of time."
"I could see it used for encrypting other passwords, though: Encrypt your files using a long random password, then encrypt that password using this captcha system and a password you can actually remember."
"Well, if you actually read the paper, you'd have answers to those questions.
What they are proposing is a method that uses CAPTCHA-like systems to make the automating brute-forcing of the password much more difficult (but, since it's a CAPTCHA, it's still easy for a human to handle). The idea is that then you don't need the human to memorize as strong of a password: you can get the same level of security with weaker passwords. This won't let people use trivial passwords, but would allow you to greatly decrease the crazy/silly password requirements, because the decryption side becomes so difficult to automate. (You could always brute-force using a mechanical Turk setup, so you would need the user to pick a decent password, but as long as the search space is at least a few hundred thousand or million passwords, it's going to be impractical to hire CAPTCHA-readers to break it...)
The details of how they split a single strong password into two halves (a short bit that the human can memorize and a longer more secure bit that the user releases using CAPTCHA, and thus doesn't have to memorize) is quite interesting. Worth a read. This implementation might have mistakes that make it less secure than it seems at first, but the overall idea is really quite amazing."
"The CAPTCHA is encrypted with the "weak" password.
You need to brute force the weak password before you get a readable CAPTCHA. Automatically determining whether a CAPTCHA is readable should hopefully be computationally intensive and error prone, frustrating a brute force search."
"The idea is that the whole password cannot be decrypted in an automated way, because even though a computer program would quickly guess the short password (SP), the fact that the strong key (SK) is stored as a CAPTCHA prevents the computer program from obtaining it, even with the correct SP.
The point is not (as some seem to believe) to help the user memorize a longer password by storing part of it for him. This approach actually wouldn't introduce any added security, as you still have a single point of failure (the memorized short password)."
"The key to understanding this system is that there is a random file (Strong Key) which is encrypted with the SP (Simple Password). The Simple Password is used to decrypt the (encrypted) Strong Key, which is then used to encrypt/decrypt stuff. It looks like these fellows came up with a way for the user to verify that their Simple Password was right... (if they type in the wrong Simple Password, they are shown a mangled Strong Key Image). Think of this as something like VisualHostKey for ssh."
"This could be used with any existing password system. The changes required are only on the client side.
When the user chooses a password, he breaks it into two parts. One part is memorized and the other is turned into a CAPTCHA, evolved using some math, and encrypted. The encrypted image is stored to disk.
When the user wants to log in, he enters the memorized password. The client software decrypts the image from disk, derives the CAPTCHA with math and displays it. The user enters the CAPTCHA text. The client software can then send both parts of the password concatenated. So the server just gets one long password.
Assuming that no perfect AI exists for this, if someone compromises the client computer, then the password has a few more bits of strength than just the memorized password against brute force. If the server is compromised, then the password is hugely stronger than normal. Compare that to the case where if someone compromises the client computer without this system, then no hint to the password exists and it is impossible to guess the password. So while this system makes the server-side security stronger it greatly weakens the client-side.
Also note that it only works if the client system contains the encrypted CAPTCHA file. If you're trying to log into Faceville with this scheme from your sister's PC in another state then you don't want to leave hints of your password on her harddrive, and you don't want to be burdened by copying the file from your home computer. So it doesn't really work for a lot of common uses of passwords...
Another problem with this system is that it is too complicated: it would be very difficult to prove p-CAPTCHA is secure. I don't like relying on "round-off" approximations. This seems unnecessary for security, so an integer-based system would be preferred. I think all the weird chaos math is just to make the images look texty to make it harder to use an AI on. So instead of pretending it is adding security it would be better to pick a good bubbly procedural texture generator...
Another user mentioned that this is similar to password seeding. What he means is that your password can be used as a seed for a pseudo-random number generator, and before you send the password to the server your client PC will extend the password. As long as the attacker doesn't know what algorithm you chose, your account will be more secure than other users. You could also just hash your password and truncate the hash to the desired expanded password length. Password seeding is great because you don't need to drag a CAPTCHA file around with you. This would be a great browser plugin, hmmmm... So long as only a small percentage of users are using extended passwords, attackers probably won't take the time to break them."
"So, as I understand this... the user memorizes half of the password, and when they go to decrypt, a CAPTCHA is produced showing the rest of the password. Automated attacks can't verify that a guessed first-half password is correct without powerful OCR."
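The client-side flow the excerpts above sketch (split the password, wrap the second part under the memorized part, recombine at login; and, from the password-seeding excerpt, hash-and-truncate extension), as an added Python model that is not code from the paper or from any of the commenters. It stands plain text in for the CAPTCHA image and uses PBKDF2 plus a SHAKE-256 keystream as assumed primitives; what it makes visible is the point the excerpts circle around: the wrapping must not be self-verifying, so a wrong memorized password yields garbage rather than an error, and whether the output is "readable" is left to the human. Mixing the site name into the seeding hash is an addition of this example. The caveat from the longest excerpt still applies: whoever copies the blob off the client is left facing only the memorized part plus the reading step.

```python
import hashlib
import hmac
import os
from typing import Tuple

KDF_ITERATIONS = 100_000       # assumed cost parameter, not from the paper
SALT_LEN = 16


def _keystream(memorized: str, salt: bytes, length: int) -> bytes:
    """Stretch the memorized part with PBKDF2, then expand it into a keystream
    with SHAKE-256 (both are assumed primitives of this model)."""
    key = hashlib.pbkdf2_hmac("sha256", memorized.encode(), salt, KDF_ITERATIONS)
    return hashlib.shake_256(key).digest(length)


def enrol(memorized: str, second_part: str) -> bytes:
    """Client side at enrolment: wrap the second part under the memorized part.

    Returns the blob the user keeps on disk: salt || (second_part XOR keystream).
    No MAC, no padding, no magic bytes: unwrapping with a wrong memorized
    password therefore succeeds and yields garbage. In the paper that garbage
    is an unreadable image; here it is unreadable bytes."""
    salt = os.urandom(SALT_LEN)
    plain = second_part.encode()
    stream = _keystream(memorized, salt, len(plain))
    return salt + bytes(p ^ k for p, k in zip(plain, stream))


def unwrap(memorized: str, blob: bytes) -> bytes:
    """Client side at login: recover the second part. Never raises on a wrong
    password, so nothing in the output tells a program whether the guess was right."""
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    stream = _keystream(memorized, salt, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def login_password(memorized: str, blob: bytes) -> str:
    """What the client sends: memorized part + the text the user reads off
    the display (modelled as a lossy decode of the unwrapped bytes)."""
    shown = unwrap(memorized, blob).decode("utf-8", errors="replace")
    return memorized + shown


def server_register(full_password: str) -> Tuple[bytes, bytes]:
    """Server side stores an ordinary salted, stretched hash of the long password."""
    salt = os.urandom(SALT_LEN)
    return salt, hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, KDF_ITERATIONS)


def server_verify(record: Tuple[bytes, bytes], full_password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def seed_extend(password: str, site: str, length: int = 32) -> str:
    """'Password seeding' from the last excerpt: hash the memorized password and
    truncate to the wanted length. Mixing in the site name is an addition of
    this example so that one memorized secret yields a different extended
    password per site."""
    return hashlib.sha256(f"{site}\0{password}".encode()).hexdigest()[:length]


if __name__ == "__main__":
    # Constructed sample values.
    blob = enrol("kitten7", "Xq4-vb9Z")
    print("correct password shows:", unwrap("kitten7", blob))
    print("wrong password shows:  ", unwrap("kitten8", blob))   # garbage, no error
    record = server_register(login_password("kitten7", blob))
    print("server accepts recombined password:", server_verify(record, "kitten7Xq4-vb9Z"))
    print("seeded password for example.org:", seed_extend("kitten7", "example.org"))
```

The server never learns that the password was split; it sees one long string and stores a salted hash of it exactly as it would for any other password, which is why the commenters describe the change as client-side only.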
-
Some comments in German:
@-adrian- I didn't understand at all how this even works.. so first there's a field where, after you enter the password, a captcha appears and then you have to type that in, or what? .. or does a second chosen word appear as a captcha and you have to type that in? so that basically you just have to remember 2 words that you then type in one after the other..
[re:1] gibbons on 04.04.11 at 10:51
@-adrian-: Only when you enter your password correctly is a readable captcha generated (right-hand image); with a wrong entry you only get garbage (left-hand image). What was there not to understand? Read the text!
-
Slashdot: Scientists Develop New Method To Improve Passwords
RTA? (Score:2)
by del_diablo (1747634) writes: on Sunday April 03, @09:37AM (#35699038)
Well, it's indeed silly. What is stopping us from just doing normal bruteforce?
Re:RTA? (Score:5, Informative)
by pushing-robot (1037830) writes: on Sunday April 03, @09:46AM (#35699090)
That's the one with the $5 wrench, right?
Re:RTA? (Score:2)
by del_diablo (1747634) writes: on Sunday April 03, @09:53AM (#35699120)
No, from the article I got that the idea was:
1. Split password into 2 pieces, a normal password and a captcha part
2. Now if you bruteforce, you could miss on the second part, meaning bruteforcing will just take a bit more time
Meaning that "standard bruteforce" is still valid.
Re:RTA? (Score:2)
by Haedrian (1676506) writes: on Sunday April 03, @10:17AM (#35699284)
Standard bruteforce was valid?
There are [Dictionary]^[PasswordLength] possible combinations.
If I write an 8 character password with the keys I can see on my keyboard at the moment, you get - 6,095,689,385,410,816 permutations.
Using my 'very quick' calculations which are more than probably not very accurate- if using a 3.5 GHz processor which can hash and check each password in a single cycle (which is a very funny proposition indeed) - it'll take you 20 days. If the system upgrades to a 9 character password, that increases the choices and time by a factor of the Dictionary size, which is a bit less than 100.
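Haedrian's estimate above, carried through as an added Python calculator (not the commenter's code): keyspace = charset size ^ length and time = keyspace / guess rate, using the 94 printable keys and the 3.5e9 guesses per second from the comment. The last function, which asks how long a password must be to hold out for a given time at a given rate, is an illustration added here, and the 1e5 guesses/s it is exercised with is an assumed value for a deliberately slow password hash, not a measurement. The 16-character case also settles the "twice as long" exchange further down the thread: doubling the length multiplies the keyspace by 94^8, not by ten.

```python
PRINTABLE_ASCII = 94           # the keys visible on a keyboard, as in the comment
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over the charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a guesser that tries every candidate at a fixed rate."""
    return keyspace(charset_size, length) / guesses_per_second


def days_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_DAY


def min_length_for(charset_size: int, guesses_per_second: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least target_seconds to
    exhaust at the given rate (added helper; a loop avoids float-log rounding)."""
    length = 1
    while seconds_to_exhaust(charset_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    rate = 3.5e9                                   # one guess per cycle, as the comment assumes
    print("8-char keyspace:", keyspace(PRINTABLE_ASCII, 8))
    print("days at 3.5 GHz:", round(days_to_exhaust(PRINTABLE_ASCII, 8, rate), 1))
    print("9 chars costs x", PRINTABLE_ASCII, "more")
    print("16 chars costs x", keyspace(PRINTABLE_ASCII, 16) // keyspace(PRINTABLE_ASCII, 8), "more")
    century = 100 * SECONDS_PER_YEAR
    print("length for 100 years at 3.5e9/s:", min_length_for(PRINTABLE_ASCII, rate, century))
    print("length for 100 years at 1e5/s (slow hash, assumed):",
          min_length_for(PRINTABLE_ASCII, 1e5, century))
```

The two `min_length_for` results are the practical lesson: the same charset needs ten characters against a fast hash but eight against a stretched one, which is why a slow password hash on the server buys as much as two extra characters from every user.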
Re:RTA? (Score:3)
by nanospook (521118) writes: on Sunday April 03, @11:03AM (#35699566)
If your password is to a system that is worth the effort, then it's likely going to lock out after 3 tries.. I realize you are speaking generically, but unless you can subvert that feature, you can't try more than N times without invalidating the account..
Re:RTA? (Score:2)
by Haedrian (1676506) writes: on Sunday April 03, @11:16AM (#35699672)
I am assuming the worst case scenario, in which an attacker has copied the passwords and usernames from the database server, and is trying to break the hash.
If there are 3 tries, then there's absolutely no point in putting in the CAPTCHA thing suggested by the article, since it'll be a human trying them out.
Re:RTA? (Score:2)
by Martin Blank (154261) writes: on Sunday April 03, @03:47PM (#35701724) Journal
Standard bruteforce has always been generally valid, though there are cases where it doesn't work as well such as account lockout and those places where logs are watched carefully.
If the password database can be retrieved, it generally works better, though a bit of salting helps to address that. Distributed computing solutions for rainbow tables help cut down the time needed to break these, and I imagine that places like the NSA devote both dedicated and spare cycles to building up their own rainbow tables (or more elegant but less well-known mechanisms).
Re:RTA? (Score:2)
by mjwx (966435) writes: on Sunday April 03, @08:34PM (#35703854)
That's the one with the $5 wrench, right?
Where did you manage to find a wrench for $5?
Re:RTA? (Score:3)
by AC-x (735297) writes: on Sunday April 03, @10:27AM (#35699324)
Captcha image is encoded using the user's password. To brute force you'd either need to check the captcha images for each password combination or brute force the whole string (password+captcha) which is twice as long so will take an order of magnitude longer.
There are plenty of other key stretching techniques so not sure why this is any better tho.
Re:RTA? (Score:2)
by the_other_chewey (1119125) writes: on Sunday April 03, @12:06PM (#35700066)
...or brute force the whole string (password+captcha) which is twice as long so will take an order of magnitude longer.
So 1,000,000 is an order of magnitude more than 1,000? It has twice as many zeros...
You have a weird definition for "order of magnitude".
Re:RTA? (Score:3)
by hweimer (709734) writes: on Sunday April 03, @02:08PM (#35700900) Homepage
There are plenty of other key stretching techniques so not sure why this is any better tho.
You can only see the CAPTCHA text when you enter the correct password, a wrong password will just lead to random noise. Their claim is now that the presence of the CAPTCHA text cannot be detected by algorithms because to an algorithm, the picture will basically look the same in both cases.
I don't buy this. They study a system close to a continuous phase transition, meaning that it is self-similar, and there is no singular length-scale that shows up in any correlation function. By introducing the CAPTCHA text, however, they explicitly introduce such a scale, namely the size of the letters. This scale will result in a detectable feature in correlation functions, and of course only appears when the correct password has been entered. So, contrary to the authors' claim, it should be rather easy to spot when the correct password has been guessed.
Re: (Score:2)
by hweimer (709734) writes:
If you read our paper you will see that for an incorrect password you will still be in a vicinity of the correct initial condition. The Lyapunov exponents will get this difference multiplied, but the picture for the final evolution will still be very similar no matter whether the password is correct or not correct.
Sorry, but I still don't understand why your approach is different from a key stretching function. I suppose the result of the time evolution should be quite different as one will reveal the CAPTCHA text and one will not. But as I said, there will be signatures of the presence of the text in the correlation functions, from which you can deduce that you guessed the correct password.
Re:RTA? (Score:1)
by Sky Cry (872584) writes: on Sunday April 03, @10:29AM (#35699340)
A bot can't keep a list of checked passwords, because it's impossible to tell whether the password failed because of the static part or the part which is changing with every attempt (the captcha). Therefore there's no guarantee that your bruteforce will succeed in a certain time, that is after a certain number of attempts.
Re:RTA? (Score:3)
by zippthorne (748122) writes: on Sunday April 03, @11:11AM (#35699642) Journal
So.. they've invented.. password salting?
Re: (Score:2)
by zippthorne (748122) writes:
But captchas are already broken...
Belated April Fool Joke? (Score:1)
by Tigger's Pet (130655) writes: on Sunday April 03, @09:43AM (#35699074) Homepage
Not only does this not look to me like a particularly professional reporting site, if you follow the link on the page 'Which authors of this paper are endorsers?' you get the following:
"No authors of 1103.6219 can endorse.
The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs
Tetyana Laptyeva V.: Is registered as an author of this paper.
Not currently an endorser.
S. Flach and K. Kladko are not registered as owners of this paper"
If nobody is willing to endorse the paper then surely it's not been peer-reviewed and is, consequently at this time, worthless. It's no different to if I put a paper out there stating that I was going to produce safe passwords by generating random characters from snail-trails.
Re:Belated April Fool Joke? (Score:4, Insightful)
by kestasjk (933987) * writes: on Sunday April 03, @09:52AM (#35699116) Homepage
That lists which authors of that paper endorse other papers.
Perhaps analyze this idea for its own worth rather than look for silly reasons to discard it? How about that it relies on generating a secure password already, which would be hard for people to memorize, how the blind couldn't use it, or how it's really just the combination of two already common ideas?
Re:Belated April Fool Joke? (Score:3)
by pushing-robot (1037830) writes: on Sunday April 03, @10:15AM (#35699268)
I think the concept is fairly straightforward, though: If you make it hard for a computer to determine the difference between the plaintext and garbage, it will be hard to brute-force decrypt. In theory, by making the plaintext into a captcha the computer will no longer be able to tell when it has successfully decrypted the image, so (again in theory) after every password attempt a human will have to read the "decrypted" image to see if it is correct or not, so a brute force attack would (in theory) take an incredibly long period of time.
I see a few problems, though, in that (a) even if a computer can't read a captcha, it could probably tell the difference between it and random noise, (b) the computer could take "likely candidates" and farm them out to Mechanical Turk et al., and (c) it's not practical for anything but short text messages, since the message is no longer readable by a computer.
I could see it used for encrypting other passwords, though: Encrypt your files using a long random password, then encrypt that password using this captcha system and a password you can actually remember.
Epc fail (Score:2)
by Hognoxious (631665) writes: on Sunday April 03, @09:47AM (#35699098) Homepage Journal
Two days late, guys. HIYGCOTWO.
Maybe I should patent (Score:5, Funny)
by rossdee (243626) writes: on Sunday April 03, @09:57AM (#35699142)
Heres an extra layer of security for your password.
You take another post it note and stick it to your monitor over the top of the one with your password on. To access your password just lift up the top sticky note.
Re:Maybe I should patent (Score:5, Funny)
by Haedrian (1676506) writes: on Sunday April 03, @10:04AM (#35699198)
"The use of opaqueness of tree-derived substances in 3 dimensional space in order to secure against password disclosure through movement of waveforms through translucent media".
There, picked out a name for you.
Re:Maybe I should patent (Score:2)
by jpellino (202698) writes: on Monday April 04, @09:37AM (#35707174)
I was going to go with self-destructing sticky notes, disappearing-ink sticky notes, but yours is elegant in its simplicity.
Right so... (Score:2)
by Haedrian (1676506) writes: on Sunday April 03, @09:59AM (#35699162)
So if someone steals the password list off a server and wants to steal the admin passwords, all he has to do is to read the captcha himself, work it out (being a human and all that), then try to break the hash by adding the 'captcha answer' to the end of the string.
Sure it might make it harder for someone to try to steal passwords from a large list, but if you're only targeting admins (or specific ones) it'll actually make things less secure. You tell people they only need to remember half the password and the rest is "uberencrypted" and their half will be easy-to-remember stuff you can dictionary attack.
Something is wrong with that PDF (Score:2)
by Lord Lode (1290856) writes: on Sunday April 03, @10:01AM (#35699176)
It causes "ePDFViewer" (the random PDF viewer firefox and/or linux decided to bring as default option when opening such link in firefox) to hang for a minute and use 100% CPU whenever scrolling or zooming.
Seeding... (Score:2)
by Manip (656104) writes: on Sunday April 03, @10:03AM (#35699190)
So let's just be clear, they've re-invented seeding a password?
Wasn't April Fools a couple of days back? (Score:1)
by beaverdownunder (1822050) writes: on Sunday April 03, @10:07AM (#35699212)
Seriously... how does this help? Sure, it might give brute-force a harder time, but wouldn't people just brute-force the captcha? Hm.
This will not work (Score:3)
by houghi (78078) writes: on Sunday April 03, @10:22AM (#35699306)
as long as I am not able to select my own login AND password.
I have a multitude of different logins that were given to me and that I can not change. I have been given a multitude of passwords that I am unable to change, because I am not the only one to use that specific login.
I also have more than one security key.
Oh and I need to change some of them each month. I could easily remember a 32 character password. But not if I need to change it every month AND if I need to remember anywhere between 10-30 AND need to know what login it belongs to AND some can't be that long.
So sure, you can blame the human. However that IS a factor that will not go away. And as long as logins and password are basically a "Hey, I tried to protect the data, so I am safe"-thing for IT people, nothing will change.
Too often I see people who are responsible for security try to find a technological solution for a social problem. Security is not a technical issue. It is a social process.
Re:This will not work (Score:2)
by stonewallred (1465497) writes: on Sunday April 03, @11:31AM (#35699774)
I read a lot about password security here, and I fail to grasp one basic thing.
How many passwords are "necessary"? In the sense lives or large amounts of money would be lost if they were breached?
How many passwords are more of dutiful "security"?
In a sense, how many passwords do you have, that someone would be willing, capable and likely; to bust your head open and steal the password from your pocket?
I have one important password, to my WoW account (yeah I know...). The rest are unimportant in the grand scheme of life, forums, email, FB, etc.
I don't bank online, or that would be an important one also.
I don't access any of these places other than on my personal computer, or work computer. Both which are located in my home, one in my study and the other in my office.
Re: (Score:2)
by stonewallred (1465497) writes:
Got a different password for each of my email accounts, which are different from my social networking sites, which are different from my WoW account.
Plus all my sites are under different email accounts, a separate email account for each site.
Only place I got a concern is fucktarded blizzard which requires you to use your email address as an account name, and the same email address and password on the game, the battlenet account management and on the forums.
Guess a better way to rephrase my question is, h
I think the key with this idea is (Score:1)
by fragfoo (2018548) writes: on Sunday April 03, @10:33AM (#35699370)
to improve password security and not to make a fail-safe method. In a way that users can still create passwords like "123456" (they always will, if they are allowed to), but by adding the captcha they will be harder to crack.
waste of verbiage (Score:2, Informative)
by danwesnor (896499) writes: on Sunday April 03, @10:39AM (#35699418)
The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.
You don't need a bunch of mumbo jumbo to make a brute force attack ineffective, all you need to do is lock the account after x failed login attempts.
Re:waste of verbiage (Score:1)
by whrde (1120405) writes: on Sunday April 03, @11:08AM (#35699612) Homepage
And now you've just opened up a new way to do a denial of service!
Re:waste of verbiage (Score:2)
by ftobin (48814) * writes: on Sunday April 03, @11:10AM (#35699620) Homepage
If brute-force attacks are inefficient, compromised password files are less dangerous.
Re:waste of verbiage (Score:1)
by zome (546331) writes: on Sunday April 03, @11:15AM (#35699666)
I found the method used by an old phone (don't remember brand and model) effective. If you enter an incorrect password the first time, it makes you wait 10 seconds before you can try again. A second time, wait 20 seconds, third time, 40 seconds, 4th time, that's 80 seconds for you, and it keeps going like that. It gives the real owner of the phone a chance to get it right, but if you brute force, the wait time goes up quickly.
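The escalating wait zome describes (10 s, then 20, 40, 80, ...), as an added Python implementation that is not the commenter's code or any phone vendor's. It keeps per-account state and takes an injectable clock so it can be exercised without sleeping; the cap on the delay and the decision to refuse attempts during the wait without evaluating the password are design choices of this example. The counter resets on success, which is what lets the legitimate owner recover, while anything guessing repeatedly sits through a geometrically growing total wait. Unlike a hard lockout after x attempts (danwesnor's suggestion above), the account never becomes permanently unusable, which is the denial-of-service concern whrde raises.

```python
import time
from typing import Dict, Tuple


class LoginThrottle:
    """Per-account exponential backoff: the n-th consecutive failure imposes a
    wait of base_delay * 2**(n-1) seconds, capped at max_delay (the cap is an
    assumption of this example, not from the comment)."""

    def __init__(self, base_delay: float = 10.0, max_delay: float = 24 * 3600,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                                   # injectable for testing
        self._state: Dict[str, Tuple[int, float]] = {}       # account -> (failures, not_before)

    def seconds_until_allowed(self, account: str) -> float:
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, account: str, password_ok: bool) -> Tuple[bool, float]:
        """Record one login attempt. Returns (accepted, seconds_to_wait).

        While a wait is pending the attempt is refused without looking at the
        password, so hammering during the delay yields no information."""
        wait = self.seconds_until_allowed(account)
        if wait > 0:
            return False, wait
        failures, _ = self._state.get(account, (0, 0.0))
        if password_ok:
            self._state.pop(account, None)                   # success clears the counter
            return True, 0.0
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, self.clock() + delay)
        return False, delay


def total_delay(base_delay: float, failures: int) -> float:
    """Cumulative wait forced by `failures` consecutive wrong guesses:
    base * (1 + 2 + ... + 2**(failures-1)) = base * (2**failures - 1)."""
    return base_delay * (2 ** failures - 1)


class FakeClock:
    """Manual clock so the backoff can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for guess in range(5):                                   # repeated wrong guesses
        accepted, wait = throttle.attempt("alice", password_ok=False)
        print(f"guess {guess + 1}: refused, wait {wait:.0f} s")
        clock.advance(wait)
    print("total wait after 5 failures:", total_delay(10.0, 5), "s")
```

Keying the state on the account (rather than on the source address) is what makes this a substitute for lockout; keyed on the address instead it becomes ordinary rate limiting, which the thread's "copied the password database" scenario sidesteps entirely, since that attacker never talks to the server at all.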
Just my own problem with password systems (Score:2)
by bryan1945 (301828) writes: on Sunday April 03, @12:27PM (#35700184) Journal
Different systems have different parameters. One required 5-8 characters, including 1 number and 1 capital letter. I ran into one that had to be exactly 6 characters, but no other restrictions. One had a requirement of a 'special' character, i.e. $ * # ! ) etc. I understand the restrictions, somewhat, but my passwords tend to be 10-15 characters long with numbers but no special characters. Sometimes a capital letter or 2.
Instead of creating new schemes, just let me use this-
"ijustgotanewpuppyandinamedhimbippyandhesverycute"
Brute force that for my Amazon account. It's a whole lot better than "borked" for that 6 character password scheme I mentioned above.
The key to understanding this system (Score:1)
by mr.newt (244023) writes: on Sunday April 03, @02:17PM (#35700986)
...is that the whole password cannot be decrypted in an automated way, because even though a computer program would quickly guess the short password (SP), the fact that the strong key (SK) is stored as a CAPTCHA prevents the computer program from obtaining it, even with the correct SP.
The point is not (as some seem to believe) to help the user memorize a longer password by storing part of it for him. This approach actually wouldn't introduce any added security, as you still have a single point of failure (the memorized short password).
Re: (Score:1)
by mr.newt (244023) writes:
That's how it works, but not the key. The important thing is that the SK can't be understood by a computer program because it's a CAPTCHA, and therefore can't be brute forced.
hunter2 tag (Score:3, Funny)
by fractalVisionz (989785) writes: on Sunday April 03, @02:53PM (#35701244) Homepage
From http://www.bash.org/?244321 [bash.org]:
hey, if you type in your pw, it will show as stars
********* see!
hunter2
doesnt look like stars to me
*******
thats what I see
oh, really?
Absolutely
you can go hunter2 my hunter2-ing hunter2
haha, does that look funny to you?
lol, yes. See, when YOU type hunter2, it shows to us as *******
thats neat, I didnt know IRC did that
yep, no matter how many times you type hunter2, it will show to us as *******
awesome!
wait, how do you know my pw?
er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
oh, ok.
How is this new? (Score:1)
by loosescrews (1916996) writes: on Sunday April 03, @03:51PM (#35701758)
Sorry, but I don't understand how this could possibly be any better than combining existing password and CAPTCHA systems, which I am fairly certain has been done before. If the CAPTCHA and password didn't have a link between them it would likely be more secure. Their system only provides some benefit until someone leaks the algorithm for generating the CAPTCHA.
Is there something that I am missing?
-
Wall Street Journal:
Great Timing: Scientists Fine Tune Two-Part Method for Password Protection [Blip]
(Posted on Gizmodo at Sun, Apr 03, 2011 at 07:00PM)
Scientists at Max-Planck-Institute for Physics of Complex Systems recently published a paper describing a two-part method to improve password security. More » (visit source article)
-
Password + captcha is meant to prevent brute force
Privacy: Two researchers have put forward a new proposal for how logins for various web services, or other password-protected applications, can be effectively protected against brute-force attacks.
Many attackers currently gain access by decrypting passwords, letting a computer try all the possible variations. Users often make the attack easier by using insecure passwords. But even better combinations of letters, numbers and special characters can, if need be, be cracked in a reasonable amount of time using a cloud cluster.
The researchers from the Max Planck Institute for the Physics of Complex Systems in Dresden and the Californian Axioma Research therefore proposed in a joint paper (PDF) to protect access against such attacks by splitting the password in two. The method divides the passphrase into two parts.
Password-captcha combination
Captcha with wrong and with correct password
The first part is a conventional passphrase. However, this is first used to generate a captcha. Only when the first password is entered correctly does this reveal a second one, which is generated randomly each time. If that can be entered correctly, access is granted.
A brute-force attack would be hard to carry out here, because practically any string of characters generates a captcha image. Whether it actually shows a readable second password or just chaotically arranged pixels is something the attacker would have to check manually each time, since there are only partly reliable algorithms for checking this automatically.
Christian Kahle
-
Double captcha is meant to prevent brute force
Written by Niels Weidlich on April 4th, 2011
Two researchers from the Dresden Max Planck Institute for Physics and Complex Systems have developed a new concept (PDF) for how brute-force attacks could be prevented. A password is split in two and queried twice. The second captcha is generated from a split, randomly generated password. Since the captcha is generated twice, so to speak, it is supposed to be almost impossible to crack.
Whether it actually shows a readable second password or just chaotically arranged pixels is something the attacker would have to check manually each time, since there are only partly reliable algorithms for checking this automatically.
-
Apr 04: The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs (Security 101, by Adam Pliszka)
-
Hacker News:
The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs (arxiv.org)
1 point by adulau 3 days ago | discuss
-
Net boffins plot password alternatives
CAPTCHAS, split slogans and authenticated tokens
By John Leyden
Posted in ID, 4th April 2011 15:59 GMT
Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions.
Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are sensible enough to store passwords as hashes. But if these hashes are exposed via a website vulnerability, then the use of rainbow tables readily exposes passwords based on dictionary words. That's bad enough on its own but gets even worse if a user uses the same password for social networking as he or she does on more sensitive profiles, such as webmail or e-banking accounts.
Security researchers have long known that consumers can't be trusted to maintain multiple secure password sign-ons. The recent HBGary hack, which partly took advantage of shared passwords, underlined that weak password security is also a problem in business.
A new paper by computer scientists at the Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany proposes to fix the weak password problem in a way that frustrates brute-force dictionary-based attacks but gets around the reluctance of people to choose secure but hard-to-remember passwords. The novel approach involves splitting the password into two parts, one remembered by a human and the second held by the site itself, as explained in an abstract for the paper (extract below).
The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.
It's an interesting idea, but whether it is strong enough to withstand some modified brute force attack remains unclear.
Cambridge University computer scientists looking into the same well-worn security problem are advocating an even more radical idea: an end to passwords.
In a position paper, Pico: no more passwords (20-page PDF/433 KB), Frank Stajano of Cambridge University proposes a clean-slate design to "get rid of passwords everywhere, not just online". Instead of using passwords, logins should be secured using a token, a controversial idea in the wake of the highly-publicised RSA SecurID hack last month.
Stajano acknowledges as much, stating that he's mainly interested in getting a debate going. "Maybe your gut reaction to Pico will be 'it'll never work', but I believe we have a duty to come up with something more usable than passwords," he wrote on the Cambridge University's Light Blue Touchpaper blog. If nothing else, the paper neatly summarises why users are perfectly entitled to be fed up with passwords.
From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.
The paper (20-page PDF/433 KB) was presented at the International Workshop on Security Protocols in Cambridge last week.
-
Security - News, http://crypto-world.info (Crypto - News | Security - News), 04 / 2011
Selected for you: TR - Tomáš Rosa, JP - Jaroslav Pinkava, PV - Pavel Vondruška, VK - Vlastimil Klíma
Scientists are investigating new approaches to logging in that are meant to eliminate the weaknesses of password login
05.04.2011
The login itself will be split into two parts: in the first, the user uses a memorable part of the password in the classic way; in the second (which the site the user is logging into remembers), a kind of "encrypted" dynamic CAPTCHA will operate. See the commentary Net boffins plot password alternatives.
The authors of the document Pico: no more passwords take a different route; they want to use a hardware token.
Source: http://lanl.arxiv.org/abs/1103.6219
Author: JP
-
-