Comments
Forget Captcha, Try Inkblots
Mathew
User Rank: Apprentice
10/22/2013 | 10:10:19 AM
re: Forget Captcha, Try Inkblots
Great question, Terry, apologies if I didn't make that clearer. The short answer is (pulling from the related study):

To generate a challenge the computer first generates 10 inkblot images. The user then provides labels for each image (e.g., evil clown, big frog). During authentication the challenge is to match each inkblot image with the corresponding label.

Under the system proposed by the researchers, anyone who provides a username and password correctly, the first time, will only see one Gotcha, and then have to match that image with one of 10 responses which the user himself has already written. If he fails to match the response correctly, then the challenge/response system starts escalating. For example, maybe he'd see more Gotchas, be required to enter a "secret" word or experience timeouts that tell him to try again later.

The goal here isn't to block any one attack, per se, but to slow down attackers and arrest automated attacks. Making "breaking and entering" a manual effort could dissuade anyone who's harvested a site's credentials en masse -- for example by stealing its entire user database -- from bothering with a large-scale attack. Likewise, anyone who wanted to run automated scripts that buy tickets en masse (from Ticketmaster) to resell for a higher price would find blocks against that automation.

The researchers' study also makes some great points about how else their approach -- making illicit account access a manual endeavor -- might be applied. For example, they note that having a challenge-response system based on movie ratings (perhaps a few pairs of "which one is better than the other for you?") might also provide a relatively easy (for users) but tough (for attackers to easily/quickly bypass) way to further verify users' identities.

Just as with encrypting passwords, creating a system that creates a delay of a few seconds for any operation or account access will typically be tolerated by an individual end user, but anathema to an attacker, who wants to operate at scale.
TerryB
User Rank: Ninja
10/18/2013 | 5:26:21 PM
re: Forget Captcha, Try Inkblots
I must be missing something on Gotcha. If they present a list of possible answers (say 10 for example), doesn't anyone have a 1 in 10 chance of guessing right? And of course in 10 tries max you'd be in. Obviously it must be more sophisticated than the way it was described above.
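To make concrete the flow Mathew's reply describes (one Gotcha after a correct password, escalation after a miss) and the 1-in-10 odds TerryB asks about, here is an added model of a server-side Gotcha session; it is not code from the study or the article, and the enrolled labels, the escalation schedule and the guessing attacker are all assumptions.

```python
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed enrolment data (not from the study): the user labelled 10
# inkblots, referred to here by index 0..9; the label strings are samples.
ENROLLED_LABELS = ["evil clown", "big frog", "two bats", "old shoe", "lobster",
                   "crying owl", "teapot", "dancing bear", "ink splash", "mask"]
# Assumed escalation schedule (the comment only says "more Gotchas" and
# "timeouts"): consecutive failures -> (inkblots to match, lockout seconds).
ESCALATION = {0: (1, 0), 1: (3, 0), 2: (5, 30), 3: (10, 300)}


@dataclass
class GotchaSession:
    labels: List[str]
    failures: int = 0
    rng: random.Random = field(default_factory=random.Random)

    def policy(self) -> Tuple[int, int]:
        return ESCALATION[min(self.failures, max(ESCALATION))]

    def challenge(self) -> List[int]:
        """Pick which enrolled inkblots the user must match this round."""
        return self.rng.sample(range(len(self.labels)), self.policy()[0])

    def verify(self, challenge: List[int], answers: Dict[int, str]) -> bool:
        """Pass only if every presented inkblot is paired with its own label;
        a miss raises the escalation level, a pass resets it."""
        ok = all(answers.get(i) == self.labels[i] for i in challenge)
        self.failures = 0 if ok else self.failures + 1
        return ok


def random_guess_success(k: int, n: int = 10) -> float:
    """Chance a guesser assigning k distinct labels out of n gets all k right:
    1/10 for one Gotcha, but 1/720 once three must be matched at once."""
    return 1 / math.perm(n, k)


def simulate_guesser(attempts: int, seed: int = 0) -> Tuple[int, int]:
    """Attacker who knows the 10 labels but not which blot each belongs to;
    returns (successful logins, seconds spent locked out)."""
    session = GotchaSession(ENROLLED_LABELS, rng=random.Random(seed))
    wins, locked = 0, 0
    for _ in range(attempts):
        chal = session.challenge()
        guess = dict(zip(chal, session.rng.sample(session.labels, len(chal))))
        wins += session.verify(chal, guess)
        locked += session.policy()[1]
    return wins, locked
```

The single-Gotcha round really is a 1-in-10 guess; the point of the escalation is that each miss raises the number of simultaneous matches (and adds lockout time), so repeated automated guessing is what gets expensive.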
MarciaNWC
User Rank: Apprentice
10/18/2013 | 3:09:41 PM
re: Forget Captcha, Try Inkblots
Anything that could possibly be an improvement on Captcha would be welcome.
rogledi
User Rank: Apprentice
10/18/2013 | 2:13:00 PM
re: Forget Captcha, Try Inkblots
Let's remove the concept of captcha.

http://keypic.com is a good way to do it!
David F. Carr
User Rank: Apprentice
10/18/2013 | 1:51:22 PM
re: Forget Captcha, Try Inkblots
Sounds like a plot to build a deeper psychological profile of website visitors and then market to them better. That's my conspiracy theory for today, at any rate.
Thomas Claburn
User Rank: Ninja
10/17/2013 | 8:09:11 PM
re: Forget Captcha, Try Inkblots
No, of course everyone sees that. That's why inkblots promise superior security.
OtherJimDonahue
User Rank: Apprentice
10/17/2013 | 7:34:52 PM
re: Forget Captcha, Try Inkblots
I'm seeing a dinosaur making love to a Volkswagen. Is that wrong?
Marilyn Cohodas
User Rank: Strategist
10/17/2013 | 6:54:46 PM
re: Forget Captcha, Try Inkblots
Anything that doesn't make me remember my permutation of alpha-numerics is an improvement, IMO. I think I have enough brain cells to recognize a pass phrase that I use for an ink blot. But then again, it would depend on how similar the options Gotcha spews out are. It may indeed be just another gotcha for password management.
Laurianne
User Rank: Apprentice
10/17/2013 | 5:08:36 PM
re: Forget Captcha, Try Inkblots
The Captcha is much hated. The name Gotcha doesn't exactly sound appealing -- but the idea is intriguing.