CAPTCHAs with chaos: Strong protection for weak passwords

Date:
April 21, 2011
Source:
Max-Planck-Gesellschaft
Summary:
The passwords of the future could become more secure and, at the same time, simpler to use. Researchers have been inspired by the physics of critical phenomena in their attempts to significantly improve password protection. The researchers split a password into two sections. With the first, easy-to-memorize section they encrypt a CAPTCHA -- an image that computer programs have difficulty in deciphering. The researchers also make it more difficult for computers, whose task it is to automatically crack passwords, to read the passwords without authorization. They use images of a simulated physical system, which they additionally make unrecognizable with a chaotic process.

Indecipherable for computers: The CAPTCHA with the password is very grainy, as it is generated in a physical system close to a critical change of state (left). In a chaotic process, it is made completely unreadable. The process can be reversed with an easily remembered password, however.
Credit: Sergej Flach / MPI for the Physics of Complex Systems

The passwords of the future could become more secure and, at the same time, simpler to use.

Researchers at the Max Planck Institute for the Physics of Complex Systems in Dresden have been inspired by the physics of critical phenomena in their attempts to significantly improve password protection. The researchers split a password into two sections. With the first, easy-to-memorize section they encrypt a CAPTCHA ("completely automated public Turing test to tell computers and humans apart") -- an image that computer programs per se have difficulty in deciphering. The researchers also make it more difficult for computers, whose task it is to automatically crack passwords, to read the passwords without authorization. They use images of a simulated physical system, which they additionally make unrecognizable with a chaotic process. These p-CAPTCHAs enable the Dresden physicists to achieve a high level of password protection, even though the user need only remember a weak password.

Computers sometimes use brute force. Hacking programs use so-called brute-force attacks to try out all possible character combinations to guess passwords. CAPTCHAs are therefore intended as an additional safeguard, ensuring that the input originates from a human being and not from a machine. They pose a task for the user which is simple enough for any human, yet very difficult for a program. Users must enter a distorted text which is displayed on the screen, for example. CAPTCHAs are increasingly being bypassed, however. Personal data of members of the "SchülerVZ" social network for school pupils have already been stolen in this way.

Researchers at the Max Planck Institute for the Physics of Complex Systems in Dresden have now developed a new type of password protection that is based on a combination of characters and a CAPTCHA. They also use mathematical methods from the physics of critical phenomena to protect the CAPTCHA from being accessed by computers. "We thus make the password protection both more effective and simpler," says Konstantin Kladko, who had the idea for this interdisciplinary approach during his time at the Dresden Max Planck Institute; he is currently a researcher at Axioma Research in Palo Alto/USA.

The Dresden-based researchers initially combine password and CAPTCHA in a completely novel way. The CAPTCHA is no longer generated anew each time in order to distinguish the human user from a computer on a case-by-case basis. Rather, the physicists use the codeword in the image, which can only be deciphered by humans, as the real password that provides access to a social network or an online bank account, for example. The researchers additionally encrypt this password using a combination of characters.

However, that's not all: the CAPTCHA is a snapshot of a dynamic, chaotic Hamiltonian system in two dimensions. For the sake of simplicity, this image can be imagined as a grey-scale pixel matrix, where every pixel represents an oscillator. The oscillators are coupled in a network. Every oscillator oscillates between two states and is affected by the neighbouring oscillators as it does so, thus resulting in the grey scales.

Chaotic development makes password unreadable

The physicists then leave the system to develop chaotically for a period of time. The grey-scale matrix changes the colour of its pixels. The result is an image that no longer contains a recognizable word. The researchers subsequently encrypt this image with the combination of characters and save the result. "We therefore talk of a password-protected CAPTCHA or p-CAPTCHA," says Sergej Flach, who teamed up with Tetyana Laptyeva to achieve the decisive research results at the Max Planck Institute for the Physics of Complex Systems. Since the chaotic evolution of the initial image is deterministic, i.e. reversible, the whole procedure can be reversed using the combination of characters, so that the user can again read the password hidden in the CAPTCHA.

"The character combination we use to encrypt the password in the CAPTCHA can be very easy to remember," explains Konstantin Kladko. "We thus take account of the fact that most people only want to, or can only, remember simple passwords." The fact that the passwords are correspondingly weak is now no longer important, because the real protection comes from the encrypted password in the CAPTCHA.

On the one hand, the password hidden in the CAPTCHA is too long for computers to be able to guess it using a brute-force attack in a reasonable length of time. On the other, the physicists use a critical system to generate the password image. This system is close to a phase transition: with a phase transition, the system changes from one physical state to another, from the paramagnetic to the ferromagnetic state, for example. Close to the transition, regions repeatedly form which temporarily have already completed the transition. "The resulting image is always very grainy. Therefore, a computer cannot distinguish it from the original it is searching for," explains Sergej Flach.
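The store-and-recover procedure described above can be sketched as follows. This is an added example, not code from the researchers or their paper: it assumes the Arnold cat map as a stand-in for the chaotic Hamiltonian lattice, PBKDF2 output used as an XOR keystream as a stand-in for the unspecified cipher, and a constructed 8x8 pixel matrix in place of the grainy critical-system image.

```python
import hashlib

N = 8  # side of the toy grey-scale matrix (constructed size)

def cat_map(img, steps, inverse=False):
    """Arnold cat map: a deterministic, exactly reversible chaotic pixel shuffle."""
    n = len(img)
    for _ in range(steps):
        out = [[0] * n for _ in range(n)]
        for x in range(n):
            for y in range(n):
                if inverse:   # inverse of (x, y) -> (x + y, x + 2y) mod n
                    out[(2 * x - y) % n][(y - x) % n] = img[x][y]
                else:
                    out[(x + y) % n][(x + 2 * y) % n] = img[x][y]
        img = out
    return img

def keystream(password, salt, length):
    # Stand-in cipher (assumption): PBKDF2 output used directly as an XOR keystream.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=length)

def xor_image(img, stream):
    n = len(img)
    return [[img[x][y] ^ stream[x * n + y] for y in range(n)] for x in range(n)]

def protect(img, password, salt, steps):
    """Evolve chaotically, then encrypt with the easy-to-remember part."""
    return xor_image(cat_map(img, steps), keystream(password, salt, len(img) ** 2))

def recover(blob, password, salt, steps):
    """Decrypt, then run the evolution backwards. No error is raised on a wrong guess."""
    plain = xor_image(blob, keystream(password, salt, len(blob) ** 2))
    return cat_map(plain, steps, inverse=True)

# Constructed sample data: a pixel matrix with 64 distinct grey values.
IMAGE = [[x * N + y for y in range(N)] for x in range(N)]
SALT = b"constructed-salt"
STORED = protect(IMAGE, "tulip", SALT, steps=3)

if __name__ == "__main__":
    print(recover(STORED, "tulip", SALT, 3) == IMAGE)   # correct weak password
    print(recover(STORED, "tulpi", SALT, 3) == IMAGE)   # wrong guess: just another matrix
```

A wrong guess returns a well-formed matrix rather than an error, so the stored data alone gives a guessing program no pass/fail signal; deciding whether an image is the right one is the step the article says the grainy critical-system picture is meant to make hard for a computer.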

"Although the study has just been submitted to a specialist journal and is only available online in an archive, it has already provoked a large number of responses in the community -- and not only in Hacker News," says Sergej Flach. "I was very impressed by the depth of some comments in certain forums -- in Slashdot, for example." The specialists are obviously impressed by the ingenuity of the approach, which means passwords could be very difficult to crack in the future. Moreover, the method is easy and quick to implement in conventional computer systems. "An expansion to several p-CAPTCHA levels is obvious," says Sergej Flach. However, this requires increased computing power to reverse the chaotic development in a reasonable time: "We therefore want to investigate various Hamiltonian and non-Hamiltonian systems in the future to see whether they provide faster and even more effective protection."


Story Source:

The above story is based on materials provided by Max-Planck-Gesellschaft. Note: Materials may be edited for content and length.


Journal Reference:

  1. Tetyana V. Laptyeva, Sergej Flach, Konstantin Kladko. The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs. arXiv.org, 2011.

Cite This Page:

Max-Planck-Gesellschaft. "CAPTCHAs with chaos: Strong protection for weak passwords." ScienceDaily. ScienceDaily, 21 April 2011. <www.sciencedaily.com/releases/2011/04/110420111331.htm>.
Max-Planck-Gesellschaft. (2011, April 21). CAPTCHAs with chaos: Strong protection for weak passwords. ScienceDaily. Retrieved July 22, 2014 from www.sciencedaily.com/releases/2011/04/110420111331.htm
Max-Planck-Gesellschaft. "CAPTCHAs with chaos: Strong protection for weak passwords." ScienceDaily. www.sciencedaily.com/releases/2011/04/110420111331.htm (accessed July 22, 2014).
