Researchers make weak passwords strong with CAPTCHAs plus an algorithm

21.04.2011

The team chose chaotic lattices to encrypt the CAPTCHAs as a way to get around brute-force attacks against the encrypted CAPTCHAs. Generally brute force would be effective because the password used to protect the CAPTCHA is weak, just the kind of thing brute-force attacks are designed to defeat.

But in this case, every password the brute force attack tries will generate a CAPTCHA that results in an image that the brute-forcing computer will interpret as decrypted. A human is required to determine for sure whether the image actually depicts something that might be a password.

Since every attempt will require human interpretation, the brute-force attack essentially becomes manual and therefore ineffective, Kladko says.

This is possible because the algorithm chosen takes seemingly random data -- the encrypted CAPTCHA -- and creates something structured out of it. Computer analysis of CAPTCHA images is such that it detects this structure, but still can't actually read it. So the brute-force application calls on a human to decide whether it has succeeded, Kladko says.

While the researchers used a particular algorithm called a non-linear Hamiltonian two-dimensional lattice system, there is a whole class of similar tools that Kladko describes as order-from-disorder algorithms.

Zur Startseite