Weak passwords get robust protection
subsequently encrypt this image with the combination of characters and save the result. “We therefore talk of a password-protected Captcha or p-Captcha,” says Sergej Flach, who teamed up with Tetyana Laptyeva to achieve the decisive research results at the Max Planck Institute for the Physics of Complex Systems. Since the chaotic evolution of the initial image is deterministic, that is, reversible, the whole procedure can be reversed using the combination of characters, so that the user can again read the password hidden in the Captcha.
“The character combination we use to encrypt the password in the Captcha can be very easy to remember,” explains Konstantin Kladko. “We thus take account of the fact that most people only want to, or can only, remember simple passwords.” The fact that the passwords are correspondingly weak is now no longer important, because the real protection comes from the encrypted password in the Captcha.
On the one hand, the password hidden in the Captcha is too long for computers to be able to guess it using a brute-force attack in a reasonable length of time. On the other, the physicists use a critical system to generate the password image. This system is close to a phase transition: with a phase transition, the system changes from one physical state to another, from the paramagnetic to the ferromagnetic state, for example. Close to the transition, regions repeatedly form which temporarily have already completed the transition. “The resulting image is always very grainy. Therefore, a computer cannot distinguish it from the original it is searching for,” explains Flach.
“Although the study has just been submitted to a specialist journal and is only available online in an archive, it has already provoked a large number of responses in the community — and not only in Hacker News,” says Flach. “I was very impressed by the depth of some comments in certain forums - in Slashdot, for example.” The specialists are obviously impressed by the ingenuity of the approach, which means passwords could be very difficult to crack in the future. Moreover, the method is easy and quick to implement in conventional computer systems. “An expansion to several p-Captcha levels is obvious,” says Flach. This, however, requires increased computing power to reverse the chaotic development in a reasonable time: “We therefore want to investigate various Hamiltonian and non-Hamiltonian systems in the future to see whether they provide faster and even more effective protection.”
— Read more in T. V. Laptyeva, S. Flach, and K. Kladko, “The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs,” arXiv:1103.6219v1 [cs.CR] (31 March 2011)