
Will GOTCHAs Replace CAPTCHAs? - ca98am79
http://www.technologyreview.com/view/520306/will-gotchas-replace-captchas/
======
idupree
The paper:
[http://arxiv.org/pdf/1310.1137v1.pdf](http://arxiv.org/pdf/1310.1137v1.pdf)

Its thesis: "We introduce GOTCHAs (Generating panOptic Turing Tests to Tell
Computers and Humans Apart) as a way of preventing automated offline
dictionary attacks against user selected passwords."

It cites
[http://eprint.iacr.org/2006/276.pdf](http://eprint.iacr.org/2006/276.pdf)
which it is an improvement upon.

As far as I can tell from reading the papers, though it does not state this,
the purpose is to make offline dictionary attacks harder by helping the users
create/remember a higher amount of entropy than they do with a password.[1]
Given ten images to be matched up with phrases, there are 10! matchings,
providing at most log2(10!) = 21.8 bits of entropy (fewer bits if computers
can make even a really bad guess at which phrases go with which pictures).
That is about as much entropy as in four randomly-generated lowercase-letter-
or-digit characters (log2(36^4) = 20.7): a great improvement for bad
passwords, but modest for good passwords. The authors are hoping that its
easiness-to-remember per bit of entropy is significantly greater than that of
passwords (randomly generated and human chosen passwords).

[1] Once the attacker has gained all server data, there's no stopping brute-
forcing. Even with SRP ( [http://srp.stanford.edu/](http://srp.stanford.edu/)
) in which the server _never_ sees the plaintext password, if the attacker
gains a password's verifier that's stored on the server then they can offline-
brute-force it. In this case, a brute-forcer would brute-force {password +
which picture goes with which phrase}.
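A small worked version of the arithmetic in the comment above, added here as an illustration rather than code from the paper or the commenter: it computes the entropy of a uniformly random matching of k images to k phrases, expresses it as an equivalent number of random alphanumeric characters, and, for the footnote's point, sizes the offline search space an attacker with the stored verifier would face (dictionary entries times surviving matchings). The dictionary size and the fraction of matchings an attacker could prune are constructed inputs, not figures from the paper.

```python
import math


def matching_entropy_bits(k: int) -> float:
    """Bits of entropy in a uniformly random one-to-one matching of k
    images to k phrases: log2(k!). For k = 10 this is ~21.8 bits."""
    return math.log2(math.factorial(k))


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Bits in a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits: float, alphabet_size: int) -> float:
    """How many random characters over `alphabet_size` carry `bits`
    of entropy (the comment's comparison with 4 lowercase/digit chars)."""
    return bits / math.log2(alphabet_size)


def offline_guess_count(dictionary_size: int, k: int,
                        prunable_fraction: float = 0.0) -> int:
    """Worst-case number of (password, matching) pairs an attacker who
    holds the server-side verifier must try. `prunable_fraction` is a
    constructed knob modelling matchings a classifier could rule out
    in advance (the comment's 'even a really bad guess' caveat)."""
    if not 0.0 <= prunable_fraction < 1.0:
        raise ValueError("prunable_fraction must be in [0, 1)")
    matchings = math.factorial(k)
    surviving = math.ceil(matchings * (1.0 - prunable_fraction))
    return dictionary_size * surviving


def summary(k: int = 10, alphabet_size: int = 36,
            dictionary_size: int = 10_000) -> dict:
    """Collect the comparison figures for a k-image GOTCHA.
    dictionary_size is a constructed example value."""
    bits = matching_entropy_bits(k)
    return {
        "matching_bits": round(bits, 1),
        "four_char_bits": round(random_string_bits(alphabet_size, 4), 1),
        "equivalent_chars": round(equivalent_length(bits, alphabet_size), 1),
        "guesses_no_pruning": offline_guess_count(dictionary_size, k),
        "guesses_half_pruned": offline_guess_count(dictionary_size, k, 0.5),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The multiplicative factor is the whole argument: once the verifier is stolen, the matching only helps to the extent that k! (or whatever survives pruning) multiplies the password search, so the gain is meaningful against weak passwords and marginal against strong ones.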

------
neotek
My bank made me choose three icons out of a list of 50 that I have to re-pick
every time I log on to internet banking. I have no fucking idea which icons I
picked, or why, or what significance the bank imagines that an icon of a frog
could possibly have for me. All I know is that I don't use that bank much any
more.

