a secure CAPTCHA-free login design +

I just found out a pretty neat trick from Google Account login page

google celver fuck

Which immediately inspired me an idea: CAPTCHA-free login

The idea is simple:

CAPTCHAs sould be longer

CAPTCHAs should not be random characters, but a sentense of instructions

the instruction is like:

  • switch your 3rd and 8th character in your password
  • add an extra 3 after your 2nd character in your password
  • append the result of 23+17 at the end of your password
  • wrap your password with [] bracket
  • separate every single character of your password with a dot
  • move the last character in your password to the beginning

Bots have a slow time correctly recognizing CAPTCHAs, needless to say doing NLP well and carry out the correct actions.

You can cleverly design the CAPTCHA image distortion to trap the OCR AI program to make predictable mistakes, a honey pot that collect evidence and patterns and actively ban bad clients.

In a secret underground forum, you can compile these instructions into a code, like i3a9 means insert a 3 after te 9th character, outsiders can not enter even with the correct password.

This method also protect the user's password from eavesdropping and mass-target MITM attacks.

This entry was posted on Sunday, January 15th, 2012 at 11:07 and is filed under Tech. You can follow any responses to this entry through the RSS 2.0 feed. You can also waste a few coins for this post on my 42qu. You can skip to the end and leave a response. Pinging is currently not allowed.

4 Responses to “a secure CAPTCHA-free login design”

  1. killkeeper | January 16th, 2012 at 16:03 +

    (1) 处理你这些instruction不需要NLP, 识别关键字就可以了; 毕竟规则是有限的. 以前有个类似的会用自然语言提问的CAPTCHA一样被busted了, 也就是简单的规则关键字识别和匹配, 没有什么复杂的算法. 甚至这个比OCR还要快.

    (2) CAPTCHA的应用场合并不仅局限于要求密码的登录认证, 还有很多的比如为了限制刷票等等, 这种情况下对应的可操作的密文是什么呢?

    (3) 关于使用jargon来obfuscate你的instructions本身是个悖论吧. 用户在登录前, 没办法了解到这些黑话, 也就猜不出规则. 但是如果我的目标明确, 就是为了对特定的这个网站发起攻击, 我只需要花点时间搞个人类帐号, 然后建立一套黑话词典就行了. 毕竟如果我对这个论坛的任何资源都不感兴趣, 为啥还会花时间来破密码呢.

  2. killkeeper | January 16th, 2012 at 16:07 +

    而且从实现角度来说, 服务器一般都不会存用户的明文密码. 存的都是hash值. 你这个整个一套规则等于就是salt. 规则越多, 每条规则的变量越多, 组合出来的salt的可能性就越多, 莫非服务器要把所有的这些对应的加了salt的hash全部预存下来, 然后匹配用户输入的密文对应的hash?

    存明文密码又等于多了一层安全隐患吧?

  3. est | January 17th, 2012 at 10:01 +

    @killkeeper

    不需要存储明文密码的。密码字符没有替换和移除操作,只有交换和增加。而这些可逆变形步骤可以从CAPTCHA生成前得到。

    虽然可以被说成不需要NLP,但是我可以让指令更加复杂,比如要求在密码第三个字符后增加一个5位数的验证码,这种情况下,图形识别的强度跟传统CAPTCHA一样了。

    这个idea的使用场景并不是代替所有CAPTCHA,而主要是防止密码爆破,和中间人记录。正确密码是什么都不知道,你OCR正确率再高也没用。

    也就是相当于在字典爆破里添加了一些随机因素

  4. _ | January 18th, 2012 at 13:37 +

    比较有意思的想法

    1.的确可以不存储明文密码, 因为服务器可以逆instruction得到输入密码再salt/hash, 但防止不了中间人记录, 因为可以记录到instructions, 并且可逆.

    2.instruction生成达不到完全随机, 问题集合太有限. 识别难度远低于图像识别.

    3.要防止爆破, 只需要限制尝试次数和时间即可.

    4.如果像回复中的"加上5位数的验证码...跟传统CAPTCHA"一样, 那么就不是captcha-free, 而是yet another captcha

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
MARKDOWN is also enabled.