GOTCHA Challenge (Un)Solved
Password-based authentication is common due to its high usability and ease of implementation; however, it raises many security problems. This implies a continuous effort in designing new password-based authentication techniques. J. Blocki, M. Blum and A. Datta introduced GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart), an innovative method to perform password-based authentication: a challenge-response mechanism that gives humans a great advantage over machines. The authors of GOTCHA proposed a public challenge to test its strength. We disclosed all 5 passwords of the first round, because of a leakage in the released code. In this paper, we present our attack: an improved brute-force that revealed each of the 7-digit passwords in less than 0.5 h and the 8-digit password in approximately 1.5 h on a personal laptop.
Keywords: GOTCHA challenge; Password-based authentication; Hash functions; Offline attacks; Dictionary attacks
The author would like to thank Alex Gatej for pointing out the GOTCHA challenge.