These Rorschach Ink Tests Could Replace the Good Old CAPTCHA

The CAPTCHA is a wonderful thing, but it's not without its failings. And as hackers get better and better at cracking them, a team of CMU engineers are proposing an alternative: Inkblot tests.

It's called a GOTCHA (of course), and it stands for Generating panOptic Turing Tests to Tell Computers and Humans Apart. The test was developed by three CMU researchers named Jeremiah Blocki, Manuel Blum, and Anupam Datta, who wanted to capitalize on our natural predilection to visual pattern recognition. Their test is a variant of a HOSP, or a Human-Only Solvable Puzzle, which defend against offline dictionary attacks by requiring human interaction with each password. In other words, these puzzles defend against attacks where hackers will try millions of different passwords in an attempt to access your account.

Here's how GOTCHA would work: When a user signs up for a service—a new email account, let's say—they'll be shown a series if inkblot tests and asked to describe them in a few words. Then, when they come back a few days later to sign in, they're presented with the same inkblot tests plus their original answers. They simply have to match up the answers with the correct images. That way, it's tougher for a computer to replicate not only the uniquely human ability to see visual patterns, but also to replicate that ability in the same way twice.

According to the team's October 7 paper—creatively titled GOTCHA Password Hackers!—the CMU team tested their design using a small sample of 70 through Amazon's Mechanical Turk. And while some participants didn't match their answers up correctly, there was good evidence that most users could trust their memories, and it's likely that the test could be tailored to be more consistent. More here.