Mitigating Dictionary Attacks with Text-Graphics Character CAPTCHAs

Abstract

We propose a new construct, the Text-Graphics Character (TGC) CAPTCHA, for preventing dictionary attacks against password authentication systems allowing remote access via dumb terminals. Password authentication is commonly used for computer access control. But password authentication systems are prone to dictionary attacks, in which attackers repeatedly attempt to gain access using the entries in a list of frequently-used passwords. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are currently being used to prevent automated bots from registering for email accounts. They have also been suggested as a means for preventing dictionary attacks. However, current CAPTCHAs are unsuitable for text-based remote access. TGC CAPTCHAs fill this gap. In this paper, we define two TGC CAPTCHAs and incorporate one of them in a prototype based on the SSH (Secure Shell) protocol suite. We also prove that, if a TGC CAPTCHA is easy for humans and hard for machines, then the resulting CAPTCHA is secure. We provide empirical evidence that our TGC CAPTCHAs are indeed easy for humans and hard for machines through a series of experiments. We believe that a system exploiting a TGC CAPTCHA will not only help improve the security of servers allowing remote terminal access, but also encourage a healthy spirit of competition in the fields of pattern recognition, computer graphics, and psychology.