Does this look like an evil clown? Via the study.
Passwords are the worst. They’re long, complicated, impossible to memorize, and you need different cumbersome combinations for dozens of accounts. And even with all that, hackers are increasingly adept at cracking them. Password crackers use automation to break codes—generating thousands of combinations of numbers and letters and throwing them at a digital lock until one opens it. Ironically enough, even CAPTCHAs—which are specifically designed to distinguish between a human and a bot—can be cracked by an automated system.
So, one logical solution to thwarting password hackers is to develop a puzzle that only humans can solve—that way, only humans can cheat. A team of researchers at Carnegie Mellon believes inkblot images could be the answer.
This is what they propose, according to a study published this month on arXiv and unearthed today by MIT’s Technology Review. Patterns are randomly generated and the user assigns a phrase that describes them, based on their imagination—like the Rorschach tests psychologists use to try to peek into someone’s psyche.
For the image to the right, researchers gave the example, “Aunt Martha wants to squeeze your cheeks.”
Then when users come back to access the site, they have to re-associate their phrases with the patterns. The researchers call it Generating panOptic Turing Tests to Tell Computers and Humans Apart, or “GOTCHA.”
Inkblots are popular with password gurus for a couple of reasons. One, visual images are generally easier for people to remember than numbers. Two, recognizing patterns and associating them with intuited phrases is something machines aren’t able to do—not yet, at least. The human mind, on the other hand, “can easily imagine semantically meaningful objects in each image,” the study states.
Thus, hackers would need to be able to think like a human to crack the code, and would be forced to use actual humans to wage an attack. At the least, it would make password cracking much more cumbersome and expensive, researchers suggest.
The downside to Rorschach-style puzzles is that there’s no guaranteeing you’re going to interpret a pattern the same way twice. The same inkblot can conjure up one image on a good day and an entirely different one when you’re feeling cranky—and the website you need to access in a hurry won’t believe you’re not a robot.
Researchers tested this potential problem by employing 70 people from Amazon’s Mechanical Turk. The subjects assigned phrases to inkblot images and then later tried to match them back up. Only 17 percent got them all right, and 69 percent were able to remember at least half. So clearly, that part needs some work.
Even if it’s not realistic to replace CAPTCHAs with GOTCHAs, inkblots could be useful for helping us remember passwords—a visual cue to conjure up that wacky combination you came up with to secure your identity.
Microsoft floated this idea in 2007, based on prior research, in order to encourage stronger and safer passwords—a problem even more pressing today. But Microsoft’s approach was too complicated. The company proposed a system where a user writes the first and last letter of a picture they associate with the inkblot, then again with the next image, until you have a 20-character, strong-as-steel password. When you log back in, you see the same images to trigger the associations and match the corresponding letters.
That sounds like way too much effort for your average short-attention-span web user. And sure enough, when researchers reviewed the inkblot method, they found that it’s a great idea in theory, but humans are too lazy to bother. The researchers wrote dejectedly, “Perhaps the only conclusion is that the combination of convenience-seeking users and passwords is doomed to failure.”
That might be true. But if the trick is finding a password system that’s convenient but still secure enough to foil automated password cracking, then some kind of exclusively human recall sounds like the right approach—and for now, matching feelings and images with random patterns is one of the only games we can still beat our mechanical brethren at.
