POSH: a generalized captcha with security applications

Authors:
Waseem Daher;Ran Canetti
Affiliations:
Massachusetts Institute of Technology, Cambridge, MA, USA;IBM T.J. Watson Research Center, Hawthorne, NY, USA
Venue:
Proceedings of the 1st ACM workshop on Workshop on AISec
Year:
2008

Citing 9
Cited 2

Securing passwords against dictionary attacks

Proceedings of the 9th ACM conference on Computer and communications security
Telling humans and computers apart automatically

Communications of the ACM - Information cities
Déjà Vu: a user study using images for authentication

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Graphical dictionaries and the memorable space of graphical passwords

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
On user choice in graphical password schemes

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
The design and analysis of graphical passwords

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
The Emperor's New Security Indicators

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Obfuscating point functions with multibit output

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Mitigating dictionary attacks on password-protected local storage

CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology

Towards a secure human-and-computer mutual authentication protocol

AISC '12 Proceedings of the Tenth Australasian Information Security Conference - Volume 125
GOTCHA password hackers!

Proceedings of the 2013 ACM workshop on Artificial intelligence and security

Quantified Score

Hi-index	0.00

Visualization

Abstract

A puzzle only solvable by humans, or POSH, is a prompt or question with three important properties: it can be generated by a computer, it can be answered consistently by a human, and a human answer cannot be efficiently predicted by a computer. In fact, unlike a CAPTCHA, a POSH does not necessarily have to be verifiable by a computer at all. One application of POSHes is a scheme proposed by Canetti et al.~that limits off-line dictionary attacks against password-protected local storage, without the use of any secure hardware or secret storage. We explore the area of POSHes, implement several candidate POSHes and have users solve them, to evaluate their effectiveness. Given these data, we then implement the above scheme as an extension to the Mozilla Firefox web browser, where it is used to protect user certificates and saved passwords. In the course of doing so, we also define certain aspects of the threat model for our implementation (and the scheme) more precisely.