epl draft

The weak password problem:chaos, criticality, and encrypted p-CAPTCHAs

T.V. Laptyeva1, S. Flach1 (a) and K. Kladko2

1 Max-Planck-Institut fur Physik komplexer Systeme - Nothnitzer Straße 38, D-01187 Dresden, Germany2 Axioma Research - 555 Bryant Street, Palo Alto, CA 94303, USA

PACS 05.45.-a – Nonlinear dynamics and ChaosPACS 89.20.Ff – Computer science and technologyPACS 89.75.Fb – Structures and organization in complex systems

Abstract. - Vulnerabilities related to weak passwords are a pressing global economic and securityissue. We report a novel, simple, and effective approach to address the weak password problem.Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, andcomputational round-off errors we design an algorithm that strengthens security of passwords.The core idea of our simple method is to split a long and secure password into two components.The first component is memorized by the user. The second component is transformed into aCAPTCHA image and then protected using evolution of a two-dimensional dynamical systemclose to a phase transition, in such a way that standard brute-force attacks become ineffective.We expect our approach to have wide applications for authentication and encryption technologies.

Introduction. – Computer and information securityhas been subject to intensive research for over 50 years.This included investigation of cryptographic methods, aswell as generic security of computing devices, operatingsystems and networks. However, it is only relativelyrecently that the importance of the human factor hasbeen given proper attention. Passwords are the commonmethod for authentication and encryption used to securedigital life. Humans have limited capacity to rememberpasswords and tend to select passwords that are too sim-ple and predictable. Security breaches related to weakpasswords are widespread events. Consumers and enter-prises around the world are looking for ways to address theweak password problem [1, 2]. In this paper we proposea simple method to address the problem by combiningchaotic dynamics, phase transitions, and pattern recogni-tion advantages of the human brain. We do not design anew encryption scheme. Instead we use standard encryp-tion tschemes, and add a littel overhead on top in order tosubstantially enhance security. A major building block ofthe proposed algorithm is the dynamic behavior of com-plex extended non-linear systems, in particular, Hamilto-nian lattices close to a phase transition [3, 4]. These sys-tems display non-ergodicity, deterministic chaos [5], and

(a)E-mail: flach@pks.mpg.de

spontaneous formation of coherent space-time structures.Building upon dynamical chaos and computational round-off errors and utilizing superiority of the human brainover computers with respect to pattern recognition, ourmethod protects a secret token, which can be used, incombination with a regular password, to derive a secretkey for data encryption.

It was estimated in 2009 that 86% of US companiesuse password authentication and encryption [6]. A weakpassword used with a strong encryption or authentica-tion algorithm potentially makes a computer system vul-nerable to brute-force password search attacks. Studieshave shown that users will generally address the passwordcomplexity problem by using simple predictable pass-words [7, 8]. Schneier examined 34,000 MySpace onlinepasswords and concluded that 65% of them contained 8characters, with most frequently used passwords being“password1”, “abc123”, “myspace1”, and “password” [8].Other user strategies include using the same password forevery account, writing down passwords, storing passwordsin files, and reusing or recycling old passwords. Horowitzreported that 15-20% of the users on a regular basis wrotedown their password on a Post-it note attached to thecomputer monitor [8]. Another study found that 66% ofusers keep password paper records at work and 58% keeppasswords in files [8].

p-1

arX

iv:1

103.

6219

v2 [

cs.C

R]

1 J

ul 2

011

T.V. Laptyeva et al.

Vulnerabilities related to weak passwords have signifi-cant economic effect globally. Results of a recent study[8,9] revealed that identity fraud affects nearly 5% of con-sumers, or nearly 10 million people in the USA per year.The total annual cost of identity fraud in the United Stateswas more than $55 billion in 2006 [9]. Vulnerabilities re-lated to weak passwords have significant economic effectglobally.

Cryptographic science utilizes discrete reversible func-tions that operate on bit strings and take a secret keyas a parameter. As an example, Advanced EncryptionStandard (AES) [10] specifies an encryption function ap-proved for use by the US government. AES encrypts datain input/output blocks of 128 bits. The secret key lengthssupported by AES are 128, 192, and 256 bits. These longkey lengths were selected to make brute-force attacks in-feasible.

Over the years, a number of more sophisticated crypt-analysis attacks were described for various cryptographicalgorithms. Such attacks are usually very technical andalgorithm-specific and rely on finding statistical correla-tions in the cryptographic function to extract informationon the cryptographic key. However, an ideal cryptographicfunction depends on its inputs in a completely random waywith no correlations present. Therefore, a brute searchattack remains the essential attack used in real world tocompromise cryptographic algorithms.

For a completely random secret key used with the AESalgorithm, a brute-force attack is presently infeasible andwill probably remain so in the future. The situationchanges dramatically, when the key is limited to a smallersubspace of keys. A common situation is that the key iseither a password, memorized by a human, or is derivedfrom a password using a function known to the attacker.A brute search over a small subspace can then be doneefficiently.

A typical brute-force search attack requires that the at-tacker is in possession of the encrypted text (Ciphertext)C, and that the true key belongs to a subspace of keys S.The attacker can mount a Ciphertext-Only Attack by iter-ating through the space S and attempting to decrypt C ineach case into a Candidate Plain Text. Now the attackerneeds to determine whether it is the True Plain Text.This Recognition Problem is, therefore, a necessary part ofCiphertext-Only Attack, and amounts to designing an ef-ficient algorithm denoted as the Recognition Oracle (RO).Implementations of ROs make use of the block-encryptionstructure, standard file formats, and correlations in TruePlain Text.

Proposed scheme. – We assume that a confidentialdata file (D) is encrypted by a symmetric encryption algo-rithm, such as AES. We also assume that the encryptionand decryption are done by the same person, therefore wedo not address vulnerabilities due to messenger capture at-tacks when transmitting passwords. The encryption keyEK is a combination of a reasonable-strength password

component, which we denote as Short Password SP andan additional Strong Key SK: EK=SP+SK. The differ-ence between the proposed method and existing crypto-graphic technologies is that the user is not asked to mem-orize SK. Instead, the graphical representation of SK isembedded into a two-dimensional Image of Strong Keyof a momentary initial state (IS) of a nonlinear Hamil-tonian two-dimensional lattice system. This embeddingis similar to embeddings used in Completely AutomatedPublic Turing test to tell Computers and Humans Apart(CAPTCHAs) [11–13], therefore, we also coin it passwordCAPTCHA or p-CAPTCHA. A time evolution of the two-dimensional lattice is then performed. The chaotic evolu-tion transforms the p-CAPTCHA into a chaotic final lat-tice state (FS). Since our Hamiltonian system is close toa phase transition, this chaotic state will contain regular-ities at various space scales, such as a domain structures.Therefore the level of spatial correlations is the same bothfor IS and FS. If one encodes lattice site positions andvelocities using floating point numbers, these regularitieswill be manifested in the first half of the digits (the more-significant bits) of such an encoding. The second half ofthe digits (the less-significant bits) will have a pseudo-random nature due to the dynamical chaos in the system.

atD a D cr pt one y i

Fai dle

n ry eE c pt d

a aD t

ENCRYPTION

Initial Strong Key

Integration Forward

Masked ISK

Short Password

DECRYPTION

Short Password

Masked ISK

Integration Backward

Restored ISK

ATTACK

Incorrect Image

Integration Backward

No ISK

ISK Restoring Failed

Fig. 1: Schematic flow of the encryption, decryption and attackprocesses.

We split the state information of FS for each lattice siteinto two files. File F1 contains all more-significant bits,and file F2 contains all less-significant bits. We encrypt F2using the password SP, memorized by the user and obtainthe encrypted file EF2. The scheme finally also encryptsthe data D using the encryption key EK and generates theencrypted data file ED. We glue all three files together intoone resulting file EF=ED+F1+EF2.

To restore the data, EF is split into its three componentsED, F1 and EF2. The user is then asked to enter SP inorder to decrypt EF2 and to obtain F2. Files F1 and F2yield the correct final state FS. It is evolved back in time tothe initial state IS. Its image is shown as a p-CAPTCHA.The user is asked to read the characters and to type themin. The obtained strong key SK is combined with the

p-2

The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs

already provided SP into the encryption key EK. Finallythe encrypted data ED are decrypted into the original dataset D (see Fig.1).

Let us now assume that all three files ED, F1 and EF2are available to the attacker.

To mount a brute-force attack the attacker will scanthrough the password space of SP. For each passwordthe attacker will first try to decrypt EF2. Note that all(wrong) candidates for a decrypted F2 file will have thestructure of a series of integers, therefore the attacker cannot distinguish wrong from right by checking their struc-ture. The attacker can now use such a candidate for F2,obtain a candidate for the final state FS, integrate back-wards, and generate a candidate for the initial state IS.The corresponding image will a random set of domainsunless the correct SP was chosen initially. Since the dy-namical system evolves at a fixed temperature close toa phase transition, correlations of random domain wallimages and the p-CAPTCHA image are similar. The at-tacker is left with the option to run an image recognitionprogram over the candidate image. This takes 1-10 sec-onds (see discussion below) per recognition. Therefore,computer-based Recognition Oracles will not be efficient(see Fig.1).

Implementation. – In order to implement the strat-egy described above, we consider a two-dimensional squarelattice of N×N coupled double-well oscillators depicted inFig.2, which is described by the Hamiltonian

H =

N∑i,j=1

(1

2p2ij −

1

2u2ij +

1

4u4ij +

1

4+ Fij

),

Fij =∑k=±1

1

4

[(ui+k,j − uij)2 + (ui,j+k − uij)2

]. (1)

The lattice indices i, j correspond to the two directionsfor the square lattice. The equations of motion readuij = ∂H/∂pij , pij = −∂H/∂uij and are invariant un-der time reversal. We use N = 69 and perform timeevolution of the system using the symplectic Verlet al-gorithm [14]. The time step for the numeric integrationis h = 0.01, and double precision is used. The system (1)served as a simple model for structural phase transitionse.g. in ferroelectric materials as BaTiO3 and also SrTiO3

[15]. The phase transition is of the second order [16] at acertain critical value of the energy density which can beset roughly equal to the average temperature T . At hightemperatures the oscillators traverse the potential barriereasily, therefore, the average polarization order parame-

ter M = 1N2

∣∣∣∑ij sign(uij)∣∣∣ is zero for large N . For low

temperatures the energy of each oscillator is not sufficientto overcome the potential barrier, and the interaction be-tween oscillators enforces an ordered phase with M 6= 0.The temperature dependence of M is shown in Fig. 3. Thephase transition point is Tc ≈ 1.

The evolution of system (1) in the vicinity of the transi-tion point is characterized by a spatial correlation length

Fig. 2: The two-dimensional square lattice of coupled double-well oscillators described by Eq.(1). The springs indicate thenearest neighbour interactions. The double-well onsite po-tential for each oscillator includes two equilibrium positionsuij = ±1.

which diverges exactly at the phase transition point. Closeto the phase transition large clusters of the low tempera-ture phase emerge and disappear spontaneously. To ini-tialize the system, we assign random values to the mo-menta pij such that the kinetic energies p2ij/2 are dis-

tributed according to a Boltzmann distribution βe−βp2/2

with a temperature T ≡ β−1 = 0.9 (red circle in Fig.3)and coordinates uij = 1. We then integrate the equa-tions of motion up to a time of the order of 200 time units(t.u.) at which all temporal correlations decay. The imageof the thermalized local order parameter density distribu-tion (the signs of the oscillator coordinates) is shown inFig. 4.

After that we imprint the SK (here the word “CHAOS”)into the system and obtain the ISK or p-CAPTCHA(see Fig. 5 and left top image “ISK/RESTORED ISK”in Fig.6). The imprinting is done by using standardmasks for deformed yet clearly visible keyboard charac-ters. These masks are placed on the lattice, and the signsof all oscillator displacements inside such a mask area areset to ’+’, while keeping the absolute values of the dis-placements. The temperature is not affected by this oper-ation.

In order to protect SK, we integrate the equations of mo-tion further to some time τ (bottom-left image “MASKEDISK” in Fig.6). Since the equations of motion are timereversible, we can invert the integration, and expect to re-gain the original state ISK after back integration over thesame time τ . This is particularly true for the Verlet dis-cretization, which is also completely time reversible. How-ever, the underlying dynamical system is non-integrableand, therefore, chaotic [17]. Small perturbations will growexponentially fast as eλt where λ is the largest Lyapunovexponent [17]. We also note that the numerical integrationalgorithm, while being perfectly invertible in time, gen-erates round-off errors (for double precision, at the 15thdigit after the point). These small errors will accumu-

p-3

T.V. Laptyeva et al.

0.1 1.0 10.0

M

0

1.0

0.5

T

Fig. 3: Dependence of the order parameter M on the temper-ature T for Eq.(1). The red circle at the bottom indicates theoperational point of the algorithm.

late exponentially fast in time. Therefore, there exists themaximum loopback time τ∗ which still allows return toISK. For larger loopback times the image ISK is lost inthe high dimensional phase space of the system after theloopback evolution is performed. We find that τ∗ ≈ 400t.u.

Our strategy is then to choose τ to be close to τ∗. Withτ = 350 t.u. we can still integrate backwards and regainthe image ISK. The restored image is practically identicalto the original p-CAPTCHA we started with in Fig.5.

Slightest errors in the velocities and positions of theoscillators will be amplified when integrating back, andinhibit return to ISK. Indeed, we show this by slightly de-tuning the coordinate of an oscillator in the final statefar from the original image location (right bottom im-age “MASKED ISK WITH DETUNED SITE” in Fig.6):u20,20 → u20,20 + 0.00001. Backward integration of thecorrupted state leads to a loss of the ISK (right top image“NO ISK/RESTORING FAILED” in Fig.6).

Benchmarking. – Let us discuss estimates for thesecurity of the proposed algorithm. The knowledge ofthe password SP allows the legitimate user to decrypt thepseudo-random component and regain the correct state,which is then integrated in the reverse time direction, lead-ing to IS. The strong key SK together with the short pass-word SP is now used in a combination as a secure secrettoken to decrypt protected data.

Standard graphic cards - also called graphic processingunit (GPU) - are used by hackers to speed up brute forceattacks. This is possible since GPUs contain few hundredsof graphic processors (GP), as compared to one (some-times two) central processing units (CPU) which are at theheart of each computer. The difference is that GPs usu-ally have only restricted memory as compared to CPUs,yet this will be not of importance here. According to Hon-eyball [19] a login password with five characters is brute

10 20 30 40 50 60

+

10

20

30

40

50

60

Fig. 4: The thermalized state of Eq.(1) with parameters T =0.9, N = 69 in the color coding of coordinates after forwardintegration up to τ = 200 t.u.

force cracked within one second (GPU) compared to 24seconds (CPU). Six character passwords need 4 seconds(GPU) or 90 minutes (CPU). Seven characters yield 18minutes (GPU) versus 4 days (CPU). Finally, nine char-acters lead to 48 days (GPU) versus 43 years (CPU). Thespeedup factor in using GPUs is therefore of the order3 · 102 in most cases, corresponding to the number of GPson the GPU.

We assume that we have about 80 different choicesfor one character in a given password. Short passwordswith length L will therefore span a space of 80L units.Our scheme requires CAPTCHA recognition. Automaticrecognition programs need 1-10 seconds per image [?].Therefore, choosing the same length of a password as be-fore, a user will gain additional protection with the pre-sented method as the additional time needed for the bruteforce attack amounts to 80L/1000 seconds (note the thefactor 1000 is already assuming that all image recognitionprograms can be parallelized on the GPU). With this said,it is clear that our method gives additional security withthe same password length as used so far. However, we caneven reduce the SP length, still keeping a high level of se-curity. For instance, a SP with L = 6 amounts to a bruteforce attack with time 3000 years. Even a SP with lengthL = 5 needs 38 days for a brute force attack to be success-ful. To conclude these estimates, our scheme allows theuser to memorize a five character password but have theprotection of a standard nine character password, withassuming that GPUs can be effectively used to performimage recognition.

Outlook. – To conclude, we present an approach thatrelates the fields of dynamical chaos, criticality, and pat-tern recognition to cryptography. This approach allows usto use the evolution of a chaotic Hamiltonian system neara phase transition to embed and protect a secret tokenthat can subsequently be used for cryptographic purposes,such as encryption of confidential data. Our method can

p-4

The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs

10 20 30 40 50 60

+

10

20

30

40

50

60

Fig. 5: Initial ISK (p-CAPTCHA) of Eq.(1) with parametersT = 0.9, N = 69 in color coding of coordinates. Note that therestored image (after forward integration to τ = 350 t.u. andbackward integration to the origin) yields practically the sameimage.

be readily and straightforwardly implemented on a widevariety of existing computer systems and devices and, toour view, provides a significant step forward in protectionof confidential data as compared to the currently availablemethods of password-based encryption. We hope that ourfindings can open a promising topic for future research.Potential future directions include searching for optimalHamiltonian and non-Hamiltonian systems to be used as afoundation for our method, optimizing the performance ofthe method so that it can be executed on devices with lowcomputational power, as well as designing better imageembedding and evolution algorithms to provide strongerprotections against computer-based image recognition.

∗ ∗ ∗

We thank P. Fulde and R. Khomeriki for useful discus-sions and a careful reading of the manuscript.

REFERENCES

[1] Sikorski R. and Peters R., Science, 278 (1997) 2144.[2] Stross R., The New York Times, Sept.5 (2010) .[3] Cataliotti F. S., Burger S., Fort C., Maddaloni

P., Minardi F., Trombettoni A., Smerzi A. and In-guscio M., Science, 293 (2001) 843.

[4] Donner T., Ritter S., Bourdel T., Oettl A., KoehlM. and Esslinger T., Science, 315 (2007) 1556.

[5] Stark J. and Hardy K., Science, 301 (2003) 1192.[6] Zhang J., Luo X., Akkaladevi S. and Ziegelmayer

J., Eur. J. Inf. Syst., 18 (2009) 165.[7] Adams A. and Sasse M. A., Comm. ACM, 42 (1999) 41.[8] Hoonakker P., Bornoe N. and Carayon P., in Proc.

of the Human Factors and Ergonomics Society, 53rd An-nual Meeting 2009, p. 459.

[9] Monahan M. T., Identity Fraud Survey Report: Iden-tity Fraud Is Dropping, Continued Vigilance Necessary(Pleasanton, CA: Javelin Strategy and Research) 2007.

KSI DEKSAM

KSI DEKSAM

KSI ON

Fig. 6: The evolution of the image p-CAPTCHA into a chaoticstate and its reobtaining by integrating backwards (two leftimages). A slight detuning of one oscillator coordinate u20,20 →u20,20+0.00001 (shown by the arrow in the bottom right image)of the chaotic state, followed by a backward integration, missesthe image completely, leading to another random image of achaotic state.

[10] Advanced Encryption Standard, FIPS, 197 (2001)(available at http://csrc.nist.gov/publications/fips/).

[11] von Ahn L., Blum M. and Langford J., in Advancesin Cryptology, “EUROCRYPT-2003”, Vol. 2656 2003,p. 646.

[12] von Ahn L., Maurer B., McMillen C., Abraham D.and Blum M., Science, 321 (2008) 1465.

[13] Canetti R., Halevi S. and Steiner M., Cryp-tology ePrint Archive, 276 (2006) (available athttp://eprint.iacr.org).

[14] Verlet L., Phys. Rev., 159 (1967) 98.[15] Schneider T. and Stoll S., Phys. Rev. Lett., 31 (1973)

1254.[16] Stanley H. E., Introduction to Phase Transitions and

Critical Phenomena (Clarendon Press, Oxford) 1971.[17] Lichtenberg A. J. and Liebermann M. A., Regular

and Stochastic Motion (Springer, Berlin) 1982.[18] Honeyball J., in PCPRO, 1st June 2011 (available

at http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics- card-could-crack-your-password-in-under-a-second/).

[19] Bin B. Zhu et al., in CCS10,4th-8th October 2010(available athttp://homepages.cs.ncl.ac.uk/jeff.yan/ccs10.pdf).

p-5