Title :
A text graphics character CAPTCHA for password authentication
Author :
Dailey, Matthew ; Namprempre, C.
Author_Institution :
Electr. Eng. Dept., Sirindhorn Int. Inst. of Technol., Patumtani, Thailand
Abstract :
We propose a new construct, the Text-Graphics Character (TGC) CAPTCHA, for preventing dictionary attacks against password authenticated systems allowing remote access via dumb terminals. Password authentication is commonly used for computer access control. But password authenticated systems are prone to dictionary attacks, in which attackers repeatedly attempt to gain access using the entries in a list of frequently-used passwords. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are currently being used to prevent automated "bots" from registering for email accounts. They have also been suggested as a means for preventing dictionary attacks. However, current CAPTCHAs are unsuitable for text-based remote access. Our TGC CAPTCHA fills this gap. In this paper, we define the TGC CAPTCHA, prove that it is a (secure) CAPTCHA, demonstrate its utility in a prototype based on the SSH (Secure Shell) protocol suite and provide empirical evidence that the test is easy for humans and hard for machines. We believe that the system will not only help improve the security of servers allowing remote terminal access, but also encourage a healthy spirit of competition in the fields of pattern recognition, computer graphics and psychology.
Keywords :
character recognition; computer graphics; dictionaries; electronic mail; message authentication; psychology; telecommunication security; text analysis; transport protocols; CAPTCHA; SSH; TGC; completely automated public turing tests to tell computers and human apart; computer access control; computer graphics; dictionary attack prevention; dumb terminal; email account registration; password authentication; pattern recognition; psychology; remote terminal access; secure shell protocol suite; server security; text graphics character; Access control; Access protocols; Authentication; Automatic testing; Computer graphics; Computer security; Dictionaries; Humans; Pattern recognition; Prototypes;
Conference_Title :
TENCON 2004. 2004 IEEE Region 10 Conference
Print_ISBN :
0-7803-8560-8
DOI :
10.1109/TENCON.2004.1414527