Using a Password One Doesn't Consciously Remember
ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3-month period after [s]he learns to input it.
It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chance of guessing it is 1/100,000.
Not ready for practical use yet, but a very interesting concept that can develop further."
For reference, an eight character password consisting of random upper-case, lower-case and numbers has about 200,000,000,000,000 combinations. A twelve character pronounceable password is about the same, and is what I use for all of my "important" passwords with about a 20% chance of typos. If one were to pick a random English word out of /usr/share/dict/words, that password would be twice as secure as this method, and we know how easy a dictionary attack is.
In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill.
Using this technique, it would be possible to prove that you could not remember the password.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I wrote a paper on using mnemonics which you might find interesting
Celebrate the finer things in life