Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind

Posted by samzenpus on from the locked-away dept.

MrSeb writes "A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence."

6 of 287 comments (clear)

  1. "Reliably better" by FireballX301 · · Score: 4, Interesting

    How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

    I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

    1. Re:"Reliably better" by errandum · · Score: 5, Interesting

      That is not true. It has been proven that passphrases can be weaker than passwords, simply because words usually follow each other in an ordered pattern.

      You'll be safe from brute force attacks, but not any attack that adds intelligence to the mix. And if the person cracking your password knows it uses music lyrics you love, you'll be even more at risk since it only has to test for the songs you like.

      What you just described is NOT safety.

    2. Re:"Reliably better" by djmurdoch · · Score: 5, Interesting

      But the brute forcer also has to try all sorts of stupid variations:

      One ton O'Mara
      Feel the beat from the tangerine
      Scuse me while I kiss this guy
      I can see Deirdre now Lorraine has gone

  2. Forty Five Minutes? by AlienIntelligence · · Score: 1, Interesting

    Who has 45 min to learn a new password? I can't see a company willing to
    pay someone for 0.75hr just to learn a password.

    -AI

    --
    For me, it is far better to grasp the Universe as it really is than to persist in delusion
  3. Re:So to recover your password ... by Dr_Barnowl · · Score: 5, Interesting

    The game only works if the machine knows what your password is, so that you can succeed at playing that sequence better.

    Which reveals the flaw in the scheme ; currently, the computer you are logging into doesn't need to know your password - it stores a hash instead. With this scheme, the machine needs a way to recover your password as plaintext, so that it can test you on it. Which means that if you can sieze the system itself, you can get into it, you just need to extract the password and train someone else to know it.

  4. Re:So to recover your password ... by dohzer · · Score: 3, Interesting

    I'm fairly sure that by the time anyone can SSL directly into your brain, they'll also have some sort of high-res MRI scanner to simply read your brain's contents.