Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind

MrSeb writes "A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence."

"Reliably better"

[FireballX301]

How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

Re:"Reliably better"

He's not kidding. I just logged onto his /. account and posted this after reading the password he posted.

Re:"Reliably better"

[aaaaaaargh!]

I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

I highly doubt that the search space is large enough. You cannot memorize many song texts (no more than a few thousand, and I'm being optimistic here) and it is easy to predict from background information which songs you know and like. Given that, plus the fact that it is highly likely that you will start your passphrase at a word boundary, it looks awfully easy to break your 80+ character passphrase using a customized dictionary attack.

Passphrases from books might fare better, assuming that you have a few thousand books and choose the book and passage fairly randomly. (Then again, we all know the guy with the rubber gloves from movies, who inspects your books by letting them "fall open" and finds the right passage immediately...)

Re:"Reliably better"

[0100010001010011]

I like irreversible hashes generate passwords for me salted with wherever I am.

sha1('mypassword'+'slashdot.org')

Tada. Or if you're really paranoid.

sha512(md5(rot13('mypassword'+'slashdot.org');

Even sha512("") is just 0x cf83e1357eefb 8bdf1542850d66d8007d620e4050b5715dc8 3f4a921d36ce9ce4 7d0d13c5d85f 2b0ff8318d2877 eec2f63b931 bd47417a81a538327af927da3e

Good luck cracking that in your or my lifetime.

echo "Hello Worldslashdot.org" | sha512sum
78dce89143430dbbda805 9e7cc12a90c9d8f95090972579cb11bc23d119f7bea9f59646a40 b9da6dfd091d68d 9cac705e95091d778509af721402277b5d57ddf -

And if for some reason that wasn't enough. You could left shift everything by 64 to the left. So 97 would become 33 (!). Now you've just converted all of your a-o into '!' through '/'. And since most passwords require it start with a letter (for some arbitrary and unknown reason) prefx that with x.

My company has weird old unix password system that needs to be changed every month. Has to start with a letter. Has to have at least !$%or # in it. Has have numerous other requirements.

Take the month. Run it through a standard known crypto function that you wrote and tada, easily generated/memorized number, difficult to crack.

Filter error: That's an awful long string of letters there.

Re:"Reliably better"

[Yvanhoe]

The search space is incredibly small. You better add one or two unrelated words to that if you want to have a chance.

Re:"Reliably better"

[rjgii]

He must have changed it... I can not log in as "Anonymous Coward" anymore =(

Re:"Reliably better"

[errandum]

That is not true. It has been proven that passphrases can be weaker than passwords, simply because words usually follow each other in an ordered pattern.

You'll be safe from brute force attacks, but not any attack that adds intelligence to the mix. And if the person cracking your password knows it uses music lyrics you love, you'll be even more at risk since it only has to test for the songs you like.

What you just described is NOT safety.

Re:"Reliably better"

[RivenAleem]

But you don't get around the extraction by torture. You can tell someone your password is the first verse of God Save the Queen, but what you've got here is actually a form of biometric password, but instead of a finger print, it is instead using the unique process by which you learn a given task, a kind of 'brainprint'. You can still be coerced to enter the password, having been brought to the location. But would you be able to enter the password under duress?

Re:"Reliably better"

it's impossible to crack, ...

... until you start singing "Never gonna give you up. Never gonna let you down." every time you enter your password.

Re:"Reliably better"

[Joce640k]

There's numerous flaws in your plan, but that's beside the point.

The whole point of this system (which you missed) is that it's secure against rubber hose cryptanalysis (aka $5 wrench cryptanalysis).

Re:"Reliably better"

[hlavac]

Next up: Most popular song lyrics added to cracklib wordlist :)

Re:"Reliably better"

[jaymemaurice]

How can you predict which song is used if the person doesn't like it? Also, if the stored hash is small enough, you'd probably sooner brute-force a collision or threaten to kill the persons family.

Re:"Reliably better"

[hlavac]

Can you do SHA512 in your head? I can't, dammit!

Re:"Reliably better"

[djmurdoch]

But the brute forcer also has to try all sorts of stupid variations:

One ton O'Mara
Feel the beat from the tangerine
Scuse me while I kiss this guy
I can see Deirdre now Lorraine has gone

Re:"Reliably better"

[jaymemaurice]

Parents described flaws: Like only characters being 0-9 a-f? Such a crypto function can be known/modified without you knowing?

It's not really secure against the decrypt it or people you know die cryptanalysis, only the don't tell us and people protected by the encryption will live but not you situation.

Re:"Reliably better"

[jaymemaurice]

Deftones and many genres of music have lyrics which don't follow normal language ordering. How about the song scatman - not many actually like it but the lyrics easily burn into your head.

Re:"Reliably better"

[tbannist]

People don't tend to memorise songs they don't like. Generally speaking, most users would probably choose a lyric from one of the songs listed as their favourite songs on their Facebook (or equivalent) page. Additionally, if everyone were doing this and you had a collection of hashes you wanted to break, you could probably break a large percentage of them just by choosing the "best" lyrics from a list of the top 100 all-time songs.

Re:"Reliably better"

[tbannist]

Also, what happens if you're just really good at the game? I mean it's based on you being better at playing your password than other chords. If you're playing everything flawlessly are you permanently locked out?

Re:"Reliably better"

[SuricouRaven]

As the salt is known and fixed, it'd still be fairly efficient when bruting a large number of passwords at once as would be obtained from a stolen database. A trivial change would make life substantially harder for an attacker: change sha1(mypassword+'slashdot.org') to sha1(mypassword+username+'slashdot.org')

Re:"Reliably better"

[ThatsMyNick]

Nope, but you get can tell the "passphrase" and the hash algorithm you used.

Re:"Reliably better"

[silentcoder]

Sadly - songs you hate tend to stick in your memory far too well.
How many people can quote "call me maybe" or Justin Bieber's baby.

Now how many of them actually LIKE those songs ?

Re:"Reliably better"

[LordLimecat]

Shifting by 64 would result in uppercase letters like A turning into control characters and BELs.

Re:"Reliably better"

[ByOhTek]

Not just that, but for rubber-hose methods - have your victim go through the login a couple times, if you can access a remote login - record. Or even over the shoulder recording of a couple logins (well placed security cam) to get the desired sequence?

Seems like this has quite a few flaws.

As for the music lyrics, add quotes from movies/books and poems, and you have an even nicer space to go through. Especially if you can think of (to you) sensible and regular mutilations of the words.

Re:"Reliably better"

[jgtg32a]

I know your password,

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you ever knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:"Reliably better"

[jgtg32a]

Dammit, the AC I copied the lyrics from got it wrong, confidant not cosmonaut.

Re:"Reliably better"

[sirlark]

Yeah, the basic premise here is to store the key in muscle memory, which is a fantastic idea. It's difficult to forget (not impossible, but difficult) and near impossible to extract without the owner's knowledge and permission; An attacker might be able to induce finger tapping but capturing it and recording it will be extremely difficult. Also, it comes with an indirect from of biometric identification, because even if an attacker somehow manages to extract the correct key, the input mechanism can presumably pick out the pattern of entry far more precisely than an attacker could mimic without a hell of a lot of training. I'm still not sure about playing a game every time I want to log in to something, but as a access to an encrypted volume or a key ring at the beginning of my day... makes sense.

Re:"Reliably better"

[postbigbang]

While an interesting exercise, with outstanding payoff, I'd prefer to memorize the names of people that have been convicted of breaking into systems and abusing them, then sentenced to 30-50 years in a Gulag.

Think about it: forcing yourself to memorize a long stupid string because there are jerks out there that will break into your stuff, steal your identity, and give your credit card numbers for pennies per. There's something wrong here.

Re:"Reliably better"

[PopeRatzo]

Personaly I use a 30+ characters long easily typed sentence, and for extreme security needs (aka passphrase for sensitive backups) the whole paragraph wich comes at a hefty 180 chars...

Ain't nobody got time for dat.

Re:"Reliably better"

[camperdave]

mypassword+username is just as fixed as mypassword.

Re:"Reliably better"

[DarwinSurvivor]

That's a bad example. How hard could it possibly be to memorize a combined 10 words?

Re:"Reliably better"

[silentcoder]

Apple Rodeo Clowdscape Brain Horrible Homunculus Arousing Sixty Icicle

Re:"Reliably better"

[jcadam]

I don't know. I rather don't like the theme to "The Fresh Prince of Bel-Air", but years of watching that show when I was a kid has permanently burned the lyrics into my brain. Many an 80s sitcom theme song is still rattling around in my brain as well. Also, I only had to hear the nails-on-a-chalkboard-awful "Just A Friend" by Biz Markie once and I will now be able to instantly recall the lyrics to the chorus until the day I die.

Re:"Reliably better"

[SuricouRaven]

It is, yes. But it means you can't construct a salt-specific table, or compare a single hashed salted-password with every password on the stolen database to find a match. If you use the username as part of the hash, then the attacker needs to run their brute force on every single user individually.

Re:"Reliably better"

[Jeremiah+Cornelius]

This subconscious method works well. Ask any lone, crazed gunman. Just don't mention "Catcher in the Rye".

Re:"Reliably better"

[Yvanhoe]

How large would be a library of all the songs lyrics out there ? I would guess a few GB top. That means that in the 10-80 range of length, you have a research space of 10^9 * 70. That is 36 bits of entropy, roughly the same as an alphanumeric (lower/upper case) password of 6 characters.

Re:"Reliably better"

[cstacy]

11A ...11A2B...1B2B3...Zero-Zero-Zero Destruct Zero

Re:"Reliably better"

[Siridar]

Correct horse battery staple.

Re:"Reliably better"

[AliasMarlowe]

While an interesting exercise, with outstanding payoff, I'd prefer to memorize the names of people that have been convicted of breaking into systems and abusing them, then sentenced to 30-50 years in a Gulag.

Think about it: forcing yourself to memorize a long stupid string because there are jerks out there that will break into your stuff, steal your identity, and give your credit card numbers for pennies per. There's something wrong here.

Exactly. There is value for most people in being able to divulge the password under duress. Merely denying that you know the password - even if true - won't get you far in court.

And anyway, I use passwords that I can remember, which are not words or composite words or leet-modified words or phrases, and they have rather more than 38 bits of entropy. A quick calculation indicates almost 62 bits of entropy for the password I use here, and I use several passwords of similar or greater complexity for other purposes.

Re:"Reliably better"

[camperdave]

Considering that the salt is just as unique as the username, I don't see that it gains you anything. After all, if you have the database, you already have the username. Looking back at your earlier post, I have to ask: Where did you get the idea that the salt was known? It is only known to the user. To the attacker, it just multiplies the search space, since you now have to "unhash" each password against each possible salt sequence.

Re:"Reliably better"

[girlintraining]

But the brute forcer also has to try all sorts of stupid variations:

An 8 character password using ASCII printable characters only has 5,595,818,096,650,401 possibilities. I'm guessing less than that number of songs have been written... even with variations in lyrics. Even with a thousand variations per song, and a trillion songs to seed the password cracker... you're still looking at a few minutes, perhaps an hour, to crack your password. Your keyspace is pathetically small.

Length does not increase entropy.

Re:"Reliably better"

[camperdave]

Somehow, I can't picture playing Guitar Hero to access my bank machine.

Re:"Reliably better"

[liquidweaver]

This is not a salt - that is an IV. They are not the same.
A salt exists outside the hash as well as plaintext.

Re:"Reliably better"

[bipbop]

That's nine, not ten!

It's not directly relevant, but you can memorize this fairly easily by breaking it into 3 sets of three, memorizing each set separately, then repeating them in sequence.

Re:"Reliably better"

[Fatch+Racall]

Screw that. Just use the easiest to remember password in history. upupdowndownleftrightleftrightbastart

Re:"Reliably better"

[Eponymous+Hero]

Merely denying that you know the password - even if true - won't get you far in court.

that was true before they invented subconscious muscle memory passwords. now it's plausible.

Re:"Reliably better"

[0100010001010011]

Do you really think someone is going to magically coordinate ALL of my online accounts at the same time. And it's not like any place will let you use the full SHA256. So what if I picked every other letter? Or the last 10 instead of the first 10?

Remember, slashdot and other sites (hopefully) have their own hashing mechanism. So now you're trying to reverse the md5 sum of every other letter of the first 20 characters of a Sha256 that have been shifted by (int)-34

They're picking the low hanging fruit, people that have password123!.

  I feel sufficiently safe that someone isn't going to start posting as me.

Re:"Reliably better"

[0100010001010011]

(Hint, sha only returns lowercase).

Re:"Reliably better"

[hacksoncode]

The rubber hose cryptanalysis won't be able to get you to *tell* them the password, but I see no reason why they couldn't get you to *reveal* it by playing the game.

Since it's subconscious, you won't even know that you're revealing it.

Re:"Reliably better"

[antdude]

o/~ (Yeah, Ah-Ah-Ah-Ah-Ah-Ark)
Oo-ooh-ooh, hoo yeah, yeah
Yeah, yeah Yeah-ah-ah Yeah-ah-ah Yeah-ah-ah Yeah-ah-ah Yeah, yeah, yeah

Seven a.m., waking up in the morning Gotta be fresh, gotta go downstairs Gotta have my bowl, gotta have cereal Seein' everything, the time is goin' Tickin' on and on, everybody's rushin' Gotta get down to the bus stop Gotta catch my bus, I see my friends (My friends)

Kickin' in the front seat Sittin' in the back seat
Gotta make my mind up Which seat can I take?

It's Friday, Friday Gotta get down on Friday Everybody's lookin' forward to the weekend, weekend Friday, Friday Gettin' down on Friday Everybody's lookin' forward to the weekend

Partyin', partyin' (Yeah) Partyin', partyin' (Yeah) Fun, fun, fun, fun Lookin' forward to the weekend

7:45, we're drivin' on the highway Cruisin' so fast, I want time to fly Fun, fun, think about fun You know what it is
I got this, you got this My friend is by my right, ay I got this, you got this Now you know it

Kickin' in the front seat Sittin' in the back seat Gotta make my mind up Which seat can I take?

It's Friday, Friday Gotta get down on Friday Everybody's lookin' forward to the weekend, weekend Friday, Friday Gettin' down on Friday Everybody's lookin' forward to the weekend

Partyin', partyin' (Yeah) Partyin', partyin' (Yeah) Fun, fun, fun, fun Lookin' forward to the weekend

Yesterday was Thursday, Thursday Today i-is Friday, Friday (Partyin') We-we-we so excited We so excited We gonna have a ball today

Tomorrow is Saturday And Sunday comes after ... wards I don't want this weekend to end

R-B, Rebecca Black So chillin' in the front seat (In the front seat) In the back seat (In the back seat) I'm drivin', cruisin' (Yeah, yeah) Fast lanes, switchin' lanes Wit' a car up on my side (Woo!) (C'mon) Passin' by is a school bus in front of me
Makes tick tock, tick tock, wanna scream Check my time, it's Friday, it's a weekend We gonna have fun, c'mon, c'mon, y'all

It's Friday, Friday Gotta get down on Friday Everybody's lookin' forward to the weekend, weekend Friday, Friday Gettin' down on Friday Everybody's lookin' forward to the weekend

Partyin', partyin' (Yeah) Partyin', partyin' (Yeah) Fun, fun, fun, fun Lookin' forward to the weekend

It's Friday, Friday Gotta get down on Friday Everybody's lookin' forward to the weekend, weekend Friday, Friday Gettin' down on Friday Everybody's lookin' forward to the weekend

Partyin', partyin' (Yeah) Partyin', partyin' (Yeah) Fun, fun, fun, fun Lookin' forward to the weekend o/~ :P

Re:"Reliably better"

[errandum]

Just the fact that lyrics are used immensely reduces the search space. The length is only perceived security, not real security...

Re:"Reliably better"

[mcgrew]

How about the Rolling Stones' "Angie"? Was there ever such a sappy, insipid tune with such stupid lyrics?

Re:"Reliably better"

[wierd_w]

That's why you use a mnemonic device.

For instance, to remember my prepositions in school, I was confronted with the following list:
(wrote memory was the method dujour at my gradeschool)

about, above, across, after, against, along, among, around, beyond, but, by ...

Thats a pretty long list of seemingly unrelated words. (the full list is even longer.)

To keep the list, I imagined it as a series of cryptic announcer panels in a cheesy comic book. Our hero first swings somewhere "About above" the perp, "across 'after'" (rather, a large neon sign which features the word), "against 'along'" (where he scales up some graffiti on a wall saying "cant we all just get along?") , "Among; Around" (where he disperses among a crowd to get around the security forces patrolling a media event), and then "Beyond, but by." where he sneaks backstage behind the perp-- beyond observation, but near his mark.

I can remember the narrative structure, and so can remember the list. It got really complicated for the full list of prepositions though, which has over 50 words in it.

A list of prepositions has structure that could be defeated, because all the words are prepositions, and it's alphabetized. However, the approach to storyboard the obscure and seemingly disjointed and unrelated words into a coherent mnemonic will (or at least should) work with any long list of random words if you are imaginative enough. It helps you move "nonsense" out of short term memory, where it cant possibly be preserved, and into long term memory.

Another technique is to remember cadence and pitch along with the written words, so its like reciting a poem or a song. Humans are wired for music, even if they cant sing or play an instrument. Musical progressions are powerful tools for remembering bits of data. The lyrics dont need to make sense. Take for instance, the false lyrics to hiakugojuichi, "TV says donuts are high in fat, kazoo. Found a hobo in my room. It's princess leiah, the yodel of life, now give my sweater back or I'll play the guitar." While certainly more cogent than say: "Apples blessed toroid gamma crochet gingerbread tickling robot coffee watermelon ex-wife lead emergence confound listless goofball union applesauce tuple bastard wood", and therefore easily attacked, the latter can also be recorded musically/ through cadence. Observe:

Mine eyes have seen the glory of the coming of the lord
{Apples blessed toroid gamma crochet gingerbread}

He has opened up the vineyards where the grapes of wrath are stored
{ tickling robot coffee watermelon ex-wife lead}

He has struck down all our en'mies and has put them to the sword, his truth goes marching on
{emergence confound listless goofball union applesauce, tuple bastard wood}

Eg, if you "sing" the incoherent words to that tune, you will find the cadence matches sufficiently that you can then use the familiar song to recall the obscure list. Lyrics do not have to make sense, nor does the music have to be original, for the memory improving effect to manifest itself.

Another, less contrived set of lyrics that seems incoherent are the actual lyrics to Lemon Demon's "Word disassociation"

Good luck as an attacker, trying to figure out that my passphrases are all cadence based mnemonic devices. Even with the plaintext in front of you, if I didnt point it out, you would never see it.

That "Glory haleluja" one was 21 words long. You can remember a list of almost indefinite length, if you properly cross-link it with other information in subtle and obscure ways like this. I used that musical score, because it is frequently lobbed at people from a young age, and gets a strong hold, and is fairly commonly known.

Still, its pretty clear how music can help you remember even secure passwords.

Re:"Reliably better"

[anotherzeb]

It may be plausible but I think that here in the UK it's still illegal - we can be given 2 years inside for not revealing a password when asked for it by the relevant authority. I can see this system putting some people away for a little while.

Re:"Reliably better"

[SuricouRaven]

If the database is compromised, there's a good chance the salt is too.

If the attacker is aiming to compromise a specific account, you are right. But if they grabbed a database, they'd be just aiming to break as many as they can. Generating the hash is the computationally expensive part, much more so than comparing it to a stored hash. So the obvious method is to iterate through possible passwords (Brute or dictionary), salt, hash... and then compare this hash against every stored hash in the hope at least one would match. If you used the username as part of they hash, they'd need to salt and hash every potential password for every user - making their attack many times slower.

Using a constant salt also makes it possible to correlate, to see when two users have the same password set, which can reveal information such as which users are using weak passwords or if more than one account is associated with one person.

Re:"Reliably better"

[AmiMoJo]

Would you actually want to be unable to produce your password in that situation? If they can torture you for the password anyway it seems like not revealing it will only lead to more pain and eventual death. Of course if you have others relying on your silence it could be an option, but basically once you are at that stage you are fucked either way.

Re:"Reliably better"

Your keyspace is pathetically small

What if you're a hipster? The attacker would never have even heard of the song whose lyrics you used, so how could he try its lyrics?

Re:"Reliably better"

[LordLimecat]

The RETURN from sha isnt "lowercase", its hexadecimal. Its uncased, and could be implemented as either uppercase or lowercase; trying to perform ascii operations on it will not get consistent results, because it isnt ascii.

I assumed parent was talking about doing a bitshift on the input, which could, again, have unpredictable results if the SHA function is expecting text, and you send it "A" shifted 64 ascii chars down, which is a control character.

Re:"Reliably better"

[TCM]

Bad algorithm.

Why limit yourself to 0-9a-f in the final output? What if you need to change a single password? That's why you pipe the binary(!) hash to base64 and add $iteration: more possible characters in the output and changeable passwords. Ideally, make iteration the date you "created" the password.

Better do

echo "$user:$domain:$masterpassword:$iteration" | openssl sha -sha512 -binary | base64"

Re:"Reliably better"

[TCM]

What makes you think the "salt" is known? It's the secret in this case.

I use this same approach with some refinements and I do it on a non-connected box because "mypassword" is the ultimate master key to the whole idea. It's not a salt.

Re:"Reliably better"

[errandum]

It obviously can, and there is nothing wrong with using mnemonics to remember a complicated (normal) password, but the lyrics to your favorite song (or any song you listen to) are not secure in any way or form.

Re:"Reliably better"

[Tom]

I'd like to see the proof. Not because I don't believe you, but because I've done research in this area and hadn't heard of it before. Can you post a link or citation, please?

Re:"Reliably better"

[KingOfTheDustBunnies]

There's a bathroom on the right....

Okay, I've just decided that all my future passwords will consist of lyrics from "Louie Louie". That'll be completely uncrackable!

Re:"Reliably better"

[camperdave]

But why would a user's salt be in the database? Just because Alice uses sha1('mypassword'+'slashdot.org') as a password, doesn't mean that Bob uses sha1('bobpassword'+'slashdot.org') for his. Bob may use sha1('slashdot.org'+'bobpassword') or md5sum('bobpassword'+'slashdot') . Bob might even be using just sha3('bobpassword). The thing is, ripping off Slashdot's password database won't get you anything. Even knowing how Alice works it, doesn't tell you how Bob works it.

Re:"Reliably better"

[kbolino]

An 8 character password using ASCII printable characters only has 5,595,818,096,650,401 possibilities

GP was talking about 80 character passwords (not 8), which even if we assume a low entropy of 2 bits per character still gives you 160 bits of entropy. If you throw odd spellings, capitalizations, number substitutions, and in-jokes into the mix, you can significantly increase that number, but 160 bits still puts you well above

Length does not increase entropy.

Yes it does.

Let X and Y be independent and identically distributed distributions. Let H>=1 be the entropy of each variable (iid = same entropy).
Let Z be the concatenation of X and Y. Then p(Z) = p(X) * p(Y). The entropy of Z is:

H(Z) = E[log(p(Z))] = E[log(p(X) * p(Y))] = E[log(p(X)) + log(p(Y))] = E[log(p(X))] + E[log(p(Y))] = H + H = 2H

Since 2H > H, increasing the length of the string increased its entropy.

This is true if you pick ASCII characters at random, provided that longer passwords aren't transformed into a lower entropy version, such as by truncating or breaking into chunks and XORing them.

You may be able to make the case that using whole phrases instead of particular subphrases has (slightly) lower entropy by being more likely to be chosen by an adversary, but I would still say that, as a general rule, you can't go wrong by making your password longer.

Re:"Reliably better"

[wierd_w]

Agreed. You should never use a "widely known" phrase as a password. You should only use the musical score and cadence progression from your favorite song instead. The association is unknown unless you blab it. The reason people frequently use a song reference straight up is because it is easy to remember. Creating a random and high entropy password that fits the progression of that easily remembered musical phrase has nearly the same recall capability as using the unsecure lyrical phrase.

The idea is to have the ease of generation, length, and recall capacity of the musical score-- coupled to the secure and cryptically high entropy passphrase. (There is no reason why this technique could not be used with a raw hexadecimal crypto key, for instance. Just say the numbers and letters as the new lyrics.)

I was merely pointing out this connection. You *can* make use of your favorite song in the creation of your verifiably strong passwords and crypto keys-- you just use "parody" lyrics that "jive" with the musical score. Your brain will readily store the association, and then you can easily remember the password.

The association has no externally observable connection to your mnemonic device, and is unique to the individual who created it as long as they don't blab it. This forces the attacker to resort to brute force. If your password is sufficiently long, and high enough entropy, the universe will end before he successfully guesses it.

I do agree though. The naked lyrics to a song are by no means secure. It would be easily attacked with a dictionary attack, and some meatspace intel about the target's interests. Its about as dumb as using a name, a birthdate, or other "personal" data chunk as a password. A clever data mining period followed by a dictionary attack, and you're pwned.

Re:"Reliably better"

[errandum]

the wikipedia article kind of sums it up:

http://en.wikipedia.org/wiki/Passphrase#Security

If you use passphrases of music lyrics or any sentence that makes sense, then you are particularly vulnerable. Not saying passphrases can't be safe (long ones, with enough words, can - especially randomized words), but the method he described (music lyrics) is extremely weak.

Re:"Reliably better"

[errandum]

Your last sentence sums up my whole point :P. I was attacking the op's method, not passphrases. If your algorithm is secret and good enough, then they are extremely safe.

Re:"Reliably better"

[sarkeizen]

Please. just. die. Just go, get a hammer and hit yourself repeatedly until you stop moving.

Firstly you confuse the point of analyzing cryptography - it's not that X *can* be weaker than *y* - that could be true for just about any two systems. Rather it's a question of the amount of entropy the system delivers. Yes sentences will follow a Markov chain where each word narrows the potential pool of the next word however there is a rather large number of words that can initialize the system *STILL* makes it better than 8 character passwords. However that's ONLY if the person uses a sentence. If it's just a string of five nouns then you're SOL.

Secondly you seem to misunderstand that targeted attacks might narrow the amount of entropy - it also narrows the number of people who can even attempt the attack.

Re:"Reliably better"

[errandum]

Since you mention entropy, the entropy for the english language is around 1.1 bits per character (average), which is extremely low. Passphrase attacks, especially ones that use common english sentences (like song lyrics) are extremely weak by today's standards. Passphrases can be secure if they are long and/or random enough, but if you're gonna have to memorize a random sequence of words, why not memorize a damn password?

Re:"Reliably better"

[f3rret]

It may be plausible but I think that here in the UK it's still illegal - we can be given 2 years inside for not revealing a password when asked for it by the relevant authority. I can see this system putting some people away for a little while.

Is this legal? I mean here in Denmark we have "The right to remain silent", you should have that in the UK as well.

Re:"Reliably better"

[Skal+Tura]

Am i really the only one thinking there is something wrong about that? oO;

And here i thought you were innocent until proven quilty AND you do not need to testify against yourself - That is including giving your passwords, ie. granting access to potentially incriminating evidence or at the very least giving up your privacy.

What's next, sentenced for not confessing to something you may have or may not have done?
Why not skip court all together.

Re:"Reliably better"

[Xenna]

Absolutely, that's the classic 'game in the middle' attack!

How could they have missed that?

Re:"Reliably better"

[sumnerp]

OK, I'll play that stupid game for you, just stop hitting my partner/child/pet with your $5 cryptanalysis wrench/rubber hose/baseball bat.

Re:"Reliably better"

[riT-k0MA]

The tenth is all nine combined.

Re:"Reliably better"

[kbolino]

Proofreading FTW.

GP was talking about 80 character passwords (not 8), which even if we assume a low entropy of 2 bits per character still gives you 160 bits of entropy. If you throw odd spellings, capitalizations, number substitutions, and in-jokes into the mix, you can significantly increase that number, but 160 bits still puts you well above

... what any attacker with finite resources could brute-force in any conceivable amount of time.

Let X and Y be independent and identically distributed distributions.

Should be "random variables".

repetitive phrases slightly modified

[alphatel]

This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there’s a short pause. This entire process is repeated six more times, for a total of 3,780 items.

Replace 'character' with 'note' and it's clear subjects were tortured with Philip Glass for 80 hours and won't soon forget.

Re:repetitive phrases slightly modified

[Black+Parrot]

Replace 'character' with 'note' and it's clear subjects were tortured with Philip Glass for 80 hours and won't soon forget.

I notice the study didn't report on how many subjects jumped out the window afterward.

So to recover your password ...

State Security forces you to play this game?

Re:So to recover your password ...

[Dr_Barnowl]

The game only works if the machine knows what your password is, so that you can succeed at playing that sequence better.

Which reveals the flaw in the scheme ; currently, the computer you are logging into doesn't need to know your password - it stores a hash instead. With this scheme, the machine needs a way to recover your password as plaintext, so that it can test you on it. Which means that if you can sieze the system itself, you can get into it, you just need to extract the password and train someone else to know it.

Re:So to recover your password ...

[Grantbridge]

If you've seized the system already, then the passwords might as well be in plaintext. With this system users can't choose their own password, so knowing their password at once website won't help you break into their accounts on other websites, since they cannot be the same (except by chance.)

Re:So to recover your password ...

[Rich0]

I think this is one of the biggest weaknesses with any password-based system. We're too dependent on uncontrolled terminals, and nobody has figured out to do SSL directly to the human brain.

We like to blanket ourselves in feel-good measures like PCI/etc, but the fact is that nobody really knows if that box you're punching a PIN/etc into has been tampered with.

Re:So to recover your password ...

[dohzer]

I'm fairly sure that by the time anyone can SSL directly into your brain, they'll also have some sort of high-res MRI scanner to simply read your brain's contents.

Re:So to recover your password ...

[martas]

I could rig the game to let the user play random strings

Seems like that would take a pretty long time for 30 characters. Plus it might not work the way you describe -- it's not necessarily true that the user would be better at playing any substring.

Re:So to recover your password ...

[Gravis+Zero]

Homey don't play that game.

Re:So to recover your password ...

[Junta]

Shared secrets are not insecure. Applied incorrectly they are insecure.

When a given pairing is unique (i.e. the credential authenticates exactly one endpoint to exactly one other endpoint), then a breach of the level of acquiring the password data is likely going to yield nothing more than you already have: free reign over the system holding the data. In this case, the authenticator selected the characters randomly.

Shared secrets generally allow something that's impossible with one-way hashes: Being inherently impervious to MITM. The key would be that the secret must be set in a secure manner, but this is a straightforward and intuitive thing in general. For example, on some pieces of networking equipment, you must set initial SNMPv3 password using serial port before you can ever manage it. Intuitively, this makes sense to more people as they consider it 'initial setup' and over the network configuration is reasonably explained as chicken and egg. SNMPv3 uses the password as a shared secret, meaning a third party can't impersonate it, even though the admin took no effort to understand and implement something like a PKI.

In this situation, I presume the envisioned scenario is that the training would occur under a special circumstance (e.g. your super secret organization has you play this game in a secure office to train it where they control everything).

Re:So to recover your password ...

[tucks]

The only winning move is not to play.

Re:So to recover your password ...

[elucido]

State Security forces you to play this game?

Exactly. This game is just a way to trick people into getting themselves tortured.
It's really a dumb idea and whoever invented the concept doesn't really know shit.

Unbreakable crypto already exists. Unbreakable individuals never can exist. You can however have a group of very difficult to break people and this is fairly strong as long as the codes expire. It's not likely you'll capture and be able to torture all of them and without doing that you cannot reconstruct the password. If it's 5 people and you only can find 3 to torture, then you'll never get the password even if you break 3 out of 5.

Re:So to recover your password ...

[elucido]

I think this is one of the biggest weaknesses with any password-based system. We're too dependent on uncontrolled terminals, and nobody has figured out to do SSL directly to the human brain.

We like to blanket ourselves in feel-good measures like PCI/etc, but the fact is that nobody really knows if that box you're punching a PIN/etc into has been tampered with.

Even if it's not tampered with it still leaks emissions. The idea of a password when your key strokes make sounds which are unique, the person who thought of this was just a nerd who didn't know what he was thinking up.

This idea would never work in practice. It only works on paper because the real world isn't anything like academia. You cannot rely on passwords to secure secrets. If it's that important it should probably be biometrics and then the person wouldn't have to memorize it either as only their fingerprint would work anyway.

But then you'll say someone could capture them and make them enter the password or a bullet to their head? Well that could happen with this game system. They either beat the game or take a bullet to the head.

Re:So to recover your password ...

[rastoboy29]

Well, the CGI form or whatever of the application itself still gets your password in plain text when you log in.

It's hard to win this battle.

Re:So to recover your password ...

[yakovlev]

Well, you could calculate the encryption with pen and paper, and only enter the encrypted values. That would be safe on an untrusted terminal, but would not be immune to a hidden camera.

It also would not be immune to the user selecting "large" primes like 3 and 5, but that's their own fault. :)

Re:So to recover your password ...

[Tom]

If I can seize your system, I can usually install a key logger just as well. Storing hashes protects against a compromised database or OS, not against physical access.

How ingenious

[Chrisq]

The "cross-disciplinary team of US neuroscientists" came up with the most original excuse ever for why they were spending all their grant money on games consoles and all their time playing games.

Re:How ingenious

I can't stand idiots like you, who always act as if games were an "excuse" or "waste of time", when they are the MOTHER of all education, art, sports and entertainment.
There is no better way to explore something new, than games. That's what they are there for.
It's things like school as we know it, that is a waste of time and deeply utterly wrong.

Re:How ingenious

[metacell]

How on Earth did the parent get modded "Informative"? Funny, yes, informative, no.

Re:How ingenious

whoosh....

Re:How ingenious

[loimprevisto]

Mods occasionally rate a funny post as something else to boost that person's karma rating, since Funny doesn't give a karma boost.

...or at least that's how it used to work, something might have been tweaked in the moderation system since that was true.

Re:How ingenious

[Viol8]

"There is no better way to explore something new, than games. That's what they are there for."

Yeah ... right. I'm suuure the developers of Call of Duty were thinking about its educational aspect first and foremost.

"It's things like school as we know it, that is a waste of time and deeply utterly wrong."

In other words you're one of the thick kids who couldn't handle being educated so you pretend games are a valid substitute. Good luck trying to convince a future employer that your 733t score on Mass Effect 3 means you be given a job ahead of someone who bothered to work and got first class degree in a relevant subject.

Moron.

How is that resistant to rubber-hose cryptography?

Log in or else!

Does the server need to know the password?

[kasperd]

It sounds like the way this works, the server will need to know what the password is in order to produce the combined sequence. Doesn't that make it weaker than ordinary passwords? And if you repeatedly get the same random sequence, over time you'll learn that as well. OTOH if you get different random sequences, then it would be possible to extract the original sequence. Did I miss something here?

Re:Does the server need to know the password?

[queazocotal]

Sort of - there are caveats.

There are a few ways to do this.
Pretending that it's for the moment typing a letter in response to some other letter.
If the correct response to a stimulus 'A' is 'a' - then the server can take a response to a randomly chosen phrase -
AQRGS, and then get response fqrgs, and hand both of these over to an authentication server, which determines the match.

Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
In some apps, this may be a valid way to do things.

If you can get a reliable enough response from the user in a binary manner that you can determine the exact key, then you can simply hash this as any other password.
Having one server know all the passwords is a weakness, but it's a very known weakness.

Re:Does the server need to know the password?

Exactly so.

Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences.

This means attackers will play it twice recorded on video, then know your password. I think they're considering this a non-issue, since "knowing" is only half the battle -- but it can then be defeated by training offline on the known password, or possibly by deliberately muffing the random (non-password) sequences.

Re:Does the server need to know the password?

[realityimpaired]

Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
In some apps, this may be a valid way to do things.

Not really... if I want to crack your password, all I have to do is send a few requests to the authentication server, and look at the challenges it responds with. Find the sequence of 30 characters that's repeated in all of them, and there's your password.

Re:Does the server need to know the password?

[Tom]

Depends. "password strength" is usually used to judge the complexity of the password, not attacks on the server. So strictly speaking, storing plaintext passwords does not make the passwords any weaker (nor stronger), but it does weaken the system as a whole.

unbreakable my shiny ass

what prevents the rubber hose cryptanalysts from making you play guitar hero in front of their eyes? nothing.

Re:unbreakable my shiny ass

[jpate]

what if they already broke your hands to find out which computer system the sooper sekret information is kept on?

Why can't this be rubber-hosed out of someone?

If the user authenticates by performing some action, they can be coerced into performing that action.

Re:Why can't this be rubber-hosed out of someone?

[Black+Parrot]

If the user authenticates by performing some action, they can be coerced into performing that action.

Do you think having your piano teacher stand beside you slapping a rubber hose in her palm while you play makes it less likely for you to miss a note?

Re:Why can't this be rubber-hosed out of someone?

[kanweg]

the hose isn't necessary. Just the rubber would do, I guess.

Bert

Standard password security practices.

[mwvdlee]

Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game

I'm assuming I'll still be automatically logged out after 5 minutes of inactivity, cannot recover but will have to change my password when forgotten and passwords will expire every month?

Also; the research suggests users will have to perform better on the injected "password" sequences than random sequences... how will they deal with top players that get a perfect score every time for the entire sequence?

Re:Standard password security practices.

[arth1]

Nevermind that: They seriously expect people to sit through 45 minutes of training to learn a password?

And how long to log in?

But the biggest problem I see apart from the plain text storage of passwords is that people don't just authenticate to one place, but dozens or more. This could only work it was a global SSO system, where you log in once. But that implies that if the system is compromised anywhere it's compromised everywhere.

Colour me unimpressed. It's good that people study these things, but we need a system where scientists can report their study as a failure and still be thanked for their job. As it is, everything is marketed as a success, because that's what those who fund research want to see. Those are the idiots - they should reward the scientists for telling the truth, not for making a spin.

Easy to remember

[Centurix]

Up, left, left, left, down, up, down, up, right. Got it.

All NES players have a subconscious password:

[cvd6262]

up-up-down-down-left-right-left-right-B-A-start

Re:All NES players have a subconscious password:

[Black+Parrot]

up-up-down-down-left-right-left-right-B-A-start

care to elaborate?

Apparently some kind of masturbation joke.

Re:All NES players have a subconscious password:

[Anubis+IV]

It's the Konami code. Everyone here was supposed to learn it by their third year of nerddom, but it seems you may have forgotten your lessons.

For me, Contra on NES was the game that inscribed that in my memory forever (30 lives instead of 3? yes, please, for that game), and it still comes up fairly frequently. Just last month it came up during a meeting when my supervisor brought it up and then wrote it on the whiteboard in response to another topic.

Re:All NES players have a subconscious password:

[Black+Parrot]

Wow, what a couple of fucking idiots. I'm not even going to bother to elaborate on this. Unless you made your slashdot account when you were a baby, then you might as well hand over your geek card with that low UID.

This code has a Wikipedia article for fuck sakes. It is entered on the NES (that's another name for Nintendo Entertainment System, which is a game console. You should be able to Google for those) controller at the title screen of a game. The code gave you the potential to beat the game without being fucking hardcore. The Wikipedia article for the code is named after the company that made the game.

You have a funny way of not bothering to elaborate on this...

38 bits of entropy

Only 38 bits of entropy because there's only 6 choices for each of the 30 characters. Yeah a Tesla GPU can chew through that in a day. I'd post the relevant XKCD comic but I'm pretty sure everyone here knows what it is already.

Another variant

[art6217]

The system requires that you copy-write a short random message by hand, but at no point do you actually remember the subtleties of your individual writing style, like the ballpoint pressure or distribution of the shape of "o"s, meaning it can't be presented as a plain sequence of letters and it can't be obtained via coercion or torture i.e. rubber-hose cryptanalysis. The system, devised by Anonymous Coward, relies on implicit learning, a process by which you absorb new information, but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) does NOT involve anything, as your writing style is likely already precisely and intricately shaped for years.

Without a human specialist, a dedicated OCR software would need to be developed, though...

Re:Another variant

[art6217]

Yes, it's an obvious problem, just like with playing the game the same.

I do not claim, that a system like that would be good in general. I just wondered, if it could be simplified by resuing what's already learned.

No coercion?

[TranceThrust]

How does the scheme prevent ``play this game or I'll kill your family''?

Forty Five Minutes?

[AlienIntelligence]

Who has 45 min to learn a new password? I can't see a company willing to
pay someone for 0.75hr just to learn a password.

-AI

Re:Forty Five Minutes?

[geekmux]

Who has 45 min to learn a new password? I can't see a company willing to pay someone for 0.75hr just to learn a password.

-AI

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people) from losing their second most valuable asset (information).

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

Re:Forty Five Minutes?

[Corbets]

Who has 45 min to learn a new password? I can't see a company willing to
pay someone for 0.75hr just to learn a password.

-AI

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people) from losing their second most valuable asset (information).

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

Or they just might figure that people who lack the capacity to memorize a reasonably complex password may not, after all, be all that valuable of an asset.

Re:Forty Five Minutes?

[Overzeetop]

Who would allow a truly secure system to have static passwords - most require a change once a month. Now it costs 9 hours a year, or 0.5% of your entire payroll costs just to learn the passwords. Since the sequence must be played back using a large string of random sequences in which the password sequence is embedded, I presume that would probably take at least 2 minutes to be of both necessary and sufficient length. Let's presume that you only have to log in twice a day (when you arrive, and when you come back after lunch) to this truly secure system...that's 4 minutes a day or another 1000 minutes ~ 16 hours ~ a year. Now we're up to 1.25% of employee costs. If you have a 100,000 person company with US average wages (and they'll probably be higher than average if they're logging into a secure system), that's $75,000,000 a year.

Now, tell me again how much the executive board splitting an extra $75,000,000 in bonuses is going to react when you tell them that they need this highly secure password system, compared to the one they have that had resulted in few or no breaches in the past decade.

Re:Forty Five Minutes?

[Oligonicella]

Passwords are like religion: some people see the need for them in every aspect of life and would prefer they be ever more complex, forcing the user to memorize and supplicate to them.

Passwords are way overrated. This would neither increase nor reduce security issues, merely exchange sets. On the other hand, Guitar Hero might become extremely popular.

Re:Forty Five Minutes?

[BVis]

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people)

HAHAHAHAHAHAHAHAHAHAHA... oh wait, you were serious, let me laugh even harder...

To the vast majority of companies out there, you are not an asset, you are a liability on a balance sheet. Nobody can ever work hard enough to justify their salary, no matter how pathetic or insulting that salary is. You are less valuable than the office furniture.

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

In my experience, no 'senior executive' is technical enough to understand that phrase. Their eyes glaze over when you try to explain the need for passwords at all, let alone more secure ones. Then when you tell them that they need to jump through even the slightest hoop regarding security, the first thing they tell you is to make an exception for them, because they don't want to be any further inconvenienced. (Most of them resent the idea that they have to put in a password at all , let alone a reasonably secure one. Their convenience is far far FAR more important than data security, because they understand the former much more than the latter.) The second thing they tell you is do it or you're fired. I have first-hand knowledge of this attitude from multiple Fortune 500 companies as well as public sector entities. I've worked at places where the CEO's password (for EVERYTHING they access, from email to file shares) is the name of the company. And set to never expire. And known to everyone in IT, lest there be a problem with it.

Security at most big companies is a bad joke. You can yell and scream and beg and cajole and do anything you can think of to explain why what you're doing is grossly inadequate, but all it will get you is fired.

Uh, maybe I'm missing something but

[trifish]

it can't be obtained via coercion or torture â" i.e. rubber-hose cryptanalysis

Correct me if I'm wrong, but I fail to see how that could be true. How could you NOT be forced to play the authentication "game" by torture or coercion? wtf?

Re:Uh, maybe I'm missing something but

[jamesh]

it can't be obtained via coercion or torture â" i.e. rubber-hose cryptanalysis

Correct me if I'm wrong, but I fail to see how that could be true. How could you NOT be forced to play the authentication "game" by torture or coercion? wtf?

How are you going to type your password... if you have no fingers?

Re:Uh, maybe I'm missing something but

[Grantbridge]

They can do, but they still wouldn't know the password itself to be able to log in again without you. Possibly there would be a mechanism to enter a distress code which would then summon the police and lock your account to a honeybox instead? But then you could have that with other password mechanisms.

Re:Uh, maybe I'm missing something but

[fuzzyfuzzyfungus]

Very slowly. With your tongue. On the super-grimy keyboard from the public kiosk in the lobby.

So why don't you just make things easier for everybody and log in before Mr. Nibbles gets hungry? *display bolt cutters*

Good direction, impractical solution

[ItsIllak]

Passwords are clearly a very bad idea - they just don't work for any number of logical, social and practical reasons. So it's great to see real thought going into alternatives. Although I think the overhead of 45 mins learning and other issues with this are a problem, I think the general premise must have something in it that would work well.

The fact we can recognise that we know something, even if we can't repeat it - e.g. you know if someone sings the wrong lyrics to a song even if you can't remember them yourself - MUST have some solution to this problem embedded in it somewhere...

Re:Good direction, impractical solution

[Hatta]

My passwords work just fine. What's wrong with yours?

Congrats

You just refound how people learn masses of information when they need to.

Problem

[Arancaytar]

Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences.

This requires the password to be stored in clear in the system. I think the brain is more trustworthy than that...

Re:Problem

Worse than that. The password is repeatedly sent back to the user (though interspersed with random sequences).
Hence, I'm actually wondering whether this is the first authentication system that can be broken without understanding anything.
I.e. an attacker could simply try to break into someone's (let's call him Joe) account as follows:
The attacker pretends to be Joe. He gets the Joe's password to play and a few random notes. Since
Joe's password (or subsequences of it) appears more frequently than other stuff the attacker will eventually
learn to play the password better than random stuff. Hence eventually I'd expect that the attacker knows
Joe's password too without even realizing it until he manages to break into Joe's account.

Re:Problem

[girlintraining]

This requires the password to be stored in clear in the system. I think the brain is more trustworthy than that...

I suppose now is a bad time to point out that when people are recalling a password, their vocal cords show faint electrical activity due to subvocalization. In other words, you're speaking your password as you enter it, although without special equipment, it's presently not possible to detect this covertly.

Your brain is not trustworthy. It's not even fully understood.

Re:How is that resistant to rubber-hose cryptograp

[shentino]

Presumably the stress of duress would ruin your performance.

Re:Typing without knowing

[jamesh]

I've been doing something similar to this for the past 4 years.

I have a password that I can hardly spell (without looking at the keyboard), but I know how to type it fast.

Ditto. My typo's frequently consist of typing completely the wrong word.

Two weeks?

[aglider]

We need to recall the password after 1 year or even 2.
Please, go on with the tests!

Similar to PinPlus

[GroovinWithMrBloe]

I've looked at these guys before, http://www.pinplus.net/content/pin-nutshell Basically you remember a pattern and then to log in you are presented with a large grid of letters/numbers which you then have to type in the letters/numbers corresponding to your pattern. So you never reveal your pattern at any point, keyloggers/screenscrapers never have access to your pattern. Even if someone did get a screengrab, there are multiple instances of each letter/number in the grid, so you can't tell which position in the grid the user was referring to.

Re:Similar to PinPlus

[ThatsMyNick]

It doesnt provide the same entropy as the regular password though. You can only move to 7 adjacent squares, and it very likely that you will travel in a straight direction. As long people understand password length, and pattern length are not the same, make it quite random, it should be good.

Re:Similar to PinPlus

[GroovinWithMrBloe]

It's a bit more than 7 squares. See a demo here (the java applet): http://pluspin.com/demo/newsoftheworld - and obviously you can configure it to enforce a minimum pattern complexity if so required.

And once you forget the password

They ask you for your cat's name...

Re:And once you forget the password

[azalin]

They ask you for your cat's name...

Schroedinger stole my cat you insensitive clot!

Cannot protect

[hilather]

How are you supposed to protect a password that you don't even know? It seems to me if someone knew how the system worked, they could trick an unsuspecting user into divulging their password without the users knowledge. This is obfuscation, nothing more.

Biometrics?

[k(wi)r(kipedia)]

Wouldn't biometrics already be a better solution if you want an authentication routine that strong? I mean to bypass multiple input biometrics (fingerprint + some other bodily feature) you'd have to kidnap the user. And if you already have the user under your control, you can probably force any strong password out of him.

Re:Biometrics?

[Geoffrey.landis]

Some biometrics are hard to duplicate, some are easy to trick, and some have a tendency to change over time enough that they are truly worthless as indicators...

It's the first one that is the sticking point. How do you *know* that a biometric is hard to trick with, say, a photograph? What about next year, when the photography gets better?

Completely broken.

[bakuun]

A few readers have commented that the system will need to know your unhashed password. This is clearly bad, but there are even worse flaws.

A 30-character password sounds awfully strong (60^30 combinations if upper/lower-case chars and numbers are used). However, from the article: "Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences". This means that the number of characters is irrelevant, really. What matters is the number of "30-letter sequences", and since you need to play them all, they will need to be limited. How many? 10 would probably too many to play, but will still only be the equivalent of a single-digit password. This system will be trivial to crack with brute-force guesses.

Even worse, repeated "login attempts" will reveal which sequence is the correct one - simply check which sequence repeats between tries.

Re:Completely broken.

[cryptizard]

If you read the paper you will see that your credentials consist of a "password" sequence and two other static random ones. You are presented with these three sequences, in a shuffled order, each time so they will all repeat. I know we don't have a habit of reading the articles around here, but how could you think an article in a top-tier security conference would be that trivially broken? Additionally, they start with 3 challenge sequences but say that it could be expanded to 4 shorter password sequences and 8 random ones giving you 12 choose 4 = 495 possible passwords. It is also worth noting that this clearly has local authentication in mind where you would not allow more than 3 or 4 failed login attempts. As far as the hashed or unhashed goes, we can't be turning down good research because it is not completely perfect, lest we never accomplish anything.

Re:Completely broken.

[bakuun]

Ok, so there is a one-in-three chance of guessing the correct sequence, yes? Even if the whole operation would be quadrupled, as you said (choose the correct sequence, then again another three times), you will still have a 1-in-81 chance of guessing (3^4). This is by no means enough.

You mention allowing no more than three of four attempts, but this won't really work well either. You can't reliably do it by IP - it is easy for malicious users to jump between IPs (using e.g. botnets or different proxy servers), and if you do it by user account (e.g. ignoring IP, allowing only x number of attempts for the username before locking it down) you will have created the best possible scenario for denial-of-service attacks. Anybody would be able to lock anybody else's account trivially.

I agree that research is a good thing and that sequence-based login is kind of interesting, but the flaws really need to be covered as well. That is critical in any scientific field. As it is now, this method is completely unusable.

Re:Completely broken.

[cryptizard]

I said it is for local authentication, IPs have nothing to do with it. Every company has an AD policy to lock your account after a few failed logins, this is no different. It is not a matter of choosing the correct 1 out of 3, four times in a row. It is choosing the correct four out of 12 sequences, which is indeed 1/495. Think of it like taking the original scheme, with three different sequences, and breaking each of those sequences into four smaller subsquences. Now, you shuffle those subsequences and present them to the user. Since I have trained on my password, I will also perform better on any subsequence from my password sequence (if we are talking guitar hero, if I know the song I will also know any smaller riff from the song). However, since there are more possible permutations now that I have broken the sequences into smaller pieces, it is much less likely that an attacker can guess the correct one. The article makes no guesses on how many times you can break up your password while still maintaining soundness (i.e. will be able to perform better on the right sequences). I imagine it can't go too short, but the point is you can increase your password length linearly while exponentially increasing the number of possible permutations which is good.

Does my subconscious know the login URL?

[sco08y]

How does your subconscious know which password to use? How many 30-bit passwords can be "implanted"?

Incidentally, the fact that the password is known is really not an issue, if you consider it simply another factor of security. I wouldn't want to play a damned game every time to log in anyway, but if I only occasionally used an account and this was used to verify the system I was on, that would be fine. Call it the Rumsfeld system: you log in with something you know, and something you don't know you know.

Login prompt

[Lord+Lode]

So yeah, how'd you type this in a login prompt?

Re:Login prompt

[azalin]

No boss, I'm not playing Guitar Hero/Portal/Diablo, I'm trying to log into the network...

Only one song stays in my mind day after day...

and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

(welcome to MY hell, and you're welcome!)

Re:Only one song stays in my mind day after day...

[SpooForBrains]

8, you're welcome

Re:Only one song stays in my mind day after day...

[SpooForBrains]

That is, 8 "nahs", two repetitions of "nah nah nah nah".

Re:Only one song stays in my mind day after day...

[CrimsonAvenger]

and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

There are eight "nah" as the previous poster said, but none of them are between the "hey, hey, hey" and "good-bye".

Pretty sure it's "nah-nah-nah-nah, nah-nah-nah-nah, hey, hey, hey, good-bye"....

Re:Only one song stays in my mind day after day...

That's fa la la la la etcetera.

A couple of issues

[KritonK]

Does this method scale to learning more than one password, or does one have to use the same password everywhere? What about changing one's password?

Regarding coercion, it is often more effective to threaten someone's family than to threaten that someone. This method does not seem to offer protection against this kind of coercion.

Re:A couple of issues

[Fnord666]

Regarding coercion, it is often more effective to threaten someone's family than to threaten that someone. This method does not seem to offer protection against this kind of coercion.

Or in some cases they threaten to lock you in a room with your ex wife and your teenage kids if you don't tell them what they want to know.

Re-enter the music game

[kuhnto]

I know music games are are now passe, but come on Activision, your going to have to try harder that this to get our money again.

Re:How is that resistant to rubber-hose cryptograp

[fatphil]

Hence "rubber hose", I guess.

Not a 30-character Password

The summary is very misleading. According to TFA and the original paper, it's just a 30-item sequence of the letters S, D, F, J, K and L.

Also, you can't compare it directly to a password, it's a very different scheme. The 30-item sequence gives you an entropy of only about 37.8 bits according to the paper, which frankly is not very strong at all. Although I admit that I didn't read the whole paper (yet), I can see a some problems with this approach. First, it takes a long time to enter a "password" that has a strength of just about 38 bits. Second, this scheme only works for authentication on a system that knows your secret. You have to store the secret in plain text, which is very bad. More importantly, you therefore cannot use this scheme to derive encryption keys - which is the real problem nowadays. We don't need new methods for authentication, we already have public key authentication which is very secure when done correctly. What we need is a way to derive strong symmetric encryption keys which can then for example be used to encrypt the private key for the public key authentication. Third, I don't see at all how this approach should be resistant to rubber-hose cryptanalysis. You can still force someone to log in. Furthermore, it's silly to assume once rubber-hose cryptanalysis is used, the attacker is not already in possession of your hardware anyway. And since this scheme cannot be used e.g. to derive keys for disk encryption, why would they even need you to log in anyway if they already have your data? Doesn't make much sense to me.

I don't think this approach is of use in practice, but it is interesting research nonetheless.

Re:Had a dream about this

[azalin]

okay, I know people hate the dream explanations, esp. from men. But I had a dream where I was interviewing with a company [like a hipster startup like facebook sorta] and they used something like a midi sequencer and a keyboard to enter in the password in order to roll to production servers. All they guy needed to do was remember how to play the song... the whole song. He kept headphones and since he was a Senior, sat in the front center of the room like a dj. When the password was correct, the install scripts would start running and lights would blink and stuff, it was a big event (I guess this fantasy company doesn't roll everyday? it was a dream okay)

so, in conclusion, cant a song be a password?

Of course it could, but it would be a PITA to input and rather easy to guess by bystanders from a small sample. It would also be rather easy to set up a dictionary type attack.

Beatmania IIDX

[sydneyfong]

Seriously, does nobody play Beatmania/IIDX here?

If I'm not mistaken, the only way the system checks whether you know the password is to ask you to play a pseudo-random "game", which they presume a person trained with the passphrase will play better. ...

And I guess the authors haven't ever got pwned by an expert IIDX player.......

(Just search Youtube for videos. If you think 45 minutes is enough for you to play better than them, you're terribly mistaken...)

Re:Beatmania IIDX

[Roujo]

Actually, the system tries to see if you perform better on the password sequence than the other, random ones, which would mean that you're the user that has been trained with that password. The worst case with IIDX players is just that if they are so pro that they perfect every note, they'll perform equally on every sequence and as such will be locked out of the system. While this is a flaw in the system, it's a false negative, not a false positive.

Comment removed

[account_deleted]

Comment removed based on user account deletion

ONE password?! Fail

[Geoffrey.landis]

How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

You're missing the point. They're missing the point. It's easy to make one password secure against guessing it in a million years of trying.

But I don't need to remember one password. I need to remember thirty passwords (for my most important stuff, plus another fifty for sites I visit once or twice), all different, and a large subset of which have to be changed every 60 days. If it takes "a 45 minute learning session" for "the 30-letter password to be firmly implanted in your subconscious brain" this is purely out of the question.

And if the answer is "well, just use the the one password because it's unguessable and you can use it for everything"-- yeah, what could possibly go wrong?

Fail.

How does that stop someone from torturing me...

[gshegosh]

...to make me play that "game" to log in?

Re:How does that stop someone from torturing me...

[Roujo]

It doesn't stop it, but presumably the torture will alter your ability to play the game, which the system will be able to detect.

Re:How does that stop someone from torturing me...

[gshegosh]

So, if I go to a gym and "torture" myself, I won't be able to log in either?

Re:How does that stop someone from torturing me...

[Roujo]

Exactly, which is why I think this authentication system isn't supposed to replace the good old login screen - not for everyone, anyway. It will probably only be used by enthusiasts and high-sec employees for whom getting tortured for their password is an actual threat.

Doesn't stop the beatings

[honestmonkey]

This does NOT stop people from beating you with a rubber hose. Instead of "Give me your password!" it would be "Play this game til you get it right!" So what? Face it, there is no good way to have a perfect system that only you can get into when you want but no one else can. If you can get in, then someone else can force you to open it, regardless of how. This has the advantage of making it harder for even you to do it if you don't keep up practicing. Sounds like a silly solution to me.

Re:How is that resistant to rubber-hose cryptograp

[Bill,+Shooter+of+Bul]

Well, then your account is safe, but you get to expereince "or else". The problem with any rubber hose proof system, is getting the people with rubber hoses to agree that there efforts won't work.

Konami did this over 20 years ago

[bigrockpeltr]

Up, Up, Down, Down, Left, Right, Left, Right, B, A. Or even in Mike Tyson's Punch Out. I played this week (the original NES version) and still remembered all of the sequences for the different opponents. maybe i was secretly opening old files. It sure did bring back memories.

Mass effect [Re:No coercion?]

[Geoffrey.landis]

How does the scheme prevent ``play this game or I'll kill your family''?

Well, it's tough to get an algorithm to implement ``play this game or I'll kill your family'' on five million stolen hashes in order to add a few hundred thousand accounts to their zombie network that sends "make your tool enormous" spam.

Nobody bothers cracking passwords one at a time-- it's all about mass production these days.

Password Reminder Hint

[Luveno]

Main chorus of "Through the Fire and the Flames"

Yet another Obligatory XKCD

[ryzvonusef]

http://xkcd.com/851/

Is there a topic for which there *isn't* a XKCD comic?

Re:Yet another Obligatory XKCD

[Jappus]

Just like there does not seem a topic for which you can't find a quote from The Simpsons?

Behold the might of the law of large numbers and the infinite monkey theorem! Given enough input, you can find almost anything in everything and match almost everything to something else.

Re:Yet another Obligatory XKCD

[alex67500]

There's bound to be a corollary to Rule 34 about xkcd... ;-)

Re:Added bonus

[ryzvonusef]

You are right!

That's why we break out the "Sitar" Hero! :p

IOW: Troll fail

Your own personal mnemonic

[Paracelcus]

Your own personal mnemonic the first 3 letters of your favorite color, the first 3 letters of your first pets name, the address number of your first address, you get the idea, and punctuate them with ?, &, @, %, $, (, ), ! in a pre defined order.

Works for me.

what will i remember

[someones]

after some page had a leak and i need to learn a new password... will i still remember the old and the new password? will i only remember the old password? will i only remember the new password? ...

Re:Added bonus

[Chrisq]

You are right!

That's why we break out the "Sitar" Hero! :p

IOW: Troll fail

The Sitar is Hindu, idiot - derived from the Vina, instrument of Saraswati.

Using it makes you more likely to be tortured

[elucido]

Just because you can't remember the password it doesn't mean they wont torture you anyway.

If you're worried about being tortured you should buy a gun and be prepared to use it either to shoot your enemy or yourself in the head.

As far as whether or not some password will protect anything, any information which has to be protected like that shouldn't be in the possession of one person. It should be in the possession of a group of people.

It's better to accept human weakness

[elucido]

That is not true. It has been proven that passphrases can be weaker than passwords, simply because words usually follow each other in an ordered pattern.

You'll be safe from brute force attacks, but not any attack that adds intelligence to the mix. And if the person cracking your password knows it uses music lyrics you love, you'll be even more at risk since it only has to test for the songs you like.

What you just described is NOT safety.

It's better to accept human weakness and not rely on individuals to protect important secrets and instead rely on groups of individuals to protect pieces of secrets. The nuclear codes should never be given to one person, but pieces of it should be given to a group of people so that all of them would have to be tortured in sequence in order to get the code.

Re:It's better to accept human weakness

[errandum]

That's obvious, but I was complaining about the way he gets his passwords, claiming that the fact that he ends up with 80+ characters is real security. It just isn't, the search space for phrases is smaller than all the arrangements of letters, symbols, etc, you can get with 10 characters,

Was a dumb idea to begin with

[elucido]

There are many flaws in the scheme. If it's in the subconscious mind that doens't mean the enemy wont figure a way to get it out. If it's in the machine the enemy could get it out of that. It doesn't stop or provide a decrease in the incentive of the enemy to torture people, in fact it enhances the torture incentive by tricking people into thinking they can withstand torture and it encourages a reliance on centralized responsibility when in this case it should be decentralized.

What I'm saying is, if there is a password it's better never to let any one person know 100% of it. Let different people know different parts of it and spread them out around the world. Nuclear codes should not be some password that one guy has. It should be a password half a dozen have.

Amazing

[kumanopuusan]

the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters.

I just want to know how they're generating 30 character sequences with no repetitions and only 6 characters.

Re:Amazing

[cryptizard]

It should say no repeating bigrams. Specifically, they make a complete graph consisting of those letters and randomly sample from the set of all Euler walks on that graph.

Worthless stunt

[gweihir]

First, 2 weeks are completely meaningless. Second, anybody able to put you under duress can just as easily have you play this game.

Another worthless publicity stunt by "security researchers" that do not get it.

Re:Worthless stunt

[cryptizard]

Yes, we should stick with the model we have now which is certainly working fine. No problems here. Why should we every try anything new when it is so hard and we are likely to get it wrong according to some geeks on slashdot? Better to just keep making new hash functions and yelling at people for reusing passwords...

Re:Added bonus

[ryzvonusef]

Um, first of all, that was a pun, so here is your free *whoosh*

Secondly, the Sitar is an *Indian* instrument, not limited to Hindus only, it's popular with classical musicians all over the subcontinent, Muslim included. (yes, there does exist such a thing as a Muslim Musician)

Not the original, but it spawned a great remix...

[moogla]

http://djlobsterdust.com/index.php/mashups/maybe-we-found-love-carly-ray-jepsen-vs-rihanna/

Pop music still has its uses.

Oh dear...

[Tom]

Oh dear, where do I even start?

It's not crypto, it's not unbreakable, and the rest is debatable.

It is certainly an interesting experiment. Utterly impractical in this form, but maybe the start of something. But the /. summary is bollocks.

What if I'm in a hurry?

[aklinux]

Do I have to play a game until I hit a [particular] score?

Really awful

[whois]

A computer could break this after 2 viewings, so just having people with a camera near you while you're logging in is a security risk.

Additionally, if given unlimited attempts, a human would naturally get better at the 30 character sequence after a few playthroughs since it would be repeated. Their concience mind might even recognize it as familar even if you didn't.

NOT a rubber hose protector..

[cheros]

You're 100% right. What's worse, it does ZERO to protect against the coercion part (rubber hose crypto) - if you can do it subconsciously you will still be able to do it under stress and duress. If you create an access control device that is stress sensitive you end up with the problem that it has to be able to distinguish between you being late for work or having an argument with your wife versus having a gun in your ribs - it's a lot of hype for a new toy, but it's IMHO not at all a solution for all the problems they list.

And I can memorise a long password easily: it's called a pass phrase..

Re:NOT a rubber hose protector..

[Tom]

To be fair, it DOES offer protection against one specific scenarios: If they want to beat the pass out of you, they have to have access to both you and the system at the same time so they can make you play the game. It doesn't work to beat you up in the garage and then send in a lookalike.

But as soon as the target system has a remote login, you're fucked.