Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind

MrSeb writes "A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence."

"Reliably better"

[FireballX301]

How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

Re:"Reliably better"

He's not kidding. I just logged onto his /. account and posted this after reading the password he posted.

Re:"Reliably better"

[0100010001010011]

I like irreversible hashes generate passwords for me salted with wherever I am.

sha1('mypassword'+'slashdot.org')

Tada. Or if you're really paranoid.

sha512(md5(rot13('mypassword'+'slashdot.org');

Even sha512("") is just 0x cf83e1357eefb 8bdf1542850d66d8007d620e4050b5715dc8 3f4a921d36ce9ce4 7d0d13c5d85f 2b0ff8318d2877 eec2f63b931 bd47417a81a538327af927da3e

Good luck cracking that in your or my lifetime.

echo "Hello Worldslashdot.org" | sha512sum
78dce89143430dbbda805 9e7cc12a90c9d8f95090972579cb11bc23d119f7bea9f59646a40 b9da6dfd091d68d 9cac705e95091d778509af721402277b5d57ddf -

And if for some reason that wasn't enough. You could left shift everything by 64 to the left. So 97 would become 33 (!). Now you've just converted all of your a-o into '!' through '/'. And since most passwords require it start with a letter (for some arbitrary and unknown reason) prefx that with x.

My company has weird old unix password system that needs to be changed every month. Has to start with a letter. Has to have at least !$%or # in it. Has have numerous other requirements.

Take the month. Run it through a standard known crypto function that you wrote and tada, easily generated/memorized number, difficult to crack.

Filter error: That's an awful long string of letters there.

Re:"Reliably better"

[rjgii]

He must have changed it... I can not log in as "Anonymous Coward" anymore =(

Re:"Reliably better"

[errandum]

That is not true. It has been proven that passphrases can be weaker than passwords, simply because words usually follow each other in an ordered pattern.

You'll be safe from brute force attacks, but not any attack that adds intelligence to the mix. And if the person cracking your password knows it uses music lyrics you love, you'll be even more at risk since it only has to test for the songs you like.

What you just described is NOT safety.

Re:"Reliably better"

[Joce640k]

There's numerous flaws in your plan, but that's beside the point.

The whole point of this system (which you missed) is that it's secure against rubber hose cryptanalysis (aka $5 wrench cryptanalysis).

Re:"Reliably better"

[hlavac]

Next up: Most popular song lyrics added to cracklib wordlist :)

Re:"Reliably better"

[hlavac]

Can you do SHA512 in your head? I can't, dammit!

Re:"Reliably better"

[djmurdoch]

But the brute forcer also has to try all sorts of stupid variations:

One ton O'Mara
Feel the beat from the tangerine
Scuse me while I kiss this guy
I can see Deirdre now Lorraine has gone

Re:"Reliably better"

[jaymemaurice]

Deftones and many genres of music have lyrics which don't follow normal language ordering. How about the song scatman - not many actually like it but the lyrics easily burn into your head.

Re:"Reliably better"

[tbannist]

Also, what happens if you're just really good at the game? I mean it's based on you being better at playing your password than other chords. If you're playing everything flawlessly are you permanently locked out?

Re:"Reliably better"

[silentcoder]

Sadly - songs you hate tend to stick in your memory far too well.
How many people can quote "call me maybe" or Justin Bieber's baby.

Now how many of them actually LIKE those songs ?

Re:"Reliably better"

[jgtg32a]

I know your password,

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you ever knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:"Reliably better"

[jgtg32a]

Dammit, the AC I copied the lyrics from got it wrong, confidant not cosmonaut.

Re:"Reliably better"

[sirlark]

Yeah, the basic premise here is to store the key in muscle memory, which is a fantastic idea. It's difficult to forget (not impossible, but difficult) and near impossible to extract without the owner's knowledge and permission; An attacker might be able to induce finger tapping but capturing it and recording it will be extremely difficult. Also, it comes with an indirect from of biometric identification, because even if an attacker somehow manages to extract the correct key, the input mechanism can presumably pick out the pattern of entry far more precisely than an attacker could mimic without a hell of a lot of training. I'm still not sure about playing a game every time I want to log in to something, but as a access to an encrypted volume or a key ring at the beginning of my day... makes sense.

Re:"Reliably better"

[DarwinSurvivor]

That's a bad example. How hard could it possibly be to memorize a combined 10 words?

Re:"Reliably better"

[silentcoder]

Apple Rodeo Clowdscape Brain Horrible Homunculus Arousing Sixty Icicle

Re:"Reliably better"

[Jeremiah+Cornelius]

This subconscious method works well. Ask any lone, crazed gunman. Just don't mention "Catcher in the Rye".

Re:"Reliably better"

[cstacy]

11A ...11A2B...1B2B3...Zero-Zero-Zero Destruct Zero

Re:"Reliably better"

[Siridar]

Correct horse battery staple.

Re:"Reliably better"

[girlintraining]

But the brute forcer also has to try all sorts of stupid variations:

An 8 character password using ASCII printable characters only has 5,595,818,096,650,401 possibilities. I'm guessing less than that number of songs have been written... even with variations in lyrics. Even with a thousand variations per song, and a trillion songs to seed the password cracker... you're still looking at a few minutes, perhaps an hour, to crack your password. Your keyspace is pathetically small.

Length does not increase entropy.

Re:"Reliably better"

[camperdave]

Somehow, I can't picture playing Guitar Hero to access my bank machine.

Re:"Reliably better"

[hacksoncode]

The rubber hose cryptanalysis won't be able to get you to *tell* them the password, but I see no reason why they couldn't get you to *reveal* it by playing the game.

Since it's subconscious, you won't even know that you're revealing it.

Re:"Reliably better"

[anotherzeb]

It may be plausible but I think that here in the UK it's still illegal - we can be given 2 years inside for not revealing a password when asked for it by the relevant authority. I can see this system putting some people away for a little while.

Re:"Reliably better"

Your keyspace is pathetically small

What if you're a hipster? The attacker would never have even heard of the song whose lyrics you used, so how could he try its lyrics?

Re:"Reliably better"

[kbolino]

An 8 character password using ASCII printable characters only has 5,595,818,096,650,401 possibilities

GP was talking about 80 character passwords (not 8), which even if we assume a low entropy of 2 bits per character still gives you 160 bits of entropy. If you throw odd spellings, capitalizations, number substitutions, and in-jokes into the mix, you can significantly increase that number, but 160 bits still puts you well above

Length does not increase entropy.

Yes it does.

Let X and Y be independent and identically distributed distributions. Let H>=1 be the entropy of each variable (iid = same entropy).
Let Z be the concatenation of X and Y. Then p(Z) = p(X) * p(Y). The entropy of Z is:

H(Z) = E[log(p(Z))] = E[log(p(X) * p(Y))] = E[log(p(X)) + log(p(Y))] = E[log(p(X))] + E[log(p(Y))] = H + H = 2H

Since 2H > H, increasing the length of the string increased its entropy.

This is true if you pick ASCII characters at random, provided that longer passwords aren't transformed into a lower entropy version, such as by truncating or breaking into chunks and XORing them.

You may be able to make the case that using whole phrases instead of particular subphrases has (slightly) lower entropy by being more likely to be chosen by an adversary, but I would still say that, as a general rule, you can't go wrong by making your password longer.

repetitive phrases slightly modified

[alphatel]

This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there’s a short pause. This entire process is repeated six more times, for a total of 3,780 items.

Replace 'character' with 'note' and it's clear subjects were tortured with Philip Glass for 80 hours and won't soon forget.

So to recover your password ...

State Security forces you to play this game?

Re:So to recover your password ...

[Dr_Barnowl]

The game only works if the machine knows what your password is, so that you can succeed at playing that sequence better.

Which reveals the flaw in the scheme ; currently, the computer you are logging into doesn't need to know your password - it stores a hash instead. With this scheme, the machine needs a way to recover your password as plaintext, so that it can test you on it. Which means that if you can sieze the system itself, you can get into it, you just need to extract the password and train someone else to know it.

Re:So to recover your password ...

[Rich0]

I think this is one of the biggest weaknesses with any password-based system. We're too dependent on uncontrolled terminals, and nobody has figured out to do SSL directly to the human brain.

We like to blanket ourselves in feel-good measures like PCI/etc, but the fact is that nobody really knows if that box you're punching a PIN/etc into has been tampered with.

Re:So to recover your password ...

[dohzer]

I'm fairly sure that by the time anyone can SSL directly into your brain, they'll also have some sort of high-res MRI scanner to simply read your brain's contents.

How ingenious

[Chrisq]

The "cross-disciplinary team of US neuroscientists" came up with the most original excuse ever for why they were spending all their grant money on games consoles and all their time playing games.

Re:How ingenious

I can't stand idiots like you, who always act as if games were an "excuse" or "waste of time", when they are the MOTHER of all education, art, sports and entertainment.
There is no better way to explore something new, than games. That's what they are there for.
It's things like school as we know it, that is a waste of time and deeply utterly wrong.

Re:How ingenious

[metacell]

How on Earth did the parent get modded "Informative"? Funny, yes, informative, no.

Re:How ingenious

[loimprevisto]

Mods occasionally rate a funny post as something else to boost that person's karma rating, since Funny doesn't give a karma boost.

...or at least that's how it used to work, something might have been tweaked in the moderation system since that was true.

How is that resistant to rubber-hose cryptography?

Log in or else!

Does the server need to know the password?

[kasperd]

It sounds like the way this works, the server will need to know what the password is in order to produce the combined sequence. Doesn't that make it weaker than ordinary passwords? And if you repeatedly get the same random sequence, over time you'll learn that as well. OTOH if you get different random sequences, then it would be possible to extract the original sequence. Did I miss something here?

Re:Does the server need to know the password?

[realityimpaired]

Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
In some apps, this may be a valid way to do things.

Not really... if I want to crack your password, all I have to do is send a few requests to the authentication server, and look at the challenges it responds with. Find the sequence of 30 characters that's repeated in all of them, and there's your password.

Standard password security practices.

[mwvdlee]

Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game

I'm assuming I'll still be automatically logged out after 5 minutes of inactivity, cannot recover but will have to change my password when forgotten and passwords will expire every month?

Also; the research suggests users will have to perform better on the injected "password" sequences than random sequences... how will they deal with top players that get a perfect score every time for the entire sequence?

All NES players have a subconscious password:

[cvd6262]

up-up-down-down-left-right-left-right-B-A-start

38 bits of entropy

Only 38 bits of entropy because there's only 6 choices for each of the 30 characters. Yeah a Tesla GPU can chew through that in a day. I'd post the relevant XKCD comic but I'm pretty sure everyone here knows what it is already.

Another variant

[art6217]

The system requires that you copy-write a short random message by hand, but at no point do you actually remember the subtleties of your individual writing style, like the ballpoint pressure or distribution of the shape of "o"s, meaning it can't be presented as a plain sequence of letters and it can't be obtained via coercion or torture i.e. rubber-hose cryptanalysis. The system, devised by Anonymous Coward, relies on implicit learning, a process by which you absorb new information, but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) does NOT involve anything, as your writing style is likely already precisely and intricately shaped for years.

Without a human specialist, a dedicated OCR software would need to be developed, though...

No coercion?

[TranceThrust]

How does the scheme prevent ``play this game or I'll kill your family''?

Good direction, impractical solution

[ItsIllak]

Passwords are clearly a very bad idea - they just don't work for any number of logical, social and practical reasons. So it's great to see real thought going into alternatives. Although I think the overhead of 45 mins learning and other issues with this are a problem, I think the general premise must have something in it that would work well.

The fact we can recognise that we know something, even if we can't repeat it - e.g. you know if someone sings the wrong lyrics to a song even if you can't remember them yourself - MUST have some solution to this problem embedded in it somewhere...

Problem

[Arancaytar]

Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences.

This requires the password to be stored in clear in the system. I think the brain is more trustworthy than that...

Two weeks?

[aglider]

We need to recall the password after 1 year or even 2.
Please, go on with the tests!

Re:Forty Five Minutes?

[Corbets]

Who has 45 min to learn a new password? I can't see a company willing to
pay someone for 0.75hr just to learn a password.

-AI

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people) from losing their second most valuable asset (information).

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

Or they just might figure that people who lack the capacity to memorize a reasonably complex password may not, after all, be all that valuable of an asset.

Re:Forty Five Minutes?

[Overzeetop]

Who would allow a truly secure system to have static passwords - most require a change once a month. Now it costs 9 hours a year, or 0.5% of your entire payroll costs just to learn the passwords. Since the sequence must be played back using a large string of random sequences in which the password sequence is embedded, I presume that would probably take at least 2 minutes to be of both necessary and sufficient length. Let's presume that you only have to log in twice a day (when you arrive, and when you come back after lunch) to this truly secure system...that's 4 minutes a day or another 1000 minutes ~ 16 hours ~ a year. Now we're up to 1.25% of employee costs. If you have a 100,000 person company with US average wages (and they'll probably be higher than average if they're logging into a secure system), that's $75,000,000 a year.

Now, tell me again how much the executive board splitting an extra $75,000,000 in bonuses is going to react when you tell them that they need this highly secure password system, compared to the one they have that had resulted in few or no breaches in the past decade.

Completely broken.

[bakuun]

A few readers have commented that the system will need to know your unhashed password. This is clearly bad, but there are even worse flaws.

A 30-character password sounds awfully strong (60^30 combinations if upper/lower-case chars and numbers are used). However, from the article: "Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences". This means that the number of characters is irrelevant, really. What matters is the number of "30-letter sequences", and since you need to play them all, they will need to be limited. How many? 10 would probably too many to play, but will still only be the equivalent of a single-digit password. This system will be trivial to crack with brute-force guesses.

Even worse, repeated "login attempts" will reveal which sequence is the correct one - simply check which sequence repeats between tries.

Re:Why can't this be rubber-hosed out of someone?

[kanweg]

the hose isn't necessary. Just the rubber would do, I guess.

Bert

Only one song stays in my mind day after day...

and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

(welcome to MY hell, and you're welcome!)

Re:Only one song stays in my mind day after day...

[CrimsonAvenger]

and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

There are eight "nah" as the previous poster said, but none of them are between the "hey, hey, hey" and "good-bye".

Pretty sure it's "nah-nah-nah-nah, nah-nah-nah-nah, hey, hey, hey, good-bye"....

Re:Login prompt

[azalin]

No boss, I'm not playing Guitar Hero/Portal/Diablo, I'm trying to log into the network...

Re:How is that resistant to rubber-hose cryptograp

[fatphil]

Hence "rubber hose", I guess.

ONE password?! Fail

[Geoffrey.landis]

How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

You're missing the point. They're missing the point. It's easy to make one password secure against guessing it in a million years of trying.

But I don't need to remember one password. I need to remember thirty passwords (for my most important stuff, plus another fifty for sites I visit once or twice), all different, and a large subset of which have to be changed every 60 days. If it takes "a 45 minute learning session" for "the 30-letter password to be firmly implanted in your subconscious brain" this is purely out of the question.

And if the answer is "well, just use the the one password because it's unguessable and you can use it for everything"-- yeah, what could possibly go wrong?

Fail.

Re:Forty Five Minutes?

[BVis]

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people)

HAHAHAHAHAHAHAHAHAHAHA... oh wait, you were serious, let me laugh even harder...

To the vast majority of companies out there, you are not an asset, you are a liability on a balance sheet. Nobody can ever work hard enough to justify their salary, no matter how pathetic or insulting that salary is. You are less valuable than the office furniture.

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

In my experience, no 'senior executive' is technical enough to understand that phrase. Their eyes glaze over when you try to explain the need for passwords at all, let alone more secure ones. Then when you tell them that they need to jump through even the slightest hoop regarding security, the first thing they tell you is to make an exception for them, because they don't want to be any further inconvenienced. (Most of them resent the idea that they have to put in a password at all , let alone a reasonably secure one. Their convenience is far far FAR more important than data security, because they understand the former much more than the latter.) The second thing they tell you is do it or you're fired. I have first-hand knowledge of this attitude from multiple Fortune 500 companies as well as public sector entities. I've worked at places where the CEO's password (for EVERYTHING they access, from email to file shares) is the name of the company. And set to never expire. And known to everyone in IT, lest there be a problem with it.

Security at most big companies is a bad joke. You can yell and scream and beg and cajole and do anything you can think of to explain why what you're doing is grossly inadequate, but all it will get you is fired.

Re:How is that resistant to rubber-hose cryptograp

[Bill,+Shooter+of+Bul]

Well, then your account is safe, but you get to expereince "or else". The problem with any rubber hose proof system, is getting the people with rubber hoses to agree that there efforts won't work.

Yet another Obligatory XKCD

[ryzvonusef]

http://xkcd.com/851/

Is there a topic for which there *isn't* a XKCD comic?