Slashdot Mirror


Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind

MrSeb writes "A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence."

27 of 287 comments

  1. "Reliably better" by FireballX301 · · Score: 4, Interesting

    How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

    I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

    1. Re:"Reliably better" by Anonymous Coward · · Score: 5, Funny

      He's not kidding. I just logged onto his /. account and posted this after reading the password he posted.

    2. Re:"Reliably better" by rjgii · · Score: 5, Funny

      He must have changed it... I cannot log in as "Anonymous Coward" anymore =(

    3. Re:"Reliably better" by errandum · · Score: 5, Interesting

      That is not true. It has been proven that passphrases can be weaker than passwords, simply because words usually follow each other in an ordered pattern.

      You'll be safe from brute force attacks, but not any attack that adds intelligence to the mix. And if the person cracking your password knows it uses music lyrics you love, you'll be even more at risk since it only has to test for the songs you like.

      What you just described is NOT safety.

    4. Re:"Reliably better" by Joce640k · · Score: 4, Insightful

      There are numerous flaws in your plan, but that's beside the point.

      The whole point of this system (which you missed) is that it's secure against rubber hose cryptanalysis (aka $5 wrench cryptanalysis).

      --
      No sig today...
    5. Re:"Reliably better" by hlavac · · Score: 3, Funny

      Next up: Most popular song lyrics added to cracklib wordlist :)

    6. Re:"Reliably better" by djmurdoch · · Score: 5, Interesting

      But the brute forcer also has to try all sorts of stupid variations:

      One ton O'Mara
      Feel the beat from the tangerine
      Scuse me while I kiss this guy
      I can see Deirdre now Lorraine has gone

    7. Re:"Reliably better" by tbannist · · Score: 4, Insightful

      Also, what happens if you're just really good at the game? I mean it's based on you being better at playing your password than other chords. If you're playing everything flawlessly are you permanently locked out?

      --
      Fanatically anti-fanatical
    8. Re:"Reliably better" by silentcoder · · Score: 4, Insightful

      Sadly - songs you hate tend to stick in your memory far too well.
      How many people can quote "call me maybe" or Justin Bieber's baby.

      Now how many of them actually LIKE those songs ?

      --
      Unicode killed the ASCII-art *
    9. Re:"Reliably better" by jgtg32a · · Score: 3, Funny

      I know your password,

      Thank you for being a friend
      Traveled down the road and back again
      Your heart is true, you're a pal and a cosmonaut.

      And if you threw a party
      Invited everyone you ever knew
      You would see the biggest gift would be from me
      And the card attached would say, thank you for being a friend.

    10. Re:"Reliably better" by DarwinSurvivor · · Score: 4, Funny

      That's a bad example. How hard could it possibly be to memorize a combined 10 words?

    11. Re:"Reliably better" by cstacy · · Score: 4, Funny

      11A ...11A2B...1B2B3...Zero-Zero-Zero Destruct Zero

    12. Re:"Reliably better" by girlintraining · · Score: 3, Informative

      But the brute forcer also has to try all sorts of stupid variations:

      An 8-character password using ASCII printable characters only has 5,595,818,096,650,401 possibilities. I'm guessing less than that number of songs have been written... even with variations in lyrics. Even with a thousand variations per song, and a trillion songs to seed the password cracker... you're still looking at a few minutes, perhaps an hour, to crack your password. Your keyspace is pathetically small.

      Length does not increase entropy.

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. repetitive phrases slightly modified by alphatel · · Score: 5, Funny

    This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there’s a short pause. This entire process is repeated six more times, for a total of 3,780 items.

    Replace 'character' with 'note' and it's clear subjects were tortured with Philip Glass for 80 hours and won't soon forget.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  3. So to recover your password ... by Anonymous Coward · · Score: 5, Insightful

    State Security forces you to play this game?

    1. Re:So to recover your password ... by Dr_Barnowl · · Score: 5, Interesting

      The game only works if the machine knows what your password is, so that you can succeed at playing that sequence better.

      Which reveals the flaw in the scheme; currently, the computer you are logging into doesn't need to know your password - it stores a hash instead. With this scheme, the machine needs a way to recover your password as plaintext, so that it can test you on it. Which means that if you can seize the system itself, you can get into it; you just need to extract the password and train someone else to know it.

    2. Re:So to recover your password ... by dohzer · · Score: 3, Interesting

      I'm fairly sure that by the time anyone can SSL directly into your brain, they'll also have some sort of high-res MRI scanner to simply read your brain's contents.

  4. How ingenious by Chrisq · · Score: 5, Funny

    The "cross-disciplinary team of US neuroscientists" came up with the most original excuse ever for why they were spending all their grant money on games consoles and all their time playing games.

  5. How is that resistant to rubber-hose cryptography? by Anonymous Coward · · Score: 5, Insightful

    Log in or else!

  6. Does the server need to know the password? by kasperd · · Score: 4, Insightful

    It sounds like the way this works, the server will need to know what the password is in order to produce the combined sequence. Doesn't that make it weaker than ordinary passwords? And if you repeatedly get the same random sequence, over time you'll learn that as well. OTOH if you get different random sequences, then it would be possible to extract the original sequence. Did I miss something here?

    --

    Do you care about the security of your wireless mouse?
    1. Re:Does the server need to know the password? by realityimpaired · · Score: 3, Insightful

      Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
      In some apps, this may be a valid way to do things.

      Not really... if I want to crack your password, all I have to do is send a few requests to the authentication server, and look at the challenges it responds with. Find the sequence of 30 characters that's repeated in all of them, and there's your password.

  7. Standard password security practices. by mwvdlee · · Score: 4, Insightful

    Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game

    I'm assuming I'll still be automatically logged out after 5 minutes of inactivity, cannot recover but will have to change my password when forgotten and passwords will expire every month?

    Also; the research suggests users will have to perform better on the injected "password" sequences than random sequences... how will they deal with top players that get a perfect score every time for the entire sequence?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  8. Completely broken. by bakuun · · Score: 3, Insightful

    A few readers have commented that the system will need to know your unhashed password. This is clearly bad, but there are even worse flaws.

    A 30-character password sounds awfully strong (60^30 combinations if upper/lower-case chars and numbers are used). However, from the article: "Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences". This means that the number of characters is irrelevant, really. What matters is the number of "30-letter sequences", and since you need to play them all, they will need to be limited. How many? 10 would probably be too many to play, but will still only be the equivalent of a single-digit password. This system will be trivial to crack with brute-force guesses.

    Even worse, repeated "login attempts" will reveal which sequence is the correct one - simply check which sequence repeats between tries.
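
    As an added example (not code from this thread, and not from Bojinov et al.'s paper), here is a toy Python model of the challenge the summary describes (the secret 30-item sequence interleaved with random 30-item sequences) together with the intersection attack that kasperd, realityimpaired and bakuun describe. The six-key alphabet, the nine decoy sequences per challenge and the assumption that an attacker can request challenges for the victim's account without authenticating are mine; the real system's parameters may differ. It also covers kasperd's second case, a server that reuses the same decoys every time.

```python
import secrets

# Assumptions for this toy model (mine, not the paper's): the game has six
# keys, a sequence is 30 key presses, and each challenge mixes the secret
# with nine random decoy sequences.
KEYS = "sdfjkl"
SEQ_LEN = 30
DECOYS = 9

_rng = secrets.SystemRandom()


def random_sequence() -> str:
    """One 30-item sequence over the game's keys."""
    return "".join(_rng.choice(KEYS) for _ in range(SEQ_LEN))


def make_challenge(secret: str, decoys=None) -> str:
    """Server side: the secret plus decoy sequences, shuffled and flattened
    into the key stream the player sees. Fresh random decoys unless given."""
    if decoys is None:
        decoys = [random_sequence() for _ in range(DECOYS)]
    blocks = [secret] + list(decoys)
    _rng.shuffle(blocks)
    return "".join(blocks)


def fixed_decoy_server(secret: str):
    """Variant server that reuses the same decoys on every login
    (kasperd's second case). Returns a zero-argument challenge generator."""
    decoys = [random_sequence() for _ in range(DECOYS)]
    return lambda: make_challenge(secret, decoys)


def split_blocks(stream: str) -> set:
    """Attacker side: cut the observed key stream back into its 30-item
    sequences. The attacker needs no secret to do this, only the block size."""
    if len(stream) % SEQ_LEN != 0:
        raise ValueError("stream is not a whole number of sequences")
    return {stream[i:i + SEQ_LEN] for i in range(0, len(stream), SEQ_LEN)}


def recover_secret(challenges) -> set:
    """Intersect the sequence sets of several challenges. Anything that
    appears in every challenge is a candidate secret; with fresh random
    decoys (6^30 possibilities) only the secret survives."""
    candidates = None
    for stream in challenges:
        blocks = split_blocks(stream)
        candidates = blocks if candidates is None else candidates & blocks
    return candidates or set()


def guess_success_probability(candidates) -> float:
    """Chance that a single blind guess among the candidates is right."""
    return 1.0 / len(candidates) if candidates else 0.0


if __name__ == "__main__":
    secret = random_sequence()

    # Fresh decoys each login: two or three challenges pin down the secret.
    fresh = [make_challenge(secret) for _ in range(3)]
    print("fresh decoys, recovered exactly:", recover_secret(fresh) == {secret})

    # Fixed decoys: the intersection stops shrinking, but the attacker
    # still only has DECOYS + 1 sequences to choose from.
    server = fixed_decoy_server(secret)
    fixed = [server() for _ in range(3)]
    cands = recover_secret(fixed)
    print("fixed decoys:", len(cands), "candidates, blind guess succeeds with p =",
          guess_success_probability(cands))
```

    With fresh decoys the intersection of just two challenges is the secret alone, since a random 30-item sequence over six keys repeats by chance with probability about 6^-30. With reused decoys the intersection never drops below ten sequences, but that is exactly bakuun's point: the effective keyspace is the count of sequences in a challenge, not 6^30, so a blind guess succeeds one time in ten.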

  9. Only one song stays in my mind day after day... by Anonymous Coward · · Score: 5, Funny

    and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

    (welcome to MY hell, and you're welcome!)

    1. Re:Only one song stays in my mind day after day... by CrimsonAvenger · · Score: 4, Informative

      and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

      There are eight "nah" as the previous poster said, but none of them are between the "hey, hey, hey" and "good-bye".

      Pretty sure it's "nah-nah-nah-nah, nah-nah-nah-nah, hey, hey, hey, good-bye"....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
  10. ONE password?! Fail by Geoffrey.landis · · Score: 4, Insightful

    How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

    You're missing the point. They're missing the point. It's easy to make one password secure against guessing it in a million years of trying.

    But I don't need to remember one password. I need to remember thirty passwords (for my most important stuff, plus another fifty for sites I visit once or twice), all different, and a large subset of which have to be changed every 60 days. If it takes "a 45 minute learning session" for "the 30-letter password to be firmly implanted in your subconscious brain" this is purely out of the question.

    And if the answer is "well, just use the one password because it's unguessable and you can use it for everything"-- yeah, what could possibly go wrong?

    Fail.

    --
    http://www.geoffreylandis.com
  11. Yet another Obligatory XKCD by ryzvonusef · · Score: 4, Funny

    http://xkcd.com/851/

    Is there a topic for which there *isn't* a XKCD comic?

    --
    I am an ACCA student. Got a query on Accountancy/Finance? Maybe I can help!