The more “secure” my passwords are, the more likely I am to forget them completely. Remembering a series of letters, numbers and symbols can be a formidable task, even with the help of virtual password managers. Now, however, researchers have a new way to eliminate password-forgetfulness: simply store the code in your subconscious.
A team of U.S. neuroscientists and cryptographers has created a system in which using a password doesn’t require you to actually “know” it. Since the code lurks in your subconscious, passwords can’t be written down or forced out by coercion—perhaps providing a whole new means of security.
The system is based on implicit learning, or the process by which new information is absorbed without any awareness of what has been learned. Like tying your shoes or riding a bike, patterns are memorized and performed repeatedly with little attention to the process that is carried out.
Designed by Hristo Bojinov and Dan Boneh of Stanford University, the password system involves the use of a game that somewhat resembles Guitar Hero. Users must hit keys responding to one of six buttons (pictured below). During an average 45-minute training session, users are fed thousands of keystroke sequences—but one of these sequences isn’t quite as random as the others. The process subconsciously teaches users a unique 30-character password.
ExtremeTech explains:
Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters. This equates to around 38 bits of entropy, which is thousands/millions of times more secure than your average, memorable password. This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there’s a short pause. This entire process is repeated six more times, for a total of 3,780 items.
By then, the 30-character password has successfully been implanted. When it comes time to authenticate, users simply play a round of the game, relying on the fact that they will perform their sequence more accurately than other random sequences provided during the test.
The method does have a few obvious drawbacks. Developing the password is a time-consuming process requiring a lengthy training session and even the ordinarily easy task of entering a password requires that users play the system’s game for a few minutes at a time. Since most people use different passwords for different sites, creating new codes could become an all-day affair.
Nevertheless, the process could be useful in high-risk situations that require the password-holder to be present, such as when gaining access to a military facility. Passwords created by the system also have the ability to be replaced, unlike biometric methods.
The results of the study will be presented in August at the USENIX Security Symposium in Bellevue, Washington. Read the full paper here (PDF).
[via New Scientist, ExtremeTech]
Image: Marc Falardeau/Flickr
