Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

How to store a 30-digit password in your subconscious
Electronic Products ^ | 8/2/12 | JEFFREY BAUSCH

Posted on 08/05/2012 8:57:17 PM PDT by null and void

New technique takes password security to new depths

No matter the measures one takes to protect a password, whether it’s storing it to memory, thumb drive, or a carefully hidden piece of paper in a hardly-ever-used book, it is still possible to get a Jack Bauer-like character to force that person to reveal the password or its location.

That is, until now.

Researchers have discovered a technique in which a person can store information in the subconscious part of their brain in such a way that it is literally impossible to consciously disclose it — no matter how hard the person tries — yet automatically retrieve it when called upon to enter the password for access / entry.


A new technique will allow users to store 30-character passwords to the subconscious parts of their memory.

The new technique combines cryptography with neuroscience and quite frankly, it blows all current electronic and technological approaches out of the water in terms of its level of protection.

The how

This new security system, if you will, is based on a teaching technique called implicit learning. Hristo Bojinov, the lead author of the study, started out by designing a game in which players intercept falling objects by pressing a key. The objects appear in one of six positions, with each one corresponding to a different key.


Game created by Bojinov and colleagues allows users to store a password sequence to the subconscious part of their memory. (via: extremetech.com)

“The process of learning the password involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero,” the report states. “There are six buttons — S, D, F, J, K, L — and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes — and here’s the genius bit: Around 80 percent of those keystrokes are being used to subconsciously teach you a 30-character password.”

That’s right — what the players are unaware of is the fact that the different positions of the objects are not always random; that is, hidden in the game is a sequence of 30 successive positions that gets repeated all throughout the time they’re playing the game. Bojinov and the rest of his team found that the players actually made fewer and fewer errors when they encountered their assigned sequence on successive rounds, and that the sequence they had subconsciously learned stuck around when they were all tested again two weeks later.

Interesting, yes, but what ticks this story up to fascinating is that when the players were asked to verbally recite the sequence, they were unable to do so.

What it means

This opens the door to a whole new method of password security. Users would learn a particular sequence that is unique to them in an initial session, and later prove they know it by playing the same game. Once confirmed that the password sequence was successfully “downloaded”, the sequence can then be applied to the appropriate security system.

Yes, this new system allows us to use deeper levels of our subconscious than ever before, but it’s actually not much different from what we do every day: Take, for example, how we incorporate new words accurately into a sentence without being consciously aware of the grammatical correctness of it; calling upon a subconsciously learned 30-character sequence is not too different from that. This system simply presents a more direct method for accessing this part of the brain.

Trying to cheat the system

The obvious question now becomes – how safe is this system? If a password holder cannot verbalize the sequence, one way someone might try to discover another person’s password “sequence” would be to force said password holder to play a similar game and watch to see when they make fewer errors (that is, when their subconscious kicks in).

The problem with this is in the numbers: the sequence consists of 30 key presses in six different positions. So, the chances of piecing together the correct sequence is slim to, well, very slim.

A bit more specifically, the creators of the system estimate that testing 100 users non-stop for a full year would result in less than a 1 in 60,000 chance of successfully extracting a single sequence.

Like other security systems, Bojinov’s solution stands the risk of being hacked into the system used to authenticate users (as opposed to going the whole torture-the-user-until-he-tells-you-the-password route). For that reason, it is expected that this new system will likely only be used in high-risk scenarios when the code-holder needs to actually be present (e.g. nuclear and military facilities) and other security measures are in place to complement it.

Future outlook

When looking further down the road, the whole idea of trying to sell a security system that requires users to spend 30-45 minutes playing a game is probably something that’s not going to do all that well on today’s “I need it to work out of the box” market. So, for now at least, the team will spend their time trying to make this system more user- / time-friendly, but still just as effective.

It’s also worth pointing out that this new system already has a competitor in biometric security methods, which rely on recognizing a unique trait like finger prints or iris patterns for authentication. Experts believe, however, that Bojinov’s solution is much more effective.

“Authentication doesn’t require explicit effort on the part of the user,” says Ari Juels, director of RSA Laboratories in Cambridge, Massachusetts. “If the time required for training and authentication can be reduced, then some of the benefits of biometrics, namely effortlessness and minimal risk of loss, can be coupled with a feature that biometrics lack: the ability to replace a biometric that has been compromised.”

Bojinov plans to present his work on 8 August at the USENIX Security Symposium in Bellevue, Washington. ■


TOPICS: Business/Economy; Culture/Society
KEYWORDS: password; passwords
Tell me how you play a piano...
1 posted on 08/05/2012 8:57:23 PM PDT by null and void
[ Post Reply | Private Reply | View Replies]

To: null and void
Tell me how you play a piano...

Every good boy does fine.

2 posted on 08/05/2012 9:01:54 PM PDT by Ezekiel (The Obama-nation began with the Inauguration of Desolation.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

‘Fascinating’


3 posted on 08/05/2012 9:04:18 PM PDT by MHGinTN (Being deceived can be cured.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void
I don't need any fancy tricks. My password is "password".

Oops. I shouldn't have told you that, huh?

4 posted on 08/05/2012 9:07:21 PM PDT by ClearCase_guy (Roger Taney? Not a bad Chief Justice. John Roberts? A really awful Chief Justice.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ClearCase_guy

Mine is “supercalifragilisticexpialidocious”, but “password” was my first choice.

Oh yeah, it’s in spellcheck too. Gotta love FR.


5 posted on 08/05/2012 9:12:53 PM PDT by Kickass Conservative (The only good Commie is an Impeached Commie.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: null and void

Don’t bother. Use this, and be sure to go into the database settings and have it use Secure Desktop when you enter the master password. There is also a portable version.

http://keepass.info/download.html


6 posted on 08/05/2012 9:21:35 PM PDT by expat1000
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

If I catch a virus will the subconscious reveal the password to it?


7 posted on 08/05/2012 9:25:18 PM PDT by Jyotishi (Seeking the truth, a fact at a time.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

As long as you have eight characters and one is a capital, you should be fine.

Mine is: MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento


8 posted on 08/05/2012 9:28:04 PM PDT by mnehring
[ Post Reply | Private Reply | To 1 | View Replies]

To: Jyotishi
If I catch a virus will the subconscious reveal the password to it?

No, but it will reveal it to Leo DiCaprio and the rest of his Inception crew.

9 posted on 08/05/2012 9:29:53 PM PDT by newheart (At what point does policy become treason?)
[ Post Reply | Private Reply | To 7 | View Replies]

To: expat1000
"http://keepass.info/download.html"

Thanks, good info. People better take their passwords SERIOUSLY now, or you'll pay the consequences.

10 posted on 08/05/2012 9:38:12 PM PDT by ElPatriota (The SILENCE of the Catholic Church in protecting our culture from perversion is ** DEAFENING **)
[ Post Reply | Private Reply | To 6 | View Replies]

To: null and void

Kewel


11 posted on 08/05/2012 9:54:19 PM PDT by Vendome (Don't take life so seriously, you won't live through it anyway)
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void
Tell me how you play a piano...
With your fingers. {;^)
12 posted on 08/05/2012 9:56:03 PM PDT by philman_36 (Pride breakfasted with plenty, dined with poverty, and supped with infamy. Benjamin Franklin)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Nailbiter

bflr


13 posted on 08/05/2012 9:56:52 PM PDT by Nailbiter
[ Post Reply | Private Reply | To 1 | View Replies]

To: mnehring

*groan*


14 posted on 08/05/2012 10:12:25 PM PDT by null and void (Day 1293 of our ObamaVacation from reality - Heroes aren't made Frank, they're cornered...)
[ Post Reply | Private Reply | To 8 | View Replies]

To: null and void

http://www.xkcd.com/936/


15 posted on 08/05/2012 10:21:51 PM PDT by GraceG
[ Post Reply | Private Reply | To 1 | View Replies]

To: ElPatriota
"http://keepass.info/download.html"

Thanks, good info. People better take their passwords SERIOUSLY now, or you'll pay the consequences.

You're welcome.

One default setting that should be changed besides Enter Master key on Secure Desktop (in Options, not database settings which I said in the first post), is the delay/transformation rounds on the Security tab of the Database settings. Setting that to a second or two should defeat any kind of brute force attack. Then you can safely store a copy of the database online somewhere.

Then there is obvious stuff like close after x seconds of inactivity, etc.

16 posted on 08/05/2012 10:26:54 PM PDT by expat1000
[ Post Reply | Private Reply | To 10 | View Replies]

To: null and void
>"it is literally impossible to consciously disclose it "

And literally easy as a simple shot to subconsciously spill the beans.

17 posted on 08/05/2012 10:32:59 PM PDT by rawcatslyentist ("Behold, I am against you, O arrogant one," Jeremiah 50:31)
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

Bump memory/password


18 posted on 08/05/2012 10:39:58 PM PDT by Taffini ( Mr. Pippen and Mr. Waffles do not approve and neither do I)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ClearCase_guy
My password is


























I forgot.
19 posted on 08/05/2012 11:42:29 PM PDT by UnbelievingScumOnTheOtherSide (REPEAL WASHINGTON! -- Islam Delenda Est! -- I Want Constantinople Back. -- Rumble thee forth.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: null and void
No matter the measures one takes to protect a password, whether it’s storing it to memory, thumb drive, or a carefully hidden piece of paper in a hardly-ever-used book, it is still possible to get a Jack Bauer-like character to force that person to reveal the password or its location.

In "the business" they actually have a name for this technique. Appropriately enough it's called the "rubber hose" technique.

20 posted on 08/06/2012 12:14:52 AM PDT by The Duke
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

bflr


21 posted on 08/06/2012 1:32:03 AM PDT by Captain Beyond (The Hammer of the gods! (Just a cool line from a Led Zep song))
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

This is an interesting story, but -— you go first!

I’d be curious to read anecdotes from people who’ve tried this technique, but am not about to waste 45 minutes of my time and then realize I can’t remember the first two characters of the password...


22 posted on 08/06/2012 4:48:07 AM PDT by DJ Frisat ((optional, printed after my name on post))
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

Will it work if after you set the password, you start suffering from Alzheimers


23 posted on 08/06/2012 5:46:07 AM PDT by chainsaw ("Two ways to conquer and enslave a nation. One is by the sword. The other is by debt.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: null and void

Bookmarked, I will never remember the URL.


24 posted on 08/06/2012 5:50:37 AM PDT by bmwcyle (Corollary - Electing the same person over and over and expecting a different outcome is insanity)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mnehring

are you sure?

aren’t Pluto and Goofy transposed?


25 posted on 08/06/2012 6:00:36 AM PDT by bert ((K.E. N.P. N.C. +12 ..... Present failure and impending death yield irrational action))
[ Post Reply | Private Reply | To 8 | View Replies]

To: expat1000

Looked at this but the mobile version doesn’t allow changes to the database and it did not seem to sync particularly well...has it been upgraded?


26 posted on 08/06/2012 6:24:44 AM PDT by bt_dooftlook (Democrats - the party of Amnesty, Abortion, and Adolescence)
[ Post Reply | Private Reply | To 16 | View Replies]

To: philman_36; null and void

Some people play the piano by ear...left or right...


27 posted on 08/06/2012 6:40:11 AM PDT by goat granny
[ Post Reply | Private Reply | To 12 | View Replies]

To: bt_dooftlook

I’ve used it without issues at all. Did you download ver 1.x or 2.x? I’m guessing 1.x

This is the right version (below). I don’t know why they keep 1.x available for download - well, it’s because 2.x is not backwards compatible but 2.x has been out for several years.

http://sourceforge.net/projects/keepass/files/KeePass%202.x/2.19/KeePass-2.19.zip/download


28 posted on 08/06/2012 7:09:13 AM PDT by expat1000
[ Post Reply | Private Reply | To 26 | View Replies]

To: expat1000
keypass is also available for Linux users:

For those with Yum package management, just enter:
sudo yum install keepassx

I've used it for quiet some time. It rocks.
29 posted on 08/06/2012 8:59:27 AM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: zeugma

yup, let keepass do the work, runs on any device. passphases spaces and special characters a must!


30 posted on 08/07/2012 7:10:47 AM PDT by C0y0Te
[ Post Reply | Private Reply | To 29 | View Replies]

To: zeugma

yup, let keepass do the work, runs on any device. passphases spaces and special characters a must!


31 posted on 08/07/2012 7:11:01 AM PDT by C0y0Te
[ Post Reply | Private Reply | To 29 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson