Posted on 08/05/2012 8:57:17 PM PDT by null and void
New technique takes password security to new depths
No matter the measures one takes to protect a password, whether it's storing it in memory, on a thumb drive, or on a carefully hidden piece of paper in a hardly-ever-used book, it is still possible for a Jack Bauer-like character to force that person to reveal the password or its location.
That is, until now.
Researchers have discovered a technique by which a person can store information in the subconscious part of their brain in such a way that it is literally impossible to consciously disclose it, no matter how hard the person tries, yet automatically retrieve it when called upon to enter the password for access / entry.
A new technique will allow users to store 30-character passwords to the subconscious parts of their memory.
The new technique combines cryptography with neuroscience and quite frankly, it blows all current electronic and technological approaches out of the water in terms of its level of protection.
The how
This new security system, if you will, is based on a teaching technique called implicit learning. Hristo Bojinov, the lead author of the study, started out by designing a game in which players intercept falling objects by pressing a key. The objects appear in one of six positions, with each one corresponding to a different key.
Game created by Bojinov and colleagues allows users to store a password sequence to the subconscious part of their memory. (via: extremetech.com)
The process of learning the password involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero, the report states. There are six buttons (S, D, F, J, K, L) and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes, and here's the genius bit: around 80 percent of those keystrokes are being used to subconsciously teach you a 30-character password.
That's right: what the players are unaware of is the fact that the different positions of the objects are not always random; that is, hidden in the game is a sequence of 30 successive positions that gets repeated throughout the time they're playing the game. Bojinov and the rest of his team found that the players actually made fewer and fewer errors when they encountered their assigned sequence on successive rounds, and that the sequence they had subconsciously learned stuck around when they were all tested again two weeks later.
Interesting, yes, but what ticks this story up to fascinating is that when the players were asked to verbally recite the sequence, they were unable to do so.
What it means
This opens the door to a whole new method of password security. Users would learn a particular sequence that is unique to them in an initial session, and later prove they know it by playing the same game. Once confirmed that the password sequence was successfully downloaded, the sequence can then be applied to the appropriate security system.
Yes, this new system allows us to use deeper levels of our subconscious than ever before, but it's actually not much different from what we do every day. Take, for example, how we incorporate new words accurately into a sentence without being consciously aware of its grammatical correctness; calling upon a subconsciously learned 30-character sequence is not too different from that. This system simply presents a more direct method for accessing this part of the brain.
Trying to cheat the system
The obvious question now becomes: how safe is this system? If a password holder cannot verbalize the sequence, one way someone might try to discover another person's password sequence would be to force said password holder to play a similar game and watch to see when they make fewer errors (that is, when their subconscious kicks in).
The problem with this is in the numbers: the sequence consists of 30 key presses in six different positions. So, the chances of piecing together the correct sequence are slim to, well, very slim.
A bit more specifically, the creators of the system estimate that testing 100 users non-stop for a full year would result in less than a 1 in 60,000 chance of successfully extracting a single sequence.
Like other security systems, Bojinov's solution runs the risk of an attacker hacking into the system used to authenticate users (as opposed to going the whole torture-the-user-until-he-tells-you-the-password route). For that reason, it is expected that this new system will likely only be used in high-risk scenarios where the code-holder needs to actually be present (e.g. nuclear and military facilities) and other security measures are in place to complement it.
Future outlook
When looking further down the road, the whole idea of trying to sell a security system that requires users to spend 30-45 minutes playing a game is probably something that's not going to do all that well on today's "I need it to work out of the box" market. So, for now at least, the team will spend their time trying to make this system more user- / time-friendly, but still just as effective.
It's also worth pointing out that this new system already has a competitor in biometric security methods, which rely on recognizing a unique trait like fingerprints or iris patterns for authentication. Experts believe, however, that Bojinov's solution is much more effective.
"Authentication doesn't require explicit effort on the part of the user," says Ari Juels, director of RSA Laboratories in Cambridge, Massachusetts. "If the time required for training and authentication can be reduced, then some of the benefits of biometrics, namely effortlessness and minimal risk of loss, can be coupled with a feature that biometrics lack: the ability to replace a biometric that has been compromised."
Bojinov plans to present his work on 8 August at the USENIX Security Symposium in Bellevue, Washington.
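As an added illustration (not code from the article or from Bojinov's team), here is a toy Python model of the scheme the article describes: a 30-position secret over the six keys, a training stream in which about 80% of keystrokes belong to the secret, and an authentication check that accepts a player only if their error rate on the hidden secret is clearly lower than on random sequences. The player model (10% misses on a trained sequence, 30% otherwise), the 4-to-1 mixing ratio and the 10-point acceptance margin are assumptions of this model, not figures from the study.

```python
import random

KEYS = "SDFJKL"   # the six game keys named in the article
SEQ_LEN = 30      # length of the hidden password sequence

def make_rng(seed):
    """Seeded generator so a run is reproducible; real enrolment would use os.urandom."""
    return random.Random(seed)

def make_sequence(rng):
    """Constructed enrolment sequence: 30 positions drawn from the 6 keys."""
    return "".join(rng.choice(KEYS) for _ in range(SEQ_LEN))

def training_stream(secret, rounds, rng):
    """Training stream: each round is four copies of the secret plus one fresh
    random sequence, shuffled, so about 80% of keystrokes teach the secret.
    Blocks are (sequence, is_secret); the player is never told which is which."""
    blocks = []
    for _ in range(rounds):
        rnd = [(secret, True)] * 4 + [(make_sequence(rng), False)]
        rng.shuffle(rnd)
        blocks.extend(rnd)
    return blocks

def secret_fraction(blocks):
    """Share of keystrokes in a stream that belong to the secret."""
    return sum(len(s) for s, hit in blocks if hit) / sum(len(s) for s, _ in blocks)

def auth_stream(secret, per_kind, rng):
    """Authentication challenge: equal numbers of secret and random blocks."""
    blocks = [(secret, True)] * per_kind
    blocks += [(make_sequence(rng), False) for _ in range(per_kind)]
    rng.shuffle(blocks)
    return blocks

def simulate_play(blocks, learned, rng):
    """Constructed player model: 10% misses on the sequence the player was
    trained on (`learned`, None if never trained), 30% on anything else."""
    out = []
    for seq, is_secret in blocks:
        p_miss = 0.10 if seq == learned else 0.30
        out.append((is_secret, sum(1 for _ in seq if rng.random() < p_miss)))
    return out

def authenticate(results, margin=0.10):
    """Accept when the error rate on secret blocks is at least `margin` below
    the rate on random blocks (the threshold is an assumption of this model)."""
    sec = [e for hit, e in results if hit]
    rnd = [e for hit, e in results if not hit]
    return sum(rnd) / (SEQ_LEN * len(rnd)) - sum(sec) / (SEQ_LEN * len(sec)) >= margin
```

Run it for an enrolled user, an untrained player, and a player enrolled with a different sequence to see that only the first passes; the verifier never needs the secret to be typed or spoken, only the performance gap.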
bflr
This is an interesting story, but — you go first!
I’d be curious to read anecdotes from people who’ve tried this technique, but am not about to waste 45 minutes of my time and then realize I can’t remember the first two characters of the password...
Will it work if, after you set the password, you start suffering from Alzheimer's?
Bookmarked, I will never remember the URL.
are you sure?
aren’t Pluto and Goofy transposed?
Looked at this but the mobile version doesn’t allow changes to the database and it did not seem to sync particularly well...has it been upgraded?
Some people play the piano by ear...left or right...
I’ve used it without issues at all. Did you download ver 1.x or 2.x? I’m guessing 1.x
This is the right version (below). I don’t know why they keep 1.x available for download - well, it’s because 2.x is not backwards compatible but 2.x has been out for several years.
http://sourceforge.net/projects/keepass/files/KeePass%202.x/2.19/KeePass-2.19.zip/download
yup, let keepass do the work, runs on any device. passphrases with spaces and special characters are a must!