Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind
MrSeb writes "A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence."
So to recover your password ... (Score:5, Insightful)
State Security forces you to play this game?
How is that resistant to rubber-hose cryptography? (Score:5, Insightful)
Log in or else!
Does the server need to know the password? (Score:5, Insightful)
Standard password security practices. (Score:5, Insightful)
Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game
I'm assuming I'll still be automatically logged out after 5 minutes of inactivity, cannot recover but will have to change my password when forgotten and passwords will expire every month?
Also; the research suggests users will have to perform better on the injected "password" sequences than random sequences... how will they deal with top players that get a perfect score every time for the entire sequence?
38 bits of entropy (Score:2, Insightful)
Re:How ingenious (Score:2, Insightful)
I can't stand idiots like you, who always act as if games were an "excuse" or "waste of time", when they are the MOTHER of all education, art, sports and entertainment.
There is no better way to explore something new than games. That's what they are there for.
It's things like school as we know it, that is a waste of time and deeply utterly wrong.
Re:Does the server need to know the password? (Score:4, Insightful)
Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
In some apps, this may be a valid way to do things.
Not really... if I want to crack your password, all I have to do is send a few requests to the authentication server, and look at the challenges it responds with. Find the sequence of 30 characters that's repeated in all of them, and there's your password.
Re:"Reliably better" (Score:5, Insightful)
There are numerous flaws in your plan, but that's beside the point.
The whole point of this system (which you missed) is that it's secure against rubber hose cryptanalysis (aka $5 wrench cryptanalysis).
Completely broken. (Score:4, Insightful)
A 30-character password sounds awfully strong (60^30 combinations if upper/lower-case chars and numbers are used). However, from the article: "Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences". This means that the number of characters is irrelevant, really. What matters is the number of "30-letter sequences", and since you need to play them all, they will need to be limited. How many? 10 would probably be too many to play, but will still only be the equivalent of a single-digit password. This system will be trivial to crack with brute-force guesses.
Even worse, repeated "login attempts" will reveal which sequence is the correct one - simply check which sequence repeats between tries.
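The two claims in the comment above, modelled as an added example (not part of the original post and not the researchers' code): it assumes, as the comment does, that each round shows the trained sequence among freshly generated decoys, and compares that with a hypothetical per-account fixed decoy set. The key set, function names and parameters are constructed for illustration.

```python
import math
import random

ALPHABET = "sdfjkl"  # assumed key set for the constructed sample data
SEQ_LEN = 30         # sequence length given in the summary

def random_sequence(rng):
    return "".join(rng.choice(ALPHABET) for _ in range(SEQ_LEN))

def login_round(secret, decoys, rng):
    """One authentication round: trained sequence shuffled among decoys."""
    shown = [secret, *decoys]
    rng.shuffle(shown)
    return shown

def sessions_fresh_decoys(secret, n_decoys, n_sessions, rng):
    """Model assumed by the comment: new random decoys on every attempt."""
    return [login_round(secret, [random_sequence(rng) for _ in range(n_decoys)], rng)
            for _ in range(n_sessions)]

def sessions_fixed_decoys(secret, n_decoys, n_sessions, rng):
    """Hypothetical alternative: one decoy set stored per account and reused."""
    decoys = [random_sequence(rng) for _ in range(n_decoys)]
    return [login_round(secret, decoys, rng) for _ in range(n_sessions)]

def repeated_in_every_session(sessions):
    """Sequences an observer sees in all recorded rounds."""
    common = set(sessions[0])
    for shown in sessions[1:]:
        common &= set(shown)
    return common

def blind_guess_bits(n_shown):
    """Bits of uncertainty when one of n_shown sequences is the trained one."""
    return math.log2(n_shown)

def audit(seed=1, n_decoys=9, n_sessions=3):
    rng = random.Random(seed)
    secret = random_sequence(rng)
    fresh = repeated_in_every_session(
        sessions_fresh_decoys(secret, n_decoys, n_sessions, rng))
    fixed = repeated_in_every_session(
        sessions_fixed_decoys(secret, n_decoys, n_sessions, rng))
    return {"fresh_isolates_secret": fresh == {secret},
            "fixed_candidates": len(fixed),
            "bits_per_round": round(blind_guess_bits(n_decoys + 1), 2)}

if __name__ == "__main__":
    print(audit())
```

With fresh decoys, only the trained sequence survives the intersection of three rounds; with a fixed decoy set all ten sequences survive, so an observer is left with the roughly 3.3 bits of a one-in-ten guess.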
Re:"Reliably better" (Score:5, Insightful)
Also, what happens if you're just really good at the game? I mean it's based on you being better at playing your password than other chords. If you're playing everything flawlessly are you permanently locked out?
Re:"Reliably better" (Score:5, Insightful)
Sadly - songs you hate tend to stick in your memory far too well.
How many people can quote "Call Me Maybe" or Justin Bieber's "Baby"?
Now how many of them actually LIKE those songs?
ONE password?! Fail (Score:5, Insightful)
How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?
You're missing the point. They're missing the point. It's easy to make one password secure against guessing it in a million years of trying.
But I don't need to remember one password. I need to remember thirty passwords (for my most important stuff, plus another fifty for sites I visit once or twice), all different, and a large subset of which have to be changed every 60 days. If it takes "a 45 minute learning session" for "the 30-letter password to be firmly implanted in your subconscious brain" this is purely out of the question.
And if the answer is "well, just use the one password because it's unguessable and you can use it for everything"-- yeah, what could possibly go wrong?
Fail.