Remember Uncrackable Passwords With Your Fingers

kitsuta

<Clever Title Here>
Jan 10, 2011

A new Guitar Hero-like password authentication system relies on muscle memory.

"Don't give out your password to anyone." This oft-repeated warning is necessary because, in most encryption systems, humans are the weakest link. As big a problem as this is in the consumer space, it's even worse for government, military, and other organizations with high stakes and determined attackers. "Rubber hose cryptanalysis," which involves bypassing security systems by coercing a working password from someone, has been a virtually unpreventable attack - until now. A team of neuroscientists and cryptographers have devised a new encryption system that relies purely on subconscious muscle memory, preventing users from actually remembering the passwords they can enter.

The training program, based on Serial Interception Sequence Learning, actually plays a lot like a keyboard-based, soundless Guitar Hero; users hit keys in accordance with falling circles, and there's even a score and 'streak' stat displayed. The SISL program gives the user a 30-character set of letters, which is repeated three times and then followed by 18 non-password and non-repeating keys.

The 30-character-long password is made up of pairs of letters chosen from the s, d, f, j, k, and l keys, a setup that can generate nearly 248 billion unique passwords. Each character appears the same number of times, and no character is repeated twice in a row - this is done to reduce users' abilities to consciously memorize the password over time. Additionally, the letters in the training program fall fast enough that, even if a user is trying to consciously memorize the password, there is not enough time for them to associate keystrokes with letters.

After training, users were tested on their knowledge with a shortened version of the same program, which gave users two incorrect passwords and one correct sequence. If they performed better on the correct password compared to the others, that constituted subconscious memorization. Not only did users still subconsciously remember the password after two weeks, but the difference in performance between those users and a group tested after one week was practically nonexistent, indicating that memory loss of the password slowed as time went on.

The paper published on the experiment [http://bojinov.org/professional/usenixsec2012-rubberhose.pdf] takes great pains to consider all the different ways an attacker may try to break this system, and offers varying solutions and answers. For example, the authentication program compares the user's performance at login to the user's performance during training, so attackers can't try to fool the system by purposefully performing poorly on what they think the incorrect sequences are. The researchers also suggest using more than one 30-character password, which they believe is possible based on a separate study of memorization.

The system has some limitations; it doesn't work if the login process is observable by an attacker, or if the system can be accessed remotely, which would allow an attacker to coerce the password holder to complete authentication. This is still good news for organizations that take cryptography seriously, but the system is a bit impractical for consumer use - unless, of course, you want to spend 30-45 minutes learning your next password.

Source: Extreme Tech [http://bojinov.org/professional/usenixsec2012-rubberhose.pdf]

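The sequence constraints and the login scoring described in the post above, as an added example that is not part of the original article or the researchers' code. It models the trained 30-key sequence as an Eulerian circuit of the complete directed graph on the six keys s, d, f, j, k, l: every ordered pair of distinct keys is played exactly once, which gives 30 keystrokes, five of each key and no key twice in a row, and the number of such circuits by the BEST theorem is 247,669,456,896, the "nearly 248 billion" quoted above. That modelling choice is an assumption consistent with the article's figures, not a statement of the paper's exact construction. The filler rule, the hit-rate thresholds in `authenticate`, the simulated user in `simulate_login` and all names (`KEYS`, `SEQ_LEN`, `random_sisl_sequence`, `training_block`) are this example's own.

```python
"""SISL-style sequence generation, training blocks and login scoring.

Added example for the article above, not the researchers' code.  Modelling
assumption: a trained 30-key sequence is an Eulerian circuit of the complete
directed graph on the six keys, so every ordered pair of distinct keys is
played exactly once (30 keystrokes, 5 of each key, no key twice in a row).
Filler length, thresholds and the simulated user are illustrative.
"""
import math
import random

KEYS = "sdfjkl"                         # the six keys named in the article
SEQ_LEN = len(KEYS) * (len(KEYS) - 1)   # 30 ordered pairs of distinct keys


def random_sisl_sequence(seed: int, keys: str = KEYS) -> str:
    """Draw one trained sequence with Hierholzer's algorithm over shuffled arcs."""
    rng = random.Random(seed)
    arcs = {k: [o for o in keys if o != k] for k in keys}   # unused out-arcs per key
    for k in keys:
        rng.shuffle(arcs[k])
    stack, walk = [rng.choice(keys)], []
    while stack:
        v = stack[-1]
        if arcs[v]:
            stack.append(arcs[v].pop())   # extend along an unused arc out of v
        else:
            walk.append(stack.pop())      # no arcs left at v: it is next in the circuit
    walk.reverse()                        # closed walk of 31 keys, first == last
    return "".join(walk[:-1])


def check_constraints(seq: str, keys: str = KEYS) -> bool:
    """The article's constraints (30 keys, equal counts, no immediate repeat) plus
    the stronger property that every ordered pair occurs exactly once, cyclically."""
    if len(seq) != SEQ_LEN or set(seq) - set(keys):
        return False
    if any(seq.count(k) != SEQ_LEN // len(keys) for k in keys):
        return False
    cyclic = seq + seq[0]
    pairs = list(zip(cyclic, cyclic[1:]))
    if any(a == b for a, b in pairs):
        return False
    return len(set(pairs)) == SEQ_LEN


def sequence_count(n_keys: int = len(KEYS)) -> int:
    """Eulerian circuits of the complete digraph on n_keys vertices (BEST theorem):
    n^(n-2) arborescences times ((n-2)!)^n orderings of the remaining out-arcs."""
    return n_keys ** (n_keys - 2) * math.factorial(n_keys - 2) ** n_keys


def training_block(seq: str, seed: int, filler_len: int = 18) -> str:
    """Sequence three times, then 18 filler keys.  Filler here is uniform with no
    immediate repeat; the article does not state the paper's exact filler rule."""
    rng = random.Random(seed)
    filler: list[str] = []
    while len(filler) < filler_len:
        k = rng.choice(KEYS)
        if not filler or filler[-1] != k:
            filler.append(k)
    return seq * 3 + "".join(filler)


def hit_rate(hits: list[bool]) -> float:
    return sum(hits) / len(hits)


def authenticate(trained: str, foils: list[str], hits: dict[str, list[bool]],
                 training_rate: float, min_advantage: float = 0.05,
                 min_effort: float = 0.5) -> bool:
    """Accept if the user hit the trained sequence more often than the foils AND
    overall performance is not far below the rate recorded during training, so
    deliberately fumbling the sequences one guesses to be foils does not pass.
    Both thresholds are assumptions for this example."""
    trained_rate = hit_rate(hits[trained])
    foil_rate = sum(hit_rate(hits[f]) for f in foils) / len(foils)
    overall = sum(hit_rate(hits[s]) for s in [trained, *foils]) / (1 + len(foils))
    if overall < training_rate * min_effort:
        return False
    return trained_rate - foil_rate >= min_advantage


def simulate_login(seed: int, p_trained: float, p_foil: float) -> bool:
    """One login by a simulated user who hits trained keys with probability
    p_trained and foil keys with probability p_foil (constructed, not study data)."""
    rng = random.Random(seed)
    trained = random_sisl_sequence(seed)
    foils = [random_sisl_sequence(seed + i) for i in (1, 2)]
    hits = {trained: [rng.random() < p_trained for _ in trained]}
    for f in foils:
        hits[f] = [rng.random() < p_foil for _ in f]
    return authenticate(trained, foils, hits, training_rate=p_trained)


if __name__ == "__main__":
    seq = random_sisl_sequence(1)
    print(seq, check_constraints(seq))
    print(f"{sequence_count():,} possible sequences")
    print(training_block(seq, 2))
    print("trained user accepted:", simulate_login(7, 0.9, 0.5))
    print("untrained user accepted:", simulate_login(7, 0.5, 0.5))
```

The Eulerian-circuit view explains why the article's three rules hold at once rather than being enforced separately, and why the count is a closed form instead of a search. The effort check in `authenticate` is the part that matters against a coerced user: a login that is uniformly bad is rejected outright, so the only way to pass is to actually play the trained sequence better than the foils.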
 

Kargathia

New member
Jul 16, 2009
Seems like one of these things that work flawlessly until the first overworked and sleep deprived employee shows up at 7 in the morning. Without his coffee.
 

MASTACHIEFPWN

Will fight you and lose
Mar 27, 2010
DVS BSTrD said:
Yeah, because why should we have to use brain memory?
Because man isn't strong because of his brain that has allowed him to create the world in his image, make medicine to cure disease, divulge into science, plan ahead and strategize in life threatening situations- HE DID IT WITH HIS BUNS AND THIGHS!

 

antipunt

New member
Jan 3, 2009
My friend and I were laughing during that one (The Amazing) Spiderman scene where Peter 'cracks' the code for Doctor Connor's lab (with the radioactive spiders). It was like this touch screen game kind of thing that appeared -amazingly- simple (if you were peeking from the side), which he was

TOP NOTCHED SECURITY INDEED
 

Scrythe

Premium Gasoline
Jun 23, 2009
That's actually how I remember phone numbers: by where my thumb is when I key it. I actually don't know most of the numbers on my contact list by the actual numbers themselves, but by muscle memory.
 

darkszero

New member
Apr 1, 2010
Blablahb said:
The real uncrackable passwords of course are derived from images that are personal, impossible to reason about for an outsider but easy to remember but long to describe. The password "myowncomputerhasabluebuttonasaresetbutton" is one small detail to remember for the passwordholder, but a total nightmare to crack through bruteforcing.
I fail to see how this solves the problem of the user actually giving the password to the attacker. You know, the problem this system is trying to fix.

Social engineering attacks aren't about collecting data on the person and trying to deduce the password from that. They're about coercing the person into believing he can and should tell you the password.

Or just plain ol' phishing...
 

Zerbye

New member
Aug 1, 2008
Funny. I've been playing piano pieces on my keyboard for passwords for over a decade.
 

TMM

New member
Feb 6, 2011
"unless, of course, you want to spend 30-45 minutes learning your next password."

Well, I don't know about the author, but that sounds like a steal. My current passwords are all generated nonsense of 15 characters just to stay ahead of the computer curve, and I'm losing. Learning a new password now takes me a day or more, and then at least 2 weeks of frequent mistyping.

30-45 minutes for a secure way of identifying myself? I'll TAKE IT!
 

Rabid Toilet

New member
Mar 23, 2008
TMM said:
"unless, of course, you want to spend 30-45 minutes learning your next password."

Well, I don't know about the author, but that sounds like a steal. My current passwords are all generated nonsense of 15 characters just to stay ahead of the computer curve, and I'm losing. Learning a new password now takes me a day or more, and then at least 2 weeks of frequent mistyping.

30-45 minutes for a secure way of identifying myself? I'll TAKE IT!
For your viewing pleasure:

 

JET1971

New member
Apr 7, 2011
30-45 minutes if you had any music experience or played GH. For those that are tone-deaf and never had any music experience this would be a nightmare.

I prefer the cat on KB method: randomly type keys on the keyboard, then use the first 7 that are there. For email and anything credit card, put a cat on the KB and let it wander (as in put it back on the KB every 5 seconds until it scratches you), then use that.

Actually I don't use a cat, I put my hands as flat as I can on my KB and one on my numpad after. Even is KB and odd is numpad. 8 characters or more.

Ok, joking done, even if good advice aside from the cat part.

Rules of thumb: "don't use the same password twice". Any that is personal, use completely random alphanumeric. Any that you could care less if they get hacked... use whatever you want, just not one from the first group.

That's pretty basic password security, and why a company is overcomplicating things when "DO NOT USE THE SAME PASSWORD" is said by every security company worth anything and is being ignored, hoping to actually fix things... yeah, they are crazy. 20+ years telling people the first rule and most don't get it...

captcha: safety first
 

Something Amyss

Aswyng and Amyss
Dec 3, 2008
Scrythe said:
That's actually how I remember phone numbers: by where my thumb is when I key it. I actually don't know most of the numbers on my contact list by the actual numbers themselves, but by muscle memory.
Likewise, I've long forgotten many of my friends' numbers but can dial them with ease.
 

kitsuta

<Clever Title Here>
Jan 10, 2011
JET1971 said:
30-45 minutes if you had any music experience or played GH. For those that are tone-deaf and never had any music experience this would be a nightmare.
There is no music involved - the researchers compared the program to Guitar Hero because of the way the circles fall down in slots corresponding to keys.
 

SpAc3man

New member
Jul 26, 2009
Sounds like a fun thing to do for people who can be bothered with the effort. Otherwise its a bit over the top.
 

mdqp

New member
Oct 21, 2011
Actually, you can still force people to execute the password, you just need a similar input device, and force them to enter the password, while recording the right order. Hell, you might even make the re-execution automatic, no need to get a human to learn it, a machine can probably do it better. Of course, the problem is the interface, that will probably be non-standard, but it's still not that big of a problem (if your fear is if someone can leak the password, you have to imagine he/she is captured or a similar situation, so they probably have all the time they need to do this properly).

The people who know the password can lie, of course, but that's true also for normal passwords, isn't it? It doesn't sound that great, but I might be wrong...
 

Athinira

New member
Jan 25, 2010
Rabid Toilet said:
For your viewing pleasure:

I know you just posted it ironically, but the comic is actually wrong (because of dictionary attacks). The 4 random words are easier to brute-force than the first password.

There is nothing wrong with using random words alone in a password, but mix in a few uppercase letters, signs and numbers. It's still manageable to remember after a short pause.

c0Rrect#horSEbattery!253-

Alternatively do like me: Remember a FEW very very hard passwords, and use a Password manager for the rest (i use KeePass [http://keepass.info/], but there is also online-services like LastPass).