Remember Uncrackable Passwords With Your Fingers

Recommended Videos

mdqp

New member
Oct 21, 2011
190
0
0
If one can't enter it spontaneously, one can't enter it, period. They must be capable of entering it whenever is needed, otherwise it's pointless, isn't it? What I mean is that the guy who knows the password, must be capable of repeating the right movements. He can't tell what the password is, but he can repeat the movements, and you can record such movements, and repeat them yourself afterward. The only problem is only if you use non-standard keyboards each time, making it harder to learn to repeat said movements, since you miss the hardware, but it isn't an impossible obstacle.

You need the appropriate equipment, but it's definitely possible to extort it from human beings.

Even in the paper, they don't directly address this. If you can record the movements of the password holder, and you have access to a device with the same structure (even only the external structure, as that is all you need to get the required feedback), you can learn the password. You just need to ask the subject to repeat multiple times the password, record it multiple times to see if there are any differences (if there aren't, you can be sure that it is a sequence he knows, not something he is making up on the spot), and go with the most consistent one.

It only works against conventional measures not ones thought specifically for this method.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
15,485
0
0
Kargathia said:
Seems like one of these things that work flawlessly until the first overworked and sleep deprived employee shows up at 7 in the morning. Without his coffee.
DVS BSTrD said:
Yeah because why should have to use brain memory?
Ding and double ding.

I've seen what muscle memory CAN do when I type my passwords without even looking, but that's not a definite thing even with work to it. I program the compuer. You don't try to program me. If I am not master of the system in totality, something is wrong with this system.

The other thing is that, yes, what we really need is more brain power, or rather less about gibberish crap and more about the intrinsic way your mind works. Use things that other people CAN'T guess, because they don't think like you. I mean, think about it, Random Escapist-Goer... D'you think Jack has ANY hope of getting into your mind and guessing your password? Hell no.

The rubber hose thing can't be solved by a system that will likely make logging in harder for the RIGHT user. It's only through making the PEOPLE better that this works.
 

SnowyGamester

Tech Head
Oct 18, 2009
938
0
0
I've actually been doing this for a few years now, just pressing keys on the keyboard in a certain order instead. Was originally a phone dial version (where the letters are on a phone keypad) of an old password done on the number keys, but then I just moved it down only the qwerty keys. If I ever want to change it again, I can just move where I place my hand when I type it.
 

Athinira

New member
Jan 25, 2010
804
0
0
Roander said:
Of course this is academic when institutions are still limiting passwords to ridiculously short lengths.
Well since i mentioned the software anyway, i would also like to mention that KeePass features a very nice security implementation to prevent brute-force/dictionary attacks.

KeePass features a Database-setting (individual per database of passwords) that you can change at your will. This setting is called "Number Of Key Transformation Rounds". What it basically means is that the master key used to decrypt the password must itself be encrypted X amount of times before it is used (X specified by the user). This means that for every brute-force/dictionary attempt an attacker makes, the attacker must transform the key X amount of times using CPU-power, adding a constant work factor to each brute-force attempt.

While this does make it take longer to encrypt/decrypt the database, it does increase security. My personal setting is 576000 transformation rounds (with my i5 being able to handle around 8 times that amount per second). This basically means that for every attempt an attacker takes at my password, he has to use 576000 as much CPU power compared to normal encryption.

It would be prudent if more systems were to use that kind of security when appropriate (aka. the CPU-increase being a non-issue).
 

kitsuta

<Clever Title Here>
Jan 10, 2011
367
0
0
mdqp said:
If one can't enter it spontaneously, one can't enter it, period. They must be capable of entering it whenever is needed, otherwise it's pointless, isn't it?
Incorrect. Authentication is not just a blank box on a login screen. It is the same program as the training program, but with the correct password thrown at the user interspersed two incorrect passwords. The system simply measures how much better the user does at the correct password - which, by the way, doesn't mean they have to hit it 100% correctly.

Think of the real Guitar Hero. After you play a song a few times, you can play it a little better than a song you haven't tried before, right? Does that mean you can spontaneously hit all, or even most of the notes? Of course not.* This same principle applies without the music, and that's what the authentication program relies on.

*EDIT: Though if you could, that'd be pretty awesome.
 

mdqp

New member
Oct 21, 2011
190
0
0
kitsuta said:
Incorrect. Authentication is not just a blank box on a login screen. It is the same program as the training program, but with the correct password thrown at the user interspersed two incorrect passwords. The system simply measures how much better the user does at the correct password - which, by the way, doesn't mean they have to hit it 100% correctly.

Think of the real Guitar Hero. After you play a song a few times, you can play it a little better than a song you haven't tried before, right? Does that mean you can spontaneously hit all, or even most of the notes? Of course not.* This same principle applies without the music, and that's what the authentication program relies on.

*EDIT: Though if you could, that'd be pretty awesome.
I understand that, but it doesn't sound that risk free to me as they want it to appear. Since the game must have margins to compensate for the limits that an execution like that might have (even when you know very well the timing, you aren't going to score "perfect" each time, right?), I seriously believe that a counterfeit system for training/gathering informations might be more successful than what they imagine. Of course, I might be wrong.