Remember Uncrackable Passwords With Your Fingers

TMM

New member
Feb 6, 2011
Rabid Toilet said:
TMM said:
"unless, of course, you want to spend 30-45 minutes learning your next password."

Well, I don't know about the author, but that sounds like a steal. My current passwords are all generated nonsense of 15 characters just to stay ahead of the computer curve, and I'm losing. Learning a new password now takes me a day or more, and then at least 2 weeks of frequent mistyping.

30-45 minutes for a secure way of identifying myself? I'll TAKE IT!
For your viewing pleasure:
You are of course entirely right (well, XKCD is), but my passwords of 15 characters consisting of all ASCII printable characters have an entropy value of 96 bits (http://en.wikipedia.org/wiki/Password_strength) rather than the 44 bits in xkcd's example, with much less typing.

Also my password does not become significantly less secure if you know the method, whereas I would guess that an attack based on the knowledge of the structure of the password would help with cracking it. My English wordlist contains 99156 words at this moment, meaning that the number of possible passwords for a '4 word password' is 99156^4 or 9.666650018×10^19, whereas a random password of ASCII printable characters is roughly 120^15 = 1.540702157×10^31, a significantly higher number. To match the password strength you would need a 6 or 7 word password.

Roander

New member
Dec 27, 2009
Athinira said:
I know you just posted it ironically, but the comic is actually wrong (because of dictionary attacks). The 4 random words are easier to brute-force than the first password.

There is nothing wrong with using random words alone in a password, but mix in a few uppercase letters, signs and numbers. It's still manageable to remember after a short pause.

c0Rrect#horSEbattery!253-

Alternatively, do like me: remember a FEW very, very hard passwords, and use a password manager for the rest (I use KeePass [http://keepass.info/], but there are also online services like LastPass).
4 words from a 40k word dictionary (# of words in the Oxford mini dictionary. Their normal dictionary is about 220k.)
40000^4
2.56e+18

11 characters from alphanumeric (62) plus typical special characters I basically just picked off of my keyboard (17)
89^11
2.775173073766990340489e+21

So you're right. The first password in the comic is better by a factor of about a thousand, but if you add a fifth dictionary word:
40000^5
1.024e+23

it's now legitimately better than the 11 character password.

Your password is obviously harder to crack than either of these

89^25
5.4293790913464640719266311175815e+48

but you seem to have completely missed the point that it's hard to memorize what characters you've randomly changed or added. You've taken the original example that was presented as too difficult to remember, one word with two replaced characters and two added ones, and made it longer and more complex, two words with 4 replaced characters and 6 added ones.

Of course this is academic when institutions are still limiting passwords to ridiculously short lengths.

Also, thanks for the tip about KeePass. There are also hardware solutions that do this, but all the ones I've found seem to have severe usability issues and too many limitations on what they can store.
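A worked version of the entropy arithmetic in TMM's and Roander's posts above, added here as an example rather than taken from the thread: it converts both password schemes to bits so they can be compared directly, and computes how many dictionary words are needed to match a random-character password. It assumes 95 printable ASCII characters for the character scheme (the posts use 120 and 89 as their alphabet sizes) and reuses the word counts quoted above.

```python
import math

PRINTABLE_ASCII = 95  # assumption: the 95 printable ASCII characters (0x20-0x7E)


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def keyspace(choices: int, length: int) -> int:
    """Exact number of possible passwords (the figures the posts quote)."""
    return choices ** length


def words_to_match(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random dictionary words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the keyspace at a given guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


def compare(schemes, guesses_per_second=1e10):
    """Tabulate (name, choices, length) schemes; rows sorted weakest to strongest."""
    rows = []
    for name, choices, length in schemes:
        bits = entropy_bits(choices, length)
        rows.append((name, bits, keyspace(choices, length),
                     crack_time_seconds(bits, guesses_per_second)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    schemes = [
        ("xkcd: 4 words, 40k dictionary", 40_000, 4),
        ("5 words, 40k dictionary", 40_000, 5),
        ("4 words, 99156-word list", 99_156, 4),
        ("11 chars, 89-symbol alphabet", 89, 11),
        ("15 chars, 95 printable ASCII", PRINTABLE_ASCII, 15),
    ]
    for name, bits, size, secs in compare(schemes):
        print(f"{name:32s} {bits:6.1f} bits  {size:.3e} keys  "
              f"{secs / 86400 / 365:.2e} years at 1e10 guesses/s")
    print("words from the 99156-word list needed to match 15 printable chars:",
          words_to_match(99_156, entropy_bits(PRINTABLE_ASCII, 15)))
```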

kitsuta

<Clever Title Here>
Jan 10, 2011
mdqp said:
Actually, you can still force people to execute the password: you just need a similar input device, force them to enter the password, and record the right order. Hell, you might even make the re-execution automatic; no need to get a human to learn it, a machine can probably do it better. Of course, the problem is the interface, which will probably be non-standard, but it's still not that big of a problem (if your fear is that someone can leak the password, you have to imagine he/she is captured or in a similar situation, so they probably have all the time they need to do this properly).

The people who know the password can lie, of course, but that's true also for normal passwords, isn't it? It doesn't sound that great, but I might be wrong...
Because the memory is subliminal - more subliminal than most muscle memory - the password holder cannot enter it spontaneously. They have absolutely no idea which keys are correct. In order to obtain authentication, the system in question must already know the correct password.

The researchers go into a lot of depth explaining the whole idea and how it works, and the various ways different attack tactics would fail, so I'd recommend reading the paper if you're interested.

mdqp

New member
Oct 21, 2011
If one can't enter it spontaneously, one can't enter it, period. They must be capable of entering it whenever it is needed, otherwise it's pointless, isn't it? What I mean is that the guy who knows the password must be capable of repeating the right movements. He can't tell what the password is, but he can repeat the movements, and you can record such movements and repeat them yourself afterward. The only problem is if you use non-standard keyboards each time, making it harder to learn to repeat said movements, since you miss the hardware, but it isn't an impossible obstacle.

You need the appropriate equipment, but it's definitely possible to extort it from human beings.

Even in the paper, they don't directly address this. If you can record the movements of the password holder, and you have access to a device with the same structure (even only the external structure, as that is all you need to get the required feedback), you can learn the password. You just need to ask the subject to repeat the password multiple times, record it each time to see if there are any differences (if there aren't, you can be sure that it is a sequence he knows, not something he is making up on the spot), and go with the most consistent one.

It only works against conventional measures, not ones designed specifically for this method.

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
Kargathia said:
Seems like one of these things that work flawlessly until the first overworked and sleep deprived employee shows up at 7 in the morning. Without his coffee.
DVS BSTrD said:
Yeah, because why should we have to use brain memory?
Ding and double ding.

I've seen what muscle memory CAN do when I type my passwords without even looking, but that's not a definite thing even with work put into it. I program the computer. You don't try to program me. If I am not master of the system in totality, something is wrong with this system.

The other thing is that, yes, what we really need is more brain power, or rather less about gibberish crap and more about the intrinsic way your mind works. Use things that other people CAN'T guess, because they don't think like you. I mean, think about it, Random Escapist-Goer... D'you think Jack has ANY hope of getting into your mind and guessing your password? Hell no.

The rubber hose thing can't be solved by a system that will likely make logging in harder for the RIGHT user. It's only through making the PEOPLE better that this works.

SnowyGamester

Tech Head
Oct 18, 2009
I've actually been doing this for a few years now, just pressing keys on the keyboard in a certain order instead. It was originally a phone-dial version (where the letters are on a phone keypad) of an old password done on the number keys, but then I just moved it down onto the qwerty keys. If I ever want to change it again, I can just move where I place my hand when I type it.

Athinira

New member
Jan 25, 2010
Roander said:
Of course this is academic when institutions are still limiting passwords to ridiculously short lengths.
Well, since I mentioned the software anyway, I would also like to mention that KeePass features a very nice security implementation to prevent brute-force/dictionary attacks.

KeePass features a database setting (individual per database of passwords) that you can change at will. This setting is called "Number Of Key Transformation Rounds". What it basically means is that the master key used to decrypt the password must itself be encrypted X times before it is used (X specified by the user). This means that for every brute-force/dictionary attempt an attacker makes, the attacker must transform the key X times using CPU power, adding a constant work factor to each brute-force attempt.

While this does make it take longer to encrypt/decrypt the database, it does increase security. My personal setting is 576000 transformation rounds (with my i5 being able to handle around 8 times that amount per second). This basically means that for every attempt an attacker takes at my password, he has to use 576000 times as much CPU power compared to normal encryption.

It would be prudent if more systems were to use that kind of security when appropriate (i.e. where the CPU increase is a non-issue).
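An added illustration (not KeePass's own code) of the work factor Athinira describes: the key is pushed through a fixed number of chained transformation rounds before use, so an attacker has to pay for the same rounds on every single guess. The transform here is an iterated SHA-256 stand-in for KeePass's AES-based key transformation, the per-database seed is a constructed value, and the 576000-round and "8 times that per second" figures are the ones from the post above.

```python
import hashlib


def transform_key(master_key: bytes, seed: bytes, rounds: int) -> bytes:
    """Apply `rounds` chained one-way transformations to master_key.
    Each round feeds the previous output back in, so the rounds cannot be
    parallelised or skipped. KeePass uses AES for this step; SHA-256 is used
    here only to keep the example dependency-free."""
    key = master_key
    for _ in range(rounds):
        key = hashlib.sha256(seed + key).digest()
    return hashlib.sha256(key).digest()  # final hash after the rounds, as KeePass does


def derive_from_password(password: str, seed: bytes, rounds: int) -> bytes:
    """Hash the password first so the transform always starts from 32 bytes."""
    return transform_key(hashlib.sha256(password.encode()).digest(), seed, rounds)


def guesses_per_second(transforms_per_second: float, rounds: int) -> float:
    """Attacker throughput: raw transform rate divided by the rounds per guess."""
    return transforms_per_second / rounds


def seconds_to_exhaust(keyspace: int, transforms_per_second: float, rounds: int) -> float:
    """Time to try every candidate in `keyspace` at the stretched guess rate."""
    return keyspace / guesses_per_second(transforms_per_second, rounds)


if __name__ == "__main__":
    seed = b"constructed-per-database-seed"  # KeePass stores a random seed per database
    rounds = 576_000
    print("derived key:", derive_from_password("correct horse", seed, rounds).hex())
    rate = 8 * rounds  # the post's i5: about 8 times the round count per second
    print(f"{guesses_per_second(rate, rounds):.0f} password guesses/s at {rounds} rounds")
    print(f"1 round instead: {guesses_per_second(rate, 1):.0f} guesses/s")
    print(f"10^6-word dictionary takes {seconds_to_exhaust(10**6, rate, rounds) / 3600:.1f} h")
```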

kitsuta

<Clever Title Here>
Jan 10, 2011
mdqp said:
If one can't enter it spontaneously, one can't enter it, period. They must be capable of entering it whenever is needed, otherwise it's pointless, isn't it?
Incorrect. Authentication is not just a blank box on a login screen. It is the same program as the training program, but with the correct password thrown at the user interspersed with two incorrect passwords. The system simply measures how much better the user does at the correct password - which, by the way, doesn't mean they have to hit it 100% correctly.

Think of the real Guitar Hero. After you play a song a few times, you can play it a little better than a song you haven't tried before, right? Does that mean you can spontaneously hit all, or even most, of the notes? Of course not.* This same principle applies without the music, and that's what the authentication program relies on.

*EDIT: Though if you could, that'd be pretty awesome.
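A toy simulation, added here and not taken from the paper or from kitsuta's post, of the authentication step described above: the stored password sequence is presented between two decoy sequences, several times over, and the user is accepted only if their hit rate on the stored sequence is clearly better than on the decoys. The user model (base hit rate, training bonus, per-run noise) and the six-key layout are assumptions chosen to illustrate the principle, not the paper's actual task or numbers.

```python
import random
from statistics import mean


def simulate_trial(sequence, trained, rng, base_hit=0.70, trained_bonus=0.12, noise=0.03):
    """Fraction of items of `sequence` a modelled user hits on one run.
    Assumed model: untrained items are hit with probability base_hit, items of
    the sequence the user trained on with base_hit + trained_bonus, plus some
    Gaussian noise per run. Nobody reproduces the sequence perfectly or on demand."""
    p = base_hit + (trained_bonus if sequence == trained else 0.0)
    p = min(1.0, max(0.0, p + rng.gauss(0.0, noise)))
    hits = sum(1 for _ in sequence if rng.random() < p)
    return hits / len(sequence)


def authenticate(user_trained, stored_password, decoys, rng, blocks=5, threshold=0.06):
    """Present the stored password between two decoys, `blocks` times, and compare
    hit rates. Returns (accepted, advantage): the user passes if their performance
    on the stored password beats the decoys by more than `threshold`."""
    correct, wrong = [], []
    for _ in range(blocks):
        for seq in (decoys[0], stored_password, decoys[1]):
            score = simulate_trial(seq, user_trained, rng)
            (correct if seq == stored_password else wrong).append(score)
    advantage = mean(correct) - mean(wrong)
    return advantage > threshold, advantage


def make_sequence(rng, keys="sdfjkl", length=100):
    """A random key sequence over six keys, like a rhythm-game track (assumed layout)."""
    return "".join(rng.choice(keys) for _ in range(length))


def run_demo(seed=1, blocks=5):
    """Legitimate user (trained on the stored password) versus an untrained user."""
    rng = random.Random(seed)
    password = make_sequence(rng)
    decoys = [make_sequence(rng), make_sequence(rng)]
    legit = authenticate(password, password, decoys, rng, blocks)
    impostor = authenticate(make_sequence(rng), password, decoys, rng, blocks)
    return {"legitimate": legit, "untrained": impostor}


if __name__ == "__main__":
    for who, (accepted, advantage) in run_demo().items():
        print(f"{who:10s} accepted={accepted} advantage={advantage:+.3f}")
```

Nothing in the model lets either user "know" the sequence; the legitimate user only scores a little better on it, which is all the threshold comparison looks for.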

mdqp

New member
Oct 21, 2011
kitsuta said:
Incorrect. Authentication is not just a blank box on a login screen. It is the same program as the training program, but with the correct password thrown at the user interspersed with two incorrect passwords. The system simply measures how much better the user does at the correct password - which, by the way, doesn't mean they have to hit it 100% correctly.

Think of the real Guitar Hero. After you play a song a few times, you can play it a little better than a song you haven't tried before, right? Does that mean you can spontaneously hit all, or even most, of the notes? Of course not.* This same principle applies without the music, and that's what the authentication program relies on.

*EDIT: Though if you could, that'd be pretty awesome.
I understand that, but it doesn't sound as risk-free to me as they want it to appear. Since the game must have margins to compensate for the limits that an execution like that might have (even when you know the timing very well, you aren't going to score "perfect" each time, right?), I seriously believe that a counterfeit system for training/gathering information might be more successful than what they imagine. Of course, I might be wrong.