
Unbreakable Crypto: Store a 30-character Password In Your Subconscious Mind

samzenpus posted more than 2 years ago | from the locked-away dept.

Security 287

MrSeb writes "A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence."


287 comments


"Reliably better" (4, Interesting)

FireballX301 (766274) | more than 2 years ago | (#40709121)

How many standard deviations above 'random guessing' are we talking about? Over how many trials? And 2 weeks is fine, but what about 6 months to a year?

I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

Re:"Reliably better" (0)

Anonymous Coward | more than 2 years ago | (#40709193)

I have stopped using persistent information if it needs to be classified. I have l3ftNu7Z as password everywhere! (and boot all my OS's from RO media) This works well! :-)

Re:"Reliably better" (5, Funny)

Anonymous Coward | more than 2 years ago | (#40709261)

He's not kidding. I just logged onto his /. account and posted this after reading the password he posted.

Re:"Reliably better" (5, Funny)

rjgii (1176021) | more than 2 years ago | (#40709493)

He must have changed it... I can not log in as "Anonymous Coward" anymore =(

Re:"Reliably better" (0)

Anonymous Coward | more than 2 years ago | (#40709221)

I can still play various pieces of piano music I learnt about 15 years ago, and they are a lot longer than 30 notes!

Re:"Reliably better" (0)

Anonymous Coward | more than 2 years ago | (#40709273)

That's exactly what I was going to say, for most of us song lyrics can't be forgotten, and in case of doubt you can always find them on the internet.
The only thing you really need to remember is the beginning and end positions, and maybe the way to handle spaces and punctuations.
The drawback is that long passphrases can be cumbersome to type in...

Personally I use a 30+ characters long easily typed sentence, and for extreme security needs (aka passphrase for sensitive backups) the whole paragraph which comes at a hefty 180 chars...

Re:"Reliably better" (3, Funny)

hlavac (914630) | more than 2 years ago | (#40709743)

Next up: Most popular song lyrics added to cracklib wordlist :)

Re:"Reliably better" (1)

aaaaaaargh! (1150173) | more than 2 years ago | (#40709291)

I still prefer 80+ character passphrases lifted from song lyrics whenever possible. If you know the song well enough it's impossible to crack, and the search space is still large among people who know you like that particular song

I highly doubt that the search space is large enough. You cannot memorize many song texts (no more than a few thousand, and I'm being optimistic here) and it is easy to predict from background information which songs you know and like. Given that, plus the fact that it is highly likely that you will start your passphrase at a word boundary, it looks awfully easy to break your 80+ character passphrase using a customized dictionary attack.

Passphrases from books might fare better, assuming that you have a few thousand books and choose the book and passage fairly randomly. (Then again, we all know the guy with the rubber gloves from movies, who inspects your books by letting them "fall open" and finds the right passage immediately...)
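The "customized dictionary attack" described in the comment above, as an added example that is not anyone's code from this thread: it enumerates every word-boundary substring of a (made-up) lyric corpus that reaches the "80+ character" length, compares that candidate count with the naive per-character estimate, and recovers a constructed target hash from the list. Assumptions not stated in the thread: the user starts and ends on a word boundary, keeps the lyric's own lower-case spelling and spacing, and the attacker already knows which songs the user likes. The corpus contains no real lyrics and the target hash is computed inside the script.

```python
"""Constructed demonstration of a lyric-corpus dictionary attack on long
passphrases. Added for this page; not code from anyone in the thread.

Assumptions (not from the thread): word-boundary start and end, the lyric's
own spacing and case, and an attacker who knows the victim's favourite songs.
"""
import hashlib
import math

# Constructed stand-in for "songs the target likes" (no real lyrics). A real
# attacker would scrape thousands of songs; the attack's shape is the same.
SONG_CORPUS = {
    "song_a": "the night is young and the road is long we sing along until the dawn "
              "comes up and the stars go down and we start again",
    "song_b": "hold on tight we ride tonight the city lights are burning bright "
              "and nothing in this world can bring us down we own the night",
    "song_c": "rain keeps falling on my window pane i call your name but nothing "
              "changes only the sound of the rain and the train that never came",
}

MIN_LEN = 80      # the commenter's "80+ character passphrases"
ALPHABET = 27     # a-z plus space: the naive per-character choice count


def candidate_phrases(corpus, min_len=MIN_LEN):
    """Every word-boundary substring of every song with at least min_len
    characters. Under the assumptions above this is the whole search space."""
    seen = set()
    for text in corpus.values():
        words = text.split()
        for i in range(len(words)):
            for j in range(i + 1, len(words) + 1):
                phrase = " ".join(words[i:j])
                if len(phrase) >= min_len:
                    seen.add(phrase)
    return sorted(seen)


def naive_bits(length=MIN_LEN, alphabet=ALPHABET):
    """What '80 characters' sounds like if every position were independent."""
    return length * math.log2(alphabet)


def corpus_bits(corpus, min_len=MIN_LEN):
    """What it actually is once the attacker holds the corpus."""
    return math.log2(len(candidate_phrases(corpus, min_len)))


def hash_phrase(phrase):
    # Unsalted SHA-256 stands in for whatever the verifier stores. A slow,
    # salted KDF raises the cost per guess but does not change the count.
    return hashlib.sha256(phrase.encode()).hexdigest()


def crack(target_hash, corpus, min_len=MIN_LEN):
    """Try each candidate once; return the matching phrase or None."""
    for phrase in candidate_phrases(corpus, min_len):
        if hash_phrase(phrase) == target_hash:
            return phrase
    return None


# Constructed victim: the passphrase is song_a minus its first word.
VICTIM_PHRASE = " ".join(SONG_CORPUS["song_a"].split()[1:])
VICTIM_HASH = hash_phrase(VICTIM_PHRASE)

if __name__ == "__main__":
    print(f"candidates: {len(candidate_phrases(SONG_CORPUS))}")
    print(f"naive: {naive_bits():.1f} bits, with corpus: {corpus_bits(SONG_CORPUS):.1f} bits")
    print("recovered:", crack(VICTIM_HASH, SONG_CORPUS))
```

With three songs the candidate list is a few hundred phrases, a search space of roughly 8 to 10 bits against a naive figure near 380 bits for 80 free characters. Growing the corpus to every song the victim might know adds a factor of a few thousand, not the exponent.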

Only one song stays in my mind day after day... (5, Funny)

Anonymous Coward | more than 2 years ago | (#40709745)

and I can never remember exactly how many "na-na-na"s go in between the "hey, hey, hey"s and the "good-bye"s.....

(welcome to MY hell, and you're welcome!)

Re:"Reliably better" (1)

jaymemaurice (2024752) | more than 2 years ago | (#40709751)

How can you predict which song is used if the person doesn't like it? Also, if the stored hash is small enough, you'd probably sooner brute-force a collision or threaten to kill the persons family.

Re:"Reliably better" (2)

0100010001010011 (652467) | more than 2 years ago | (#40709405)

I like irreversible hashes generate passwords for me salted with wherever I am.

sha1('mypassword'+'slashdot.org')

Tada. Or if you're really paranoid.

sha512(md5(rot13('mypassword'+'slashdot.org')))

Even sha512("") is just 0xcf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Good luck cracking that in your or my lifetime.

echo "Hello Worldslashdot.org" | sha512sum
78dce89143430dbbda8059e7cc12a90c9d8f95090972579cb11bc23d119f7bea9f59646a40b9da6dfd091d68d9cac705e95091d778509af721402277b5d57ddf -

And if for some reason that wasn't enough. You could left shift everything by 64 to the left. So 97 would become 33 (!). Now you've just converted all of your a-o into '!' through '/'. And since most passwords require it start with a letter (for some arbitrary and unknown reason) prefix that with x.

My company has weird old unix password system that needs to be changed every month. Has to start with a letter. Has to have at least !$%or # in it. Has to have numerous other requirements.

Take the month. Run it through a standard known crypto function that you wrote and tada, easily generated/memorized number, difficult to crack.

Filter error: That's an awful long string of letters there.
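The sha1(master + site) scheme from the comment above and the objection the replies raise to it, as an added example that is not the commenter's code: once the derivation rule is public, one leaked site password is enough to recover the master from a wordlist, and the master regenerates the password for every other site. It also shows the two properties the replies point at, that the output alphabet is only 0-9a-f, and that the "shift by 64" step is a fixed reversible mapping that adds no secret. The master "mypassword" is the commenter's placeholder; the site list and wordlist are constructed.

```python
"""Added example: deterministic per-site passwords via sha1(master + site),
then the attack that follows from the rule being known. Not the commenter's
own code. The sites and wordlist are constructed for the example.
"""
import hashlib

HEX = set("0123456789abcdef")


def derive_site_password(master: str, site: str) -> str:
    """The commenter's rule: sha1('mypassword' + 'slashdot.org'), hex."""
    return hashlib.sha1((master + site).encode()).hexdigest()


def shift_into_symbols(pw: str) -> str:
    """The commenter's follow-up: subtract 64 from a-o so they land on
    '!'..'/' to satisfy a 'must contain a symbol' rule. The mapping is
    fixed and reversible, so it changes character classes, not secrecy."""
    return "".join(chr(ord(c) - 64) if "a" <= c <= "o" else c for c in pw)


def recover_master(leaked_site: str, leaked_password: str, wordlist):
    """Attacker side. The rule is public, so each guess costs one SHA-1
    and the 'hash' protects nothing beyond the master's own guessability."""
    for guess in wordlist:
        if derive_site_password(guess, leaked_site) == leaked_password:
            return guess
    return None


def pivot(master: str, sites):
    """With the master known, every other site's password is a lookup."""
    return {site: derive_site_password(master, site) for site in sites}


# Constructed scenario
MASTER = "mypassword"
SITES = ["slashdot.org", "example.com", "mail.example.net"]
WORDLIST = ["password", "letmein", "hunter2", "mypassword", "correct horse"]


def run_attack():
    """One site leaks its derived password in the clear; the attacker
    recovers the master and regenerates the rest. Returns (master, {site: pw})."""
    leaked = derive_site_password(MASTER, "slashdot.org")
    master = recover_master("slashdot.org", leaked, WORDLIST)
    if master is None:
        return None, {}
    return master, pivot(master, SITES)


if __name__ == "__main__":
    master, passwords = run_attack()
    print("recovered master:", master)
    for site, pw in passwords.items():
        print(f"{site}: {pw}  -> {shift_into_symbols(pw)}")
```

Every derived password is 40 hex characters, so a site policy that demands symbols is met only by the shift step, and a leak at any one site that stores the password unhashed (or hashes it weakly) exposes the master to a plain wordlist run.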

Re:"Reliably better" (0)

Anonymous Coward | more than 2 years ago | (#40709567)

We now know your trick.

Re:"Reliably better" (4, Insightful)

Joce640k (829181) | more than 2 years ago | (#40709691)

There's numerous flaws in your plan, but that's beside the point.

The whole point of this system (which you missed) is that it's secure against rubber hose cryptanalysis (aka $5 wrench cryptanalysis).

Re:"Reliably better" (2)

hlavac (914630) | more than 2 years ago | (#40709755)

Can you do SHA512 in your head? I can't, dammit!

Re:"Reliably better" (1)

jaymemaurice (2024752) | more than 2 years ago | (#40709789)

Parents described flaws: Like only characters being 0-9 a-f? Such a crypto function can be known/modified without you knowing?

It's not really secure against the decrypt it or people you know die cryptanalysis, only the don't tell us and people protected by the encryption will live but not you situation.

Re:"Reliably better" (0)

Anonymous Coward | more than 2 years ago | (#40709793)

Good luck cracking that in your or my lifetime.

Makes it a bit easier as you posted accurate instructions how you do it.

Re:"Reliably better" (1)

Yvanhoe (564877) | more than 2 years ago | (#40709433)

The search space is incredibly small. You better add one or two unrelated words to that if you want to have a chance.

Re:"Reliably better" (0)

Anonymous Coward | more than 2 years ago | (#40709827)

The search space is amazingly larger. If he starts with *the first word* of the song, or refrain, and types *the entire verse* or chorus, then yes. However, there are a lot of songs, a whole lot of songs.

Re:"Reliably better" (5, Interesting)

errandum (2014454) | more than 2 years ago | (#40709507)

That is not true. It has been proven that passphrases can be weaker than passwords, simply because words usually follow each other in an ordered pattern.

You'll be safe from brute force attacks, but not any attack that adds intelligence to the mix. And if the person cracking your password knows it uses music lyrics you love, you'll be even more at risk since it only has to test for the songs you like.

What you just described is NOT safety.

Re:"Reliably better" (5, Interesting)

djmurdoch (306849) | more than 2 years ago | (#40709775)

But the brute forcer also has to try all sorts of stupid variations:

One ton O'Mara
Feel the beat from the tangerine
Scuse me while I kiss this guy
I can see Deirdre now Lorraine has gone

Re:"Reliably better" (2)

jaymemaurice (2024752) | more than 2 years ago | (#40709807)

Deftones and many genres of music have lyrics which don't follow normal language ordering. How about the song scatman - not many actually like it but the lyrics easily burn into your head.

Re:"Reliably better" (1)

RivenAleem (1590553) | more than 2 years ago | (#40709579)

But you don't get around the extraction by torture. You can tell someone your password is the first verse of God Save the Queen, but what you've got here is actually a form of biometric password, but instead of a finger print, it is instead using the unique process by which you learn a given task, a kind of 'brainprint'. You can still be coerced to enter the password, having been brought to the location. But would you be able to enter the password under duress?

Re:"Reliably better" (1)

Anonymous Coward | more than 2 years ago | (#40709589)

it's impossible to crack, ...

... until you start singing "Never gonna give you up. Never gonna let you down." every time you enter your password.

repetitive phrases slightly modified (5, Funny)

alphatel (1450715) | more than 2 years ago | (#40709123)

This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there’s a short pause. This entire process is repeated six more times, for a total of 3,780 items.

Replace 'character' with 'note' and it's clear subjects were tortured with Philip Glass for 80 hours and won't soon forget.

Re:repetitive phrases slightly modified (1)

Black Parrot (19622) | more than 2 years ago | (#40709635)

Replace 'character' with 'note' and it's clear subjects were tortured with Philip Glass for 80 hours and won't soon forget.

I notice the study didn't report on how many subjects jumped out the window afterward [imdb.com] .

So to recover your password ... (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40709125)

State Security forces you to play this game?

Re:So to recover your password ... (5, Interesting)

Dr_Barnowl (709838) | more than 2 years ago | (#40709289)

The game only works if the machine knows what your password is, so that you can succeed at playing that sequence better.

Which reveals the flaw in the scheme ; currently, the computer you are logging into doesn't need to know your password - it stores a hash instead. With this scheme, the machine needs a way to recover your password as plaintext, so that it can test you on it. Which means that if you can seize the system itself, you can get into it, you just need to extract the password and train someone else to know it.

Re:So to recover your password ... (1)

Grantbridge (1377621) | more than 2 years ago | (#40709391)

If you've seized the system already, then the passwords might as well be in plaintext. With this system users can't choose their own password, so knowing their password at one website won't help you break into their accounts on other websites, since they cannot be the same (except by chance.)

Re:So to recover your password ... (2)

Rich0 (548339) | more than 2 years ago | (#40709553)

I think this is one of the biggest weaknesses with any password-based system. We're too dependent on uncontrolled terminals, and nobody has figured out how to do SSL directly to the human brain.

We like to blanket ourselves in feel-good measures like PCI/etc, but the fact is that nobody really knows if that box you're punching a PIN/etc into has been tampered with.

Re:So to recover your password ... (3, Interesting)

dohzer (867770) | more than 2 years ago | (#40709569)

I'm fairly sure that by the time anyone can SSL directly into your brain, they'll also have some sort of high-res MRI scanner to simply read your brain's contents.

Re:So to recover your password ... (0)

Anonymous Coward | more than 2 years ago | (#40709701)

The game only works if the machine knows what your password is, so that you can succeed at playing that sequence better.

Are you sure of that?

I could rig the game to let the user play random strings. The user would play better at some, suggesting that those substrings are part of his key. After a while, most key components are identified. Now we can do a limited brute-force search, using only variations of the useful substrings.

Another more serious problem: If several services use this system, the user will eventually become "good" at playing many different "keys". So his own key on one particular system might not stand out anymore.

And then there is the option of denial-of-service. Make a (funny) game that is too similar to this authentication method. Not only will you gain some key substrings in the beginning - but then the user gets so good at the game that he no longer shows any preference for his key. The key drowns in the increasing noise of gameplay, so he can't log in anymore.

Re:So to recover your password ... (1)

martas (1439879) | more than 2 years ago | (#40709777)

I could rig the game to let the user play random strings

Seems like that would take a pretty long time for 30 characters. Plus it might not work the way you describe -- it's not necessarily true that the user would be better at playing any substring.

How ingenious (5, Funny)

Chrisq (894406) | more than 2 years ago | (#40709127)

The "cross-disciplinary team of US neuroscientists" came up with the most original excuse ever for why they were spending all their grant money on games consoles and all their time playing games.

Re:How ingenious (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40709251)

I can't stand idiots like you, who always act as if games were an "excuse" or "waste of time", when they are the MOTHER of all education, art, sports and entertainment.
There is no better way to explore something new, than games. That's what they are there for.
It's things like school as we know it, that is a waste of time and deeply utterly wrong.

Re:How ingenious (1)

Anonymous Coward | more than 2 years ago | (#40709565)

whoosh....

Re:How ingenious (2)

metacell (523607) | more than 2 years ago | (#40709257)

How on Earth did the parent get modded "Informative"? Funny, yes, informative, no.

Re:How ingenious (2, Funny)

loimprevisto (910035) | more than 2 years ago | (#40709825)

Mods occasionally rate a funny post as something else to boost that person's karma rating, since Funny doesn't give a karma boost.

...or at least that's how it used to work, something might have been tweaked in the moderation system since that was true.

How is that resistant to rubber-hose cryptography? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40709135)

Log in or else!

Re:How is that resistant to rubber-hose cryptograp (0)

Anonymous Coward | more than 2 years ago | (#40709237)

Have you ever listened to these guys play?

Re:How is that resistant to rubber-hose cryptograp (1)

shentino (1139071) | more than 2 years ago | (#40709325)

Presumably the stress of duress would ruin your performance.

Added bonus (-1, Flamebait)

Chrisq (894406) | more than 2 years ago | (#40709141)

For the Muzzies playing guitar is Haraam

Re:Added bonus (0)

Anonymous Coward | more than 2 years ago | (#40709345)

If that is true, their god is a false one - not that there are any true ones, so this makes their falser?.

Who the hell forbids playing the guitar?

Re:Added bonus (0)

Chrisq (894406) | more than 2 years ago | (#40709455)

If that is true, their god is a false one - not that there are any true ones, so this makes their falser?.

Who the hell forbids playing the guitar?

Well, I worked out that the Muslim God is false when it told them to subdue non Muslims and kill them if they don't accept punitive taxes, not to practice religion in public, not to repair or build places of worship, and not to be able to testify against Muslims (like the non-muslim girls kidnapped and raped in Pakistan, where the rapist just has to say it was consensual and even when a whole congregation of non-Muslims witnessed it he is acquitted because there is no evidence against him).

However, if it takes the guitar being banned to convince you that the Muslim God is false, see Guitar Haraam? [ummah.com] .

Does the server need to know the password? (4, Insightful)

kasperd (592156) | more than 2 years ago | (#40709145)

It sounds like the way this works, the server will need to know what the password is in order to produce the combined sequence. Doesn't that make it weaker than ordinary passwords? And if you repeatedly get the same random sequence, over time you'll learn that as well. OTOH if you get different random sequences, then it would be possible to extract the original sequence. Did I miss something here?

Re:Does the server need to know the password? (1)

queazocotal (915608) | more than 2 years ago | (#40709247)

Sort of - there are caveats.

There are a few ways to do this.
Pretending that it's for the moment typing a letter in response to some other letter.
If the correct response to a stimulus 'A' is 'a' - then the server can take a response to a randomly chosen phrase -
AQRGS, and then get response fqrgs, and hand both of these over to an authentication server, which determines the match.

Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
In some apps, this may be a valid way to do things.

If you can get a reliable enough response from the user in a binary manner that you can determine the exact key, then you can simply hash this as any other password.
Having one server know all the passwords is a weakness, but it's a very known weakness.

Re:Does the server need to know the password? (3, Insightful)

realityimpaired (1668397) | more than 2 years ago | (#40709279)

Or, it can contact an authentication server, which deals with both the exact challenge to be sent, and verifies the response.
In some apps, this may be a valid way to do things.

Not really... if I want to crack your password, all I have to do is send a few requests to the authentication server, and look at the challenges it responds with. Find the sequence of 30 characters that's repeated in all of them, and there's your password.
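The attack in the comment above, as an added example that is not the paper's code or anyone's from this thread: a toy of the authentication round as the summary describes it (the user's 30-item sequence concatenated with other random 30-item sequences in shuffled order) and an attacker who requests challenges and keeps only the block common to all of them. Everything concrete is an assumption: six keys labelled "sdfjkl", six whole blocks per challenge, uniformly random filler, a single copy of the secret per challenge, and a seeded RNG so the run is repeatable.

```python
"""Added example: recovering the secret sequence from challenges alone.
Not code from the paper or the thread; all parameters are assumptions.
"""
import random

KEYS = "sdfjkl"     # six columns, as in the game; these letters are an assumption
SECRET_LEN = 30


def random_sequence(rng, length=SECRET_LEN):
    return "".join(rng.choice(KEYS) for _ in range(length))


def build_challenge(secret, rng, n_blocks=6):
    """Server side. To embed the secret the server must hold it in the
    clear; there is no hash-only form of this step."""
    blocks = [secret] + [random_sequence(rng) for _ in range(n_blocks - 1)]
    rng.shuffle(blocks)
    return "".join(blocks)


def blocks_of(challenge, size=SECRET_LEN):
    """Split a challenge back into its whole 30-item blocks (assumes blocks
    are concatenated unpadded, as in build_challenge)."""
    return {challenge[i:i + size] for i in range(0, len(challenge), size)}


def common_blocks(challenges):
    """Attacker side: the only block present in every challenge is the
    secret. A random 30-over-6 block recurs by chance with probability
    about 6**-30 per pair, so two challenges normally suffice."""
    return set.intersection(*(blocks_of(c) for c in challenges))


def challenges_to_recover(secret, rng, limit=10):
    """Request challenges until exactly one common block remains.
    Returns (number_of_challenges, recovered) or (limit, None)."""
    seen = []
    for n in range(1, limit + 1):
        seen.append(build_challenge(secret, rng))
        common = common_blocks(seen)
        if len(common) == 1:
            return n, next(iter(common))
    return limit, None


def demo(seed=1234):
    """Constructed user with a random secret; returns (secret, n, recovered)."""
    rng = random.Random(seed)
    secret = random_sequence(rng)
    n, recovered = challenges_to_recover(secret, rng)
    return secret, n, recovered


if __name__ == "__main__":
    secret, n, recovered = demo()
    print(f"secret:    {secret}")
    print(f"recovered: {recovered} after {n} challenges")
```

No account, no gameplay and no user is needed: the challenge itself carries the secret, which is why the server-side design in the parent comments matters more than how well the sequence is hidden in the user's head.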

Re:Does the server need to know the password? (1)

Anonymous Coward | more than 2 years ago | (#40709271)

Exactly so.

Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences.

This means attackers will play it twice recorded on video, then know your password. I think they're considering this a non-issue, since "knowing" is only half the battle -- but it can then be defeated by training offline on the known password, or possibly by deliberately muffing the random (non-password) sequences.

Re:Does the server need to know the password? (0)

Anonymous Coward | more than 2 years ago | (#40709429)

Exactly my thoughts.

Also. We already have destroyable keyfiles/chipcards/etc to prevent the rubber hose thing. You destroy the key, show them the destroyed key, and if they had any interest in letting you live at all, that's it. (If they want to kill/torture you, no matter what, there is no way around anyway.)

unbreakable my shiny ass (1)

Anonymous Coward | more than 2 years ago | (#40709147)

what prevents the rubber hose cryptanalysts from making you play guitar hero in front of their eyes? nothing.

Re:unbreakable my shiny ass (1)

jpate (1356395) | more than 2 years ago | (#40709379)

what if they already broke your hands to find out which computer system the sooper sekret information is kept on? </morbid>

So, brute force it is. (0)

Anonymous Coward | more than 2 years ago | (#40709167)

This would be easy to break with brute force. If it is subconscious you just have to present the subject with the right conditions (drugs / hypnosis should be able to do that) and the entry system and he will produce the key. It's just like a normal password only you have no conscious control over it.

Why can't this be rubber-hosed out of someone? (1)

Anonymous Coward | more than 2 years ago | (#40709173)

If the user authenticates by performing some action, they can be coerced into performing that action.

Re:Why can't this be rubber-hosed out of someone? (1)

Black Parrot (19622) | more than 2 years ago | (#40709655)

If the user authenticates by performing some action, they can be coerced into performing that action.

Do you think having your piano teacher stand beside you slapping a rubber hose in her palm while you play makes it less likely for you to miss a note?

Re:Why can't this be rubber-hosed out of someone? (2)

kanweg (771128) | more than 2 years ago | (#40709725)

the hose isn't necessary. Just the rubber would do, I guess.

Bert

Standard password security practices. (4, Insightful)

mwvdlee (775178) | more than 2 years ago | (#40709191)

Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game

I'm assuming I'll still be automatically logged out after 5 minutes of inactivity, cannot recover but will have to change my password when forgotten and passwords will expire every month?

Also; the research suggests users will have to perform better on the injected "password" sequences than random sequences... how will they deal with top players that get a perfect score every time for the entire sequence?

Re:Standard password security practices. (0)

Anonymous Coward | more than 2 years ago | (#40709527)

Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game

I'm assuming I'll still be automatically logged out after 5 minutes of inactivity, cannot recover but will have to change my password when forgotten and passwords will expire every month?

Nevermind that: They seriously expect people to sit through 45 minutes of training to learn a password? Am I going to have to do that for every job, financial institution, and online ordering system I interact with? What happens when the server gets hacked and my precious maze-solution gets stolen?

It may be more fun than typing "password123" twelve times a day, but password123 takes less than 2 seconds, and I doubt that the fun lasts for more than a week. Worst. Solution. Ever.

Re:Standard password security practices. (1)

arth1 (260657) | more than 2 years ago | (#40709615)

Nevermind that: They seriously expect people to sit through 45 minutes of training to learn a password?

And how long to log in?

But the biggest problem I see apart from the plain text storage of passwords is that people don't just authenticate to one place, but dozens or more. This could only work if it was a global SSO system, where you log in once. But that implies that if the system is compromised anywhere it's compromised everywhere.

Colour me unimpressed. It's good that people study these things, but we need a system where scientists can report their study as a failure and still be thanked for their job. As it is, everything is marketed as a success, because that's what those who fund research want to see. Those are the idiots - they should reward the scientists for telling the truth, not for making a spin.

Because they can't possibly coerce you... (0)

Anonymous Coward | more than 2 years ago | (#40709195)

completely removes the danger of rubber-hose cryptanalysis — i.e. obtaining passkeys via torture or coercion. It also gives you deniability: If a judge or policeman orders you to hand over your password, you can plausibly say that you don’t actually know it.

Eh? Surely if they're inclined to use rubber-hose techniques (Or the XKCD Wrench Technique [xkcd.com] ) all they have to do is plonk you in front of the machine and tell you to play the game or they start with the wrenching? Same goes for a judge, surely they'll just adapt the law to "you have to provide access to the data", which means "type in the password or play the damn game".

Sure, it means they need physical access to the machine, but if they already have physical access to you then I doubt that'll often be a problem...

Easy to remember (1)

Centurix (249778) | more than 2 years ago | (#40709211)

Up, left, left, left, down, up, down, up, right. Got it.

Re:Easy to remember (0)

Anonymous Coward | more than 2 years ago | (#40709403)

...B, A, Start

There, FTFY.

All NES players have a subconscious password: (2)

cvd6262 (180823) | more than 2 years ago | (#40709217)

up-up-down-down-left-right-left-right-B-A-start

Re:All NES players have a subconscious password: (0)

Anonymous Coward | more than 2 years ago | (#40709599)

care to elaborate?

Re:All NES players have a subconscious password: (0)

Anonymous Coward | more than 2 years ago | (#40709665)

Search for Konami code. Oh Life Force, the memories...

Re:All NES players have a subconscious password: (1)

Black Parrot (19622) | more than 2 years ago | (#40709671)

up-up-down-down-left-right-left-right-B-A-start

care to elaborate?

Apparently some kind of masturbation joke.

38 bits of entropy (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40709219)

Only 38 bits of entropy because there's only 6 choices for each of the 30 characters. Yeah a Tesla GPU can chew through that in a day. I'd post the relevant XKCD comic but I'm pretty sure everyone here knows what it is already.

Another variant (2)

art6217 (757847) | more than 2 years ago | (#40709225)

The system requires that you copy-write a short random message by hand, but at no point do you actually remember the subtleties of your individual writing style, like the ballpoint pressure or distribution of the shape of "o"s, meaning it can't be presented as a plain sequence of letters and it can't be obtained via coercion or torture i.e. rubber-hose cryptanalysis. The system, devised by Anonymous Coward, relies on implicit learning, a process by which you absorb new information, but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) does NOT involve anything, as your writing style is likely already precisely and intricately shaped for years.

Without a human specialist, a dedicated OCR software would need to be developed, though...

No coercion? (2)

TranceThrust (1391831) | more than 2 years ago | (#40709229)

How does the scheme prevent ``play this game or I'll kill your family''?

Forty Five Minutes? (1, Interesting)

AlienIntelligence (1184493) | more than 2 years ago | (#40709231)

Who has 45 min to learn a new password? I can't see a company willing to pay someone for 0.75hr just to learn a password.

-AI

Re:Forty Five Minutes? (1)

geekmux (1040042) | more than 2 years ago | (#40709421)

Who has 45 min to learn a new password? I can't see a company willing to pay someone for 0.75hr just to learn a password.

-AI

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people) from losing their second most valuable asset (information).

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

Re:Forty Five Minutes? (2)

Corbets (169101) | more than 2 years ago | (#40709465)

Who has 45 min to learn a new password? I can't see a company willing to pay someone for 0.75hr just to learn a password.

-AI

Well then I suppose you would find a company who finds no point in protecting their most valuable asset (people) from losing their second most valuable asset (information).

Maybe the senior executives would sing a different tune if you showed them that 75% of their current workforce passwords were cracked in 45 seconds or less.

Or they just might figure that people who lack the capacity to memorize a reasonably complex password may not, after all, be all that valuable of an asset.

Re:Forty Five Minutes? (2)

Overzeetop (214511) | more than 2 years ago | (#40709645)

Who would allow a truly secure system to have static passwords - most require a change once a month. Now it costs 9 hours a year, or 0.5% of your entire payroll costs just to learn the passwords. Since the sequence must be played back using a large string of random sequences in which the password sequence is embedded, I presume that would probably take at least 2 minutes to be of both necessary and sufficient length. Let's presume that you only have to log in twice a day (when you arrive, and when you come back after lunch) to this truly secure system...that's 4 minutes a day or another 1000 minutes ~ 16 hours ~ a year. Now we're up to 1.25% of employee costs. If you have a 100,000 person company with US average wages (and they'll probably be higher than average if they're logging into a secure system), that's $75,000,000 a year.

Now, tell me again how much the executive board splitting an extra $75,000,000 in bonuses is going to react when you tell them that they need this highly secure password system, compared to the one they have that had resulted in few or no breaches in the past decade.

Uh, maybe I'm missing something but (1)

trifish (826353) | more than 2 years ago | (#40709249)

it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis

Correct me if I'm wrong, but I fail to see how that could be true. How could you NOT be forced to play the authentication "game" by torture or coercion? wtf?

Re:Uh, maybe I'm missing something but (1)

jamesh (87723) | more than 2 years ago | (#40709383)

it can't be obtained via coercion or torture — i.e. rubber-hose cryptanalysis

Correct me if I'm wrong, but I fail to see how that could be true. How could you NOT be forced to play the authentication "game" by torture or coercion? wtf?

How are you going to type your password... if you have no fingers?

Re:Uh, maybe I'm missing something but (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#40709717)

Very slowly. With your tongue. On the super-grimy keyboard from the public kiosk in the lobby.

So why don't you just make things easier for everybody and log in before Mr. Nibbles gets hungry? *display bolt cutters*

Re:Uh, maybe I'm missing something but (1)

Grantbridge (1377621) | more than 2 years ago | (#40709411)

They can do, but they still wouldn't know the password itself to be able to log in again without you. Possibly there would be a mechanism to enter a distress code which would then summon the police and lock your account to a honeybox instead? But then you could have that with other password mechanisms.

Obligatory XKCD Reference.... (0)

craigtp (1356527) | more than 2 years ago | (#40709275)

Password Strength [xkcd.com]

But how to remember the many passwords used today (0)

Anonymous Coward | more than 2 years ago | (#40709297)

Nice solution, but what about the many passwords one has to remember for all the different systems one is using nowadays?
How to remember many 30 letter sequences and where to find the time to make them?
Niek

Typing without knowing (0)

Anonymous Coward | more than 2 years ago | (#40709299)

I've been doing something similar to this for the past 4 years.

I have a password that I can hardly spell (without looking at the keyboard), but I know how to type it fast.

Re:Typing without knowing (1)

jamesh (87723) | more than 2 years ago | (#40709393)

I've been doing something similar to this for the past 4 years.

I have a password that I can hardly spell (without looking at the keyboard), but I know how to type it fast.

Ditto. My typo's frequently consist of typing completely the wrong word.

Re:Typing without knowing (0)

Anonymous Coward | more than 2 years ago | (#40709437)

(Or inserting apostrophes in plural nouns)

Good direction, impractical solution (2)

ItsIllak (95786) | more than 2 years ago | (#40709305)

Passwords are clearly a very bad idea - they just don't work for any number of logical, social and practical reasons. So it's great to see real thought going into alternatives. Although I think the overhead of 45 mins learning and other issues with this are a problem, I think the general premise must have something in it that would work well.

The fact we can recognise that we know something, even if we can't repeat it - e.g. you know if someone sings the wrong lyrics to a song even if you can't remember them yourself - MUST have some solution to this problem embedded in it somewhere...

Biometrics? (1)

k(wi)r(kipedia) (2648849) | more than 2 years ago | (#40709613)

Wouldn't biometrics already be a better solution if you want an authentication routine that strong? I mean to bypass multiple input biometrics (fingerprint + some other bodily feature) you'd have to kidnap the user. And if you already have the user under your control, you can probably force any strong password out of him.

Muscle Memory (0)

Anonymous Coward | more than 2 years ago | (#40709309)

Is what it is called

Read the article. (0)

Anonymous Coward | more than 2 years ago | (#40709311)

The character set is six characters and the entropy [wikipedia.org] is about 38 bits.

Congrats (1)

Anonymous Coward | more than 2 years ago | (#40709319)

You just refound how people learn masses of information when they need to.

Too bad when you forget it (0)

Anonymous Coward | more than 2 years ago | (#40709321)

I once had the 4-digit pin of my credit card memorized purely by typing it on the key pad of cash machines. I didn't remember consciously the actual numbers at all.

However, one day I went out in a bar with a good friend and we were drinking around 10 beers each. Turned out that the next day the motoric memory of my pin code was gone -- and it never, ever came back. I guess a few brain cells died the night before. (Arguably, the same can happen with ordinary memory techniques.)

Problem (2)

Arancaytar (966377) | more than 2 years ago | (#40709323)

Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences.

This requires the password to be stored in clear in the system. I think the brain is more trustworthy than that...

Re:Problem (1)

Anonymous Coward | more than 2 years ago | (#40709489)

Worse than that. The password is repeatedly sent back to the user (though interspersed with random sequences).
Hence, I'm actually wondering whether this is the first authentication system that can be broken without understanding anything.
I.e. an attacker could simply try to break into someone's (let's call him Joe) account as follows:
The attacker pretends to be Joe. He gets Joe's password to play and a few random notes. Since
Joe's password (or subsequences of it) appears more frequently than other stuff the attacker will eventually
learn to play the password better than random stuff. Hence eventually I'd expect that the attacker knows
Joe's password too without even realizing it until he manages to break into Joe's account.

Two weeks? (2)

aglider (2435074) | more than 2 years ago | (#40709423)

We need to recall the password after 1 year or even 2.
Please, go on with the tests!

Biggest market (0)

Anonymous Coward | more than 2 years ago | (#40709445)

Side channel identification of people

Sorry it took so long... (0)

Anonymous Coward | more than 2 years ago | (#40709495)

I know I'm two weeks late with the proposal....
Yeah, I was typing in my password.

Similar to PinPlus (1)

GroovinWithMrBloe (832127) | more than 2 years ago | (#40709523)

I've looked at these guys before, http://www.pinplus.net/content/pin-nutshell [pinplus.net] Basically you remember a pattern and then to log in you are presented with a large grid of letters/numbers which you then have to type in the letters/numbers corresponding to your pattern. So you never reveal your pattern at any point, keyloggers/screenscrapers never have access to your pattern. Even if someone did get a screengrab, there are multiple instances of each letter/number in the grid, so you can't tell which position in the grid the user was referring to.
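The grid-pattern scheme the post describes, as an added example that is not PinPlus's own code: the server shows a fresh random grid each login, the user types the symbols sitting at the cells of their secret pattern, and because every symbol appears at least twice in the grid, one screengrab plus the keystrokes cannot pin the typed symbols to single cells. Grid size, alphabet and the pattern representation are assumptions of this illustration.

```python
import secrets
import string

# Constructed illustration, not PinPlus's code. Secret = a list of grid cells
# (the "pattern"); the challenge is a fresh random grid per login.
ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols (assumed)
GRID_W, GRID_H = 10, 10                             # 100 cells (assumed)


def make_grid():
    """Server side: build a challenge grid in which every symbol occurs at
    least twice, so no typed symbol maps to a unique cell for an observer."""
    cells = list(ALPHABET) * 2                       # 72 cells: two of each
    cells += [secrets.choice(ALPHABET)
              for _ in range(GRID_W * GRID_H - len(cells))]
    # Fisher-Yates shuffle driven by the CSPRNG
    for i in range(len(cells) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        cells[i], cells[j] = cells[j], cells[i]
    return cells


def expected_response(grid, pattern):
    """Server side: what the holder of `pattern` should type for this grid."""
    return "".join(grid[y * GRID_W + x] for (x, y) in pattern)


def verify(grid, pattern, response):
    """Constant-time comparison of the typed response against the expected one."""
    return secrets.compare_digest(expected_response(grid, pattern), response)


def candidate_cells(grid, response):
    """Observer's view after a screengrab + keylog: for each typed symbol, the
    cells it could have come from. The product of the list lengths is the
    number of patterns consistent with that single observed login."""
    return [[i for i, c in enumerate(grid) if c == ch] for ch in response]


if __name__ == "__main__":
    secret_pattern = [(0, 0), (3, 1), (7, 4), (2, 9)]   # constructed secret
    grid = make_grid()
    typed = expected_response(grid, secret_pattern)
    print("response:", typed, "ok:", verify(grid, secret_pattern, typed))
    print("consistent patterns from one observation:",
          [len(c) for c in candidate_cells(grid, typed)])
```

Note that this only models the point the post makes about a single observation; the reply below about reduced entropy (users choosing adjacent, straight-line patterns) is not captured here.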

Re:Similar to PinPlus (1)

ThatsMyNick (2004126) | more than 2 years ago | (#40709603)

It doesn't provide the same entropy as the regular password though. You can only move to 7 adjacent squares, and it is very likely that you will travel in a straight direction. As long as people understand password length and pattern length are not the same, and make it quite random, it should be good.

Insecure (0)

Anonymous Coward | more than 2 years ago | (#40709531)

1. This is not crypto.
2. This is not unbreakable.
3. The actual password has to be stored in the system for it to be integrated into the game.
4. If someone manages to access the database, they'll have all the passwords and can use them.

The secure way is that only the person knows the password, but not the server, now they turned it around - all passwords are stored unhashed in a central location. Good job!

And once you forget the password (1)

Anonymous Coward | more than 2 years ago | (#40709591)

They ask you for your cat's name...

Cannot protect (1)

hilather (1079603) | more than 2 years ago | (#40709611)

How are you supposed to protect a password that you don't even know? It seems to me if someone knew how the system worked, they could trick an unsuspecting user into divulging their password without the user's knowledge. This is obfuscation, nothing more.

Completely broken. (3, Insightful)

bakuun (976228) | more than 2 years ago | (#40709697)

A few readers have commented that the system will need to know your unhashed password. This is clearly bad, but there are even worse flaws.

A 30-character password sounds awfully strong (60^30 combinations if upper/lower-case chars and numbers are used). However, from the article: "Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences". This means that the number of characters is irrelevant, really. What matters is the number of "30-letter sequences", and since you need to play them all, they will need to be limited. How many? 10 would probably be too many to play, but will still only be the equivalent of a single-digit password. This system will be trivial to crack with brute-force guesses.

Even worse, repeated "login attempts" will reveal which sequence is the correct one - simply check which sequence repeats between tries.

Does my subconscious know the login URL? (1)

sco08y (615665) | more than 2 years ago | (#40709733)

How does your subconscious know which password to use? How many 30-bit passwords can be "implanted"?

Incidentally, the fact that the password is known is really not an issue, if you consider it simply another factor of security. I wouldn't want to play a damned game every time to log in anyway, but if I only occasionally used an account and this was used to verify the system I was on, that would be fine. Call it the Rumsfeld system: you log in with something you know, and something you don't know you know.

Login prompt (1)

Lord Lode (1290856) | more than 2 years ago | (#40709741)

So yeah, how'd you type this in a login prompt?
