A research team of neuroscientists and cryptographers from Stanford University, Northwestern University, and SRI International has devised a system that guards its users against being threatened or tortured for their passwords. It relies on implicit learning, so users can never actually tell anyone their password: they have to key it in themselves to get it right. Naturally, there’s some epic math involved, but when you actually try it out, it feels a lot like Guitar Hero.
Their report is titled Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks, which tells us a few things:
- They really know how to get attention
- The system is more of a concept than a full-fledged authentication procedure
- The system focuses on rubber-hose cryptanalysis (beating the secret out of the person who holds it) and may not guard against other kinds of attack on the password
Users “learn” their password, but they can never actually say what it is, the same way you can ride a bike without being able to describe exactly how you do it. The system first trains the user on a task called Serial Interception Sequence Learning (SISL), using a game that looks a lot like Guitar Hero.
During training, users learn a randomly generated sequence of keystrokes purely by repetition. Each secret is a 30-character sequence over the keys S, D, F, J, K, and L with no key immediately repeated; it is interspersed with runs of 18 random characters and replayed until the user has keyed 3,780 characters in total, which sounds exhausting.
The team reported 30-45 minute training sessions, during which participants “learned” a password with 38 bits of entropy: roughly 2^38 ≈ 2.7 × 10^11 possibilities, or about 8 years of guessing at 1,000 guesses per second. That’s pretty decent for a password that your hands know but your brain doesn’t.
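To make the numbers above concrete, here is a small Python model of the training setup as the page describes it. It is an added example written for this page, not code from the paper or its authors. It generates a secret under the one constraint the page states (no key immediately repeated), assembles a 3,780-keystroke session, and works out the brute-force time for 38 bits. The block layout (secret replayed three times, then 18 noise keys, 35 times over) is an assumption chosen because it lands exactly on 3,780; the page does not give the real layout. One caveat the code makes visible: "no immediate repeat" on its own allows 6·5^29 ≈ 2^70 sequences, so the paper's generator must restrict sequences further than the page describes to arrive at 38 bits, and the code takes the 38-bit figure as given.

```python
import math
import random

KEYS = "SDFJKL"        # the six keys named on the page
SEQ_LEN = 30           # length of the secret sequence
NOISE_LEN = 18         # the random padding the page describes
SESSION_ITEMS = 3780   # keystrokes in one training session, per the page
ENTROPY_BITS = 38      # the page's entropy figure, taken as given


def _rng(seed):
    # A fixed seed gives a reproducible run; None uses the OS CSPRNG,
    # which is what you would want for a real secret.
    return random.Random(seed) if seed is not None else random.SystemRandom()


def gen_secret(seed=None):
    """Random 30-key sequence in which no key immediately repeats.

    That is the only constraint the page states; the paper's real
    generator is not described on the page (see count_no_repeat_sequences).
    """
    rng = _rng(seed)
    seq = [rng.choice(KEYS)]
    while len(seq) < SEQ_LEN:
        k = rng.choice(KEYS)
        if k != seq[-1]:
            seq.append(k)
    return "".join(seq)


def is_valid_secret(seq):
    """Check the constraints gen_secret enforces."""
    return (len(seq) == SEQ_LEN
            and all(c in KEYS for c in seq)
            and all(a != b for a, b in zip(seq, seq[1:])))


def build_session(secret, seed=None, reps_per_block=3):
    """Training stream for one session.

    Assumed layout (ours, not the page's): each block replays the secret
    reps_per_block times, then NOISE_LEN random keys.  With 3 replays a
    block is 3*30 + 18 = 108 items, and 35 blocks give exactly the 3,780
    keystrokes the page reports, 105 of them being copies of the secret.
    """
    if not is_valid_secret(secret):
        raise ValueError("secret does not satisfy the sequence constraints")
    rng = _rng(seed)
    block_len = reps_per_block * SEQ_LEN + NOISE_LEN
    if SESSION_ITEMS % block_len:
        raise ValueError("block length must divide the session length")
    stream = []
    for _ in range(SESSION_ITEMS // block_len):
        stream.append(secret * reps_per_block)
        stream.append("".join(rng.choice(KEYS) for _ in range(NOISE_LEN)))
    return "".join(stream)


def count_no_repeat_sequences(n=SEQ_LEN, k=len(KEYS)):
    """How many length-n sequences over k keys have no immediate repeat:
    k choices for the first key, k-1 for each later one."""
    return k * (k - 1) ** (n - 1)


def brute_force_years(bits, guesses_per_sec):
    """Wall-clock years to exhaust a 2**bits keyspace at a fixed guess rate."""
    return 2 ** bits / guesses_per_sec / (365.25 * 24 * 3600)


if __name__ == "__main__":
    secret = gen_secret(seed=42)
    stream = build_session(secret, seed=42)
    print("secret:", secret)
    print("session length:", len(stream), "copies of secret:", stream.count(secret))
    print("no-repeat-only sequences: 2^%.1f" % math.log2(count_no_repeat_sequences()))
    print("years to exhaust 2^%d at 1,000/s: %.1f"
          % (ENTROPY_BITS, brute_force_years(ENTROPY_BITS, 1000)))
```

brute_force_years gives the time to walk the whole keyspace (about 8.7 years for 2^38 at 1,000 guesses per second); an attacker expects to hit the right sequence roughly halfway through, so the realistic figure is nearer four years, and it drops linearly with any speed-up in the guess rate.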
Trained users showed an advantage over untrained users during authentication, so it might very well be worth looking into. Here, have a graph.
All I can say for sure is, with this system, they can’t threaten to break my fingers if I don’t cooperate.
The paper is slated to be presented at the 21st USENIX Security Symposium, so hopefully it will see more development. A password system that makes people do a little Guitar Hero to authenticate something that’s srs bzns will make spy movies look kinda cool (or lame, depending on how you imagined it, I guess).
- DARPA wanted something like this
- Scientists can crack SecurID tokens in 13 minutes
- Papercraft Enigma code machine