July 19, 2012 at 5:39 PM ET
The problem with even the most secure password in the world is that you have to remember it — and if you can remember it, that means that a hacker or a judge can convince you to turn it over. But researchers at Stanford, Northwestern University and SRI International, led by Hristo Bojinov, have created a system where you put in your password without even knowing it.
It takes advantage of the fact that your brain records some things without your knowing you've recorded them. Even typing takes advantage of this — it would probably take you quite a while to recreate the layout of your keyboard exactly, but you can type quickly and without hesitation. Similarly, the researchers thought, you should be able to "know" a password without being able to write or recite it, by a process called "implicit learning."
To demonstrate this, they created a sort of game where the user must press keys sequentially and with precise timing, not unlike popular rhythm games like "Dance Dance Revolution" and "Guitar Hero." In the researchers' game (bearing the slightly less marketable title "Serial Interception Sequence Learning"), the users are fed semi-random sequences, one of which is repeated over multiple training sessions, or games — this is their "password."
A couple weeks later, when playing the game again, users will reliably score better on their password sequence as compared with random ones. Not a lot — 10-15 percent better — but enough that it's steady and detectable.
Yet the users don't even notice they're putting in a password, and perhaps don't even realize there were sequences being repeated at all. Nevertheless, the system recognizes them and could authenticate them as if they had put in an ordinary password.
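How a system might turn that small edge into an accept-or-reject decision is sketched below. This is an added example, not the researchers' code or scoring method: the trial-log format, the thresholds and the use of Fisher's exact test are all assumptions, and the sample sessions are constructed.

```python
from math import comb

# Assumed policy values; the article reports only the 10-15 percent effect size.
MIN_TRIALS = 50        # fail closed on sessions too short to judge
MIN_ADVANTAGE = 0.10   # lower edge of the reported gain
ALPHA = 0.05           # significance level for "steady and detectable"

def tally(trials, enrolled_id):
    """Count hits and attempts for the enrolled sequence and for all others."""
    t_hits = t_n = o_hits = o_n = 0
    for seq_id, hit in trials:
        if seq_id == enrolled_id:
            t_n += 1
            t_hits += bool(hit)
        else:
            o_n += 1
            o_hits += bool(hit)
    return t_hits, t_n, o_hits, o_n

def fisher_one_sided(t_hits, t_n, o_hits, o_n):
    """Chance of at least t_hits on the enrolled sequence if it were no easier."""
    hits, total = t_hits + o_hits, t_n + o_n
    tail = sum(comb(t_n, k) * comb(o_n, hits - k)
               for k in range(t_hits, min(t_n, hits) + 1))
    return tail / comb(total, hits)

def authenticate(trials, enrolled_id):
    t_hits, t_n, o_hits, o_n = tally(trials, enrolled_id)
    if t_n < MIN_TRIALS or o_n < MIN_TRIALS or o_hits == 0:
        return False  # not enough evidence, or no baseline to compare against
    advantage = (t_hits / t_n) / (o_hits / o_n) - 1.0
    p_value = fisher_one_sided(t_hits, t_n, o_hits, o_n)
    return advantage >= MIN_ADVANTAGE and p_value < ALPHA

def session(t_hits, t_n, o_hits, o_n):
    """Build a constructed trial log: (sequence_id, hit) pairs."""
    enrolled = [("enrolled", i < t_hits) for i in range(t_n)]
    random_ = [("random", i < o_hits) for i in range(o_n)]
    return enrolled + random_

if __name__ == "__main__":
    print(authenticate(session(90, 100, 78, 100), "enrolled"))  # trained user
    print(authenticate(session(78, 100, 79, 100), "enrolled"))  # untrained user
    print(authenticate(session(45, 50, 40, 50), "enrolled"))    # gain not yet significant
```

The third session shows why such a login takes time: the same size of advantage over fewer key presses is not enough evidence, so the check fails closed.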
There are several benefits to this approach:
But there are also drawbacks:
It may not be practical for everyday password purposes, but it's still interesting research that suggests our passwords may not always be a simple alphanumeric sequence or biometric. Bojinov's findings will be presented next month at the Usenix Security Symposium, but you can read through the paper on his site (PDF). The game itself can be played here, though unlike the study's participants, you won't be paid.
Devin Coldewey is a contributing writer for NBC News. His personal website is coldewey.cc.