The problem with even the most secure password in the world is that you have to remember it — and if you can remember it, that means that a hacker or a judge can convince you to turn it over. But researchers at Stanford, Northwestern University and SRI International, led by Hristo Bojinov, have created a system where you put in your password without even knowing it.
It takes advantage of the fact that your brain records some things without your knowing you've recorded them. Even typing takes advantage of this — it would probably take you quite a while to recreate the layout of your keyboard exactly, but you can type quickly and without hesitation. Similarly, the researchers thought, you should be able to "know" a password without being able to write or recite it, by a process called "implicit learning."
To demonstrate this, they created a sort of game where the user must press keys sequentially and with precise timing, not unlike popular rhythm games like "Dance Dance Revolution" and "Guitar Hero." In the researchers' game (bearing the slightly less marketable title "Serial Interception Sequence Learning"), the users are fed semi-random sequences, one of which is repeated over multiple training sessions, or games — this is their "password."
A couple weeks later, when playing the game again, users will reliably score better on their password sequence as compared with random ones. Not a lot — 10-15 percent better — but enough that it's steady and detectable:
Yet the users don't even notice they're putting in a password, and perhaps don't even realize there were sequences being repeated at all. Nevertheless, the system recognizes them and could authenticate them as if they had put in an ordinary password.
There are several benefits to this approach:
- The user can reliably access their data without needing to remember a complicated password — and they can't forget it either.
- Hackers would be unable to break into the system by brute force, since the chances of their performing identically to the user on a certain sequence is next to nil. Even secretly recording every keystroke would likely fail.
- If the user is called upon by a hacker or court to reveal the password, they simply can't do it. They really don't know it! This means no court can order the user to reveal the password, a controversial legal procedure in the first place but nonetheless in use.
But there are also drawbacks:
- "Learning" the password is more like learning to ride a bike: it takes several hours of playing the game for your secret sequence to stick in your brain. In the study, they paid anonymous workers on Amazon's Mechanical Turk service to complete the training, but ordinary people may be less willing to put in that kind of time.
- It's not clear how long the sequence would last without interference. You can remember "turtledove82" easily enough ten years later, but your subconscious memory of a certain sequence could easily be dulled after a certain period of disuse. And it can be obliterated by playing the game for a while without your sequence appearing.
- Lastly, and perhaps most obviously, entering the password is itself a chore. Having to play the game for several minutes in order to log in would try anyone's patience. Another point to turtledove82.
It may not be practical for everyday password purposes, but it's still interesting research that suggests our passwords may not always be an simple alphanumeric sequence or biometric. Bojinov's findings will be presented next month at the Usenix Security Symposium, but you can read through the paper on his site (PDF). The game itself can be played here, though unlike the study's participants, you won't be paid.
Devin Coldewey is a contributing writer for NBC News. His personal website is coldewey.cc.