How to Make Your Password So Secret, Even *You* Don't Know It


A bit of software that teaches your fingers a 30-letter pattern, stored in muscle-memory, that you could not consciously recall


Hristo Bojinov et al.

For most of us, the weaknesses in our online security come from big-data breaches or from using passwords that are too short and too common to guard against hackers. But for a rarefied set -- people who work in intelligence, military operations, and security, for example -- there is another, more terrifying concern: What if they were to be captured and tortured or coerced into providing passwords? How would they keep their lips sealed?

Researchers from Stanford, Northwestern, and SRI have a new paper laying out a crafty little solution: Make people memorize passwords that they don't know. If you don't know your password, you can't tell it to anyone.

Huh? How can you have a password you don't know?

Perhaps the best analogy is the playing of a song on a musical instrument. If you've ever memorized a piece of music, you know that, given the instrument, you could play it no problem. The piece is in your muscle memory. But given a staff sheet and a pencil, writing it out would be a challenge. You would need to thump it out with your fingers and write down your observations, but you don't just know the order of the notes.

As ExtremeTech explains:

The system ... relies on implicit learning, a process by which you absorb new information -- but you're completely unaware that you've actually learnt anything; a bit like learning to ride a bike. In short, the system teaches the password to a part of your brain that you cannot physically access -- but it is still there in your subconscious, just waiting to be tapped.

The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero [pictured above]. There are six buttons -- S, D, F, J, K, L -- and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes -- and here's the genius bit: Around 80% of those keystrokes are being used to subconsciously teach you a 30-character password.

Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters. This equates to around 38 bits of entropy, which is thousands/millions of times more secure than your average, memorable password. This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there's a short pause. This entire process is repeated six more times, for a total of 3,780 items.

The catch is that unlike a piece of music, for which you've memorized a sequence that someone could, perhaps, record if they watched you tap it out enough times, this system then "tests" whether you are the real you, by having you "play" all sorts of strands, with the ones you've practiced mixed in. Only someone who has received the training will play their own sequences more smoothly and rapidly. "A performance gap that is substantially different from the one obtained after training indicates an attack," the authors explain.

In effect, the software is creating a code by which you can say, I am who I say I am, and the computer recognizes it. Of course, all passwords convey that to some extent; this one is just much, much harder to pass on.
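
The training schedule from the quoted ExtremeTech passage, as an added Python example (not the researchers' code). It assumes "no repeating characters" means every ordered pair of distinct keys appears exactly once in the 30-item sequence, the reading under which the key space comes to about 38 bits; the function names, the fresh filler for each block, and the filler's no-immediate-repeat rule are also assumptions.

```python
import math
import random

KEYS = "SDFJKL"  # the six game keys named in the article

def random_sequence(rng):
    """30-item key sequence in which every ordered pair of distinct keys
    occurs exactly once (cyclically). Built with Hierholzer's algorithm on
    the complete directed graph over KEYS; the draw is not exactly uniform."""
    out = {k: [c for c in KEYS if c != k] for k in KEYS}
    for edges in out.values():
        rng.shuffle(edges)
    stack, circuit = [rng.choice(KEYS)], []
    while stack:
        v = stack[-1]
        if out[v]:
            stack.append(out[v].pop())
        else:
            circuit.append(stack.pop())
    return "".join(reversed(circuit))[:-1]  # drop the repeated start key

def padding(rng, prev, nxt, n=18):
    """n random filler keys with no immediate repeat (assumed constraint)."""
    items = []
    for i in range(n):
        banned = {prev, nxt} if i == n - 1 else {prev}
        prev = rng.choice([k for k in KEYS if k not in banned])
        items.append(prev)
    return "".join(items)

def training_schedule(seq, rng):
    """Seven 540-item rounds (a pause separates rounds): each round is five
    108-item blocks of the sequence three times plus 18 filler keys."""
    return ["".join(seq * 3 + padding(rng, seq[-1], seq[0]) for _ in range(5))
            for _ in range(7)]

def key_space_bits():
    """log2 of the number of such sequences, by the BEST theorem:
    6**4 spanning arborescences times (5 - 1)! for each of the 6 keys."""
    return math.log2(6**4 * math.factorial(4)**6)

if __name__ == "__main__":
    rng = random.SystemRandom()
    seq = random_sequence(rng)
    rounds = training_schedule(seq, rng)
    print(seq, sum(map(len, rounds)), round(key_space_bits(), 2))
```

In each 108-item block, 90 items belong to the trained sequence, which is where the "around 80%" figure comes from.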


Rebecca J. Rosen is a senior editor at The Atlantic, where she oversees the Business Channel. She was previously an associate editor at The Wilson Quarterly.
