Learning passwords you can use but not remember
How can you make sure that you’ll never share your password with anyone, even under threat of bodily harm, or other illegal and illegal type of coercion? The answer is simple: don’t actually know your password.
A group of scientists led by researcher Hristo Bojinov from Stanford University have designed a method whose goal is to “teach” users a password through implicit learning – the process of learning of patterns without any conscious knowledge of the learned pattern.
The Serial Interception Sequence Learning (SISL) is executed with the help of a specially crafted computer game that results in implicit learning of a specific sequence of key strokes that functions as an authentication password.
After playing the game for 30 to 45 minutes, the participants learned a random password with 38 bits of entropy which they were unable to consciously reconstruct or even recognize, but were able to unconsciously recreate after having been presented after a couple of weeks with multiple SISL tasks where one of the tasks contained elements from the trained sequence.
“By exhibiting reliably better performance on the trained elements compared to untrained, the participant validates his or her identity within 5 to 6 minutes,” the researchers explained in the paper. “An attacker who does not know the trained sequence cannot exhibit the user’s performance characteristics measured at the end of training.”
The researchers admit that there is still much work and testing to be done in order to see whether this system is ultimately usable.
They also say that it will probably never be used to secure computers and smartphones, but the work does show great promise in regards to securing physical access to facilities or equipment.