Remember Uncrackable Passwords With Your Fingers

A new Guitar Hero-like password authentication system relies on muscle memory.

"Don't give out your password to anyone." This oft-repeated warning is necessary because, in most encryption systems, humans are the weakest link. As big a problem as this is in the consumer space, it's even worse for government, military, and other organizations with high stakes and determined attackers. "Rubber hose cryptanalysis," which involves bypassing security systems by coercing a working password from someone, has been a virtually unpreventable attack - until now. A team of neuroscientists and cryptographers has devised a new encryption system that relies purely on subconscious muscle memory, preventing users from consciously remembering the passwords they can enter.

The training program, based on Serial Interception Sequence Learning, actually plays a lot like a keyboard-based, soundless Guitar Hero; users hit keys in accordance with falling circles, and there's even a score and 'streak' stat displayed. The SISL program gives the user a 30-character set of letters, which is repeated three times and then followed by 18 non-password and non-repeating keys.

The 30-character-long password is made up of pairs of letters chosen from the s, d, f, j, k, and l keys, a setup that can generate nearly 248 billion unique passwords. Each character appears the same number of times, and no character is repeated twice in a row - this is done to reduce users' abilities to consciously memorize the password over time. Additionally, the letters in the training program fall fast enough that, even if a user is trying to consciously memorize the password, there is not enough time for them to associate keystrokes with letters.

After training, users were tested on their knowledge with a shortened version of the same program, which gave users two incorrect passwords and one correct sequence. If they performed better on the correct password compared to the others, that constituted subconscious memorization. Not only did users still subconsciously remember the password after two weeks, but the difference in performance between those users and a group tested after one week was practically nonexistent, indicating that memory loss of the password slowed as time went on.

The paper published on the experiment takes great pains to consider all the different ways an attacker may try to break this system, and offers varying solutions and answers. For example, the authentication program compares the user's performance at login to the user's performance during training, so attackers can't try to fool the system by purposefully performing poorly on what they think the incorrect sequences are. The researchers also suggest using more than one 30-character password, which they believe is possible based on a separate study of memorization.

The system has some limitations; it doesn't work if the login process is observable by an attacker, or if the system can be accessed remotely, which would allow an attacker to coerce the password holder to complete authentication. This is still good news for organizations that take cryptography seriously, but the system is a bit impractical for consumer use - unless, of course, you want to spend 30-45 minutes learning your next password.
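A small Python model of the scheme as the article describes it, added here as an illustration and not the researchers' code: it draws a 30-key password under the stated constraints (six keys, each used five times, none twice in a row), builds one training block (the password three times plus 18 filler keys), and scores a login by comparing the user's hit rate on the real sequence against two decoys and against the user's own training level. The filler rule, the user model and the acceptance thresholds are assumptions.

```python
import random
from statistics import mean

KEYS = "sdfjkl"      # the six keys the scheme draws from
PASSWORD_LEN = 30    # each key appears exactly 5 times
FILLER_LEN = 18      # non-password keys that follow the three repeats
WINDOW = 5           # filler may not reproduce a 5-key run of the password (assumption)

def valid_password(seq):
    """Article's constraints: 30 keys, each key 5 times, no key twice in a row."""
    per_key = PASSWORD_LEN // len(KEYS)
    return (len(seq) == PASSWORD_LEN
            and all(seq.count(k) == per_key for k in KEYS)
            and all(a != b for a, b in zip(seq, seq[1:])))

def make_password(rng):
    """Rejection-sample a shuffle of five copies of each key until it is valid."""
    pool = list(KEYS * (PASSWORD_LEN // len(KEYS)))
    while True:
        rng.shuffle(pool)
        if valid_password(pool):
            return "".join(pool)

def make_filler(rng, password):
    """18 keys, none twice in a row, containing no 5-key run of the repeated password."""
    cyclic = password + password[:WINDOW - 1]
    runs = {cyclic[i:i + WINDOW] for i in range(PASSWORD_LEN)}
    while True:
        seq = [rng.choice(KEYS)]
        while len(seq) < FILLER_LEN:
            seq.append(rng.choice([k for k in KEYS if k != seq[-1]]))
        filler = "".join(seq)
        if not any(filler[i:i + WINDOW] in runs for i in range(FILLER_LEN - WINDOW + 1)):
            return filler

def training_block(rng, password):
    """One training block as the article describes it: password x3, then 18 filler keys."""
    return password * 3 + make_filler(rng, password)

def authenticate(correct_hits, decoy_hits, training_hits,
                 min_advantage=0.2, min_fraction_of_training=0.8):
    """Accept only if the user beats the decoys on the real password AND stays near their
    own training level; the second check defeats deliberately tanking suspected decoys."""
    advantage = correct_hits - mean(decoy_hits)
    return advantage >= min_advantage and correct_hits >= min_fraction_of_training * training_hits

def login_session(rng, password, decoys, hit_rate_for, training_hits, repeats=3):
    """Present the real password and both decoys in shuffled order, `repeats` times each.
    Constructed user model: every cue is hit independently with hit_rate_for(seq)."""
    order = [password] + list(decoys)
    scores = {seq: [] for seq in order}
    for _ in range(repeats):
        rng.shuffle(order)
        for seq in order:
            scores[seq].append(sum(rng.random() < hit_rate_for(seq) for _ in seq) / len(seq))
    return authenticate(mean(scores[password]), [mean(scores[d]) for d in decoys], training_hits)

def demo(seed=7):
    """Trained user (better only on the real password) vs. someone who never trained."""
    rng = random.Random(seed)
    pw = make_password(rng)
    decoys = [make_password(rng) for _ in range(2)]
    block = training_block(rng, pw)
    return {"password": pw, "training_block": block,
            "trained_accepted": login_session(rng, pw, decoys, lambda s: 0.9 if s == pw else 0.5, 0.9),
            "untrained_accepted": login_session(rng, pw, decoys, lambda s: 0.5, 0.9)}
```

Calling `demo()` prints a valid password, its 108-key training block, and an accept for the trained user model alongside a reject for the untrained one.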

Source: Hristo Bojinov via Extreme Tech


Seems like one of these things that work flawlessly until the first overworked and sleep deprived employee shows up at 7 in the morning. Without his coffee.

Yeah because why should have to use brain memory?

Sounds like not such a good idea. What if someone has bad motor skills? And muscle memory changes over time too. It's far from flawless.

The real uncrackable passwords of course are derived from images that are personal, impossible to reason about for an outsider but easy to remember but long to describe. The password "myowncomputerhasabluebuttonasaresetbutton" is one small detail to remember for the passwordholder, but a total nightmare to crack through bruteforcing.

Don't forget to turn 'forgot my password' questions into something weird too. If they ask what the colour of your first cat was, the answers are limited and guessable. But fill in "my cat was a dog, and an invisible one too" and the first hacker to guess-answer your secret question will do so well after our lifetimes.

DVS BSTrD:
Yeah because why should have to use brain memory?

Because man isn't strong because of his brain that has allowed him to create the world in his image, make medicine to cure disease, divulge into science, plan ahead and strategize in life-threatening situations - HE DID IT WITH HIS BUNS AND THIGHS!

My friend and I were laughing during that one (The Amazing) Spiderman scene where Peter 'cracks' the code for Doctor Connor's lab (with the radioactive spiders). It was like this touch screen game kind of thing that appeared -amazingly- simple (if you were peeking from the side), which he was

TOP NOTCHED SECURITY INDEED

That's actually how I remember phone numbers: by where my thumb is when I key it. I actually don't know most of the numbers on my contact list by the actual numbers themselves, but by muscle memory.

That's really good for old people with rheumatoid arthritis. /sarcasm

Blablahb:
The real uncrackable passwords of course are derived from images that are personal, impossible to reason about for an outsider but easy to remember but long to describe. The password "myowncomputerhasabluebuttonasaresetbutton" is one small detail to remember for the passwordholder, but a total nightmare to crack through bruteforcing.

I fail to see how this solves the problem of the user actually giving the password to the attacker. You know, the problem this system is trying to fix.

Social engineering attacks aren't collecting data on the person and trying to deduce the password from that. They're coercing the person to believe he can and should tell you the password.

Or just plain ol' phishing...

Funny. I've been playing piano pieces on my keyboard for passwords for over a decade.

"unless, of course, you want to spend 30-45 minutes learning your next password."

Well, I don't know about the author, but that sounds like a steal. My current passwords are all generated nonsense of 15 characters just to stay ahead of the computer curve, and I'm losing. Learning a new password now takes me a day or more, and then at least 2 weeks of frequent mistyping.

30-45 minutes for a secure way of identifying myself? I'll TAKE IT!

What happens if the hacker is just shit hot at guitar hero?

-|-:
What happens if the hacker is just shit hot at guitar hero?

then remove the guitar hero controller from your computer

TMM:
"unless, of course, you want to spend 30-45 minutes learning your next password."

Well, I don't know about the author, but that sounds like a steal. My current passwords are all generated nonsense of 15 characters just to stay ahead of the computer curve, and I'm losing. Learning a new password now takes me a day or more, and then at least 2 weeks of frequent mistyping.

30-45 minutes for a secure way of identifying myself? I'll TAKE IT!

For your viewing pleasure:

image

30-45 minutes if you had any music experience or played GH. For those that are tone-deaf and never had any music experience this would be a nightmare.

I prefer the cat-on-KB method: randomly type keys on the keyboard, then use the first 7 that are there. For email and anything credit card, put a cat on the KB and let it wander (as in put it back on the KB every 5 seconds until it scratches you), then use that.

Actually I don't use a cat, I put my hands as flat as I can on my KB and one on my numpad after. Even is KB and odd is numpad. 8 characters or more.

Ok, joking done, even if good advice aside from the cat part.

Rules of thumb: "don't use the same password twice". Any that is personal, use completely random alphanumeric. Any that you could care less if they get hacked... use whatever you want, just not one from the first group.

That's pretty basic password security, and why a company is overcomplicating things when "DO NOT USE THE SAME PASSWORD", said by every security company worth anything, is being ignored, and hopes to actually fix things... yeah, they are crazy. 20+ years telling people the first rule and most don't get it...

captcha: safety first

Scrythe:
That's actually how I remember phone numbers: by where my thumb is when I key it. I actually don't know most of the numbers on my contact list by the actual numbers themselves, but by muscle memory.

Likewise, I've long forgotten many of my friends' numbers but can dial them with ease.

JET1971:
30-45 minutes if you had any music experience or played GH. For those that are tone-deaf and never had any music experience this would be a nightmare.

There is no music involved - the researchers compared the program to Guitar Hero because of the way the circles fall down in slots corresponding to keys.

Sounds like a fun thing to do for people who can be bothered with the effort. Otherwise it's a bit over the top.

Actually, you can still force people to execute the password, you just need a similar input device, and force them to enter the password, while recording the right order. Hell, you might even make the re-execution automatic, no need to get a human to learn it, a machine can probably do it better. Of course, the problem is the interface, that will probably be non-standard, but it's still not that big of a problem (if your fear is if someone can leak the password, you have to imagine he/she is captured or a similar situation, so they probably have all the time they need to do this properly).

The people who know the password can lie, of course, but that's true also for normal passwords, isn't it? It doesn't sound that great, but I might be wrong...

Rabid Toilet:
For your viewing pleasure:

image

I know you just posted it ironically, but the comic is actually wrong (because of dictionary attacks). The 4 random words are easier to brute-force than the first password.

There is nothing wrong with using random words alone in a password, but mix in a few uppercase letters, signs and numbers. It's still manageable to remember after a short pause.

c0Rrect#horSEbattery!253-

Alternatively do like me: remember a FEW very very hard passwords, and use a password manager for the rest (I use KeePass, but there are also online services like LastPass).

Rabid Toilet:

TMM:
"unless, of course, you want to spend 30-45 minutes learning your next password."

Well, I don't know about the author, but that sounds like a steal. My current passwords are all generated nonsense of 15 characters just to stay ahead of the computer curve, and I'm losing. Learning a new password now takes me a day or more, and then at least 2 weeks of frequent mistyping.

30-45 minutes for a secure way of identifying myself? I'll TAKE IT!

For your viewing pleasure:

You are of course entirely right (well, XKCD is), but my passwords of 15 characters consisting of all ASCII printable characters have an entropy value of 96 bits (http://en.wikipedia.org/wiki/Password_strength) rather than the 44 bits in xkcd's example, with much less typing.

Also my password does not become significantly less secure if you know the method, whereas I would guess that an attack based on the knowledge of the structure of the password would help with cracking it. My English wordlist contains 99156 words at this moment, meaning that the number of possible passwords for a '4 word password' is 99156^4 or 9.666650018×10^19, whereas a random password of ASCII printable characters is roughly 120^15 = 1.540702157×10^31, a significantly higher number. To match the password strength you would need a 6 or 7 word password.

Athinira:

I know you just posted it ironically, but the comic is actually wrong (because of dictionary attacks). The 4 random words are easier to brute-force than the first password.

There is nothing wrong with using random words alone in a password, but mix in a few uppercase letters, signs and numbers. It's still manageable to remember after a short pause.

c0Rrect#horSEbattery!253-

Alternatively do like me: remember a FEW very very hard passwords, and use a password manager for the rest (I use KeePass, but there are also online services like LastPass).

4 words from a 40k word dictionary (# of words in the oxford mini dictionary. Their normal dictionary is about 220k.)
40000^4
2.56e+18

11 characters from alphanumeric(62) plus typical special characters I basically just picked off of my keyboard (17)
89^11
2.775173073766990340489e+21

so you're right. the first password in the comic is better by a factor of about a thousand, but if you add a fifth dictionary word:
40000^5
1.024e+23

it's now legitimately better than the 11 character password.

Your password is obviously harder to crack than either of these

89^25
5.4293790913464640719266311175815e+48

but you seem to have completely missed the point that it's hard to memorize what characters you've randomly changed or added. You've taken the original example that was presented as too difficult to remember, one word with two replaced characters and two added ones, and made it longer and more complex, two words with 4 replaced characters and 6 added ones.

Of course this is academic when institutions are still limiting passwords to ridiculously short lengths.

Also, thanks for the tip about keepass. There are also hardware solutions that do this but all the ones I've found seem to have severe usability issues and too many limitations on what they can store.

mdqp:
Actually, you can still force people to execute the password, you just need a similar input device, and force them to enter the password, while recording the right order. Hell, you might even make the re-execution automatic, no need to get a human to learn it, a machine can probably do it better. Of course, the problem is the interface, that will probably be non-standard, but it's still not that big of a problem (if your fear is if someone can leak the password, you have to imagine he/she is captured or a similar situation, so they probably have all the time they need to do this properly).

The people who know the password can lie, of course, but that's true also for normal passwords, isn't it? It doesn't sound that great, but I might be wrong...

Because the memory is subliminal - more subliminal than most muscle memory - the password holder cannot enter it spontaneously. They have absolutely no idea which keys are correct. In order to obtain authentication, the system in question must already know the correct password.

The researchers go into a lot of depth explaining the whole idea and how it works, and the various ways different attack tactics would fail, so I'd recommend reading the paper if you're interested.

If one can't enter it spontaneously, one can't enter it, period. They must be capable of entering it whenever it is needed, otherwise it's pointless, isn't it? What I mean is that the guy who knows the password must be capable of repeating the right movements. He can't tell what the password is, but he can repeat the movements, and you can record such movements, and repeat them yourself afterward. The only problem is if you use non-standard keyboards each time, making it harder to learn to repeat said movements, since you miss the hardware, but it isn't an impossible obstacle.

You need the appropriate equipment, but it's definitely possible to extort it from human beings.

Even in the paper, they don't directly address this. If you can record the movements of the password holder, and you have access to a device with the same structure (even only the external structure, as that is all you need to get the required feedback), you can learn the password. You just need to ask the subject to repeat multiple times the password, record it multiple times to see if there are any differences (if there aren't, you can be sure that it is a sequence he knows, not something he is making up on the spot), and go with the most consistent one.

It only works against conventional measures not ones thought specifically for this method.

Kargathia:
Seems like one of these things that work flawlessly until the first overworked and sleep deprived employee shows up at 7 in the morning. Without his coffee.

DVS BSTrD:
Yeah because why should have to use brain memory?

Ding and double ding.

I've seen what muscle memory CAN do when I type my passwords without even looking, but that's not a definite thing even with work to it. I program the computer. You don't try to program me. If I am not master of the system in totality, something is wrong with this system.

The other thing is that, yes, what we really need is more brain power, or rather less about gibberish crap and more about the intrinsic way your mind works. Use things that other people CAN'T guess, because they don't think like you. I mean, think about it, Random Escapist-Goer... D'you think Jack has ANY hope of getting into your mind and guessing your password? Hell no.

The rubber hose thing can't be solved by a system that will likely make logging in harder for the RIGHT user. It's only through making the PEOPLE better that this works.

I've actually been doing this for a few years now, just pressing keys on the keyboard in a certain order instead. Was originally a phone dial version (where the letters are on a phone keypad) of an old password done on the number keys, but then I just moved it down only the qwerty keys. If I ever want to change it again, I can just move where I place my hand when I type it.

Roander:
Of course this is academic when institutions are still limiting passwords to ridiculously short lengths.

Well, since I mentioned the software anyway, I would also like to mention that KeePass features a very nice security implementation to prevent brute-force/dictionary attacks.

KeePass features a database setting (individual per database of passwords) that you can change at your will. This setting is called "Number Of Key Transformation Rounds". What it basically means is that the master key used to decrypt the password must itself be encrypted X amount of times before it is used (X specified by the user). This means that for every brute-force/dictionary attempt an attacker makes, the attacker must transform the key X amount of times using CPU power, adding a constant work factor to each brute-force attempt.

While this does make it take longer to encrypt/decrypt the database, it does increase security. My personal setting is 576000 transformation rounds (with my i5 being able to handle around 8 times that amount per second). This basically means that for every attempt an attacker takes at my password, he has to use 576000 times as much CPU power compared to normal encryption.

It would be prudent if more systems were to use that kind of security when appropriate (i.e. where the CPU increase is a non-issue).
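A small Python illustration of the work factor the comment above describes, added here as an example and not KeePass's own code: the master key is pushed through a configurable number of transformation rounds (PBKDF2-HMAC-SHA256 stands in for KeePass's AES-based transform), every guess has to pay the same rounds, and the commenter's figures (576000 rounds, a CPU doing roughly 8 times that many rounds per second) are plugged in to show the resulting slowdown. Function names and the calibration target are assumptions.

```python
import hashlib
import hmac
import time

def transform_key(master_key: bytes, seed: bytes, rounds: int) -> bytes:
    """Derive the working key by pushing the master key through `rounds` iterations
    of a keyed transformation. PBKDF2 is a stand-in for KeePass's AES-based transform."""
    return hashlib.pbkdf2_hmac("sha256", master_key, seed, rounds)

def calibrate_rounds(target_seconds: float = 0.5, probe_rounds: int = 50_000) -> int:
    """Pick a round count so that one legitimate unlock costs about target_seconds
    on this machine (the 'rounds per second' figure the commenter quotes for an i5)."""
    t0 = time.perf_counter()
    transform_key(b"probe", b"probe-seed", probe_rounds)
    elapsed = max(time.perf_counter() - t0, 1e-9)
    return max(1, int(probe_rounds / elapsed * target_seconds))

def guesses_per_second(rounds_per_second: float, rounds: int) -> float:
    """Each guess must pay the full transformation, so the attacker's guessing
    rate falls by exactly the round count: the constant work factor."""
    return rounds_per_second / rounds

def expected_crack_seconds(search_space: int, rounds_per_second: float, rounds: int) -> float:
    """Average time to hit the right master key by exhaustive guessing."""
    return (search_space / 2) / guesses_per_second(rounds_per_second, rounds)

def verify(stored_key: bytes, candidate: bytes, seed: bytes, rounds: int) -> bool:
    """Constant-time comparison of a freshly transformed candidate with the stored key."""
    return hmac.compare_digest(stored_key, transform_key(candidate, seed, rounds))

if __name__ == "__main__":
    # The commenter's figures: 576000 rounds on a CPU doing about 8 times that per second.
    rounds_per_second = 8 * 576_000
    for rounds in (1, 576_000):
        days = expected_crack_seconds(2 ** 40, rounds_per_second, rounds) / 86400
        print(f"{rounds} rounds: {guesses_per_second(rounds_per_second, rounds):.0f} guesses/s, "
              f"{days:.1f} days on average for a 2^40 search space")
    print("rounds for ~0.5 s per unlock here:", calibrate_rounds())
```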

mdqp:
If one can't enter it spontaneously, one can't enter it, period. They must be capable of entering it whenever is needed, otherwise it's pointless, isn't it?

Incorrect. Authentication is not just a blank box on a login screen. It is the same program as the training program, but with the correct password thrown at the user interspersed with two incorrect passwords. The system simply measures how much better the user does at the correct password - which, by the way, doesn't mean they have to hit it 100% correctly.

Think of the real Guitar Hero. After you play a song a few times, you can play it a little better than a song you haven't tried before, right? Does that mean you can spontaneously hit all, or even most of the notes? Of course not.* This same principle applies without the music, and that's what the authentication program relies on.

*EDIT: Though if you could, that'd be pretty awesome.

kitsuta:

Incorrect. Authentication is not just a blank box on a login screen. It is the same program as the training program, but with the correct password thrown at the user interspersed with two incorrect passwords. The system simply measures how much better the user does at the correct password - which, by the way, doesn't mean they have to hit it 100% correctly.

Think of the real Guitar Hero. After you play a song a few times, you can play it a little better than a song you haven't tried before, right? Does that mean you can spontaneously hit all, or even most of the notes? Of course not.* This same principle applies without the music, and that's what the authentication program relies on.

*EDIT: Though if you could, that'd be pretty awesome.

I understand that, but it doesn't sound as risk-free to me as they want it to appear. Since the game must have margins to compensate for the limits that an execution like that might have (even when you know the timing very well, you aren't going to score "perfect" each time, right?), I seriously believe that a counterfeit system for training/gathering information might be more successful than what they imagine. Of course, I might be wrong.

 
