A new Guitar Hero-like password authentication system relies on muscle memory.
“Don’t give out your password to anyone.” This oft-repeated warning is necessary because, in most encryption systems, humans are the weakest link. As big a problem as this is in the consumer space, it’s even worse for government, military, and other organizations with high stakes and determined attackers. “Rubber hose cryptanalysis,” which involves bypassing security systems by coercing a working password from someone, has been a virtually unpreventable attack – until now. A team of neuroscientists and cryptographers have devised a new encryption system that relies purely on subconscious muscle memory, preventing users from actually remembering the passwords they can enter.
The training program, based on Serial Interception Sequence Learning, actually plays a lot like a keyboard-based, soundless Guitar Hero; users hit keys in accordance with falling circles, and there’s even a score and ‘streak’ stat displayed. The SISL program gives the user a 30-character set of letters, which is repeated three times and then followed by 18 non-password and non-repeating keys.
The 30-character-long password is made up of pairs of letters chosen from the s, d, f, j, k, and l keys, a setup that can generate nearly 248 billion unique passwords. Each character appears the same number of times, and no character is repeated twice in a row – this is done to reduce users’ abilities to consciously memorize the password over time. Additionally, the letters in the training program fall fast enough that, even if a user is trying to consciously memorize the password, there is not enough time for them to associate keystrokes with letters.
After training, users were tested on their knowledge with a shortened version of the same program, which gave users two incorrect passwords and one correct sequence. If they performed better on the correct password compared to the others, that constituted subconscious memorization. Not only did users still subconsciously remember the password after two weeks, but the difference in performance between those users and a group tested after one week was practically nonexistent, indicating that memory loss of the password slowed as time went on.
The paper published on the experiment takes great pains to consider all the different ways an attacker may try to break this system, and offers varying solutions and answers. For example, the authentication program compares the user’s performance at login to the user’s performance during training, so attackers can’t try to fool the system by purposefully performing poorly on what they think the incorrect sequences are. The researchers also suggest using more than one 30-character password, which they believe is possible based on separate study of memorization.
The system has some limitations; it doesn’t work if the login process is observable by an attacker, or if the system can be accessed remotely, which would allow an attacker to coerce the password holder to complete authentication. This is still good news for organizations that take cryptography seriously, but the system is a bit impractical for consumer use – unless, of course, you want to spend 30-45 minutes learning your next password.