informa
/
Analytics
Quick Hits

New Memory Method Lets Users Remember Long Passwords -- Subconsciously

'Implicit learning' lets users store a 30-character password in their memories -- without remembering it
Remembering passwords is the biggest bane of security for most users. But what if you could learn a long password and remember it subconsciously, like you remember how to ride a bike?

According to a report about subconscious passwords in the publication Extreme Tech, a group of neuroscientists and cryptographers have developed a password system that does just that.

"The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you’re completely unaware that you’ve actually learnt anything," the report states. "In short, the system teaches the password to a part of your brain that you cannot physically access — but it is still there in your subconscious, just waiting to be tapped.

"The process of learning the password involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero," the report states. "There are six buttons — S, D, F, J, K, L — and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes — and here’s the genius bit: Around 80 percent of those keystrokes are being used to subconsciously teach you a 30-character password."

Once the user has completed the training, future authentication is done by playing the game again -- the user is authenticated if he or she performs reliably better on his or her sequence than on other random sequences presented during the game, the report says.

"The most important aspect of this work is that it [seemingly] establishes a new cryptographic primitive that completely removes the danger of rubber-hose cryptanalysis — i.e. obtaining passkeys via torture or coercion," the report states. "It also gives you deniability: If a judge or policeman orders you to hand over your password, you can plausibly say that you don’t actually know it."

Bojinov will present his findings at the Usenix Security Symposium in August.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5