Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Memory Method Lets Users Remember Long Passwords -- Subconsciously

'Implicit learning' lets users store a 30-character password in their memories -- without remembering it

Remembering passwords is the biggest bane of security for most users. But what if you could learn a long password and remember it subconsciously, like you remember how to ride a bike?

According to a report about subconscious passwords in the publication Extreme Tech, a group of neuroscientists and cryptographers have developed a password system that does just that.

"The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you’re completely unaware that you’ve actually learnt anything," the report states. "In short, the system teaches the password to a part of your brain that you cannot physically access — but it is still there in your subconscious, just waiting to be tapped.

"The process of learning the password involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero," the report states. "There are six buttons — S, D, F, J, K, L — and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes — and here’s the genius bit: Around 80 percent of those keystrokes are being used to subconsciously teach you a 30-character password."

Once the user has completed the training, future authentication is done by playing the game again -- the user is authenticated if he or she performs reliably better on his or her sequence than on other random sequences presented during the game, the report says.

"The most important aspect of this work is that it [seemingly] establishes a new cryptographic primitive that completely removes the danger of rubber-hose cryptanalysis — i.e. obtaining passkeys via torture or coercion," the report states. "It also gives you deniability: If a judge or policeman orders you to hand over your password, you can plausibly say that you don’t actually know it."

Bojinov will present his findings at the Usenix Security Symposium in August.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13523
PUBLISHED: 2020-08-04
An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.
CVE-2020-16134
PUBLISHED: 2020-08-04
An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device's plus or r...
CVE-2020-16199
PUBLISHED: 2020-08-04
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read/modify information, execute arbitrary code, and/or crash the applicat...
CVE-2020-16201
PUBLISHED: 2020-08-04
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple out-of-bounds read vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read information.
CVE-2020-16203
PUBLISHED: 2020-08-04
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. An uninitialized pointer may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash...