Boffins from Stanford University, Northwestern University, and SRI International have come up with a way to stop people from ever divulging their passwords, simply by not remembering them.
The system uses something called “implicit learning”, so a user never actually gets told what their password is but enters it much as they would play the game Guitar Hero or Dance Dance Revolution.
The report, titled “Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks”, shows how a user can learn a password but would never be able to describe it or tell it to someone, as they could with a normal password. The system takes its cue from rubber-hose cryptanalysis, where a password can be revealed with the threat of a beating.
The system uses Serial Interception Sequence Learning (SISL), which to non-boffins looks rather like playing Guitar Hero. Learning the password involves a Guitar Hero-like game with six buttons (S, D, F, J, K, L), and the user has to touch the matching key when the disk reaches the end. During a 45-minute training period, a user will hit the keyboard around 4,000 times, and the user learns the password because around 80 per cent of those keystrokes are being used to subconsciously impart a 30-character password.
The learned password has 38 bits of entropy, meaning that a computer would take eight years at a thousand guesses per second to figure out the password. It also means that the user wouldn’t be able to divulge the password. Whether it means that a criminal still wouldn’t use the excuse to beat someone to a pulp is something the scientists didn’t answer.