Scientific Security: Storing Passwords in Your Subconscious

While creating a secure password isn't all that difficult, remembering it often is. And while you could use a manager like 1Password, here's a new idea proposed by a team of scientists: try storing your passwords in your subconscious memory instead.

A team of US neuroscientists and cryptographers from Stanford University, Northwestern University and SRI has developed a password system which uses just subconscious memory. Like riding a bike, that means you never have to actually understand what's going on—and it could help systems become a whole lot more secure, because passwords could never be written down or obtained via coercion.

So, how the hell does that work? Well, the team has developed a system which teaches a password to a part of your brain that you cannot physically access—your subconscious memory—but from where it can be tapped given a test which complements the learning exercise. Extreme Tech explains the concept well:

The process of learning the password involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. There are six buttons - S, D, F, J, K, L - and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes - and here's the genius bit: Around 80% of those keystrokes are being used to subconsciously teach you a 30-character password.

Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters. This equates to around 38 bits of entropy, which is thousands/millions of times more secure than your average, memorable password. This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there's a short pause. This entire process is repeated six more times, for a total of 3,780 items.

By that point, a 30-character password is deeply lodged in your subconscious. When you need to authenticate yourself, you simply play a quick round of the game, in which both your password and other random strings appear. Obviously you do best when your password forms part of the game, and reliably performing that section better than the others grants you access. You can read the full paper here.
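An added example (not from the article or the researchers' code) that generates a key and the training schedule quoted above. It assumes the 30-key sequence is one in which every ordered pair of distinct keys appears exactly once around the cycle, an assumption that reproduces the quoted figure of about 38 bits; the function names and the fresh random padding in each block are also assumptions.

```python
import math
import secrets

KEYS = "SDFJKL"
rng = secrets.SystemRandom()  # OS CSPRNG, since the sequence is a secret

def random_in_tree(root):
    """Wilson's algorithm: uniform spanning tree whose edges point toward root."""
    nxt = {root: None}
    for start in KEYS:
        last_exit, u = {}, start
        while u not in nxt:                 # random walk until it reaches the tree
            last_exit[u] = rng.choice([k for k in KEYS if k != u])
            u = last_exit[u]
        u = start
        while u not in nxt:                 # keep only the loop-erased path
            nxt[u] = last_exit[u]
            u = nxt[u]
    return nxt

def random_sequence():
    """30-key cycle using each ordered pair of distinct keys once (assumed rule)."""
    root = rng.choice(KEYS)
    tree = random_in_tree(root)
    exits = {}
    for v in KEYS:
        outs = [k for k in KEYS if k not in (v, tree[v])]
        rng.shuffle(outs)
        exits[v] = outs + ([tree[v]] if tree[v] else [])  # tree edge is taken last
    seq, v = [], root
    for _ in range(30):
        seq.append(v)
        v = exits[v].pop(0)
    return "".join(seq)

def is_valid(seq):
    pairs = set(zip(seq, seq[1:] + seq[0]))  # cyclic bigrams
    return len(seq) == 30 and len(pairs) == 30 and all(a != b for a, b in pairs)

def training_session(seq):
    """7 rounds x 5 blocks x (3 x 30 trained keys + 18 random keys) = 3,780 items."""
    return [[k for _ in range(5) for k in list(seq * 3) + rng.choices(KEYS, k=18)] for _ in range(7)]

def entropy_bits():
    # BEST theorem, complete directed graph on 6 keys: 6^4 trees x (4!)^6 edge orders
    return math.log2(6**4 * math.factorial(4)**6)

if __name__ == "__main__":
    seq = random_sequence()
    print(seq, is_valid(seq), sum(map(len, training_session(seq))), round(entropy_bits(), 2))
```

Each 108-item block carries 90 trained keystrokes, about 83%, which is consistent with the "around 80%" quoted above. Forbidding only back-to-back repeats would give 6 × 5^29 sequences, roughly 70 bits, so that reading does not match the 38-bit figure.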

Now, there are problems with the concept—not least having to play a short game of faux-Guitar Hero every time you log on to a service—but the underlying theory is a good one. Implanting a password in your subconscious means you can never write it down; it can never be obtained by coercion or torture; and, perhaps best of all, it means you could legitimately never hand over a password to legal authorities. I like Guitar Hero more than ever. [Stanford via Extreme Tech]

Image by marc falardeau under Creative Commons license