Whenever someone claims that their computer uses passwords so strong that they cannot be broken within a lifetime, security people tend to respond with the “obligatory xkcd”: a threat of violence will make the owner hand over the password. There is, however, a new effort towards a “subconscious password” that cannot be extracted by force. If it holds up, it is an important step for password-based authentication.

Earlier this year, Bonneau et al. (2012) stated that “the continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers”, which is a valid statement, given that passwords have all sorts of problems and that users are not fond of them. Without discussing every issue in detail, one can imagine the problems raised by having to memorise many different strong passwords, and the tendency of users to circumvent security measures in order to gain some usability.

At Gunpoint, Every Security Measure Is Futile
The point the xkcd comic gets across so well is that even very good security measures are futile when the holder can be physically coerced. If someone were to torture you, chances are very high that you would rather give up your strongly protected password than endure more pain.

The traditional answers to such (to use a euphemism) physical password extraction methods are biometrics and tokens. The first relies on physical attributes such as fingerprints or the iris; the second on objects one has to present when authenticating, such as smart cards and RSA tokens. Biometric solutions are commonly expensive and scare users, especially after certain action films, and they do not really address coercion either: a finger or an eye can be forced onto the sensor just as a password can be forced out of a mouth. Tokens can still be stolen, although they do provide good security when combined with a password.

The Not-Extractable Password
In a promising recent proposal, neuroscientists and cryptographers got together to propose the subconscious password. Using the psychological concept of implicit learning, they devised a password that one does retain, but cannot consciously recall or reproduce. In other words, they found a password that cannot be extracted from a person by violence, because the person is unable to state it even when willing to.

Implicit learning refers to the way humans learn certain patterns without being able to show any conscious knowledge of them. Everyday examples are learning to ride a bicycle, to walk or to swim: one cannot explain how one does it, yet performs the task with ease.

The researchers embedded the implicit learning of the password in a specially crafted computer game. Although it appears random and purely entertaining, certain repeated patterns are presented in such a way that they become imprinted in the player's subconscious memory. Authentication then consists of playing the game again: the legitimate user performs measurably better on the trained pattern than on unfamiliar ones, while still being unable to state the pattern. This way the authors were able to teach users a password that cannot be extracted by threatening or torturing them.
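Because the user cannot recite the secret, the server cannot check it by comparison the way a normal password is checked; it has to measure performance. The following is an added toy model of that idea, written for this post and not the researchers' game or code. The key layout, the 30-element sequence length, the player behaviour model and the decision threshold are all assumptions; a real deployment would calibrate the threshold against measured hit rates of trained and untrained players.

```python
"""Toy model of implicit-learning ("subconscious password") authentication.

The server knows a secret cue sequence it once trained into the user through a
game.  At login it interleaves that sequence with random foil sequences of the
same length and records only hits and misses per cue.  The statistic that
decides the login is the hit-rate gap between trained and foil blocks: a trained
user has one, a stranger does not, and neither can write the sequence down.
"""
import random

KEYS = "sdfjkl"     # six response keys of the game (assumed layout)
SECRET_LEN = 30     # length of the trained sequence (assumed)


def make_sequence(rng: random.Random) -> str:
    """Random sequence over KEYS with no immediate repeats (keeps it learnable)."""
    seq = []
    while len(seq) < SECRET_LEN:
        k = rng.choice(KEYS)
        if not seq or seq[-1] != k:
            seq.append(k)
    return "".join(seq)


def build_session(secret: str, rng: random.Random, n_rounds: int = 20):
    """Server side: shuffle trained blocks among same-length foils.

    The client only ever sees the concatenated cue stream; the tags stay on the
    server so the stream itself does not mark where the secret sits.
    """
    blocks = []
    for _ in range(n_rounds):
        blocks.append(("trained", secret))
        blocks.append(("foil", make_sequence(rng)))
    rng.shuffle(blocks)
    return blocks


def simulate_player(blocks, rng: random.Random, learned: bool,
                    p_base: float = 0.65, boost: float = 0.20):
    """Constructed behaviour model standing in for the game client.

    A trained player hits cues of the trained sequence more often than foil
    cues; an untrained player hits both at the same base rate.
    """
    results = []
    for tag, seq in blocks:
        p = p_base + (boost if learned and tag == "trained" else 0.0)
        results.append((tag, [rng.random() < p for _ in seq]))
    return results


def hit_rate(results, tag: str) -> float:
    hits = [h for t, hs in results if t == tag for h in hs]
    return sum(hits) / len(hits)


def score(results) -> float:
    """Authentication statistic: trained hit rate minus foil hit rate."""
    return hit_rate(results, "trained") - hit_rate(results, "foil")


def authenticate(results, threshold: float = 0.10) -> bool:
    """Accept only if the performance gap exceeds the (assumed) threshold."""
    return score(results) >= threshold


def run_trial(seed: int, learned: bool):
    """End-to-end trial with a seeded RNG; returns (secret, score, accepted)."""
    rng = random.Random(seed)
    secret = make_sequence(rng)
    session = build_session(secret, rng)
    results = simulate_player(session, rng, learned)
    return secret, score(results), authenticate(results)


if __name__ == "__main__":
    for learned in (True, False):
        secret, gap, ok = run_trial(seed=1, learned=learned)
        who = "trained user" if learned else "stranger"
        print(f"{who}: gap={gap:+.3f} accepted={ok}")
```

Note what the coercion scenario looks like in this model: there is no string the user could surrender, and a stranger who forces the user to recite "the password" gets nothing, because the only record of it is the hit-rate gap produced while playing. This is also why the reply in the comments below matters: the attacker can still drag the user to the game and make them play.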

A New Horizon for Passwords?
Before reading about subconscious passwords, I would have said that passwords have had their time and that replacement by modern solutions is inevitable. With the concept of implicitly learned passwords, both the problem of remembering the password and the problem of extracting it by torture have been tackled. Passwords therefore seem to have gained a new horizon and a new future in modern authentication. Of course, there is still the case where an attacker uses coercion to make you enter the password yourself, but that problem persists with practically all authentication methods.


3 Responses to The Subconscious Password

  1. Ingrid says:

    Well, the problem with implicit learning is that instead of being threatened at gunpoint, you know you will be kidnapped first and threatened at gunpoint to do your implicitly learned trick.

    For normal social engineering prevention (no weapons / physical violence) it is much better to encourage people to use a very shameful passphrase, something they will never share to help someone nice on the phone! Let's call that concept: Henk and Ingrid's password theorem 🙂

    • Dear Ingrid,

      If I understand the psychological concept correctly, it is required that the entry interface is the right one. So, the gunpoint situation is a viable attack, but only if the subject of the attack is dragged over to the password entry interface. Thus, if this interface is only available at a certain door, the attacker has to rebuild it, or drag his target to that door, with the risk of being spotted.

      Another interesting situation is where the attacker does not believe the target cannot reproduce the password, and just continues the torturing anyway.

      Please also note that the theorem you propose is extractable by force, as it just revolves around traditional password methods. Although social engineering is, probably, the most common type of attack, it is not the attack vector at hand.

  2. For the interested reader, I should point out that an example can be found online.
