Even the most Fort Knox of passwords remain vulnerable if you leave them on a sticky note next to your computer.
To combat the human error that can leave passwords vulnerable, researchers have developed an alternative system, one that stores your password within your subconscious through a Guitar Hero-esque game.
The system was designed by Hristo Bojinov and Dan Boneh of Stanford University, in partnership with neuroscientists and cryptographers from Northwestern University and SRI International. According to their research paper proposal, each person in search of a new password will take part in a 30- to 45-minute training session. During this session, you’ll watch six columns corresponding with the S, D, F, J, K, and L keys. You just tap a key when its respective “fret” falls down the column.
“For each user, the system selects a unique sequence of 30 characters, selected from over 240 billion such possible sequences,” explained Bojinov in an email. “The user trains on his or her selected sequence, practicing the motor aspects of playing it.” Once a user has completed training, the unique sequence is implanted in his or her subconscious.
Upon their next login attempt, users will play a short round of the game, where they will be tested on their trained sequence alongside two randomly selected sequences. The system authenticates the user if she performs better on their trained sequence than on the two dummy sequences, taking into account their skill exhibited at training.
Because the system is based on performance and speed, rather that rote memorization, it cannot be written down or given away—even to legal authorities, as Gizmodo points out.
It is “thousands/millions of times more secure than your average, memorable password,” reports Extreme Tech, giving a detailed breakdown of the system’s step-by-step process. However, it would still be vulnerable to those who can physically see and memorize the correct sequence of inputs, notes ArsTechnica.
So are people willing to spend this much time with their password? Even after the initial 30+ minute session, users will still need to spend five to six minutes in the game each time they validate their identity. Besides, it’s not like the average person even prioritizes passkey security. The popularity of passwords like “123456,” “welcome,” and, well, “password,” indicates impatience, not caution.
But this system isn’t meant for everyday security. Bojinov believes it’s ideal for monitoring access to “highly secure, sensitive physical areas,” or as a secondary authentication measure, such as password recovery. “We see our scheme as complementary to other authentication methods, not as a replacement for them,” he writes.
