Guest Blog: Security
Imagine this: someone's pulling your fingernails out one by one in an effort to make you reveal your password. At this stage in the proceedings you'd love to spill the beans, to be frank, but you can't. Because the information is stored in an inaccessible area of your brain, you're completely unable to express it, verbally or in writing.
Now that's what I call secure.
Science fiction? Funnily enough it'll soon be fact, if a team of massive-brained researchers at Stanford University in California have anything to do with it.
Hristo Bojinov and colleagues have taught volunteers passwords that they can use but can't remember, using a spooky combination of cryptography and neuroscience. It's all about implicit learning and it could eventually change the face of electronic security forever.
The magic of implicit learning
Implicit learning, in a nutshell, means unconsciously learning a pattern. Initial results suggest the phenomenon could form the basis of a super-safe security system. In the Stanford study, volunteers 'learned' a unique sequence of key presses during a single training session, and could later perform it reliably, yet they couldn't for the life of them recite it back or write it down.
The phenomenon occurs all the time in everyday life. Say you hear a new word. You find yourself using it correctly straight away, without having to consciously puzzle over the rules behind the grammar you're using. Bingo – you've learned all the complexities behind the word's use, context and meaning implicitly.
Just how safe is an implicitly-learned password?
You could try to extract someone's password by forcing them to play the same kind of game that was used to teach them the password in the first place, and watching which sequences they perform better on. But because each password is a sequence of thirty key presses spread across six possible positions, the space of candidate sequences is enormous and each guess costs a full round of the game, so it'd be a mighty slow process. The researchers estimate that even an attacker who could coerce 100 users into playing non-stop for a year would have less than a 1 in 60,000 chance of recovering the sequence, which is reassuringly unlikely.
When and where might we see implicit learning used for electronic security?
It's a way off yet. At the moment the system isn't user-friendly enough: training and authentication both take far longer than typing a conventional password. And there's a snag: the trained sequence still has to be stored somewhere for the system to check a user's performance against, so security could still be compromised if an attacker broke into the authentication system that holds it. The researchers predict it'll probably be best used in high-risk scenarios, for example access systems for military facilities.
As for the longer term, who knows? One day you might just find yourself the proud owner of a password so secure you don't even know it yourself. In the meantime, Bojinov will present his team's findings at the USENIX Security Symposium in Bellevue, Washington on August 8th.