
Scientists mimic Guitar Hero to create subliminal passwords for coercion-proof security

01 Aug 2012

Researchers from Stanford University will next week reveal a security system that can defeat the most aggressive attackers by ensuring that users cannot be coerced into revealing their password, even under duress, because they simply never know it: it is a subliminal password.

The team behind the subliminal password wanted to know if they could use implicit learning – where people learn patterns without consciously realising it – to nullify the threat of users being coerced into revealing a password.

To create the subliminal password, the team created a computer training game, which mimicked features of the popular video game Guitar Hero, by getting users to time inputs with on-screen prompts.

The team set up a website hosting this training game and taught subjects how to use it, recruiting them from Amazon's Mechanical Turk.

In the training game, circles were depicted falling into one of six columns; players scored points if they pressed keys on the keyboard to correspond to column positions on screen just before the circle hit the column's floor.

Each column had three possible positions where the circles could fall, along with an empty column, which helped users map the circles to columns more effectively when the game was played at high speed.

The subliminal password is created from a sequence of 30 characters using that set of keys, but users are never told what the sequence is.

Instead, they are presented with a number of training sessions that include that 30-character sequence, along with several random sequences.

The players spent around 35 to 40 minutes repeating this training session.

To then authenticate the user, the team tested subjects with the game again. But this time, subjects were presented with some circles that fell in the patterns they saw in the training programme and others that they had not seen.

The team showed that users consistently scored better on the sequences they had been trained to implicitly learn than the random ones. Users that had never undergone the training sessions showed no such distinctions.
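A minimal sketch of the authentication decision described above, as an added example that is not the researchers' code. The key set `sdfjkl`, the no-immediate-repeat rule, the `margin` threshold and the simulated player are assumptions made for illustration.

```python
import random

KEYS = "sdfjkl"   # assumed key set: one key per column (the article gives six columns)
SEQ_LEN = 30      # the article's 30-character sequence

def new_sequence(rng):
    """Random 30-key sequence with no immediate repeats (repeat rule is an assumption)."""
    seq = [rng.choice(KEYS)]
    while len(seq) < SEQ_LEN:
        k = rng.choice(KEYS)
        if k != seq[-1]:
            seq.append(k)
    return "".join(seq)

def build_challenge(secret, rng, decoys=2):
    """Authentication round: the trained sequence mixed with fresh random ones."""
    items = [("trained", secret)] + [("decoy", new_sequence(rng)) for _ in range(decoys)]
    rng.shuffle(items)
    return items

def hit_rate(hits):
    return sum(hits) / len(hits)

def authenticate(results, margin=0.05):
    """results: list of (label, [bool per prompt]). Accept only if the trained
    sequence is played measurably better than the decoys (margin is an assumption)."""
    trained = [h for label, hits in results if label == "trained" for h in hits]
    decoy = [h for label, hits in results if label == "decoy" for h in hits]
    if not trained or not decoy:
        return False  # nothing to compare against, so fail closed
    return hit_rate(trained) - hit_rate(decoy) >= margin

def simulate_player(challenge, rng, base=0.70, learned_bonus=0.0):
    """Constructed player model: hits each prompt with probability `base`, plus
    `learned_bonus` on the trained sequence (0.0 models an untrained user)."""
    out = []
    for label, seq in challenge:
        p = base + (learned_bonus if label == "trained" else 0.0)
        out.append((label, [rng.random() < p for _ in seq]))
    return out
```

The server never asks the user for the sequence. It only compares timing accuracy on the trained pattern against the decoys, which is why an untrained player shows no gap and is rejected.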

The team, which comprises Hristo Bojinov and Dan Boneh from Stanford, along with colleagues Daniel Sanchez and Paul Reber from Northwestern University and Patrick Lincoln from SRI, will present their work at the Usenix Security Symposium in Bellevue, Washington, next week.

They acknowledge that the system is just a proof-of-concept model at present.

“We hope to further analyse the rate at which implicitly learned passwords are forgotten, and the required frequency of refresher sessions,” they said in their research paper.

But their Mechanical Turk research provides a “basis for confidence that it is possible” to build a subliminal password system via implicit learning, they added. That's a very neat way to defeat a proper brute force attack.
