Scientists mimic Guitar Hero to create subliminal passwords for coercion-proof security

01 Aug 2012
Researchers from Stanford University will next week reveal a security system that can defeat the most aggressive attackers by ensuring that users cannot be coerced into revealing their password, even under duress, because they simply never know it: it is a subliminal password.

The team behind the subliminal password wanted to know if they could use implicit learning – where people learn patterns without consciously realising it – to nullify the threat of users being coerced into revealing a password.

To create the subliminal password, the team built a computer training game that mimics features of the popular video game Guitar Hero: users have to time their key presses to on-screen prompts.

The team set up a website hosting this training game and taught subjects how to use it, recruiting them from Amazon's Mechanical Turk.

In the training game, circles were depicted falling into one of six columns; players scored points if they pressed the keys on the keyboard corresponding to the column positions on screen just before the circle hit the column's floor.

Each column had three possible positions where the circles could fall, along with an empty column, which helped users map the circles to columns more effectively when the game was played at high speed.

The subliminal password is created from a sequence of 30 characters using that set of keys, but users are never told what the sequence is.

Instead, they are presented with a number of training sessions that include that 30-character sequence, along with several random sequences.

The players spent around 35 to 40 minutes repeating this training session.

To then authenticate the user, the team tested subjects with the game again. But this time, the subject is presented with some circles that fall in the patterns they saw in the training programme and others that they didn't.

The team showed that users consistently scored better on the sequences they had been trained to implicitly learn than the random ones. Users that had never undergone the training sessions showed no such distinctions.
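A toy model of the training and authentication steps described above, added here as an illustration and not code from the Stanford team: it generates a 30-character secret sequence over six keys, scores a session by how many circles were intercepted, and authenticates on the gap between performance on the trained sequence and on fresh random ones. The key labels, the no-immediate-repeat constraint, the player model, the 0.10 margin and the sample scores are all assumptions.

```python
import random
from statistics import mean

KEYS = "sdfjkl"   # one key per column; the actual key labels are an assumption
SEQ_LEN = 30      # the article's 30-character secret sequence


def make_secret_sequence(rng=None):
    """Generate the secret sequence the user is trained on but never told.
    Constraint (assumed, not from the article): no key repeats immediately,
    so the pattern is a genuine sequence rather than a held-down key."""
    rng = rng or random.Random()
    seq = [rng.choice(KEYS)]
    while len(seq) < SEQ_LEN:
        key = rng.choice(KEYS)
        if key != seq[-1]:
            seq.append(key)
    return "".join(seq)


def hit_rate(sequence, presses):
    """Fraction of circles intercepted: a press counts when it matches the
    column the circle fell into."""
    hits = sum(1 for want, got in zip(sequence, presses) if want == got)
    return hits / len(sequence)


def simulate_player(sequence, p_hit, rng=None):
    """Constructed player model: hits the right column with probability
    p_hit, otherwise presses one of the other keys."""
    rng = rng or random.Random()
    presses = []
    for want in sequence:
        if rng.random() < p_hit:
            presses.append(want)
        else:
            presses.append(rng.choice([k for k in KEYS if k != want]))
    return "".join(presses)


def authenticate(trained_rates, random_rates, margin=0.10):
    """Decide from the advantage on the trained sequence over fresh random
    sequences; a user who never trained shows no such gap. The margin is an
    assumed threshold, not a value from the paper."""
    advantage = mean(trained_rates) - mean(random_rates)
    return advantage, advantage >= margin


if __name__ == "__main__":
    rng = random.Random(2012)
    secret = make_secret_sequence(rng)
    # constructed: a trained user intercepts the learned pattern more reliably
    trained = [hit_rate(secret, simulate_player(secret, 0.85, rng)) for _ in range(3)]
    fresh = [make_secret_sequence(rng) for _ in range(3)]
    fresh_rates = [hit_rate(s, simulate_player(s, 0.65, rng)) for s in fresh]
    print("trained user:", authenticate(trained, fresh_rates))
```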

The team, which comprises Hristo Bojinov and Dan Boneh from Stanford, along with colleagues Daniel Sanchez and Paul Reber from Northwestern University and Patrick Lincoln from SRI, will present their work at the Usenix Security Symposium in Bellevue, Washington, next week.

They acknowledge that the system is just a proof-of-concept model at present.

“We hope to further analyse the rate at which implicitly learned passwords are forgotten, and the required frequency of refresher sessions,” they said in their research paper.

But their Mechanical Turk research provides a “basis for confidence that it is possible” to build a subliminal password system via implicit learning, they added. That's a very neat way to defeat a proper brute force attack.
