
Scientists mimic Guitar Hero to create subliminal passwords for coercion-proof security

by Gareth Morgan

01 Aug 2012


Researchers from Stanford University will next week reveal a security system that can defeat the most aggressive attackers by ensuring that users cannot be coerced into revealing their password, even under duress, because they simply never know it: it is a subliminal password.

The team behind the subliminal password wanted to know if they could use implicit learning – where people learn patterns without consciously realising it – to nullify the threat of users being coerced into revealing a password.

To create the subliminal password, the team created a computer training game, which mimicked features of the popular video game Guitar Hero, by getting users to time inputs with on-screen prompts.

The team set up a website hosting this training game and taught subjects how to use it, recruiting them from Amazon's Mechanical Turk.

In the training game, circles were depicted falling into one of six columns; players scored points if they pressed the keys on the keyboard corresponding to the column positions on screen just before the circle hit the column's floor.

Each column had three possible positions where the circles could fall, along with an empty column, which helped users map the circles to columns more effectively when the game was played at high speed.

The subliminal password is created from a sequence of 30 characters using that set of keys, but users are never told what the sequence is.

Instead, they are presented with a number of training sessions that include that 30-character sequence, along with several random sequences.

The players spent around 35 to 40 minutes repeating this training session.

To authenticate a user, the team tested subjects with the game again. This time, however, each subject was presented with some circles that fell in the patterns they had seen in the training programme and others that fell in patterns they had not.

The team showed that users consistently scored better on the sequences they had been trained to implicitly learn than the random ones. Users that had never undergone the training sessions showed no such distinctions.
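The authentication step described above can be sketched as a comparison of hit rates on the trained sequence against freshly generated decoys. This is an added example, not the researchers' code; the key set, the number of decoys, the `min_gap` threshold and the simulated `play` function are all assumptions made for illustration.

```python
import secrets
from statistics import mean

KEYS = "sdfjkl"   # assumed key set: one key per on-screen column
SEQ_LEN = 30      # secret sequence length given in the article

def new_sequence(length=SEQ_LEN):
    """Draw a random key sequence; the user is never shown it in written form."""
    return "".join(secrets.choice(KEYS) for _ in range(length))

def build_challenge(secret, decoys=2):
    """Mix the trained sequence with fresh random ones in an unpredictable order."""
    blocks = [("trained", secret)]
    blocks += [("decoy", new_sequence()) for _ in range(decoys)]
    secrets.SystemRandom().shuffle(blocks)
    return blocks

def hit_rate(expected, pressed):
    """Fraction of prompts answered with the right key (None or missing = miss)."""
    return sum(e == p for e, p in zip(expected, pressed)) / len(expected)

def verify(challenge, responses, min_gap=0.10):
    """Accept only if trained blocks are played measurably better than decoys.

    min_gap is an assumed threshold; a real system would calibrate it.
    """
    rates = {"trained": [], "decoy": []}
    for (kind, seq), pressed in zip(challenge, responses):
        rates[kind].append(hit_rate(seq, pressed))
    gap = mean(rates["trained"]) - mean(rates["decoy"])
    return gap >= min_gap, gap

def play(seq, miss_every):
    """Constructed stand-in for a player: misses every `miss_every`-th prompt."""
    return [None if (i + 1) % miss_every == 0 else k for i, k in enumerate(seq)]

if __name__ == "__main__":
    challenge = build_challenge(new_sequence())
    # Constructed behaviour: a trained user is sharper on the trained block only.
    trained_user = [play(s, 10 if kind == "trained" else 4) for kind, s in challenge]
    untrained_user = [play(s, 4) for _, s in challenge]
    print("trained user:  ", verify(challenge, trained_user))
    print("untrained user:", verify(challenge, untrained_user))
```

In this sketch the verifier holds the sequence in order to build the challenge, so the property it illustrates concerns what the user can disclose, not what the server stores.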

The team, which comprises Hristo Bojinov and Dan Boneh from Stanford, along with colleagues Daniel Sanchez and Paul Reber from Northwestern University and Patrick Lincoln from SRI, will present its work at the Usenix Security Symposium in Bellevue, Washington, next week.

They acknowledge that the system is just a proof-of-concept model at present.

“We hope to further analyse the rate at which implicitly learned passwords are forgotten, and the required frequency of refresher sessions,” they said in their research paper.

But their Mechanical Turk research provides a “basis for confidence that it is possible” to build a subliminal password system via implicit learning, they added. That's a very neat way to defeat a proper brute force attack.
