Yesterday I featured the preliminary work of a Stanford/Northwestern University team that claims to have succeeded in embedding 30-character passwords into the subconscious memory of its subjects. The group will present their findings at the 21st USENIX Security Symposium in August. The interesting part for me was how they accomplished this. As mentioned yesterday, implicit memory governs tasks that are so common or well-trained that they are automatic. So when it came time to “train” their subjects, what did Bojinov and his team do? Play Guitar Hero.
Well, not really. But what they did play was a really boring version of the popular musical instrument game, if you took out the guitar, the music, and the heroism. In the game, which is built on a task dubbed Serial Interception Sequence Learning (SISL), dots move down the screen and the player taps the key when the dot reaches the bottom of the screen.
In a typical training session of 30-60 minutes, participants complete several thousand trials and the order of the cues follows a covertly embedded repeating sequence on 80% of trials. The game is designed to keep each user at (but not beyond) the limit of his or her abilities by gradually varying the speed of the falling circles to achieve a hit rate of about 70%. Knowledge of the embedded repeating sequence is assessed by comparing the performance rate (percent correct) during times when the cues follow the trained sequence to that during periods when the cues follow an untrained sequence.
The password is padded with 18 random characters to mix things up. So rather than make the user simply memorize a sequence of keys, the game forces your fingers to do the learning. Like learning to play an instrument, the correct key combinations are performed through muscle memory.
When it comes time to authenticate, the player sits in front of the same game, except the trained password is mixed up with other passwords. After about 5 minutes of play, the program analyzes the success rate of the player. Naturally, key combinations from the trained password will have a higher success rate than new combinations generated by the authenticator. As a result, there is no way to memorize the password; it is reflected in your familiarity with your unique, trained segments. If the success rate is adequate, the password is authenticated. It’s clever, but it also sounds exhausting.
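The comparison described above, as an added example that is not from the original post or the researchers' code: it scores an authentication session by testing whether the hit rate on trained cues exceeds the hit rate on untrained cues. The one-sided two-proportion z-test, the `alpha` threshold, and the sample hit counts are assumptions made for illustration.

```python
import math

def score_session(trials, alpha=0.01):
    """trials: iterable of (is_trained, hit) booleans, one per falling cue.

    Returns (trained_rate, untrained_rate, p_value, accepted).
    alpha is an assumed acceptance threshold, not a figure from the study.
    """
    n = {True: 0, False: 0}
    hits = {True: 0, False: 0}
    for is_trained, hit in trials:
        n[bool(is_trained)] += 1
        hits[bool(is_trained)] += bool(hit)
    if n[True] == 0 or n[False] == 0:
        raise ValueError("need both trained and untrained trials to compare")
    p_tr = hits[True] / n[True]
    p_un = hits[False] / n[False]
    # Pooled hit rate under the null hypothesis "no trained-sequence advantage".
    pooled = (hits[True] + hits[False]) / (n[True] + n[False])
    se = math.sqrt(pooled * (1 - pooled) * (1 / n[True] + 1 / n[False]))
    if se == 0:  # all hits or all misses: no evidence either way, so reject
        return p_tr, p_un, 1.0, False
    z = (p_tr - p_un) / se
    # One-sided p-value: chance of an advantage this large with no training.
    p_value = 0.5 * math.erfc(z / math.sqrt(2))
    return p_tr, p_un, p_value, p_value < alpha

def make_session(trained_hits, trained_n, untrained_hits, untrained_n):
    """Constructed sample data: a session with the given hit counts."""
    return ([(True, i < trained_hits) for i in range(trained_n)] +
            [(False, i < untrained_hits) for i in range(untrained_n)])

if __name__ == "__main__":
    enrolled = make_session(300, 400, 260, 400)  # constructed: 75% vs 65%
    stranger = make_session(280, 400, 282, 400)  # constructed: ~70% on both
    for name, session in (("enrolled", enrolled), ("stranger", stranger)):
        print(name, score_session(session))
```

A raw hit rate alone would not work as the test statistic, because the game tunes its speed so that every player hits about 70%; only the gap between trained and untrained cues carries the signal.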
Regardless, I give them free rein to call it “Password Hero” if they should decide. That stuff’s too good.
So, as a reminder as to why we don’t do a daily comic here, our content management program overwrote yesterday’s comic. I’ll put the correct one back up later tonight. Apologies.
DISREGARD THAT. The hero, Andrew, has set the Universe right with a cached version of the file.