Passwords are a pain. Your everyday password is vulnerable to being forgotten; passwords in high-security situations are vulnerable to being extracted by “rubber hose cryptography” or, more colloquially, torture. An article last week in the MIT Technology Review detailed an innovative new fix for both problems being developed by researchers at Stanford and Northwestern: a passcode that sits safely in your unconscious, which makes it hard to forget and even harder for interrogators to extract.
The idea, which was presented last year at the USENIX cybersecurity conference, sounds like something out of the movie “Inception.” The researchers use “implicit learning”—the same kind of learning we employ to learn to ride a bike or swing a tennis racket—to implant a passcode in a user’s brain. The user is then able to reproduce the code without actually knowing what it is, in the same way that, once learned, you’re unlikely to forget how to ride a bike even if you can’t really explain how you do it.
The implicit learning takes place through a video game environment that resembles “Guitar Hero”: Balls fall down columns, and users press buttons that correspond to the correct columns as the balls land. Some of the falling-ball sequence they encounter is random noise and some of it is their actual passcode sequence, which is occasionally repeated. Users train at the game for about 45 minutes, during which the recurring passcode sequence implants itself in the user’s brain through repetition. Later, they play the same game for a shorter period of time in order to enter a secure facility; their identity is authenticated based on their ability to perform better when “playing” their passcode sequence than when playing the random elements that have been introduced into the sequence.
The key is, though, that people have never consciously memorized the “password,” and wouldn’t recognize it if they saw it—meaning that even under waterboarding-style duress, they couldn’t give up the goods even if they wanted to.