Unbreakable Passwords – An unchained melody

Last updated: 21 March 2014

Being a security professional, I always find it fascinating to hear from the world of code breaking. More often than not, cryptography is the stuff of Hollywood movies (from Mercury Rising and Enigma to Swordfish), but last month I came across a new system of authentication that claims to be ‘unbreakable’. How? You ask. Well, let me drum it into your subconscious.

The system, devised by Hristo Bojinov of Stanford University, relies on implicit learning, a process by which you absorb new information — but you’re completely unaware that you’ve actually learnt anything.

To illuminate: Serial Interception Sequence Learning (SISL) teaches the password to a part of your brain that you cannot consciously access — but it is still there in your subconscious, just waiting to be tapped. If you think your memory will struggle to retain this paragraph… you can find Mr Bojinov’s full research paper here.

Fully explained in this article by Sebastian Anthony, the training process actually resembles the much loved (and often infuriating) computer game Guitar Hero. Being the father of an 11-year-old boy, I am well aware of the concept of repetitive learning, as he destroys me every time we play. So is this new innovation simply a gimmick? Or are we heading in the wrong direction when we use words to protect our possessions online?

Well, as tempting as it is to burst into my favorite Linkin Park tune every time I gain access to my digital assets, the truth is that a combination of techniques will always be the most practical method of digital security – also known as multi-factor authentication.

A 30-character password that is memorized by playing a Guitar Hero-like game, and that has to be played again to gain access, is a bit far-fetched for most enterprises – although it might be amusing to watch an executive staff meeting with them all logging in at the same time. The key characteristic of the subconscious password is that it can’t be acquired by a malicious user, because you can’t, in theory, ‘give’ it to another person. However, the fact that you enter the password subconsciously would surely indicate that if you were asked to repeat the login procedure under duress, you would still be able to perform it.

Perhaps, from an enterprise point of view, it seems counterproductive to go to such extremes when there is a non-password-based option that provides near-unbreakable authentication and is trusted by some of the world’s most secure environments… including the master keys to the internet.

There are plenty of innovations that we are working on to ensure greater user convenience while providing the necessary security. Here are just three:

  1. Converged authentication devices – a single device that provides authentication using a one-time password or a certificate-based identity, and also grants access to a physical building.
  2. Mobile authentication – using your mobile phone as another factor of authentication (an OTP app or SMS-based OTP).
  3. Near field communication – this can leverage several form factors, including an NFC-enabled mobile handset. A certificate-based identity is stored in the secure element and accessed when the device is used to gain access to a network or online service, and to a building when paired with the right physical access system.

In short, why try to fix or enhance a broken technology when there are so many other options available to address the critical business issue of security without a significant amount of pain?
