Subconscious Security – Storing Passwords in Memory with Implicit Learning

A team of neuroscientists and cryptographers has developed a prototype system that uses the concept of implicit learning to store a 30-character password in subconscious memory.

I wish I was reporting that this technology will soon be widely available, eliminating the annoyance of forgotten passwords for good. But if anything, the methods described here are more likely to be put into use at the highest levels of government/military operations. Even so, the concept, and the research pushing the boundaries of what we can knowingly do with our subconscious memory, is highly intriguing:

The system was designed by Hristo Bojinov and Dan Boneh of Stanford University, in partnership with neuroscientists and cryptographers from Northwestern University and SRI International. Their design for subconscious password storage involves the use of a specially crafted computer game (shown in the screenshot above). Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no repeating characters. In the training game, the user has to hit the corresponding key for each of those letters when a circle reaches the bottom of the screen. As others have noted, the training game isn’t so different from “Guitar Hero” at a glance. Results of the research so far suggest that it takes about 45 minutes of playing this game to deeply lodge a 30-character password in your subconscious.

To log back into a machine, the user simply plays a quick round of the game, in which some segments are their actual password, but others are randomly created strings of characters. The research team observed that users were consistently able to perform better on the portions of the game containing their password, as those patterns were stored subconsciously. Reliably performing the password sections better than the random sections is what authenticates the user, and allows them to log in.
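The login check described above can be sketched as follows. This is an added example, not code from the research team or their paper. It assumes that "no repeating characters" means no key occurs twice in a row (30 letters drawn from six keys must reuse letters), and the 0.05 acceptance margin and the sample hit counts are constructed for illustration.

```python
import secrets

KEYS = "SDFJKL"  # the six keys named in the article

def new_sequence(length=30):
    """Random key sequence; assumption: no key occurs twice in a row."""
    seq = [secrets.choice(KEYS)]
    while len(seq) < length:
        seq.append(secrets.choice([k for k in KEYS if k != seq[-1]]))
    return "".join(seq)

def build_challenge(trained, decoys=2):
    """Hide the trained sequence among fresh random decoys, in random order.
    The labels stay on the server; the player only sees falling circles."""
    segments = [("trained", trained)]
    segments += [("random", new_sequence(len(trained))) for _ in range(decoys)]
    secrets.SystemRandom().shuffle(segments)
    return segments

def authenticate(trials, margin=0.05):
    """trials: (label, hit) per circle. Accept if the hit rate on trained
    segments beats the rate on random segments by at least `margin`
    (hypothetical threshold, not taken from the paper)."""
    trained = [hit for label, hit in trials if label == "trained"]
    decoy = [hit for label, hit in trials if label == "random"]
    if not trained or not decoy:
        return False, 0.0  # no comparison possible: fail closed
    advantage = sum(trained) / len(trained) - sum(decoy) / len(decoy)
    return advantage >= margin, advantage

def constructed_trials(trained_hits, decoy_hits, n_trained=30, n_decoy=60):
    """Constructed sample data: a fixed number of hits per segment type."""
    return ([("trained", i < trained_hits) for i in range(n_trained)]
            + [("random", i < decoy_hits) for i in range(n_decoy)])

if __name__ == "__main__":
    print(build_challenge(new_sequence()))
    print(authenticate(constructed_trials(27, 48)))  # trained user
    print(authenticate(constructed_trials(24, 49)))  # untrained user
```

The decision rests only on the gap between the two hit rates, so a fast player who is equally good on every segment is rejected just like a slow one.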

Because the system is based on performance and speed, rather than rote memorization, it cannot be written down or given away, even to legal authorities or under threat. It is “thousands/millions of times more secure than your average, memorable password,” reports Extreme Tech.

As mentioned earlier, this system isn’t being developed with everyday security needs in mind. Lead designer Hristo Bojinov believes it’s ideal for monitoring access to “highly secure, sensitive physical areas. We see our scheme as complementary to other authentication methods, not as a replacement for them,” he writes.

In their published paper, the team describes goals for future research that would further illuminate the possibilities for making use of implicit learning/subconscious memory in this way. The team hopes to better analyze the rate at which passwords are forgotten after this training, and to more accurately determine when individual users have reliably learned the password. They also plan to test whether sequences as long as 80 items could be subconsciously stored, and whether even more complex structures can be learned implicitly.


Extreme Tech

Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks (Original research article)