back to article Boffins demo passwords even users don’t know

What if you could use a password with 38 bits of entropy without memorizing it? Stanford University researchers think they've found a way to deliver. Their argument is that attackers can steal passwords from ill-defended servers, install keyloggers in drive-by attacks, or force people to hand over their security tokens. The …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward


    "The aim is to defeat the 'rubber hose' attack (i.e., beating the information out of some unfortunate insider) – since you can’t divulge what you don’t know."

    So the bad guys sit you in front of a computer and beat you with the hose until you successfully complete the game. If they are particularly cunning they can record your keystrokes (or mouse movements or whatever) and replay the game.

    How does this help?

  2. Paul Renault

    Heck, I don't know most/nearly-all of my passwords.

    And they have much more than 38 bits of entropy.

    Lastpass, FTW!

    1. Aqua Marina

      Re: Heck, I don't know most/nearly-all of my passwords.

      I'm guessing that comment was said tongue in cheek.

      Lastpass is great until say something like this happens

      All your eggs in one basket much.

      1. Paul Renault

        Re: Heck, I don't know most/nearly-all of my passwords.

        I wasn't concerned when the 'breach' happened. (At the time, Lastpass wasn't sure that whether some/all of the database had been stolen - but reported suspicious activity.)

        No big deal: Within a day or so of the announcement, I changed my master password and in the next few days, I changed (and muchly strengthened) all of the critical passwords, and some of the less-than-critical ones. This was relatively painless - as it was handled by the Lastpass software.

        And, no I don't know what most of my passwords are. Heck, I've even displayed some of the 100plus-character passwords to friends - warning them beforehand that this was their ten-second chance to steal a password of mine. (It always elicited a laugh, once they saw the completely-impossible-to-memorize passphrase...)

  3. Notas Badoff

    Vulnerable to cracks

    Arm in cast means password lost?

    "Sorry boss, no can do, my arthritis is acting up!" "What did you say!? That's ageist!!"

    "What do you mean I've been goofing off? I was learning some new passwords. But for extra extra security I decided these servers on the left were going to be left-handed servers, and I'm right-handed, and so it took me 3 hours to beat the game the first time, and I needed to be sure I'd trained it right and so that's what I've been doing since Monday. I _had_ to check the entropy you see! It's for security purposes!!"

    "Oh by the way, the bring your child to work day had a slight downside this year. Seems that Alex's little Ella got in and reset the master password to the accounting app. Had great fun I hear, playing that game. Anyway, now she's demanding a motorbike before she'll come in and play that game again. She's bored with it now..."

  4. chris lively

    Dumb ass idea. Period.

    First off, the password itself isn't the problem. Most of them are lost due to bad systems security. Ie: dumb programmers who have failed to read ( or put into practice) owasp guidelines.

    Second, even if it was only 5 minutes, that's too long. People would flat out refuse to use it.

    Third, there are a lot of passwords out there that people only use once a month ( exa: paying bills). If all you get is a couple weeks before you need a relearn then this idea is DOA.

    Morons. I want my tax money back that funded this crap.

  5. Anonymous Coward
    Anonymous Coward

    I don't know any of my passwords...

    For years, I've been creating passwords based on patterns of the positions of keys rather than the characters on them. Not obvious patterns like each key along a row, but more complex ones that are still within my ability to remember. Even if threatened, I wouldn't be able to give away my passwords.

    I also use DVORAK keyboard layout, so the patterns end up becoming quite random when converted to a standard QWERTY keyboard.

    Anonymous because I'm revealing my password strategies. :)

  6. Anonymous Coward

    If They Weren't Retard Researchers

    ..they would spend their working time in creating a hardware token device which is formally proven correct, from the hardware up to the software running on the device and the services which need to be authenticated. Publish the circuit schematics and the software as open source.

    One-Time PIN generators can be done securely and correctly; no need to use the brain-fucked approach of RSA "Security".

  7. Richard 81

    I can see it working.


    1. Anonymous Coward
      Anonymous Coward

      Re: I can see it working.

      Surely DOWN R UP L Y B X A? (Drop the X A if you're not turning Japanese..)


  8. Andrew Moore

    Already done...

    I've already done this with my ATM pin- I don't know what the number is, just the sequence of movements my fingers make.

  9. sazoo

    If necessary people can remember/reconstruct complex patterns...

    A la...


    AKA one lead of CS6 - which will mean a lot to some people, and nothing to others, but hundreds of people around the country could recreate that from the description of "1 lead of CS6"

  10. Mystic Megabyte

    Open the pod bay doors Hal

    "Only if you beat me at Pong!"

  11. daveeff

    If you can reproduce it doesn't that mean you know it???

    So do you play the game or just reproduce the key strokes?

    If you actually play the game any small kid who can REALLY play can access everything!

    Either way you can be rubber hosed into reproducing the keys. They could add a polygraph to check you aren't stressed - but having a system deny your password because you aren't relaxed enough would be a stress feedback loop!!!

    The only way to avert rubber hose attacks is to have a dummy login - same username but different password which gives access to a reduced / false a/c and locks / deletes the original. The "hosers" have less incentive to get the real password once they know it is locked - doesn't mean they won't "hose" the victim some more though!

    This would be handy for bank card PINs (I've known people frog marched to the hole in the wall to withdraw as much as they can & hand it over). If they could enter a 2ndary PIN which said they only had a tenner left at the same time alerting the police...

    1. Charles 9 Silver badge

      Re: If you can reproduce it doesn't that mean you know it???

      That's the "plausible deniability" premise behind hidden partitions. You use a normal partition that has only embarrassing information which you'd give under coercion while at the same time keeping hidden in the same place the real goods.

      Thing is, if the hose-users are aware of the possibility, they'll just keep rubber-hosing you to reveal ALL the secrets or hint that they know of the existence of a panic code---which can mean something very permanent to you if they suspect you're using that one instead of the real one.

      The big problem with security at this time is the problem of establishing necessary trust between Bob and Alice when neither have a history of trust (because they've never met before). It's a problem that goes both to physics and psychology and is therefore one of the "hard" problems of security.

    2. Anonymous Coward
      Anonymous Coward

      Re: If you can reproduce it doesn't that mean you know it???

      We had this at one facility I worked at, a panic PIN on any card-locled door would open the door in question and then send the entire facility into lockdown. The obvious problem is that the person who entered the panic PIN would then be trapped with the people forcing him to open dooors, as the doors were always in pairs and the inner doors could only be opened from the inside or remotely from the security centre (in the event that we had to completely evacuate so noone was left on the inside).

  12. Great Bu

    Access Denied

    I'm sorry - you cannot access your e-mail as you have failed to reach level 40 on WoW.

    Please try again, preferrably not as a night elf paladin.

  13. Anonymous Coward
    Anonymous Coward

    Looks like the worlds worst guitar hero clone.

  14. Anonymous Coward
    Anonymous Coward


    Don't tell the morons who run our corporate windows fail intranet, and who, contrary to proper security practise expire passwords all the bloody time so the users obviously pick something unsafe and tag it with numbers.

    I haven't yet thought of a way to get Bruce Schneieieieieier to come and Falcon Punch them into behaving, but they don't need a shiny idea like this either, no siree :D

  15. Anonymous Coward 15

    A strange game.

    The only winning move is not to play.

  16. Anonymous Coward
    Anonymous Coward

    What if you are spectacularly good at Guitar Hero?

    What if you are spectacularly good at Guitar Hero? Good enough that there is no measurable difference between the patterns you've learned and the patterns you haven't - one of those people who gets a Perfect on Free Bird?

  17. lambda_beta


    OK Here's the deal. You play the game and then forgot you played the game, but remember that you forgot the password. So when you need the password you forget to play the game, in which case you remember the password. But on a quantum level, you can both forget and not forget the password, so play the game and have some a beer and remember the password. ... it's really simple and foolproof (and nobody with rubber hoses knows you forgot)!

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022