There is an article on popsci.com about secure passwords entitled “Why TheOnly Secure Password Is One You Don’t Even Know That You Know”. It deals with a method to create passwords that can be entered, but because the user does not actually know the password, she cannot forget it or share it. You should read the article.
I was first exposed to this idea when I read a passage in Leo Marks’ Between Silk and Cyanide a good book about cryptography and spying. The section discusses verifying someone’s identity in such a way that he “himself, if caught later by the enemy, would be unable to remember it.”I wondered if someone could create a computer password like this. It would be a password that could not be shared.
Then this last week I started reading the book Moonwalking with Einstein: The Art and Science of Remembering Everything by Joshua Foer. The book is as good as its title and it has lots of great stories and information about memory research. I’m reading the book on the Kindle Fire so I cannot give you a page number for the research I’m about to describe. The idea behind the research was that we (humans) have a great memory for images – in fact, that is far better than our memory for words and numbers. No kidding. The researchers showed subjects pictures very briefly. The subjects then had to select the ones they’d seen from a selection of similar ones. The example was that the subjects saw a picture with a windmill and had to select it from others with windmills. The thing was, even without specifically trying to remember the photos they could reliably choose correctly the one they’d seen. This was similar to “Passwords you’ll never forget, but can’t recall” by Daphna Weinshall and Scott Kirkpatrick. (Or maybe he was referring to the same research.) The interesting aspect of the research was that the subjects could not describe the correct photo accurately enough that someone else could choose the right one amongst similar images.
Foer was interested in the cognitive issues behind picture recognition because that is part of the memory challenge for which he was training. But like Weinshall and Kirkpatrick I think the idea of a password you cannot share because you don’t know what it is is intriguing.
I am not sure of the best and most reliable way of choosing a password the user is not consciously aware of. I suspect it will need to be used with a second factor such as a biometric check. The research is quite interesting and as more comes out, I will be sure to report it here. In the mean time, Learning Tree Course 468 discusses various modes of authentication and is a good course for security novices or those wanting to flesh out their knowledge of the basics. I hope to see you there soon.