Trying to remember complicated “secure” passwords may be a thing of the past if the Defense Advanced Research Projects Agency (DARPA) gets its way. The research arm of the US military is putting a call out to developers to begin work on software applications that will allow a computer system to identify a user by analyzing the way they type, instead of using the traditional password method. It is a novel idea with roots in the days when Morse code was the de facto standard for communications across the world.

In the early twentieth century, experienced Morse operators had distinctive traits to their signaling, called their “fist,” that would help to confirm their identities to people familiar with their style (e.g. Allied or German forces trying to crack radio communications). Think of it as handwriting identification for sounds. For example, an operator could by habit elongate an individual character or word, or pause for a certain amount of time between words. Just as your middle school teacher could tell when you forged a note from home, Morse operators could tell whether a message was coming from a person they usually dealt with or from a new person in the loop. The fist was also used to rate an operator’s transmitting skill. Operators who sent clean messages that were easy to copy were called a “Good Fist,” while those who transmitted poorly and made life hard on the receiving operator received the label “Bad Fist.” DARPA is looking for a similar identification method for computers; it wants terminals to be able to identify your fist and use that as a pass phrase rather than having you create insecure passwords that are easy to remember.

The idea rests on the study of something called “keyboard dynamics.” Researchers at Carnegie Mellon University have observed people’s typing habits, and have identified that the motions we have developed are controlled not by deliberate thought but by learned motor control. Their studies conclude that a potential hacker or thief would have a difficult time cracking and emulating your typing style, and that this style would be more than capable of providing secure access to sensitive services.
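To make the idea concrete, here is an added example (not code from DARPA or the Carnegie Mellon researchers) of how a typing-rhythm check can work: it derives key hold and gap timings and compares an attempt against an enrolled profile. The scaled Manhattan distance, the threshold of 2.5, and all timing values are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(press_ms, release_ms), ...] for one typing of the phrase.
    Returns dwell times (key held down) followed by flight times
    (gap between releasing one key and pressing the next)."""
    dwell = [r - p for p, r in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = per-feature (mean, mean absolute deviation) over the samples."""
    profile = []
    for col in zip(*(features(s) for s in samples)):
        m = mean(col)
        mad = mean([abs(x - m) for x in col]) or 1.0  # guard against zero spread
        profile.append((m, mad))
    return profile

def score(profile, events):
    """Scaled Manhattan distance averaged over features (lower = closer)."""
    feats = features(events)
    if len(feats) != len(profile):
        raise ValueError("sample length does not match the enrolled phrase")
    return mean([abs(x - m) / mad for x, (m, mad) in zip(feats, profile)])

def verify(profile, events, threshold=2.5):  # threshold is an assumed value
    return score(profile, events) <= threshold

# Constructed data: one user typing the same 4-key phrase four times.
ENROLL = [
    [(0, 95), (160, 250), (330, 410), (520, 625)],
    [(0, 105), (175, 260), (345, 430), (530, 630)],
    [(0, 90), (150, 245), (320, 395), (515, 615)],
    [(0, 100), (165, 255), (340, 425), (525, 620)],
]
GENUINE = [(0, 98), (162, 252), (335, 418), (522, 622)]    # same user, new attempt
IMPOSTOR = [(0, 140), (260, 380), (470, 600), (690, 830)]  # right keys, other rhythm
PROFILE = enroll(ENROLL)

if __name__ == "__main__":
    # The score depends only on the timings, not on who produced them.
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(PROFILE, attempt), 2), verify(PROFILE, attempt))
```

The impostor here types the correct keys and is still rejected, because every hold and gap falls far outside the enrolled user's spread.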

The problem with passwords in this age of high connectivity is that phrases that are considered secure are usually very hard for a person to remember. “6tFcVbNh^TfCvBn” is an example of a password that passes DARPA’s security check, but would be a nightmare to try to commit to memory. This leads users to either create simple combinations of numbers and letters that are significant to their lives, or to put the complicated passwords on paper. Of course, both methods are incredibly insecure, but add in the fact that the average user uses the same password for everything (you do have unique passwords for all your services, right?) and you have a security nightmare on your hands.

While I am all for creating a way that I don’t have to remember every single password for all the services I use, I am a bit skeptical about how long this method will actually stay secure. In my experience, there isn’t a security scheme in the world that hasn’t been cracked or duped in some way. Take for example the famous LifeLock case, where the CEO put his Social Security number on billboards around the US, claiming that no one could steal his identity. It took about two months for several individuals around the internet to crack and harass the man with junk mail, credit card applications, and Viagra samples. My question is how would this identification system stand up to a simple keylogger? It’s pretty simple to be able to record keystroke timings over a long period of time for analysis and then emulation, so what kind of security would be applied in conjunction to make sure that it’s you and not some other punk trying to get your info?

A password perhaps?

Read more at The New York Times or DARPA

[Image credit: Sebastian Anthony]