In this month’s Nautilus story, “Safecracking the Brain,” I dug into the work of two research groups that are stealing tips from cryptology to better understand how our brains work. While reporting that story, I came across a scientist who’s taking the opposite approach: using tricks of the brain to design stronger encryption tools. His name is Hristo Bojinov, and he has figured out a way for the subconscious mind to learn and store long passwords—with the conscious mind none the wiser.

One of the most effective ways to undermine a security system is with a so-called “rubber hose attack,” in which the attacker forces a person who knows the code to reveal it—for example, a thief taking someone at gunpoint to an ATM to withdraw money.

Bojinov, a graduate student in Dan Boneh’s computer science lab at Stanford University, has been working with cognitive psychologists at Northwestern University to prevent rubber hose attacks. Their solution allows you to learn a code not with conscious, explicit memory, which is vulnerable to outside pressures, but rather with implicit memory, which you’re not consciously aware of and therefore could never be compelled to divulge.


We use implicit, or so-called “procedural,” memories all the time. People ride bikes, play pianos, and type on keyboards without ever consciously recalling the steps to do so. Unlike explicit memories, which our conscious mind encodes in the hippocampus, amygdala, and frontal cortex (among other areas), procedural memory is thought to be managed mostly by the striatum and basal ganglia, deep regions of the brain involved in forming habits and motor control. Bojinov created a computer game that allows the player to use this deep muscle memory to learn a 30-character password.

The game looks something like the popular video game Guitar Hero. (You can play it here.) Balls fall vertically down six different columns, each labeled at the bottom with a different letter. The goal for the player is to press the correct letter just before the ball reaches the bottom of the column.

Unknown to the players, the letters they’re typing form a repeating 30-character sequence. Over the course of a 30- to 60-minute game session, they press the keys thousands of times, essentially teaching their fingers a very long password that they’d never be able to consciously recall. The game is repetitive and requires a lot of focus, Bojinov says. “I wouldn’t say it’s fun, exactly, but it’s completely do-able.”

Bojinov tested this game on several hundred participants using Mechanical Turk, a service from Amazon.com that allows people to earn money for rote computer jobs. A few weeks after the training session, he had the same participants play the game again. This time, some of the sequences in the game matched the previously learned password, whereas others were new. The players’ accuracy for the learned sequences was slightly but significantly (5 to 10 percent) better than for the unfamiliar sequences, Bojinov says. In other words, their fingers had learned the key. If this game were required before, say, getting access to a protected Web page, the software would be able to distinguish authenticated users from hackers by comparing their speeds on the password sequences with their speeds on random sequences that they had not practiced before.
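The verification step described in the last two paragraphs, as an added example in Python that is not from the article or from Bojinov's group: the verifier knows the user's trained 30-character sequence, builds a session that mixes blocks of that sequence with freshly generated untrained sequences, scores the keys the user actually pressed, and accepts only if accuracy on the trained blocks beats accuracy on the untrained blocks by a margin. The six key labels, the block counts, the 5 percent margin and the simulated hit rates are assumptions for illustration, as is the rule that a key never repeats back to back.

```python
"""Toy model of the implicit-learning authentication check (added example,
not the article's or the researchers' code). All parameters are assumptions."""
import random

KEYS = "sdfjkl"            # six columns, one letter each (assumed labels)
SEQUENCE_LENGTH = 30       # the 30-character password from the article
MARGIN = 0.05              # required advantage; the article reports 5 to 10 percent


def new_rng(seed=None):
    """Seedable RNG so a session can be reproduced in a test."""
    return random.Random(seed)


def make_sequence(rng, length=SEQUENCE_LENGTH):
    """Random sequence over the six keys. Assumption: no key repeats back to back."""
    seq = [rng.choice(KEYS)]
    while len(seq) < length:
        k = rng.choice(KEYS)
        if k != seq[-1]:
            seq.append(k)
    return "".join(seq)


def build_session(trained, rng, n_trained=4, n_untrained=4, reps=4):
    """Return (expected_keys, is_trained) blocks in random order.
    Each block repeats its sequence `reps` times, as the game does."""
    blocks = [(trained * reps, True) for _ in range(n_trained)]
    blocks += [(make_sequence(rng) * reps, False) for _ in range(n_untrained)]
    rng.shuffle(blocks)
    return blocks


def score(blocks, typed):
    """typed: one string per block with the keys the user actually pressed.
    Returns (accuracy on trained blocks, accuracy on untrained blocks)."""
    hits = {True: 0, False: 0}
    total = {True: 0, False: 0}
    for (expected, is_trained), got in zip(blocks, typed):
        for e, g in zip(expected, got):
            total[is_trained] += 1
            hits[is_trained] += int(e == g)
    return hits[True] / total[True], hits[False] / total[False]


def authenticate(blocks, typed, margin=MARGIN):
    """Accept only if the trained-block advantage reaches the margin.
    Equal skill on both kinds of block (an impostor, or a perfect typist) fails."""
    acc_t, acc_u = score(blocks, typed)
    return acc_t - acc_u >= margin, acc_t, acc_u


def simulate_user(blocks, rng, p_trained, p_untrained):
    """Constructed keystroke log: hits each key with probability p_trained on
    trained blocks and p_untrained on untrained ones; a miss is a wrong key."""
    out = []
    for expected, is_trained in blocks:
        p = p_trained if is_trained else p_untrained
        chars = []
        for e in expected:
            chars.append(e if rng.random() < p else rng.choice(KEYS.replace(e, "")))
        out.append("".join(chars))
    return out


def demo(seed=7):
    """Run one honest user and one impostor through the same session layout."""
    rng = new_rng(seed)
    trained = make_sequence(rng)
    blocks = build_session(trained, rng)
    # honest user: implicit memory gives a 15-point edge on trained blocks (assumed)
    honest_ok, h_t, h_u = authenticate(blocks, simulate_user(blocks, rng, 0.90, 0.75))
    # impostor never trained, so both block types look alike (assumed 0.75 hit rate)
    impostor_ok, i_t, i_u = authenticate(blocks, simulate_user(blocks, rng, 0.75, 0.75))
    return {"sequence": trained, "honest_ok": honest_ok, "honest_gap": h_t - h_u,
            "impostor_ok": impostor_ok, "impostor_gap": i_t - i_u}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes visible: the verifier must hold the trained sequence in order to build the session, so it needs the same protection as any stored credential, and a 5 to 10 percent advantage is only detectable with enough keystrokes in a session, which is why the blocks are repeated rather than presented once.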

A couple of companies have been in touch with the researchers expressing interest in using these methods for password encryption, Bojinov says, but he wants to do a lot more tweaking before testing it in the commercial world. For example, he wants to figure out how much time it takes for a player to forget the password, how many refresher sessions might be needed to retain the memory, and whether one person could learn several sequences at once. “We want to understand better what the capabilities are of the brain,” Bojinov says. “Then we can figure out the real-world applications.”

Virginia Hughes is a science journalist specializing in neuroscience, genetics, and medicine.