Tag Archives: password

My thoughts are my password, because my brain reactions are unique

File 20181018 67185 dbf3km.png?ixlib=rb 1.1

A test subject entering a brain password. Credit: Wenyao Xu, et al., CC BY-ND.

Your brain is an inexhaustible source of secure passwords – but you might not have to remember anything. Passwords and PINs with letters and numbers are relatively easily hacked, hard to remember and generally insecure. Biometrics are starting to take their place, with fingerprints, facial recognition and retina scanning becoming common even in routine logins for computers, smartphones and other common devices.

They’re more secure because they’re harder to fake, but biometrics have a crucial vulnerability: A person only has one face, two retinas and 10 fingerprints. They represent passwords that can’t be reset if they’re compromised.

Like usernames and passwords, biometric credentials are vulnerable to data breaches. In 2015, for instance, the database containing the fingerprints of 5.6 million U.S. federal employees was breached. Those people shouldn’t use their fingerprints to secure any devices, whether for personal use or at work. The next breach might steal photographs or retina scan data, rendering those biometrics useless for security.

Our team has been working with collaborators at other institutions for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed.

Inside the mind

When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that every person’s brain responds differently to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different.

This process is automatic and unconscious, so a person can’t control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way – though differently from everyone else’s.

We realized that this presents an opportunity for a unique combination that can serve as what we call a “brain password.” It’s not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it’s a mix of the person’s unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.

Making a brain password

A person’s brain password is a digital reading of their brain activity while looking at a series of images. Just as passwords are more secure if they include different kinds of characters – letters, numbers and punctuation – a brain password is more secure if it includes brain wave readings of a person looking at a collection of different kinds of pictures.

A range of visual stimuli generates the best brain password. Credit: Wenyao Xu, et al., CC BY-ND.

A range of visual stimuli generates the best brain password. Credit: Wenyao Xu, et al., CC BY-ND.

To set the password, the person would be authenticated some other way – such as coming to work with a passport or other identifying paperwork, or having their fingerprints or face checked against existing records. Then the person would put on a soft comfortable hat or padded helmet with electrical sensors inside. A monitor would display, for example, a picture of a pig, Denzel Washington’s face and the text “Call me Ishmael,” the opening sentence of Herman Meville’s classic “Moby-Dick.”

The sensors would record the person’s brain waves. Just as when registering a fingerprint for an iPhone’s Touch ID, multiple readings would be needed to collect a complete initial record. Our research has confirmed that a combination of pictures like this would evoke brain wave readings that are unique to a particular person, and consistent from one login attempt to another.

Later, to login or gain access to a building or secure room, the person would put on the hat and watch the sequence of images. A computer system would compare their brain waves at that moment to what had been stored initially – and either grant access or deny it, depending on the results. It would take about five seconds, not much longer than entering a password or typing a PIN into a number keypad.

After a hack

Brain passwords’ real advantage comes into play after the almost inevitable hack of a login database. If a hacker breaks into the system storing the biometric templates or uses electronics to counterfeit a person’s brain signals, that information is no longer useful for security. A person can’t change their face or their fingerprints – but they can change their brain password.

It’s easy enough to authenticate a person’s identity another way, and have them set a new password by looking at three new images – maybe this time with a photo of a dog, a drawing of George Washington and a Gandhi quote. Because they’re different images from the initial password, the brainwave patterns would be different too. Our research has found that the new brain password would be very hard for attackers to figure out, even if they tried to use the old brainwave readings as an aid.

Brain passwords are endlessly resettable, because there are so many possible photos and a vast array of combinations that can be made from those images. There’s no way to run out of these biometric-enhanced security measures.

Secure – and safe

As researchers, we are aware that it could be worrying or even creepy for an employer or internet service to use authentication that reads people’s brain activity. Part of our research involved figuring out how to take only the minimum amount of readings to ensure reliable results – and proper security – without needing so many measurements that a person might feel violated or concerned that a computer was trying to read their mind.

We initially tried using 32 sensors all over a person’s head, and found the results were reliable. Then we progressively reduced the number of sensors to see how many were really needed – and found that we could get clear and secure results with just three properly located sensors.

Three electrodes high on the back of a user’s head are enough to detect a brain password. Credit: Wenyao Xu et al., CC BY-ND.

Three electrodes high on the back of a user’s head are enough to detect a brain password. Credit: Wenyao Xu et al., CC BY-ND.

This means our sensor device is so small that it can fit invisibly inside a hat or a virtual-reality headset. That opens the door for many potential uses. A person wearing smart headwear, for example, could easily unlock doors or computers with brain passwords. Our method could also make cars harder to steal – before starting up, the driver would have to put on a hat and look at a few images displayed on a dashboard screen.

Other avenues are opening as new technologies emerge. The Chinese e-commerce giant Alibaba recently unveiled a system for using virtual reality to shop for items – including making purchases online right in the VR environment. If the payment information is stored in the VR headset, anyone who
uses it, or steals it, will be able to buy anything that’s available. A headset that reads its user’s brainwaves would make purchases, logins or physical access to sensitive areas much more secure.

Wenyao Xu, Assistant Professor of Computer Science and Engineering, University at Buffalo, The State University of New York; Feng Lin, Assistant Professor of Computer Science and Engineering, University of Colorado Denver, and Zhanpeng Jin, Associate Professor of Computer Science and Engineering, University at Buffalo, The State University of New York

This article is republished from The Conversation under a Creative Commons license. Read the original article.


The most popular hacked passwords of 2015. My god…


Two Pew Research Center surveys found that Americans feel privacy is important in their daily lives in a number of essential ways. But are people ready to take responsibility for their own data and privacy security? That’s another story, if we’re to browse the top 25 leaked passwords of 2015. The list was made by SplashData which ranked the most frequent entries found among the millions of stolen passwords made public throughout the last twelve months. The most popular? The old classic “123456”. Next, “password”. *facepalm. Some were a bit more creative and replaced “o” with “0”. That didn’t fool anyone, and for the first time “passw0rd” made the list. Among the list we can also find animal names, sports or popular blockbusters like “starwars”.

Here’s the entire list:

1. 123456 (Unchanged)

2. password (Unchanged)

3. 12345678 (Up 1)

4. qwerty (Up 1)

5. 12345 (Down 2)

6. 123456789 (Unchanged)

7. football (Up 3)

8. 1234 (Down 1)

9. 1234567 (Up 2)

10. baseball (Down 2)

11. welcome (New)

12. 1234567890 (New)

13. abc123 (Up 1)

14. 111111 (Up 1)

15. 1qaz2wsx (New)

16. dragon (Down 7)

17. master (Up 2)

18. monkey (Down 6)

19. letmein (Down 6)

20. login (New)

21. princess (New)

22. qwertyuiop (New)

23. solo (New)

24. passw0rd (New)

25. starwars (New)

What’s the best password?

The hardest to crack password might be a poem, according to a study ZME Science reported earlier. Here are some randomly generated passwords:

“The warnings nonetheless displayed
the legends undergo brocade”

“The homer ever celebrate
the Asia gator concentrate”

“Montero manages translates
the Dayton artist fluctuates”

“The market doesn’t escalate
or hiring purple tolerate”

“And Jenny licensed appetite
and civic fiscal oversight”

Make your own here.


Hard to crack and easy to remember password? Try a poem

“Please enter a strong password”, is now an ubiquitous greeting whenever we try to register online. Security experts advise we use long passwords at least 12 characters in length,  which should include numbers, symbols, capital letters, and lower-case letters. Most websites nowadays force you to enter a password under some or all of these conditions. Moreover, the password shouldn’t contain dictionary words and combinations of dictionary words. Common substitution like “h0use” instead of “house” are also not recommended – these naive attempts will fool no automated hacking algorithm. So, what we end up at the end is a very strong password, like the website kindly asked (or forced) us to do. At the same time, it’s damn difficult if not impossible to remember. People end up endlessly hitting “recover password” or, far worse, write down their passwords in email or other notes on their computer which can easily be recovered by any novice hacker.

A group of information security experts have found a workaround to make passwords both strong and easy to remember: using randomly generated poems. Marjan Ghazvininejad and Kevin Knight of the University of Southern California were oddly enough inspired by an internet comic written by the now famous and always witty Randall Munroe of Xkcd.


Credit: XKCD

The premise of the comic is that today’s passwords are easy for computers to guess and hard for humans to remember, which sounds rightfully ludicrous. Munroe proposed an alternative: four random common words; in this case “correct horse battery staple”, which sounds a lot more manageable. You could build a story around them, like Munroe did, or use a mnemonic technique like the memory palace to make things even easier. The catch though isn’t to select words from the top of your head. Instead, you use a computer to generate a large random number, which is then broken into four pieces with each section amounting to a code that corresponds to a word in the dictionary. In the first situation of the unintelligible password, the information contained amounts to 28 bits. Munroe’s password is 44 bits, which is higher and thus better.

Ghazvininejad and Knight advanced this further. They analyzed several password generation techniques, including Munroe’s, and found that the safest, but also easiest to remember passwords are those made up of rhyming words. If you look back in history, this sounds like a no-brainer. In ancient times, society was mostly oral. A culture’s history, scientific knowledge and literature were all passed on to subsequent generations by word of mouth. Think of poems like Homer’s Odyssey or the Epic of Gilgamesh.

To create the poems, each word of 327,868 found in the dictionary is assigned a code. A random number is generated, broken into pieces then used to generate two phrases. Here are some examples:

“And many copycat supplies
offenders instrument surprise”

“The warnings nonetheless displayed
the legends undergo brocade”

“The homer ever celebrate
the Asia gator concentrate”

“Montero manages translates
the Dayton artist fluctuates”

“The market doesn’t escalate
or hiring purple tolerate”

“And Jenny licensed appetite
and civic fiscal oversight”

Some are pretty good, some are awful, but at least they’re hard to break. In their paper, the authors say these passwords could take up to 5 million years to crack. You can generate your own rhyming password using this online tool, but the authors caution you shouldn’t actually use them since a potential hacker can download all the list. Instead, enter your email here and an automated program will send you a rhyming password which will be immediately deleted from the record there after.

Today, however, you’ll find little use for this trick. Most password policies require a number and/or special character. These passwords are also a bit too long for current policies. Then, if this system becomes common, automated hack methods can be made to guess these too much faster. It’s really interesting though and a much more entertaining password than 2d1s0gus71ng!93.