A brute-force attack on a password is done with software: try one candidate after another, whether every possible letter combination or a dictionary of a billion likely words, until one finally works. A rubber-hose attack is the physical counterpart to the brute-force attack: extracting the password from the person who knows it through coercion or torture. Like beating them with a rubber hose. This isn't the kind of password security most of us worry about, but it is an issue, especially when dealing with sensitive data. So how do you prevent someone from giving up a password under torture?
Aside from psychological conditioning, which may not work quite as well as it does in spy movies, there's this option: don't let people consciously know what their passwords or cryptographic secrets are. According to one researcher, there's a way to remember a password unconsciously while the conscious mind stays completely oblivious to it.
Stanford grad student Hristo Bojinov worked with cognitive psychologists to come up with a system that stores passwords in implicit memory, the same kind of memory we use to internalize habits and skills until they become second nature. It is the memory behind riding a bike or tying our shoes: things we learn by repetition and eventually do without a second thought, and which we cannot simply recite to someone else.
Bojinov's system is essentially Guitar Hero for typing: balls drop down columns on the screen, each column corresponds to a key, and the players who tested the system had to press that key just as the ball reached the bottom of its column. As Nautilus writer Virginia Hughes explains, "Unknown to the players, the letters they’re typing form a repeating 30-character sequence. Over the course of a 30- to 60-minute game session, they press the keys thousands of times, essentially teaching their fingers a very long password that they’d never be able to consciously recall."
It's a repetitive process, but that repetition is what drills the pattern into the player's implicit memory. Bojinov trained Amazon Mechanical Turk users on the game, then had the same users play again several weeks later. On the second session, though, he mixed new sequences in alongside the one they had trained on. On average, players were 5 to 10 percent more accurate on the sequence they already knew, which Bojinov says is enough for a system to tell apart those who implicitly know a sequence from those who don't.
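To make that decision rule concrete, here is an added toy model of what the verifying side of such a system has to do. It is written for this article and is not Bojinov's code or the study's actual statistical analysis: the verifier serves the trained sequence interleaved with fresh random sequences, scores every keystroke, and accepts the player only if accuracy on the trained sequence is measurably higher than on the fresh ones. The six keys, the 5 percent threshold, the number of rounds, and the simulated hit rates are all assumptions chosen for illustration.

```python
"""Toy model of implicit-memory ("Guitar Hero") authentication.

Added example for this article; not the study's own code.  All parameters
below are assumptions for illustration, not values from the research.
"""
import random

KEYS = "sdfjkl"       # assumption: six key columns, one per finger
SEQ_LEN = 30          # the repeating 30-character sequence described above
MIN_ADVANTAGE = 0.05  # assumption: accept if trained accuracy beats fresh by 5 points
ROUNDS = 60           # assumption: repetitions of each sequence per session


def random_sequence(rng, length=SEQ_LEN):
    """A fresh random sequence the player has never been trained on."""
    return "".join(rng.choice(KEYS) for _ in range(length))


def build_session(trained, fresh, rounds, rng):
    """Verifier side: interleave the trained sequence with fresh ones so the
    player cannot tell which is which.  Each entry is (is_trained, sequence);
    the verifier knows the label, the player never sees it."""
    blocks = [(True, trained) for _ in range(rounds)]
    blocks += [(False, seq) for seq in fresh for _ in range(rounds)]
    rng.shuffle(blocks)
    return blocks


def simulate_player(session, trained_hit_rate, fresh_hit_rate, rng):
    """Simulated player: hits the expected key with a probability that depends
    only on whether the fingers were trained on that sequence.  A player with
    no implicit memory of it has trained_hit_rate == fresh_hit_rate.
    Returns one (is_trained, expected_key, pressed_key) tuple per keystroke."""
    keystrokes = []
    for is_trained, seq in session:
        p = trained_hit_rate if is_trained else fresh_hit_rate
        for expected in seq:
            if rng.random() < p:
                pressed = expected
            else:  # a miss: some other key
                pressed = rng.choice([k for k in KEYS if k != expected])
            keystrokes.append((is_trained, expected, pressed))
    return keystrokes


def accuracy(keystrokes, is_trained):
    """Fraction of correct keystrokes on trained (True) or fresh (False) blocks."""
    subset = [(e, p) for t, e, p in keystrokes if t == is_trained]
    return sum(1 for e, p in subset if e == p) / len(subset)


def advantage(keystrokes):
    """How much better the player did on the trained sequence than on fresh ones.
    Using fresh sequences as the baseline cancels out general typing skill."""
    return accuracy(keystrokes, True) - accuracy(keystrokes, False)


def authenticate(keystrokes, min_advantage=MIN_ADVANTAGE):
    """Accept only if the trained-sequence advantage clears the threshold."""
    return advantage(keystrokes) >= min_advantage


def run_trial(trained_hit_rate, fresh_hit_rate, seed=1):
    """Full round trip: enrol a sequence, run a test session, decide.
    Returns (advantage, accepted)."""
    rng = random.Random(seed)
    trained = random_sequence(rng)                       # the enrolled "password"
    fresh = [random_sequence(rng) for _ in range(3)]     # decoys for this session
    session = build_session(trained, fresh, ROUNDS, rng)
    keystrokes = simulate_player(session, trained_hit_rate, fresh_hit_rate, rng)
    return advantage(keystrokes), authenticate(keystrokes)


if __name__ == "__main__":
    print("legitimate user (0.80 trained / 0.70 fresh):", run_trial(0.80, 0.70))
    print("impostor        (0.70 trained / 0.70 fresh):", run_trial(0.70, 0.70))
    print("skilled impostor (0.90 trained / 0.90 fresh):", run_trial(0.90, 0.90))
```

The point of scoring the trained sequence against fresh sequences, rather than against a fixed accuracy bar, is that raw skill at the game proves nothing: a fast, accurate impostor scores equally well on every sequence and shows no advantage, while a clumsy legitimate user still shows the gap. Two caveats follow from the model. The decision is statistical, so the threshold and the session length trade false accepts against false rejects, which is why the real study needed thousands of keystrokes per session. And the user's inability to recite the sequence protects only the user; the verifier still has to store the enrolled sequence, so that store needs the same protection as any password database.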
There are issues, of course, like how often people would need to refresh their memory of the pattern, and how long it really sticks in memory. It may never be a practical security method, but it's an interesting new take on memorizing passwords.