Social Question

wundayatta's avatar

How would you create a password that could not be recovered via "human" engineering?

Asked by wundayatta (58525points) August 19th, 2009

Security is important, especially with one’s own data. Most of us wouldn’t want government or business to be able to track our movements or our health situation or our spending habits. Yet any encryption system requires a password, and you can always be tortured enough to reveal the password.

So, can you think of any way to create a password that would use, say, undecodable random biometric information in combination with volitional information in order to decrypt the data? How would it work? For extra credit, as system, could you think of a way to make the information recoverable upon the death of the person?

Observing members: 0 Composing members: 0

18 Answers

cwilbur's avatar

Authentication can be based on three things: who you are (biometrics), what you have (keys), and what you know (passwords). Things dependent on who you are can be used against your will—lopping off your finger, for instance, to use your fingerprint, or taking a DNA swab. Things you have can be stolen. Things you know can be guessed or tortured out of you.

By using more than one of these factors, of course, you can increase the security. Something that requires your fingerprint and your password is going to be more secure than something that requires either your fingerprint or your password. But there’s no perfect security.

bpeoples's avatar

Also, using two or more people to authenticate helps—e.g., you have to compromise both of them to get the information.

evelyns_pet_zebra's avatar

I once visited a website that would create a perfectly random password up to 100 digits, and how you could remember that, who knows? But then, if the computer remembers it, as some software can be used to do, I don’t see how secure you could be, given that you’d have to have a master password to access the other randomly generated passwords. So the master password could be tortured out of you, I suppose. How about a retinal scan, or would they simply chop off your head and stick the reader up to your eye?

Great Question, and now I have one more thing to worry about. =)

robmandu's avatar

If you use a password manager (like 1Password) to remember all of your passwords for you… then you can forget your individual site passwords.

Tough to socially engineer a password out of a person if they don’t actually know it. Would probably work great for your bank or Fluther (dot) com or similar… but likely not so good if you provide your password manager’s password.

wundayatta's avatar

I was thinking that there would be several biometric measures that had to be taken, but they wouldn’t work without some MRI scan or something that indicated the information was being given volitionally. I don’t know. Maybe it’s impossible.

robmandu's avatar

I don’t trust biometrics. Seems like there are simply too many ways (some gruesome!) to circumvent them.

wundayatta's avatar

Well, surely there’s some really smart flutherite who can come up with something ingenious!

robmandu's avatar

Let me make sure I understand the challenge.

You want a password – or similar conceptual item(s) - that you can safely use continually day-to-day but which cannot be coerced from you, knowingly or unknowingly, through social engineering, confidence scams, or direct force?

geniusatwork's avatar

First of all, this is a brilliant question, and one that inspired me to join fluther just so I could have the opportunity to answer it!

Having given this question much thought, I have decided that such a password or biometric device only serves one function, and that is to delay. You see, with human nature and the advent of human engineering, all things are possible, but the deciding factor is time spent achieving what we want. So in a sense, nothing will prevent a determined person or group of people from getting the information (in this case) they desire given enough time, energy, and resources.

Therefore, any protective measure used to conceal your data must be strong enough to delay the attacker from getting to it, or at the very least, take too much time or overwhelm their resources to the point where the work isn’t going to be worth the gain.

I hope this makes sense. :)

wundayatta's avatar

I just read Corey Doctorow’s Little Brother which made me think about this. It seems to me that any password can be tortured out of you, which means that, unless you have a mechanism that makes it impossible for you to know your password, yet still allows you to use it, you can get the password tortured out of you.

If you are paranoid enough, than you can take the time to set up an alternate data set that does not include your secrets, and let yourself be tortured to give up that password, and hope they don’t continue the torture, once they don’t find what they are looking for. Hell, you could set up several fake datasets.

All of this would serve to delay an attacker, but, unless they were really stupid, they might continue torturing you forever. In fact, even after you gave up the “real” password, they might still believe there was more, and keep on torturing you. To fend off an attack, you’ve got to make an attacker believe they have what they want, or that it is impossible to get what they want, since you don’t know it.

Perhaps you could leave several parts of the key with different people around the world, who would give you their parts if you provide them with the proper code in person (perhaps biometrically). This might serve the delaying function @geniusatwork suggested.

Just out of curiosity, @geniusatwork, how did you hear about this question? Were you lurking on fluther or did it show up in some search? If so, what search terms were you using? And why have you been giving this question much thought?

Noel_S_Leitmotiv's avatar

Wait.. I thought one of the arguments against ‘torture’ was that it doesnt work.

cwilbur's avatar

@Noel_S_Leitmotiv: one of the arguments against torture is that it doesn’t reliably work.

You torture a suspected terrorist; he may not know anything, but he will tell you what he thinks you want to hear, and you have no way of verifying it.

You torture someone to get his computer password, and when he tells you something, you can verify it right then and there.

geniusatwork's avatar

@daloon – Actually, I was using Google reader and this discussion was suggested to me, so I’m here by total coincidence. I’ve been giving this so much thought because it is something I’ve been working on for a long time.

wundayatta's avatar

@geniusatwork What approaches have you tried, so far?

geniusatwork's avatar

@daloon – My dad is a scientist and we have been discussing this problem for quite some time, unfortunately, we are limited by technology at the moment. Perhaps the best way is to create a 2-part password based upon a mathematical equation that changes randomly and requires an electronic key. Unfortunately, anyone who holds the electronic key (USB flash drive, for example), can access the data.

wundayatta's avatar

@geniusatwork Yeah, it always seems to come back to that. I was trying to think of some random biometric key, so your body was required, but you wouldn’t know what part was the key. But then I thought that that would work even if your body was there under duress. So the key to this key is that it can only work when you are not under duress or not being coerced. However, I am not sure if there is a reliable way to detect coercion, and even if there was, surely someone could develop a way to spoof it.

robmandu's avatar

@geniusatwork, such a thing already exists today: RSA SecurID.

It can come in several forms and how it interacts with a particular piece of software (like a VPN client) can be managed in interesting ways.

Usually, the “token” (random numeric string) is not sufficient on its own, though. You, the user, must also enter your own personal password/PIN.

Those two pieces are then combined to make the final “passcode”. So… if a bad guy gets one of the two pieces, he still cannot gain access.

While it’s much more secure than a password alone, and it’s nigh impossible to crack remotely, it’s still not up to @daloon‘s challenge, though. If the bad guy were to physically attack you in your own home/office, he could still force you to put the two pieces together for him.

geniusatwork's avatar

@robmandu – The time-tested way is to create multiple levels of authentication such that someone must be authorized through a series of steps before the data is revealed.

Also, thanks for the RSA SecurID link, that’s what I was talking about earlier.

Answer this question




to answer.
Your answer will be saved while you login or join.

Have a question? Ask Fluther!

What do you know more about?
Knowledge Networking @ Fluther