Securing Passwords Beyond Human Capabilities with a Wearable Neuro-Device
The selection of strong passwords is a challenging task for humans that could undermine the secure online subscription to services in mobile applications. Composition rules and dictionaries help users choose stronger passwords, although at the cost of making them harder to memorize. When high-performance computers are not available, such as in mobile scenarios, the problem is even worse because mobile devices typically lack good enough entropy sources. The goal, then, is to obtain strong passwords with the best efficiency in terms of entropy per character. In this study, we propose the use of neuro-activity as a source of entropy for the efficient generation of strong passwords. In our experiment we used the NIST test suite to compare binary random sequences extracted from neuro-activity by means of a mobile brain-computer interface with (i) strong passwords manually generated under restrictions based on dictionary and composition rules and (ii) passwords generated automatically by mathematical software running on a workstation. The results showed that random sequences based on neuro-activity were much more suitable for the generation of strong passwords than those generated by humans and were as strong as those generated by a computer. Also, the rate at which random bits were generated from neuro-activity (4 Kbps) was much faster than the rate at which passwords were generated manually. Thus, a very small fraction of the time and cognitive workload required to generate a password manually yields enough entropy for the generation of stronger, shorter and easier-to-remember passwords. We conclude that in mobile scenarios, or whenever good enough entropy sources are not available, the use of neuro-activity is an efficient option for the generation of strong passwords.
Keywords: Wearable brain-computer interfaces, Neuro-activity, Secure passwords
This work was supported by Nicolo Association for the R+D in Neurotechnologies for disability, the research project P11-TIC-7983 of Junta of Andalucia (Spain), the Spanish National Grant TIN2015-67020-P, co-financed by the European Regional Development Fund (ERDF) and the Spanish National Grant TIN2016-75097-P (AEI/FEDER, UE).
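As an added illustration of the evaluation pipeline the abstract describes (not code from the paper), the following implements two of the NIST SP 800-22 tests (frequency/monobit and runs) on a bit sequence and then maps accepted bits onto password characters without modulo bias, so that each character carries the full log2(|alphabet|) bits. The bit sequences are constructed stand-ins; a seeded PRNG plays the role of the neuro-activity source.

```python
# Added example, not the paper's code. Implements SP 800-22 monobit and runs
# tests plus an unbiased bits-to-password mapping. The 94-character alphabet
# and the seeded PRNG used as an entropy stand-in are assumptions of this example.
import math
import random
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars

def monobit_test(bits):
    """SP 800-22 frequency (monobit) test; returns (p_value, passed)."""
    n = len(bits)
    s_obs = abs(sum(2 * b - 1 for b in bits)) / math.sqrt(n)
    p = math.erfc(s_obs / math.sqrt(2))
    return p, p >= 0.01

def runs_test(bits):
    """SP 800-22 runs test: too few or too many 0/1 alternations fail."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):   # prerequisite frequency check
        return 0.0, False
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    p = math.erfc(num / (2 * math.sqrt(2 * n) * pi * (1 - pi)))
    return p, p >= 0.01

def bits_to_password(bits, length, alphabet=ALPHABET):
    """Map 7-bit chunks to characters, rejecting out-of-range values (no modulo bias)."""
    width = math.ceil(math.log2(len(alphabet)))
    out, pos = [], 0
    while len(out) < length:
        if pos + width > len(bits):
            raise ValueError("not enough random bits for requested length")
        val = int("".join(map(str, bits[pos:pos + width])), 2)
        pos += width
        if val < len(alphabet):               # rejection sampling keeps uniformity
            out.append(alphabet[val])
    return "".join(out), pos                  # password and bits consumed

def chars_needed(target_bits, alphabet=ALPHABET):
    """Shortest password length reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(len(alphabet)))

if __name__ == "__main__":
    sample = [random.Random(7).getrandbits(1) for _ in range(4000)]  # constructed
    for name, seq in [("prng", sample), ("zeros", [0] * 100), ("alt", [0, 1] * 50)]:
        print(name, monobit_test(seq), runs_test(seq))
    print(bits_to_password(sample, chars_needed(64)))
```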