Feature

How to turn your embarrassing Google searches into a hack-proof password

From The Idea Factory, our special report on innovation

We have a password problem. Each year, millions of our accounts are broken into, and no matter how many times we're told to choose stronger passwords, the most common ones last year were almost willfully obvious: "123456," "password," and "12345".

There must be a better way.

Imagine if, when logging in to check your email, you were prompted with a personal question like, "What new song did you download yesterday?" or "Who was the first person to text you this morning?"

Researchers believe this kind of very personalized (and arguably creepy) authentication process could be the future of passwords. Secrets shared only between a user and her devices — like private Facebook activity, or web browsing habits — were turned into very effective passwords in research trials.

"Whenever there's something you and your phone share and no one else knows, that's a secret, and that can be used as a key," Romit Roy Choudhury, an associate professor at the University of Illinois at Urbana-Champaign who co-authored a paper on this topic, told MIT Technology Review.

For the project, called "ActivPass," researchers from Urbana-Champaign, the Indian Institute of Technology Kharagpur, and the University of Texas at Austin developed an app to mine subjects' smartphone activity, along with an algorithm to identify good sources for questions. They found that to serve as an adequate password prompt, events have to be unique enough to jog a user's memory.

Users also have very short memories. The recall rate for activities that happened one day earlier was about 90 percent, and it fell to less than 60 percent after about four days. Password prompts would therefore need to be pegged to very recent events, like the song you downloaded last night, to stand any chance of working.

We're also terrible at recalling our own browsing history. "Several users were not able to recall whether they browsed a 'lsbf.org.uk' website," the study says, "but immediately responded positively when asked if they visited the 'London School of Business' site. As a result, webpage titles and descriptors are needed."

What about security? What are the chances of someone guessing the right answer? The questions would need to be about specific, private behavior, not something inferable from a user's public Facebook profile or known to their friends. The researchers write that "several 'friends' were able to predict, say, that a student of MIT was visiting an alumni group of MIT Robotics."

Overall, the study's socially mined questions worked effectively as password prompts: 95 percent of the time, users answered three questions correctly. On the flip side, and somewhat reassuringly, they were able to answer questions about other people only 6 percent of the time.
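To make the two technical points above concrete (events must be recent and unique to work as prompts, and the attacker's guess rate versus the user's recall rate decides whether a multi-question policy is safe), here is a small Python sketch. It is an added example, not code from the ActivPass project: the selection rule (within 24 hours, seen at most once in the log) and the per-question rates are this example's assumptions, the activity log is constructed, and the paper's actual selection algorithm is not described on this page.

```python
from collections import Counter
from datetime import datetime, timedelta
from math import comb

# Constructed sample activity log for one user: (event_type, detail, timestamp).
# Names, titles and timestamps are made up for this example.
NOW = datetime(2015, 5, 1, 9, 0)
ACTIVITY_LOG = [
    ("song_download", "Take Me to Church", NOW - timedelta(hours=14)),
    ("sms_from", "Priya", NOW - timedelta(hours=1)),
    ("sms_from", "Priya", NOW - timedelta(hours=26)),
    ("sms_from", "Priya", NOW - timedelta(days=3)),
    ("web_visit", "London School of Business", NOW - timedelta(hours=20)),
    ("web_visit", "London School of Business", NOW - timedelta(hours=5)),
    ("call_from", "Dentist's office", NOW - timedelta(hours=10)),
    ("song_download", "Old Favourite", NOW - timedelta(days=6)),
]


def select_prompts(log, now, max_age_hours=24, max_occurrences=1):
    """Pick (event_type, detail) pairs that can serve as question prompts.

    Two filters matching the article's criteria (the thresholds are this
    example's assumption, not the paper's):
      recent -> the event happened within max_age_hours of `now`
      unique -> the same (type, detail) appears at most max_occurrences
                times in the whole log, so it stands out in memory instead
                of blending into a routine (a contact who texts every day).
    """
    counts = Counter((etype, detail) for etype, detail, _ in log)
    cutoff = now - timedelta(hours=max_age_hours)
    chosen = []
    for etype, detail, ts in log:
        key = (etype, detail)
        if ts >= cutoff and counts[key] <= max_occurrences and key not in chosen:
            chosen.append(key)
    return chosen


def pass_probability(p_correct, n_questions=3, required=None):
    """Probability of answering at least `required` of `n_questions`
    independent questions correctly (binomial tail).

    Feed it the per-question recall rate for the legitimate user and the
    per-question guess rate for an attacker; the gap between the two is
    the security margin of the login policy.
    """
    if required is None:
        required = n_questions
    return sum(
        comb(n_questions, k) * p_correct ** k * (1 - p_correct) ** (n_questions - k)
        for k in range(required, n_questions + 1)
    )


def compare_policies(user_rate, attacker_rate, n_questions=3):
    """For each threshold k (answer at least k of n questions), return
    (k, P[user passes], P[attacker passes])."""
    return [
        (k, pass_probability(user_rate, n_questions, k),
            pass_probability(attacker_rate, n_questions, k))
        for k in range(1, n_questions + 1)
    ]


if __name__ == "__main__":
    for key in select_prompts(ACTIVITY_LOG, NOW):
        print("candidate prompt:", key)
    # Illustrative per-question rates: one-day recall about 0.9 and four-day
    # recall under 0.6 come from the article; the 0.06 guess rate is the
    # article's aggregate figure, applied per question here as an assumption.
    for k, u, a in compare_policies(0.9, 0.06):
        print(f"need {k}/3 (1-day-old events): user {u:.3f}, attacker {a:.5f}")
    for k, u, a in compare_policies(0.6, 0.06):
        print(f"need {k}/3 (4-day-old events): user {u:.3f}, attacker {a:.5f}")
```

Running it shows the design tension the article describes: with day-old events and a strict 3-of-3 policy the attacker's chance is roughly 0.0002, but a user with 90 percent recall per question fails about a quarter of the time; relaxing to 2-of-3 brings the user to 97 percent but lets the attacker through about 1 percent of the time, and once events are four days old the user's own pass rate collapses. Recent, unique events and a careful threshold are both needed.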

Choudhury tells MIT Technology Review that he and his team are currently in talks with several companies, including Yahoo and Intel.
