Feature

How to turn your embarrassing Google searches into a hack-proof password

From The Idea Factory, our special report on innovation

We have a password problem. Each year, millions of our accounts are broken into, and no matter how many times we're told to make our PINs more secure, the most common passwords last year were almost willfully obvious: "123456," "password," and "12345."

There must be a better way.

Imagine if, when logging in to check your email, you were prompted with a personal question like, "What new song did you download yesterday?" or "Who was the first person to text you this morning?"

Researchers believe this kind of very personalized (and arguably creepy) authentication process could be the future of passwords. Secrets shared only between a user and her devices — like private Facebook activity, or web browsing habits — were turned into very effective passwords in research trials.

"Whenever there's something you and your phone share and no one else knows, that's a secret, and that can be used as a key," Romit Roy Choudhury, an associate professor at the University of Illinois at Urbana-Champaign who co-authored a paper on this topic, told MIT Technology Review.

For the project, called "ActivPass," researchers from Urbana-Champaign, the Indian Institute of Technology Kharagpur, and the University of Texas at Austin developed an app to mine subjects' smartphone activity, along with an algorithm to identify good sources for questions. They found that to serve as an adequate password prompt, events have to be unique enough to jog a user's memory.

And we have very short memories. The recall rate for activities that happened one day ago was about 90 percent, and that rate declined quickly to less than 60 percent after about four days. This means password prompts would need to be pegged to very recent events, like that song you downloaded last night, to stand any chance of being effective.

We're also terrible at recalling our own browsing history. "Several users were not able to recall whether they browsed a 'lsbf.org.uk' website," the study says. "But immediately responded positively when asked if they visited the 'London School of Business' site. As a result, webpage titles and descriptors are needed."

What about security? What are the chances of someone guessing the right answer? The questions would need to be about specific, private behavior, and unrelated to a user's public Facebook profile. The researchers write that "several 'friends' were able to predict, say, that a student of MIT was visiting an alumni group of MIT Robotics."

Overall, the study's socially mined questions worked effectively as password prompts: 95 percent of the time, users answered three questions correctly. On the flip side, and somewhat reassuringly, they were able to answer questions about other people only 6 percent of the time.

Choudhury tells MIT Technology Review that he and his team are currently in talks with several companies, including Yahoo and Intel.
