Forget passwords (scientificamerican.com)
9 points by rajarcsp on Sept 5, 2012 | 4 comments



Okay, let's get the first part out of the way really quickly: this would be an amazing piece of technology, if it were to be implemented successfully. Having a password that even you don't consciously know would be a huge leap in security, and would presumably make password guessing all but impossible--after all, if you don't need to remember your password in the traditional sense, it could be significantly more complex than traditional "Pa55w0rd1!"-style passphrases.

I, personally, don't know enough about the science behind this to comment on its feasibility.

I do, however, know a lot about security in general. Every time there is a leap in "password technology," meaning public key authentication, or password-keepers, or xkcd's "let's use several words instead of random characters," people seem to think that it would protect all their online assets. That if the password is secure, so is their data that's stored somewhere on the Internet.

On one hand, yes, this technology would easily protect you from brute-force and dictionary-based attacks. After all, if there's no dictionary (because no words are used in the secret "pattern"), how could a dictionary be used to attack the protected account?

What isn't factored into this example is the service you're protecting itself. If you look at high profile breaches over the last year, you'll notice that few, if any, of them are straightforward password-guess breaches. Sure, some (like the Wired journalist) could have been prevented with strong and unique passphrases. Most of the attacks could not.

If there is, for example, a buffer overflow in a service that is listening on the Internet, remote code execution may be possible. If you can execute arbitrary code on a remote service, you are able to effectively take over that machine. Combine this with privilege escalation, and it's pretty much game over for most data stored there. Proper database security like unique salts per user account can minimize the damage, but the fact is that the compromise still happened and the data--like your personal photos, or documents uploaded to cloud storage--are probably in the hands of an attacker.

It's always great to see cutting edge research in any field related to computer security, but don't think that "passwords even you don't know!" are going to protect anything behind them. Passwords are just the front door to the mansion, and there's a whole lot of other ways to break in.

The short version is that there will always be a difference between account security and application security.


> On one hand, yes, this technology would easily protect you from brute-force and dictionary-based attacks.

I highly doubt that.

There will be a finite number of possible patterns. So brute force will be possible. There will likely be some types of patterns or some pattern components that do not follow an even distribution, so dictionary attacks will still exist. (Really, a dictionary attack is simply a brute force attack that takes advantage of the non-uniform choices of passwords.)

My guess is that such games would be chosen based on techniques that produce the best (aka, most uniform) distributions of responses from users, but I doubt that it will be perfect. A brute-force attacker would probably be able to do noticeably better than blind brute-force.
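
The point made in the comment above, that non-uniform pattern choices let a guesser do better than blind brute force, worked through numerically as an added example (not part of the thread or the paper). The 1000-pattern space and the Zipf-like skew are constructed assumptions; a scheme designer would substitute the measured distribution of user responses.

```python
import math

def guesswork(probs):
    """Expected number of guesses when candidates are tried most-likely first."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))

def blind_guesswork(n):
    """Expected guesses when the order ignores user behaviour: (n + 1) / 2."""
    return (n + 1) / 2

def min_entropy_bits(probs):
    """Bits of protection against a single best guess."""
    return -math.log2(max(probs))

def success_within(probs, budget):
    """Chance that a most-likely-first guesser succeeds within `budget` tries,
    e.g. the lockout threshold a service enforces."""
    return sum(sorted(probs, reverse=True)[:budget])

def uniform_distribution(n):
    return [1.0 / n] * n

def skewed_distribution(n, s=1.0):
    """Constructed Zipf-like distribution: pattern k has weight 1 / k**s."""
    weights = [1.0 / (k ** s) for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def compare(n=1000, budget=10):
    """Return the metrics for an ideal (uniform) and a skewed pattern space."""
    rows = {}
    for name, probs in (("uniform", uniform_distribution(n)),
                        ("skewed", skewed_distribution(n))):
        rows[name] = {
            "expected_guesses": guesswork(probs),
            "min_entropy_bits": min_entropy_bits(probs),
            "success_in_budget": success_within(probs, budget),
        }
    rows["blind_expected_guesses"] = blind_guesswork(n)
    return rows

if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Both spaces contain the same 1000 patterns, so a count of "possible patterns" alone says nothing about the difference; the per-budget success rate is the figure to compare against a lockout or rate-limit threshold.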


What about the other end of the spectrum, by which I mean low profile breaches affecting one person, caused by -for example- a jealous ex? Are the compounded losses due to these considered too minor in comparison to high profile breaches?


This would be awesome, but I feel skeptical of how practical it would be.

First, the biggest problem today isn't password quality, it's protecting them.

1) Hack the password verification/storage database. If you can do that and recover the user-provided input, who cares what type of data it was?

2) Be the man in the middle. Convince the user to give you their password. No password is immune from being entered into, for example, a false bank website.

That said, this type of password input opens up a new set of side-channel password attacks:

* What about people who can record the audio of you pressing keys? If you share an office with a co-worker, could he set his cell-phone to record when you enter your "password" a few different times and learn to copy your rhythm?

* What about extenuating circumstances? Stress, unfamiliar "password entry" layouts, or personal injuries may cause your "password" entry rhythm to get goofed up (I don't know in detail how resilient these schemes are, but I'm assuming that something as drastic as switching hands would mess it up), so you need a fall-back. If you have a traditional password backup authentication, this scheme simply offers an alternative to passwords and not a replacement of them, so what else do you do? More potential "I can't input my password" problems means that it will be easier for an attacker to con his way through the password work-around process. It's already a weak-point of security infrastructures.

It sounds awesome, but might be better suited for covert agents who need to be able to not be capable of giving up a password. Not sure how well it would work as a replacement for passwords in an enterprise or for GMail.

(Also, for the curious, at least one of the authors of the original paper is a high-profile cryptography researcher from Stanford. So this paper isn't just another "hey, this might have security uses" after-thought from researchers outside the field.)



