In The Great Escape, a Gestapo officer wishes Gordon Jackson’s character “good luck” in English as he attempts to board a bus.
In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word “lollapalooza” to spot Japanese spies amongst Filipino allies.
Judges 12:6: “Then said they unto him, ‘Say now Shibboleth.’ And he said Sibboleth, for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan.”
These are all examples of shibboleths, named after the final example, in which a group of Gileadites identify an enemy Ephraimite from how he says a word.
Could subtle shibboleths also buy time until we can properly resolve the password reuse crisis? To answer that, we need a sprinkle of theory.
To log into a service, you must authenticate yourself by presenting certain bona fides. These fall into three broad categories:
- Something you know
- Something you have
- Something you are
To shore up authentication, two-factor authentication is becoming more popular, and usually involves a password backed by something you have, such as a mobile phone to receive a passcode. Something you have could also be a special device that generates a one-time code. Some banks insist on such a device being present when money is transferred out of an account.
What about things you are? Biometrics are the best-known examples: fingerprints and faces, but also gait recognition, which has been examined as a method of identifying people. Early research focused on thwarting smartphone theft, but the technique has since been applied elsewhere.
The trouble with all this is that everything beyond a simple password makes the user do something extra or use special hardware. Everyday users tend to resist being made to change their ways for someone else’s convenience. There are also parts of the world where a second factor is simply unavailable. Are we condemning those users to a second-class, less secure internet? This is where shibboleths could help.
When your bank flags a rogue transaction, it’s spotting a failed shibboleth: a payment that doesn’t fit your normal spending pattern. If you’ve ever had a text asking you to confirm unusual payments after some toerag has cloned your card, you’ll be thankful for this.
Think about this in terms of passwords. If a typical user types the same password for many years, he naturally falls into a predictable rhythm of key presses. If anyone else enters that password, the timing data will be different.
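As an added example (not code from the original post), here is the rhythm check in Python: key-down/key-up events are reduced to per-key dwell times and between-key flight times, a profile of means and spreads is built from a few genuine typings, and a login attempt is accepted only if both the characters and the rhythm match. The password, every timing value, the 5 ms jitter floor and the 1.5 acceptance threshold are all constructed for illustration; a real deployment would collect the events in the browser and calibrate the threshold from real users.

```python
"""Keystroke-rhythm check for a password (added illustration; all numbers are constructed)."""
import hashlib
import hmac
import statistics

PASSWORD = "s3cret"                 # constructed example password
SALT = b"constructed-salt"          # constructed; a real system uses a random per-user salt
STORED_HASH = hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, 100_000)
STD_FLOOR_MS = 5.0                  # assumed: never trust a spread tighter than timer jitter
ACCEPT_THRESHOLD = 1.5              # assumed: mean |z-score| above this means "not your rhythm"


def make_events(password, dwells_ms, flights_ms):
    """Build (key, key_down_ms, key_up_ms) events from per-key hold times and the
    gaps between keys. Only used here to construct sample data; a browser would
    record these from keydown/keyup events."""
    assert len(dwells_ms) == len(password) and len(flights_ms) == len(password) - 1
    events, t = [], 0.0
    for i, key in enumerate(password):
        down = t
        up = down + dwells_ms[i]
        events.append((key, down, up))
        t = up + (flights_ms[i] if i < len(flights_ms) else 0)
    return events


def features(events):
    """Timing vector: one dwell time per key, then one flight time (key-up to
    next key-down) per adjacent pair."""
    dwells = [up - down for _, down, up in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwells + flights


def enroll(samples):
    """Profile = per-feature mean and (floored) standard deviation over several
    genuine typings. The server stores this profile, not the raw timings."""
    vectors = [features(s) for s in samples]
    means = [statistics.fmean(col) for col in zip(*vectors)]
    stds = [max(statistics.pstdev(col), STD_FLOOR_MS) for col in zip(*vectors)]
    return means, stds


def rhythm_distance(profile, events):
    """Mean absolute z-score of an attempt against the profile: near 0 is the
    owner's rhythm, large values are somebody else's."""
    means, stds = profile
    vec = features(events)
    return sum(abs(v - m) / s for v, m, s in zip(vec, means, stds)) / len(vec)


def password_matches(typed):
    """Ordinary password check against the stored hash, in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", typed.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, STORED_HASH)


def verify(profile, events, threshold=ACCEPT_THRESHOLD):
    """Log in only if the characters AND the rhythm match."""
    typed = "".join(key for key, _, _ in events)
    if not password_matches(typed):
        return False
    return rhythm_distance(profile, events) <= threshold


# Constructed enrollment samples: the owner's habitual rhythm with a few ms of jitter.
OWNER_SAMPLES = [
    make_events(PASSWORD, [90, 80, 100, 85, 95, 90], [120, 150, 110, 200, 130]),
    make_events(PASSWORD, [95, 78, 104, 88, 92, 93], [125, 145, 115, 205, 128]),
    make_events(PASSWORD, [88, 83, 98, 82, 97, 88], [118, 155, 108, 196, 134]),
    make_events(PASSWORD, [92, 80, 101, 86, 94, 91], [122, 148, 112, 201, 131]),
]
OWNER_PROFILE = enroll(OWNER_SAMPLES)

# Constructed attempts: the owner again; someone who has the password (say, from a
# leaked dump) but types it in their own, quite different, rhythm; and a typo.
GENUINE_ATTEMPT = make_events(PASSWORD, [91, 81, 99, 84, 96, 89], [121, 151, 109, 198, 132])
IMPOSTOR_ATTEMPT = make_events(PASSWORD, [140, 130, 150, 135, 145, 140], [60, 80, 70, 90, 75])
WRONG_PASSWORD = make_events("s3cre7", [91, 81, 99, 84, 96, 89], [121, 151, 109, 198, 132])

if __name__ == "__main__":
    for name, attempt in [("owner", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT),
                          ("typo", WRONG_PASSWORD)]:
        print(f"{name:9s} distance={rhythm_distance(OWNER_PROFILE, attempt):6.2f} "
              f"accepted={verify(OWNER_PROFILE, attempt)}")
```

The impostor fails even though every character is right, because their dwell and flight times sit roughly ten standard deviations from the owner's. The spread floor matters: with only four enrollment samples the measured spreads are a couple of milliseconds, and without a floor an owner having a slightly off day would be locked out.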
Store the timing profile alongside the password hash, and make a match on both the characters and the rhythm a condition of logging in. If the rhythm is folded into the secret that gets hashed (which first means quantizing the noisy timings into stable values, a non-trivial step), then an offline brute-force attack must guess the rhythm as well as the characters, and a remote guessing attack that sends bare passwords fails every time. Dumb phishing campaigns that don’t collect timing data would likewise be rendered useless overnight, and God knows that’d be a good thing.
It’s far from a perfect solution. You can probably think of a dozen difficulties (keyloggers capture timings too, for example, and so does any phishing page that runs JavaScript), but competent shibboleth-spotting, with timings captured on the client but checked on the server, since anything checked only in the browser can be bypassed, could at least buy the world time while someone clever creates a solution to password reuse that doesn’t divide the internet into secure haves and insecure have-nots.