October 20, 2014

How to Remember Strong, Unique Passwords

News Tips

It’s 2014. Lockheed Martin recently announced that it is making real progress towards developing a compact nuclear fusion reactor capable of providing unimaginably vast supplies of energy, in exchange for a couple handfuls of clean, somewhat easily available fuel. And yet, we’re still stuck memorizing ever-longer lists of passwords like it’s 1999. If we’re going to rely on an ancient authenticator for future technology, then we might as well come up with a solid way to remember our passwords. This is exactly what our friends at Carnegie Mellon University’s computer science department have done.

password-brain

Unfortunately, it turns out that remembering long lists of complicated passwords requires us to do something that no one likes: study. According to research developed by Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor and Anupam Datta, a system of spaced repetition paired with mnemonics, increases the likelihood that users will remember their passwords over long periods of time.

The password construction element of this reminds us of the following XKCD comic about password strength, which is to say, think sentences rather than words with leetspeak.

password_strength

The participants in the Carnegie Mellon study were made to choose a person from a drop down menu that would be assigned with machine-generated random action and object pair. This method is known as a person-action-object (PAO) story. So you get something like this:”Master Yoda dropping a microphone.”

The mnemonic device at play here is that the participants in the study were also shown a picture of a setting in which to imagine their person-action-object story occurring. Let’s say that the picture associated with our story is of an underwater laboratory. In this way we end up with a sentence like “Master Yoda dropping a microphone in an underwater laboratory”.

So you have six words and the password you can construct from these words is strong enough —you can make sure at our Secure Password Check page. The point of the mnemonic technique is that you don’t have to remember the entire sentence.

[vine url=”https://vine.co/v/Ozt3iHtTmih” width=600 height=600]

In this study, participants were prompted with a scene and person pair (Master Yoda in an underwater laboratory) and were made to perform a rehearsal routine to recall the action and the object at a set number of spaced intervals over a period of 100 or so days. The specific intervals for these rehearsal rituals, and the number of passwords (either one, two or four) a given user was expected to recall, varied from one trial group to the next.

The users with the best results were those that initially rehearsed after 12 hours and then in 12×1.5 hour increasing intervals (0.5 days, 1.75 days, 4.15 days, 8.15 days, 14.65 days, 24.65 days, 40.65 days, 64.65 days and 101.65 days). In that group, 77.1 percent of the participants successfully recalled all 4 stories in 9 tests over a period of 102 days.

“I suppose you could say that I was a little bit surprised. If you had forced me to guess which condition would yield the best results before the study, I probably would have guessed the 30minX2, though I would not have been entirely confident.”

I reached out to Blocki and asked if he was surprised by the results.

“I suppose you could say that I was a little bit surprised,”he said. “If you had forced me to guess which condition would yield the best results before the study, I probably would have guessed the 30minX2, though I would not have been entirely confident. Yes, the 12hrX1.5 group had a longer initial rehearsal interval. However, the intervals between successive rehearsals did not increase quite as quickly as they did in the 30minX2 condition. The results indicate that the spacing of rehearsals is significant (not just the total number of prior rehearsals).”

Incidentally, most of the forgetting happened in that first 12-hour period. Some 94.9 percent of participants who remembered stories in the early rounds, continued to remember them in subsequent rounds. Not surprisingly, the recall rate for participants asked to remember one or two stories was substantially better than those that were asked to remember four stories.

There is a lot going on in this study, titled “Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords,”[PDF]. Feel free to wade through it on your own, but be warned, there are a lot of spooky math problems going on in there.

So what did we learn today? First of all we learned it’s easier to remember fewer passwords. Which is probably why nearly everyone uses the same password across multiple accounts, despite knowing that password sharing is a bad idea. In other words, passwords remain desperately flawed.

But there is also good news —you can improve your passwords using the relatively easy mnemonic technique:

  • Create story passwords that you can associate with a picture.
  • It’s not simple, but avoid password sharing.
  • Study your passwords early and often for the rest of your natural born life. Or at least until a data breach happens and you have to start all over again.

And may the force be with you.