My favorite bit of password trivia head-bangery is that pet names are the most common passwords.
A crook – who doesn’t care that hacking somebody’s account is illegal and immoral – will likely do well to just go ahead and plug in your cat’s name.
It’s statistically likely to work quite often, Google Apps found when it surveyed 2,000 Brits last year.
But who can blame people for using – and, yikes, reusing! – passwords that are easy to remember?
Of course, we should choose a strong password, such as a long string of numbers, letters and special characters, or a passphrase (correct horse battery staple indeed, xkcd!)
But the numbers don’t lie. Statistics show that we – well, people who aren’t security savvy, at any rate – don’t use strong passwords.
Enter Microsoft Research’s Stuart Schechter and Princeton University’s Joseph Bonneau, who on Friday presented an experiment they created to teach people to memorise very strong 56-bit random passwords through “spaced repetition” at the Symposium on Usable Privacy and Security.
It turns out that it can actually be surprisingly easy to burn a complex password into your brain.
With the researchers’ process, which took an average of about 12 minutes per user, 94% of subjects were able to remember a 56-bit password or passphrase.
A password of this strength would require a hacker to try quadrillions of guesses to successfully crack it.
Obviously, when you’re talking about swapping out “password” or “123456”, 56-bit represents a super-sized improvement.
The experiment’s results are particularly enlightening from a wetware perspective, said Bonneau, a fellow at Princeton’s Center for Information Technology Policy.
Our goal was to show that there’s a big dimension of human memory that hasn’t been explored with passwords. They may seem hard to remember up front. But if you’re given the right training and reminders, you can memorise almost anything.
The researchers recruited hundreds of participants from Amazon’s Mechanical Turk crowdsourcing platform and paid them to take a phony series of attention tests.
They were, in reality, studying how users logged in to the tests.
Each time the login screen appeared, it would prompt a user to type in a series of words or letters.
Each time the screen showed up, it took an increasingly long time to present the string of characters. That prompted users to enter the string from memory.
Over the course of the test, the string of letters and words grew longer, until, after 10 days of testing, the user was required to enter 12 random letters or six random words to start the test.
Without being aware of it, the test subjects were being trained to remember passwords via a technique called spaced repetition.
Spaced repetition is a learning technique that exploits a psychological phenomenon whereby animals (including humans) more easily remember things repeated over a long time, vs. items repeatedly studied in a short span of time.
Test subjects had to log in 90 times to finish the tests, but they managed to type their password or passphrase without prompting after a median of 36 tries, with a success rate of 94%.
After three days, 88% still recalled the string or passphrase, with a minority – only 21% – reporting that they wrote their secret down.
“The words are branded into my brain”, one subject told the researchers.
This technique obviously won’t help people remember random, complex strings for each and every website they need to access.
But it could help people remember the one random, complex string of characters or the passphrase they need to unlock a password manager.
Or, as the researchers suggest, it could help people to memorise an enterprise login, or to come up with sufficiently difficult-to-crack passwords for corporate networks.
It is, at the very least, another handy tool for security engineers’ toolboxes, the researchers said, as well as representing hope for the human race in surviving the crunch between users and security mechanisms.
From the conclusion to their study:
For those discouraged by the ample literature detailing the problems that can result when users and security mechanisms collide, we see hope for the human race. Most users can memorize strong cryptographic secrets when, using systems freed from the constraints of traditional one-time enrollment interfaces, they have the opportunity to learn over time.
Our prototype system and evaluation demonstrate the brain's remarkable ability to learn and later recall random strings - a fact that surprised even participants at the conclusion of our study.
Image of brain courtesy of Shutterstock.
14 comments on “How to burn a password into your brain”
So, what happens when you have to remember a new one after 90 days? And how do you tell it from the 48 others that you also have to remember for every website you visit or access system you use? The system is broken, folks! Stop pretending it can be fixed!
as they say in the article – “for the passphrase they need to unlock a password manager”
LOL “I respond to cash and spicy sites,..” good one.
It is not wise to put many eggs in a basket. Password managers should be considered only for low-security jobs. Textual memory is only a small part of what we remember. We could consider to expand our password memory to include non-texts as well as texts.
It’s better to put all your eggs in one basket than it is to juggle them.
It may mean that an accident has worse consequences, but that accident is comparatively less likely to happen. And when it does happen, it may be unpleasant enough to get one to seriously consider the strength of one’s egg basket and the durability of one’s eggs.
Sometimes we have to accept what is possible as a first step to that which is good.
Swap letters for numbers where appropriate. This is the first 39 words of a famous Wordsworth poem. DON’T use this one… we all know about it. Use one of your own poems. Even longer passwords are very easy this way… Enjoy your passwords and enrich your life at the same time.
56 bits is like 8 characters from a palette of 128 7-bit characters. Can’t imagine why anyone would have trouble memorizing that.
Including caps, my keyboard has 96 characters. In reality, my passwords don’t even have 6 bits of entropy– open and close bracket don’t get a lot of play, for instance. The authors actually use 4 and two-thirds bits of entropy per character, suggesting a 26 character alphabet.
I agree with what you might be suggesting though: that’s not enough for a password manager (where if you’re going to be attacked, it’s offline, and it’s a single point of failure). The actual point of this seems to be geared at institutions who want to pick passwords for their users because they feel their users are picking poor passwords.
Worrisome, though, is the 6% failure rate. Consider what actual failure means when using a password manager: locked out of everything, including accounts to which the low security accounts will send recovery information. (And hopefully the high security accounts simply won’t be recoverable– otherwise, that’s the weak link that needs addressing.) If you’re going to have a single point of access, non-zero failure rates become very expensive.
I like to change a forgetful client’s pass word to “ICRMPWAD” or I Can’t Remember My Pass Word Again.
Then I tell them to make up a sentence of who, or ware, or a job, or job duty’s, something that make sense to them, and wright it down if it is a longer description of something. I jokingly tell them to wright it down in their underwear. One day I had a user stop me all excited pulled up his shorts and showed me his password. Not much you can say but an “all right.” I think I laughed for over a week when I remembered him showing me.
To “wright” is only done by playwrights, shipwrights and wheelwrights.
Um, I’m not sure I’d take advice from someone who doesn’t know how to spell the word “write”. It could get a bit confusing righting doun words four wons pass word, unless you always misspell the same way every time.
And please folks, don’t write it down in your underwear, we don’t want to see your junk when you’re on a public computer or using your cell phone while walking down the street.
56-bit password? Are you kidding? There are eight bits to a byte. A byte is the same as one character.
Thus 56-bit passwords could be any of:
Were you maybe thinking of 56-byte passwords?
A 56-bit password is 8 *7-bit* bytes, and a byte may or may not be the same “one character,” sometimes even in the same string! (Many a buffer has overflowed on the basis of that assumption.)
That’s 8 ASCII characters, or 10 base64 characters, at least to the closest whole number of characters with more than 56 bits’ worth).
So a 56-bit password could be ‘password,’ but it could also be ‘!@@W_~a4’, and could have any of the 32 non-printable control characters in there, too.
I just wish people could stop being lazy. The article is telling you how to keep your own crap safe! (excuse my french). But I guess its human nature for people to only change after a major catastrophe happens to them.