My favorite bit of password trivia head-bangery is that pet names are the most common passwords.
A crook – who doesn’t care that hacking somebody’s account is illegal and immoral – will likely do well to just go ahead and plug in your cat’s name.
It’s statistically likely to work quite often, Google Apps found when it surveyed 2,000 Brits last year.
Who can blame people for using – and, yikes, reusing! – passwords that are easy to remember?
But the numbers don’t lie. Statistics show that we – well, people who aren’t security savvy, at any rate – don’t use strong passwords.
Enter Microsoft Research’s Stuart Schechter and Princeton University’s Joseph Bonneau, who on Friday presented an experiment they created to teach people to memorise very strong 56-bit random passwords through “spaced repetition” at the Symposium on Usable Privacy and Security.
It turns out that it can actually be surprisingly easy to burn a complex password into your brain.
With the researchers’ process, which took an average of about 12 minutes per user, 94% of subjects were able to remember a 56-bit password or passphrase.
A password of this strength would require a hacker to try quadrillions of guesses to successfully crack it.
Obviously, when you’re talking about swapping out “password” or “123456”, 56-bit represents a super-sized improvement.
The experiment’s results are particularly enlightening from a wetware perspective, said Bonneau, a fellow at Princeton’s Center for Information Technology Policy.
Our goal was to show that there’s a big dimension of human memory that hasn’t been explored with passwords. They may seem hard to remember up front. But if you’re given the right training and reminders, you can memorise almost anything.
The researchers recruited hundreds of participants from Amazon’s Mechanical Turk crowdsourcing platform and paid them to take a phony series of attention tests.
They were, in reality, studying how users logged in to the tests.
Each time the login screen appeared, it would prompt a user to type in a series of words or letters.
Each time the screen showed up, it waited a little longer before displaying the string of characters. That growing delay nudged users to type the string from memory rather than wait for the hint.
Over the course of the test, the string of letters and words grew longer, until, after 10 days of testing, the user was required to enter 12 random letters or six random words to start the test.
Without being aware of it, the test subjects were being trained to remember passwords via a technique called spaced repetition.
Spaced repetition is a learning technique that exploits a psychological phenomenon whereby animals (including humans) remember things more easily when the repetitions are spread out over a long period, as opposed to being crammed into a short span of time.
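As an added illustration (not the researchers' code), the Python below shows how to size a 56-bit secret as random letters or dictionary words, and how a login form could stage the progressive reveal described above. The chunk sizes, delay steps and the word list are assumptions for the example, not the paper's exact parameters.

```python
import math
import secrets

LETTERS = "abcdefghijklmnopqrstuvwxyz"
# Constructed stand-in word list; the study's real dictionary is not on the page.
# A real list would need several hundred words to reach 56 bits in six picks.
WORDS = ["apple", "bridge", "candle", "dragon", "ember", "falcon", "garden", "harbor"]


def symbols_needed(target_bits, alphabet_size):
    """Fewest uniformly random symbols that give at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def entropy_bits(count, alphabet_size):
    """Entropy of `count` symbols drawn uniformly from an alphabet of that size."""
    return count * math.log2(alphabet_size)


def guesses_to_exhaust(bits):
    """Size of the search space an attacker must cover for a `bits`-bit secret."""
    return 2 ** bits


def generate_secret(alphabet, target_bits=56):
    """Draw a secret from a CSPRNG, long enough to reach target_bits of entropy."""
    n = symbols_needed(target_bits, len(alphabet))
    return [secrets.choice(alphabet) for _ in range(n)]


def training_prompt(secret, login_number, chunk_size=4, logins_per_chunk=10,
                    delay_step_s=0.5, max_delay_s=10.0):
    """Return (portion the user must type, seconds the hint is withheld).

    Assumed schedule: another chunk of the secret is required every
    `logins_per_chunk` logins, and the hint is delayed a bit longer on each
    login so the user attempts recall before the string is shown.
    """
    chunks = 1 + login_number // logins_per_chunk
    required = min(len(secret), chunk_size * chunks)
    delay = min(max_delay_s, delay_step_s * login_number)
    return secret[:required], delay


def attempt_matches(expected, typed):
    """Constant-time comparison of the typed portion against the expected one."""
    return secrets.compare_digest("".join(expected), "".join(typed))
```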
Test subjects had to log in 90 times to finish the tests, but they managed to type their password or passphrase without prompting after a median of 36 tries, with a success rate of 94%.
After three days, 88% still recalled the string or passphrase, with a minority – only 21% – reporting that they wrote their secret down.
“The words are branded into my brain”, one subject told the researchers.
This technique obviously won’t help people remember random, complex strings for each and every website they need to access.
But it could help people remember the one random, complex string of characters or the passphrase they need to unlock a password manager.
Or, as the researchers suggest, it could help people to memorise an enterprise login, or to come up with sufficiently difficult-to-crack passwords for corporate networks.
It is, at the very least, another handy tool for security engineers’ toolboxes, the researchers said, as well as representing hope for the human race in surviving the crunch between users and security mechanisms.
From the conclusion to their study:
For those discouraged by the ample literature detailing the problems that can result when users and security mechanisms collide, we see hope for the human race. Most users can memorize strong cryptographic secrets when, using systems freed from the constraints of traditional one-time enrollment interfaces, they have the opportunity to learn over time.
Our prototype system and evaluation demonstrate the brain's remarkable ability to learn and later recall random strings - a fact that surprised even participants at the conclusion of our study.