How to Remember Strong, Unique Passwords

It’s 2014, Lockheed Martin recently announced that it is making real progress toward developing a compact nuclear fusion reactor capable of providing unimaginably vast supplies of energy in exchange for a couple handfuls of clean, somewhat easily available fuel. And yet, we’re still stuck memorizing ever-longer lists of passwords like it’s 1999. If we’re going to rely on an ancient authenticator for future technology, then we might as well come up with a solid way to remember our passwords, which is exactly what our friends at Carnegie Mellon University’s computer science department have done.

Unfortunately, it turns out that remembering long lists of complicated passwords requires us to do something that no one likes: study. According to research developed by Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor and Anupam Datta, a system of spaced repetition paired with mnemonics increases the likelihood that users will remember their passwords over long periods of time.

The password construction element of this is similar to a certain XKCD comic about password strength, which is to say, think sentences rather than words:

[Image: XKCD comic “Password Strength”]

The participants in the Carnegie Mellon study chose a person from a drop-down menu and were then assigned a machine-generated random action and object pair. This method is known as a person-action-object (PAO) story, and it yields something like this: “Master Yoda dropping a microphone.”

The mnemonic device at play here is that the participants were also shown a picture of a setting in which to imagine their person-action-object story taking place. Let’s say the picture associated with our story is of an underwater laboratory. We end up with a sentence like “Master Yoda dropping a microphone in an underwater laboratory”.

So you have six words, and a password constructed from these words is strong enough; you can check this on our Secure Password Check page. The point of the mnemonic technique is that you don’t have to remember the whole sentence: the person and the scene are cues you are shown, and the machine-generated action and object are the part you actually recall.

In this study, participants were prompted with a scene and person pair (Master Yoda in an underwater laboratory) and asked to perform a rehearsal routine, recalling the action and object, at a set number of spaced intervals over a period of roughly 100 days. The specific intervals for these rehearsals and the number of passwords (one, two or four) a given user was expected to recall varied from one trial group to the next.

The users with the best results were those who first rehearsed after 12 hours and then at increasing intervals (the 12hr×1.5 condition, with rehearsals at 0.5 days, 1.75 days, 4.15 days, 8.15 days, 14.65 days, 24.65 days, 40.65 days, 64.65 days and 101.65 days). In that group, 77.1 percent of the participants successfully recalled all four stories in nine tests over a period of 102 days.
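To make the two pieces of the technique concrete, the PAO story construction described above and the rehearsal schedule just discussed, here is an added example. It is not code from the article or from the CMU study; the word lists are constructed and deliberately tiny, the function names (generate_story, entropy_bits, rehearsal_schedule, next_gap) are this example’s own, and it assumes that “12hr×1.5” means a first rehearsal after 12 hours with each following gap 1.5 times the previous one. The rehearsal times it prints follow that rule and are not the study’s published day values. Only the machine-generated action and object are counted as secret, since the person and scene are cues the system shows the user at recall time.

```python
"""PAO story passwords plus a spaced-repetition rehearsal schedule.

Added example, not code from the article or the CMU study. Word lists are
constructed for illustration only (assumption: real lists are far larger).
"""
import math
import secrets
from dataclasses import dataclass

# Constructed, deliberately small word lists.
PEOPLE = ["Master Yoda", "Marie Curie", "Sherlock Holmes", "Frida Kahlo"]
ACTIONS = ["dropping", "juggling", "painting", "burying",
           "inflating", "freezing", "launching", "polishing"]
OBJECTS = ["a microphone", "a cactus", "a typewriter", "a snowman",
           "a lantern", "a trumpet", "a kettle", "a kite"]
SCENES = ["an underwater laboratory", "a rooftop garden",
          "a moon base", "an abandoned lighthouse"]


@dataclass(frozen=True)
class Story:
    person: str   # chosen by the user; shown as a cue at recall time
    scene: str    # assigned picture; shown as a cue at recall time
    action: str   # machine-generated; must be recalled
    obj: str      # machine-generated; must be recalled

    def sentence(self) -> str:
        """The full mnemonic sentence the user visualises."""
        return f"{self.person} {self.action} {self.obj} in {self.scene}"

    def secret(self) -> str:
        """The part the user types: action + object, articles dropped,
        words capitalised and concatenated (a constructed convention)."""
        words = [w for w in f"{self.action} {self.obj}".split() if w != "a"]
        return "".join(w.capitalize() for w in words)


def generate_story(person: str, scene: str, chooser=secrets.choice) -> Story:
    """Person and scene are given; action and object are drawn at random
    (secrets.choice by default) so the user cannot pick a guessable pair."""
    return Story(person=person, scene=scene,
                 action=chooser(ACTIONS), obj=chooser(OBJECTS))


def combined_secret(stories) -> str:
    """Several stories concatenated into one longer secret."""
    return "".join(s.secret() for s in stories)


def entropy_bits(n_actions: int, n_objects: int, n_stories: int = 1) -> float:
    """Guessing entropy of the recalled part, assuming uniform draws and
    that the attacker knows the word lists (treat them as public)."""
    return n_stories * math.log2(n_actions * n_objects)


def rehearsal_schedule(first_hours: float = 12.0, growth: float = 1.5,
                       count: int = 9) -> list:
    """Rehearsal times in hours since first study: the first gap is
    first_hours and every later gap is growth times the previous gap."""
    times, gap, elapsed = [], first_hours, 0.0
    for _ in range(count):
        elapsed += gap
        times.append(elapsed)
        gap *= growth
    return times


def next_gap(previous_gap_hours: float, recalled: bool,
             first_hours: float = 12.0, growth: float = 1.5) -> float:
    """Assumed spaced-repetition rule (not the study's protocol): a
    successful recall stretches the gap, a failure restarts at first_hours."""
    return previous_gap_hours * growth if recalled else first_hours


if __name__ == "__main__":
    story = generate_story("Master Yoda", "an underwater laboratory")
    print("Story   :", story.sentence())
    print("Prompt  :", story.person, "in", story.scene)
    print("Recall  :", story.secret())
    print("Entropy :", entropy_bits(len(ACTIONS), len(OBJECTS)), "bits per story")
    print("Rehearse after (days):",
          [round(h / 24, 2) for h in rehearsal_schedule()])
```

With these eight-word lists a single story carries only 6 bits, which is why the real study used much larger lists and several stories; the entropy figure is there to make that trade-off visible, not to suggest these lists are usable as-is.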

I reached out to Blocki and asked if he was surprised by the results.

“I suppose you could say that I was a little bit surprised,” he said. “If you had forced me to guess which condition would yield the best results before the study I probably would have guessed that the 30minX2, though I would not have been entirely confident. Yes, the 12hrX1.5 group had a longer initial rehearsal interval. However, the intervals between successive rehearsals did not increase quite as quickly as they did in the 30minX2 condition. The results indicate that the spacing of rehearsals is significant (not just the total number of prior rehearsals).”

Incidentally, most of the forgetting happened in that first 12-hour period. Some 94.9 percent of participants who remembered stories in the early rounds continued to remember them in subsequent rounds. Not surprisingly, the recall rate for participants asked to remember one or two stories was substantially better than for those asked to remember four stories.

There is a lot going on in this study, titled “Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords” [PDF]. Feel free to wade through it on your own, but there are a lot of spooky math problems in there.

So what did we learn today? First of all, we learned that it’s easier to remember fewer passwords, which is probably why nearly everyone uses the same password across multiple accounts, despite knowing that sharing one password across accounts is a bad idea.

But there is good news: you can improve your passwords using relatively easy mnemonic techniques:

  • Create story passwords that you can associate with a picture.
  • Avoid password sharing where possible.
  • Study your passwords early and often.

And may the force be with you.