How to Teach Humans to Remember Really Complex Passwords
If passwords are considered the bane of the data security industry, it’s partly because humans are awful at choosing them: By some counts, we still pick “password” a facepalm-inducing one in 20 times.
But a study from two researchers at Microsoft and Princeton suggests there’s hope for those much-maligned secret strings of characters. Randomly generate a long, nearly uncrackable password, and it can be surprisingly easy to burn it into your neurons.
At the Symposium on Usable Privacy and Security today, Stuart Schechter and Joseph Bonneau plan to reveal an experiment they designed to teach people to remember very strong, random passwords. With their process, which took a total of 12 minutes of users’ time on average, about nine out of 10 test subjects were able to remember a 56-bit password or passphrase–one for which a hacker would have to try quadrillions of guesses to successfully crack the secret.
“Our goal was to show that there’s a big dimension of human memory that hasn’t been explored with passwords,” says Bonneau, a fellow at Princeton’s Center For Information Technology Policy. “They may seem hard to remember up front. But if you’re given the right training and reminders, you can memorize almost anything.”
Schechter and Bonneau recruited hundreds of test subjects from Amazon’s Mechanical Turk crowdsourcing platform and paid them to take a phony series of attention tests. What they were really studying was how users logged in to those tests. Every time the login screen appeared, the user would be prompted to type in a series of words or letters on the screen. Over time that string of characters took increasingly long to appear, prompting the user to enter it from memory. More letters and words were added to it over time: After 10 days of testing, the user was required to enter a series of 12 random letters or six random words–for example, “rlhczwpsnffp” or “hem trial one by sky group” to start the test.
In fact, the users were unwittingly being taught passwords and passphrases strong enough that the researchers estimate they’d require an attacker to use more than a million dollars’ worth of computing power to crack them within a year. Their repetitive teaching process used a technique called “spaced repetition,” the process of periodic quizzes, reviews and additions of new information that’s familiar to anyone who’s ever taken a foreign language class. By the end of the process, 94 percent of the users could type their password or passphrase from memory. Though they had to log in 90 times to finish the tests, the subjects could type their password or passphrase without any prompting after a median of 36 tries. Three days later, 88 percent still recalled it, and only 21 percent said that they had written it down. One subject told the researchers that “the words are branded into my brain.”
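To make the training loop described above concrete, here is a small spaced-repetition trainer written for this article as an added example; it is not the researchers’ code. It follows the article’s description only: the login screen shows the current target after a delay that grows with each unaided success, and another chunk of the secret is added once the user has typed the existing chunks from memory several times in a row. The chunk size, the delay schedule, the promotion rule and the simulated user are all assumptions chosen for the demonstration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Trainer:
    """Spaced-repetition login trainer (assumed parameters, not the study's)."""
    secret: str                   # the full random secret the user will end up knowing
    chunk: int = 3                # characters added per stage (assumption)
    promote_after: int = 3        # unaided correct entries needed before adding a chunk
    stages: int = 1               # how many chunks are currently part of the target
    delay_s: float = 0.0          # seconds the screen waits before displaying the hint
    streak: int = 0               # consecutive unaided correct entries at this stage
    logins: int = 0
    history: list = field(default_factory=list)   # (target, correct, unaided) per login

    @property
    def target(self) -> str:
        return self.secret[: self.stages * self.chunk]

    @property
    def complete(self) -> bool:
        return self.target == self.secret

    def prompt(self) -> tuple:
        """What the login screen shows: the target text and the delay before it appears."""
        return self.target, self.delay_s

    def submit(self, typed: str, unaided: bool) -> bool:
        """Record one login attempt. `unaided` means the user typed before the hint appeared."""
        self.logins += 1
        ok = hmac.compare_digest(typed.encode(), self.target.encode())
        self.history.append((self.target, ok, unaided))
        if not ok:
            self.streak = 0
            self.delay_s = 0.0            # mistake: show the hint immediately again
            return False
        self.delay_s = max(2.0, self.delay_s * 2)   # correct: push the hint further out
        if unaided:
            self.streak += 1
            if self.streak >= self.promote_after and not self.complete:
                self.stages += 1          # extend the secret by one chunk
                self.streak = 0
                self.delay_s = 0.0        # new material is shown immediately at first
        return True

    def first_unaided_full(self):
        """Login number at which the whole secret was first typed unaided, or None."""
        for i, (target, ok, unaided) in enumerate(self.history, start=1):
            if ok and unaided and target == self.secret:
                return i
        return None

def simulate(secret: str, fail_every: int = 0) -> Trainer:
    """Drive a trainer with a constructed user: types correctly, counts as unaided
    whenever the hint was delayed, and mistypes every `fail_every`-th login."""
    t = Trainer(secret)
    while not (t.complete and t.streak >= t.promote_after):
        target, delay = t.prompt()
        n = t.logins + 1
        mistype = fail_every and n % fail_every == 0
        typed = target[:-1] + "?" if mistype else target
        t.submit(typed, unaided=delay > 0)
        if t.logins > 10_000:
            raise RuntimeError("trainer did not converge")
    return t

if __name__ == "__main__":
    # Constructed 12-letter secret in the style of the article's "rlhczwpsnffp".
    t = simulate("rlhczwpsnffp")
    print(f"logins to finish: {t.logins}, first unaided full entry: {t.first_unaided_full()}")
```

The constant-time comparison is a detail worth keeping even in a trainer, since the target is a real credential; a slow, erroring user simply resets the delay for the current chunk rather than losing progress on earlier chunks, which is the behaviour the article attributes to the study’s gradual reveal.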
Bonneau and Schechter admit that the system of forcing users to memorize a randomly generated strong password isn’t quite practical for just any service. Nobody wants to memorize a different random string for every website they use. But they suggest that the system could be limited to an enterprise login, a password manager or a PGP key–a single, high-security application that requires the user to type the string on a regular basis to avoid forgetting it. On a corporate network, for instance, new users could be allowed to choose their own password, and then be weaned off it in favor of a random, stronger password in their first few days on the job. “In debunking the myth that users are inherently incapable of remembering a strong secret, we advocate that using spaced repetition to train users to remember strong secrets should be available in every security engineer’s toolbox,” they write in their study.
The lesson isn’t limited to security administrators, either. Users can generate the same sort of random passwords on their own with web services like PasswordsGenerator.net or Random.org, or with Diceware, a method of generating random words with die rolls. Bonneau says that he generates his own random passwords, writes them down, and keeps them in his wallet. “It’s just enough of a pain that after a week I start trying to type it without getting my wallet out,” he says. “It’s amazing how fast you end up memorizing the password. Human memory will surprise you.”
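As an added illustration of the strength figures quoted in this article and of the Diceware method mentioned just above (example code written for this page, not the researchers’ or any generator site’s), the following generates the two kinds of secret with the operating system’s CSPRNG and computes their entropy. The 26-letter alphabet matches the article’s sample string; the 7776-entry Diceware list size, the short demo word list and the attacker’s guess rate are assumptions.

```python
import math
import secrets
import string

LETTERS = string.ascii_lowercase   # 26 symbols, as in the article's "rlhczwpsnffp"

# Constructed stand-in for a word list. A real Diceware list has 6**5 = 7776
# entries indexed by five die rolls; this short one is only for the demo.
DEMO_WORDS = ["hem", "trial", "one", "by", "sky", "group", "road", "lamp"]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols each chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def expected_guesses(bits: float) -> float:
    """Average guesses for an attacker trying the whole space: half the keyspace."""
    return 2 ** (bits - 1)

def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years at a given guess rate (the rate is the caller's assumption)."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)

def random_letters(length: int = 12) -> str:
    """Uniform random lowercase string; uses `secrets`, never `random`, for credentials."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))

def random_passphrase(words, count: int = 6) -> str:
    """Passphrase of `count` words drawn uniformly (with replacement) from `words`."""
    return " ".join(secrets.choice(words) for _ in range(count))

def roll_dice(n: int = 5):
    """Simulate n fair die rolls with the CSPRNG (physical dice work just as well)."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]

def diceware_index(rolls) -> int:
    """Map five die rolls (each 1..6) to a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each in 1..6")
    idx = 0
    for r in rolls:
        idx = idx * 6 + (r - 1)
    return idx

if __name__ == "__main__":
    bits_letters = entropy_bits(len(LETTERS), 12)
    bits_words = entropy_bits(7776, 6)
    print(f"12 random letters: {bits_letters:.1f} bits, "
          f"~{expected_guesses(bits_letters):.2e} expected guesses")
    print(f"6 Diceware words:  {bits_words:.1f} bits")
    print(f"at 1e9 guesses/s, 56 bits takes ~{years_to_crack(56, 1e9):.1f} years on average")
    print("letters:", random_letters())
    print("words:  ", random_passphrase(DEMO_WORDS))
    print("dice ->", diceware_index(roll_dice()))
```

Twelve uniformly random lowercase letters come out at about 56.4 bits, which matches the article’s 56-bit figure, and half of 2^56 is roughly 3.6 × 10^16 guesses, the “quadrillions” the article cites. The `years_to_crack` figure should be read as a rough bound, since the attacker’s rate depends on how the password is hashed and on their hardware.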