Memory Trick Increases Password Security

Scientific American

Passwords have steadfastly remained the primary way we prove our identity to the many Web sites and apps that have become integral to daily life. Despite years of predictions that passwords would eventually be phased out in favor of more secure approaches to authentication, such as biometrics, they persist because they are inexpensive and remain one of the better compromises between security and usability.

Managing dozens of passwords is even more challenging than coming up with good ones in the first place. Common sense provides some guidance when choosing them: A password should be an alphanumeric combination that a family member or friend can’t guess in five tries, and it should be complex enough that someone can’t figure it out by watching you type it once. That accomplished, you still need to remember which password logs you onto which site or app.

A team of Carnegie Mellon University computer scientists is studying the possibility of employing memorization techniques and mnemonic devices to help cut through our password clutter. Their plan—inspired by the Person–Action–Object, or PAO, method described in Joshua Foer’s 2011 book Moonwalking with Einstein—involves both generating strong passwords and a schedule for committing them to memory.

The researchers’ proposed “shared cues” system (pdf) asks you to first select an image of an interesting place (for example, a baseball field) as well as a photo of a familiar or famous person (say, Bill Gates). You would then imagine some random action along with a random object to create a PAO story, says Jeremiah Blocki, the lead researcher. Blocki proposes, “Bill Gates swallowing a bike on the baseball field.”

After you create and memorize stories for several different image pairs, you would use those stories to generate unique passwords. In Blocki’s example, you might take the first three letters from “swallow” and “bike” so that you associate the image pair of Gates and a baseball field with “swabik.” String a few image pairs together and you’ve got a fairly inscrutable password. If you can memorize nine sentences, the system can generate distinct passwords for 126 accounts, Blocki says. That figure is the number of ways to choose four stories out of nine (9 choose 4 is 126), so each account gets its own combination of four stories.

Here’s how shared cues might work in practice: You install an app developed by Blocki and his team in your browser that presents you with four image pairs whenever you visit a login screen. (A mobile version of the app would work the same way.) You recognize each image pair and, remembering the story associated with each, type in your password. A login screen for a different Web site would present a different subset of four stories from the nine that you’ve memorized.
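The generation and login steps above, as an added worked example that is not the researchers’ app or code: nine PAO stories (the Gates/baseball-field story is the article’s; the other eight and the account names are constructed here), one four-story subset per account, and the password the user would type. It also reports how many stories any two accounts can share, the quantity a practitioner would want to know before trusting the scheme across a site breach.

```python
from itertools import combinations

# Nine PAO stories, keyed by the (person, place) image pair that cues them.
# "Bill Gates / baseball field" is the article's example; the other eight
# are constructed for this illustration and are not from Blocki's paper.
STORIES = {
    ("Bill Gates", "baseball field"): ("swallow", "bike"),
    ("Albert Einstein", "kitchen"): ("juggle", "pumpkin"),
    ("Marie Curie", "lighthouse"): ("paint", "trumpet"),
    ("Ada Lovelace", "airport"): ("kick", "ladder"),
    ("Bruce Lee", "library"): ("bake", "helmet"),
    ("Frida Kahlo", "subway"): ("wrestle", "cactus"),
    ("Isaac Newton", "stadium"): ("knit", "anchor"),
    ("Nelson Mandela", "harbor"): ("sculpt", "violin"),
    ("Mozart", "desert"): ("hammer", "umbrella"),
}
CUES = list(STORIES)        # insertion order, so subset numbering is stable
CUES_PER_ACCOUNT = 4        # the article: four image pairs per login screen
LETTERS = 3                 # "swa" + "bik" -> "swabik"


def cue_subsets(cues=CUES, k=CUES_PER_ACCOUNT):
    """Every k-element subset of the cues, in a fixed order. C(9,4) = 126."""
    return list(combinations(cues, k))


def assign_cues(accounts):
    """Give each account its own four-cue subset (the 'different subset of
    four stories' the article describes). Refuses to overcommit the design."""
    subsets = cue_subsets()
    if len(accounts) > len(subsets):
        raise ValueError(
            f"{len(accounts)} accounts but only {len(subsets)} distinct "
            f"{CUES_PER_ACCOUNT}-cue subsets; memorize more stories")
    return {acct: subsets[i] for i, acct in enumerate(accounts)}


def derive_password(cues, stories=STORIES, letters=LETTERS):
    """What the user types: for each cue shown, the first `letters` letters
    of the story's action followed by the first `letters` of its object."""
    return "".join(stories[c][0][:letters] + stories[c][1][:letters]
                   for c in cues)


def login_prompt(account, assignment):
    """The image pairs the browser app would display for this account."""
    return assignment[account]


def max_shared_cues(assignment):
    """Largest number of cues any two distinct accounts have in common.
    Someone who recovers one account's plaintext password learns the story
    fragments for every shared cue, so lower is better."""
    best = 0
    for a, b in combinations(assignment.values(), 2):
        best = max(best, len(set(a) & set(b)))
    return best


def all_passwords_distinct(assignment):
    """Sanity check: no two accounts end up with the same password."""
    pws = [derive_password(c) for c in assignment.values()]
    return len(pws) == len(set(pws))


if __name__ == "__main__":
    # Constructed account names, one per available subset.
    accounts = [f"site{i:03d}.example" for i in range(126)]
    assignment = assign_cues(accounts)
    cues = login_prompt("site000.example", assignment)
    print("cues shown:", [f"{person} / {place}" for person, place in cues])
    print("password  :", derive_password(cues))
    print("max cues shared by two accounts:", max_shared_cues(assignment))
    print("all passwords distinct:", all_passwords_distinct(assignment))
```

With all 126 four-of-nine subsets in use, two accounts can share three of their four stories, so a password leaked in plaintext from one site reveals three quarters of another site’s password to anyone who also learns which stories that site uses. The cue-to-account assignment therefore matters as much as the stories themselves; the example reports the overlap rather than hiding it.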

If this all sounds like a lot of work, it is. The mobile version of the app, however, would serve as a coach to help you keep your stories straight. It would use the phone or tablet’s notification system to randomly present you with image pairs on a regular basis so the stories you created for those pictures remain fresh in your memory. Many cognitive and educational psychologists agree that frequent quizzing is a highly effective way to activate and search long-term memory. “From a usability standpoint, this practice is great—it minimizes the number of words you have to memorize and gives you more natural rehearsal, which is the more important factor,” Blocki says.

As the Carnegie Mellon researchers point out, the level of security passwords can provide depends on the amount of effort users put into creating and managing them. Simply reusing passwords across multiple sites is, of course, the easiest approach to password management but poses a problem highlighted by the recent theft of tens of millions of user names and passwords from Adobe. Given how easy it is to guess a person’s user name for any given account (often it is their e-mail address), how difficult would it be for the thieves to access other accounts secured by those same user names and passwords? Even Adobe acknowledged that people often reuse passwords and recommended that its customers change their passwords on any Web site sharing the same user ID and password as the purloined Adobe accounts.

Another barrier to complicated password programs is the temptation simply to use the reset function available on most Web sites whenever password recall remains stubbornly elusive. Password resets create security vulnerabilities, however. A 2008 Scientific American article by security specialist Herbert Thompson explains how someone could easily search the Web for all of the information they need to surreptitiously reset your password and gain access to your e-mail, Facebook, Twitter and many other accounts.

© 2014 All rights reserved.
