Your next PC password could be President Bill Clinton kissing a fish – and that disturbing mental image, and similar surreal “story images” could be the key to creating strong passwords across multiple accounts, according to Carnegie Mellon researchers.
The system relies on “story sentences” – a person, an action, an object – which can be memorised easily, using pictures as cues, the researchers say. The user carries an app with images as a reminder of “stories” – and the key is remembering combinations. It’s based on techniques used by memory experts.
The picture here illustrates the system – Person (Clinton), Action (Kiss), Object (Fish). There is, of course, no suggestion that the former President may engage in “improper sexual relationships” with goldfish.
“People can use “public cues” (eg a photo of Bill Gates) to help them to remember their passwords without writing them down in plain text. These cues could be stored in an app on a smartphone,” ZDNet wrote in its report. The user remembers how the images combine, and uses this to memorise sequences of letters (ie three letters from each word, or a similar pattern).
The researchers say that memorizing nine of these stories could allow users to create secure passwords for more than 100 acccounts, with ‘reminders’ stored in a smartphone app. A thief, however, wouldn’t be able to work out the combinations, thus the system is secure. Blocki himself has memorised 43 stories.
“If you can memorize nine stories, our system can generate distinct passwords for 126 accounts,” Jeremiah Blocki, a Ph.D. student at the university said.
By reusing and recombining within the app, users will “rehearse” the stories, thus helping them remember, Blocki says. The app works as a memory prompt, and was based on cognitive research into memory retention, and repetitive “rehearsal”. Blocki’s paper is available in full here.
The researchers say they were inspired by “Moonwalking with Einstein,” a 2011 bestseller, which described the world of competitive memorization – and which described the concept of Person-Action-Object, or PAO, and how it’s used in such contests to memorize long sequences of letters and numbers, according to Phys.org.
“For instance, photos of President Bill Clinton, a piranha and someone kissing might result in a story, “Bill Clinton kissing a piranha,” or “President smooches a fish,” the researchers say. “By taking the first letter from each word, or the first three letters from the first two words, the user could generate part of a password.”
Blocki says that the system is initially harder work for the user, and that using the app daily or every two days helps the passwords to “sink in”, but that after some time in use, normal password use would be enough for users to remember the details they needed. Blocki said users can rely on as few as nine photo/story pairs, though he personally has opted to use 43 stories to maintain greater security.
“The most annoying thing about using the system isn’t remembering the stories, but the password restrictions of some sites,” said Blocki, referring to sites which require numbers or special characters as part of passwords.
“In those cases, I just make a note to, for instance, add a ’1′ to the password,” he said. “The security is inherent in the passwords themselves and the notes don’t affect that.”
Writing down such notes is often considered bad practice, but Blocki claims that as the story links are known only to the user, his system is secure even if some photos are compromised, or if a number, for instance, is known.
ESET Senior Research Fellow David Harley says that the system offers the “germ of an idea”, but that the patterns generated may not be sufficiently random to beat advanced password-cracking software.
Harley says, “The story building approach is a standard mnemonic technique – in fact, there’s a related XKCD cartoon http://xkcd.com/936/ - but I remember stumbling across something slightly similar in a psychology experiment at university in the early 70s.
“Essentially, I found myself able to remember a long string of essentially unconnected words by inventing a story. It was surprisingly effective: I could still bring it to mind many months afterwards without rehearsing it, and I’m not even a particularly visual thinker, so my ‘story’ was less reliant on visual elements. These days, though, I’m happy if I can finish the day remembering which day it is…”
“One problem that tends to come up with solutions that focus on memorization techniques rather than maximizing entropy is that they tend to make assumptions about the randomness of the resulting passphrase and the equivalence of randomness and entropy that aren’t necessarily true. In this case, the idea seems to me to be that the user chooses a pattern for selecting fragments, but the sort of pattern envisaged (first letter of each word, first three letters of the first two words) is not random, even if it doesn’t make a ‘real’ word. ‘Cracking’ software is rather good at detecting patterns that may not be obvious to a human reader, and if I’m reading this correctly, entropy is further reduced by using case-insensitive alphabetical characters only.”
“Blocki is actually flagging some of the techniques used to make a password harder to guess as, and recommending a ‘add a number’ strategy that a security expert probably wouldn’t suggest, knowing that one technique cracking software is likely to use is to substitute numbers for the final one or two characters of a password. That’s because not only are users known to add numbers to a password to pad it out to a required minimum, as he suggests, but they also append numbers to save them from having to change an expired password to something completely different.”
“There’s the germ of a good idea here, but the researchers need to think a bit more about how passwords are actually cracked. The technique described here sounds more like an attempt to defeat a human trying to guess – like they always do it in the movies – than a serious attempt to circumvent automated password cracking. Perhaps a little less psychology and a little more computer science in the mix would improve the recipe. Entropy-boosting restrictions do tend to annoy end users, but I’m not convinced that this approach is adding more entropy than it’s removing.”
Author Rob Waugh, We Live Security