A group of researchers from Carnegie Mellon University’s School of Computer Science believe they might have solved the problem of choosing and, above all, remembering complex and diverse passwords that are simultaneously difficult to crack by attackers.
The researchers have developed Shared Cues, a password management scheme that takes advantage of human memory’s tendency towards association and introduces mnemonic techniques to trigger it.
Shared Cues uses a generator and mandates a rehearsal schedule dependent on different types of internet users. “The key idea is to strategically share cues to make sure that each cue is rehearsed frequently while preserving strong security goals,” they shared.
The cues are used to create random person-action-object (PAO) stories that will form the basis for the password.
For example, in the image displayed above the story can be “Bill Gates swallows a bike”. But, depending on the creativity of the user, it can be another unexpected “version” of the story.
The public clues (delivered via an app) allow users to remember the story and the chosen password combination. An initial rehearsal schedule has to be implemented, and will depend on the memory capabilities of the user and how often he or she uses a particular password.
But the best thing is that even if an attacker knows the clues, chances are good that it would take him forever to guess the right “story” and the way in which it was used to create the password.
According to Jeremiah Blocki, a Ph.D. student in Carnegie Mellon’s Computer Science Department and one of the authors of the research, users could use as few as nine “stories” to create complex passwords for over 100 accounts, but he personally uses has 43 to improve his password security.
“The most annoying thing about using the system isn’t remembering the stories, but the password restrictions of some sites,” Blocki pointed out, referring to the often required use of numbers, figures or capital letters in passwords.
“In those cases, I just make a note to, for instance, add a “1′ to the password,” he says. Writing down things like this would usually affect the security of a password, but in this case it can’t, as the basis (the story) is not written down, and is still difficult to guess.