UI Design Newsletter – June, 2004

What do YOU remember from high school?

"King Peter came over from Germany streaking."

Do you remember that one from high school biology? It is the memory aid (or "mnemonic device") that students use to remember the levels and order of the phylogenic chain:

Sure, it takes a little effort to map from the word string to the levels. In my mind it sounds something like this:

"King Peter came over from Germany streaking...
kingdom, phylum... ummm...
King Peter came over...
kingdom, phylum, class, order... ummm...
King Peter came over from Germany...".

However, despite the extra effort, the sentence makes it possible to accurately recall the string even many years later. It improves remembering by providing mental triggers for both the words (based on the first letters), and their order (based on the sentence itself).

There is substantial literature demonstrating that memorizing a string of words that makes up complete concepts or ideas (what Peter was doing) is easier to remember than an unrelated list of words. Further, the more vivid the sentence (The King is streaking!), the easier it is to remember.

Xena01 Bess99

Keeping track of passwords is a challenge that we all face. Ideally, the passwords that we use should be both secure and memorable. But there is a constant tension between the security and the usability of the passwords in password selection.

When users select their own passwords, they choose strings that are easy to remember. "Password" is the most common password. Self-selected passwords are typically words, names, or very familiar numbers. They are predictable: kid's names, pet names (Xena & Bess are my dogs). When the systems administrator insists we add a number, we typically append this year or the birth year (Xena is 3 years old, Bess is 5). When forced to change passwords monthly, users often use the number of the month, to maintain the hope that they will remember the password. It doesn't help that we all have a dozen or more separate passwords. And it's not surprising that these self-generated passwords are easy to crack.

Secure and memorable. Pick 1.

Frustrated systems administrators attempt to sidestep this security problem by generating passwords for users. To the sysadmin the highest ranked constraint for good passwords is security, not memorability. Sysadmin generated passwords are usually:

• the longest string they think they can get away with,
• consisting of non-redundant strings of random alphanumeric characters,
• and include special characters.

These passwords are secure, but they're impossible to remember. They are difficult to remember because there are limits to human memory. Humans are better at remembering shorter, nonrandom strings that are meaningful. We do better with redundancy.

Despite their best efforts, the "secure" passwords aren't really secure because of how users end up coping with these impossible strings. We write them down. We store them in a file on the computer. Or – worst of all – we let Microsoft memorize them. Kind of defeats the goal of the random string.

Yes, Toto, there can be secure AND memorable passwords...

Yan, Blackwell, Anderson, and Grant (2000) report a set of pilot experiments suggesting that secure and memorable passwords do not have to be painful. Their passwords, or "passphrases", leverage on the same memory device as the King Peter sentence.

In their study, they explored both the memorability and crackability of passwords. They started by randomly dividing 288 incoming college freshmen to one of three password groups:

Control Group: Students selected their own password based on the instructions "Your password should be at least seven characters long and contain at least one non-letter".

Random String Group: Students created random 8 character alphanumeric passwords.

Passphrase Group: Students were instructed to create a 7- or 8-character password by thinking up a "simple sentence of 8 words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and/or special character should be inserted as well."

One month after students selected their passwords, the researchers captured the password files of the participating students and evaluated them for crackability. They used four separate algorithms to crack the passwords that were 7 letters and longer:

• Simple Dictionary Attack – try all words in multiple dictionary files
• Permutations – try all 1, 2, and 3 alphanumeric digit permutation of words in dictionary files
• Simple Letter-Number Replacements – try replacing letters with similar looking numbers (e.g., S with 5 or L with 1)
• Brute Force Attack – test all permutations of strings 6 characters or less

All passwords 6 characters or less were cracked with brute force attacks.

For longer strings, both the random string group and the passphrase group were significantly harder to crack than the control group. (In reality the passwords in the random character and passphrase groups that were cracked were neither random words nor passphrases. They were actually words or permutations of words. Participants had simply not complied with the experimental instructions.)

Noncompliance aside, the passphrases seemed to be as secure as the randomly selected strings. But were they memorable?

Cognitive Psychology to the rescue

Yan and colleagues also conducted a brief post hoc survey in which they asked participants how easy it was to memorize their password on a scale of Trivial (1) to Impossible (5).

Participants in the Random String group rated their passwords significantly harder than either the Passphrase group or the Control group. There was no reliable difference between the memorability of the Passphrase passwords and the Control Group passwords.

So the passphrases were as easy to remember as well.

Yan and colleagues reported challenges in getting all users to really follow the instructions. But the improvement overall is clear. Perhaps creating simple usable instructions with clear examples could increase compliance.

This study is important for several reasons. In the ruthlessly pragmatic sense, it demonstrates that passwords don't have to be impossible to remember to be secure. In fact, the passphrase instructions used in this experiment could be improved even more. Users could be guided to select a sentence that naturally contains both numbers and mixed case. For example, the sentence, "The area code for Mumbai is +91" > TacfMi+91. Painless alphanumeric mixed case including special characters.

In the larger sense, this study demonstrates that understanding the subtleties of what is easy and hard for humans – how the mind works – is key to designing things that are easy to use.

Reference

J. Yan, A. Blackwell, R. Anderson and A. Grant. The Memorability and Security of Passwords – Some Empirical Results. Technical Report No. 500, Computer Laboratory, University of Cambridge, 2000.

This is a nice way to prompt users to create memorable and secure passwords. But I have two concerns.
First, I can't forget observing at a banking call center and noticing fully 70% of the calls were about passwords that did not work. Almost ALL of these were because the Caps Lock was set. Making passwords case sensitive is expensive. Don't do that again.

Second, the password problem is no longer an issue of a single password. I suspect a single user may need passwords for many dozens of sites, applications, and facilities. A single bank account can require up to 3 different passwords! (ATM Pin, Voice Response PIN, and Web Password). Do they use the same password throughout? (A huge security risk.) I think we need to look at this problem more globally.