CMU Research Helps Users Create and Recall 100 Passwords

A small team at Carnegie Mellon is taking a new look at the ongoing challenge of enabling people to memorize multiple passwords without recording them in a file or on paper. In this project, visual cues are allowing users to create and remember a hundred or more passwords, according to the researchers. The secret of success is to pair up photos with a bit of rehearsal to keep memories fresh in users' minds. The scheme relies on what the researchers call "human hardware."

"If you can memorize nine 'stories,' our system can generate distinct passwords for 126 accounts," said Jeremiah Blocki, a Ph.D. student in Carnegie Mellon's Computer Science Department. According to Blocki, memorizing more stories enables users to create more passwords or make their existing passwords more secure. The reuse and recombination of the stories reinforces the more complex passwords, making them easier to remember.

Blocki collaborated with Manuel Blum, a professor of computer science, and Anupam Datta, an associate professor of computer science and electrical and computer engineering at the university. He recently presented their findings at AsiaCrypt 2013, a conference on cryptology in Bangalore, India.

The system outlined by the researchers allows the user to specify a photo of a person or a scene, which is paired with a photo of an object and a photo of an action offered by the program. Using those images, the person concocts a story about what's in the pictures and generates the password from those scenes or by taking the first letters or something similar. When the user logs in later, the program displays the pictures as a memory prompt.

The system requires the user to rehearse the pairing of images with passwords; the more frequent the rehearsal, the more hardwired the pairing becomes in the user's memory. If the pattern isn't rehearsed at a given frequency, the researchers suggested, a program based on the scheme might prompt the user to rehearse it.
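
The sketch below is an added illustration, not code from the researchers or from this article. It assumes each password draws on 4 of the 9 stories (the article does not give that number; 4-of-9 is one choice that yields exactly 126 combinations) and measures how often each story is reused across accounts and how much of another password a single leaked password would reveal.

```python
from itertools import combinations
from collections import Counter

STORIES = 9        # figure quoted in the article
PER_PASSWORD = 4   # assumption: subset size is not stated in the article


def story_sets(n=STORIES, k=PER_PASSWORD):
    """One k-subset of the n story indices per account."""
    return list(combinations(range(n), k))


def rehearsal_counts(sets):
    """Number of accounts in which each story appears.

    Every login to one of those accounts rehearses the story, which is
    the reinforcement effect the article describes.
    """
    return Counter(story for subset in sets for story in subset)


def max_overlap(sets):
    """Largest number of stories shared by any two distinct accounts."""
    return max(len(set(a) & set(b)) for a, b in combinations(sets, 2))


def unknown_stories_after_leak(sets, leaked, target):
    """Stories in the target account's password that stay secret
    when the passwords of the accounts in `leaked` are disclosed."""
    exposed = set().union(*(sets[i] for i in leaked))
    return sorted(set(sets[target]) - exposed)


if __name__ == "__main__":
    sets = story_sets()
    print("accounts covered:", len(sets))
    print("accounts per story:", dict(rehearsal_counts(sets)))
    print("max stories shared by two accounts:", max_overlap(sets))
    # Constructed scenario: account 0's password leaks from a breached site.
    print("account 1 still-secret stories:",
          unknown_stories_after_leak(sets, [0], 1))
    print("last account still-secret stories:",
          unknown_stories_after_leak(sets, [0], len(sets) - 1))
```

Under this assumption the trade-off is visible in the numbers: heavy reuse keeps every story rehearsed, but two accounts can share all but one story, so a password exposed in plaintext at one site leaves some other accounts protected by a single unknown story.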

The inspiration for the project had two sources: cognitive research that tied memory retention to the frequency with which the memories have been "rehearsed" and the concept of power memorization, in which long sequences of numbers or letters are memorized by associating them with images.

Of course, some sites that require passwords also place restrictions on the format of the password, such as forcing it to include an upper and lower case combination or numbers. When that's needed, said Blocki, "I just make a note to, for instance, add a '1' to the password."

The research is being continued in an undergraduate research project through development of a mobile app.

The research was funded by grants from the National Science Foundation and the Air Force Office of Scientific Research.

About the Author

Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at dian@dischaffhauser.com.
