New Study Shows Passwords Can, In Fact, be Remembered

We see a lot of password-bashing these days, and some people have lost faith in them as a security measure. But, unfortunately, a lot of the blame for this lies in human memory. We just don’t pick passwords that are strong enough. In fact, a mind-numbing one in 20 people still use “password” to keep their information safe.

Thankfully, all hope is not yet lost for those who have trouble remembering a password and don’t want to use a password manager. A new study from two researchers at Microsoft and Princeton University proves that a string of random characters can be fairly simple to remember if approached from the right angle. Stuart Schechter and Joseph Bonneau have devised a method that can enable people to remember very strong, random passwords: ones that would require well over a million dollars’ worth of computing power, and countless attempts, to crack within a year.

Schechter and Bonneau brought hundreds of test subjects on board for what the subjects thought was a series of attention span tests, but in reality they were being taught long and complex passwords that were practically impossible for hackers to steal. The researchers say that their test was built around what they called “spaced repetition.”

The Spaced Repetition Process
Spaced repetition works by providing users with periodic quizzing and testing, along with the addition of new information, to work on improving memory. This process is similar to those used in foreign language classes. The tests were set up like so:

  • The process only took a meager 12 minutes of users’ time on average.
  • The real test was what happened on the login screen for the attention span tests.
  • The login screen prompted users to enter a string of characters (i.e. the password), and each consecutive time, the string of characters would take longer and longer to appear.
  • Additionally, the string of characters would grow longer and longer, maxing out at either 12 random letters or a six-word phrase.
  • Subjects were able to enter their password without any sort of prompt after an average of 36 entries.
  • The test required 90 login attempts.
  • By the end of the test, 94 percent of all users could type their password from memory, and only 21 percent had written it down.
  • Three days after completion of the test, 88 percent still remembered their password.
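
A small simulation of the enrolment loop in the list above, added here as an illustration; it is not code from the study or from this article. The 12-letter length and the 90 logins come from the text, while the chunk size, the delay step and the `recall_after` user model are assumptions made for the example.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase  # the "12 random letters" variant
CODE_LEN = 12                      # maximum length stated in the article
CHUNK = 4                          # assumption: code is taught 4 letters at a time
DELAY_STEP = 0.5                   # assumption: seconds added to the hint delay per login


def new_code(length=CODE_LEN):
    """Draw the secret from the OS CSPRNG; the user never chooses it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=CODE_LEN, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


def enrol(code, logins, recall_after):
    """Simulate the login screen over `logins` sessions.

    recall_after is a constructed user model: the number of exposures to the
    newest chunk after which the user types it before the hint appears.
    Returns (login_no, chunks_required, hint_delay_s, typed_from_memory) tuples.
    """
    chunks = [code[i:i + CHUNK] for i in range(0, len(code), CHUNK)]
    active, seen, delay, log = 1, 0, 0.0, []
    for n in range(1, logins + 1):
        seen += 1
        from_memory = seen >= recall_after
        log.append((n, active, delay, from_memory))
        if from_memory and active < len(chunks):
            active, seen, delay = active + 1, 0, 0.0  # add next chunk, restart delay
        else:
            delay += DELAY_STEP                       # hint appears later next time
    return log


def first_full_recall(log, total_chunks):
    """First login at which the whole code was typed without the hint."""
    return next((n for n, active, _, mem in log if mem and active == total_chunks), None)


if __name__ == "__main__":
    code = new_code()
    log = enrol(code, logins=90, recall_after=12)
    print(f"{entropy_bits():.1f} bits; full recall at login {first_full_recall(log, 3)}")
```

The point for a defender is that the secret is machine-generated and uniformly random, so its strength does not depend on the user's choices; the schedule only controls how it gets memorized.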

It goes without saying that this tactic worked remarkably well for the purpose of improving password recollection, but it’s not a very practical method for everyday use by just anyone. It’s better suited to an enterprise login system or a password manager, where you benefit from the long, secure password without having to memorize multiple login credentials.

What are your thoughts on this new way of password memorization? Will it help you deviate from the normal, insecure password process, or does it sound too complicated? Let us know in the comments.
