A good password is hard to find, and even tougher to remember.
The critical balance between security and memorability is famously elusive. Passwords tough enough to withstand an attack are impossible to memorize. The words and short phrases that agree to stay in our brains can be cracked in a matter of hours, if not minutes. From brilliant mathematicians to colorful cartoonists, some of our best minds have tried their hands at solving the persistent password problem.
Where they came up short, USC computational linguists may have succeeded. Harnessing a time-honored method of memorization, Marjan Ghazvininejad and Kevin Knight from the USC Information Sciences Institute applied poetry to the problem. The result is memorable passwords that, they said, take more than 11 years to break. Such passwords promise to make online browsing, banking and shopping more secure, once people start using them.
Here’s how what Knight and Ghazvininejad call the “Poetry Method” works. Their program starts with a 32,000-word dictionary. Each entry is assigned a unique 15-bit code: 0s and 1s that represent it. The computer program then randomly creates a string of 60 0s and 1s and fits the words to it like a jigsaw puzzle. It chooses two words that rhyme and places them at the end of two very short sentences. The end product is a 16-syllable password that looks like this:
Because they are randomly generated, these passwords can withstand modern hackers. Meter and rhyme make the randomness memorable.
“Poetry has rhythm and rhyme that can help people memorize the password better,” said Ghazvininejad.
It may seem far-fetched that with a few words someone could memorize 60 random digits, but rhythm, rhyme and meter allow ordinary women and men to memorize epic poems like The Odyssey, with its 12,000 lines. Poetry has been a preferred form of memorization since before recorded time.
“All the [other] efforts people go through to generate random passwords, they fail,” Knight said. Where they fall short, this “mix of a highly technical topic and a highly humanities product,” as he put it, succeeds.
In two recent tests conducted by Ghazvininejad and Knight, the Poetry Method beat four other password generation programs for security, likeability and memorability. Weeks after being given a randomly generated 16-syllable poem password, 61 percent of study participants correctly recalled it.
The only other password program that came close was the one suggested by cartoonist Russell Munroe in the Web comic XKCD. In the XKCD method, four random words are strung together, representing a 44-bit string. The words themselves make sense — horse, house, battery, footbridge — but their order is meaningless and non-rhythmic.
According to Ghazvininejad, short-phrase methods like the XKCD method can be hacked in a matter of months, which is how long it takes to check 2^44 word combinations. In the Poetry Method, the number of passwords that the hacking computer has to check is 2^60.
“Based on modern computer speeds, and how many comparisons they can do,” Ghazvininejad said, “it would take at least 11.3 years to go through half of them.”
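As an added illustration of the mechanism the article describes, and not code from the USC project (whose generator also has to satisfy rhyme and meter, which this sketch deliberately skips), the following Python draws a random 60-bit string, cuts it into four 15-bit codes, maps each code to an entry in a constructed placeholder dictionary of 32,768 words, and compares the resulting search space with the 44-bit XKCD scheme. The placeholder word list, the function names, and the 2,048-word list size assumed for the XKCD comparison (inferred from "four words, 44 bits") are this example's own assumptions, not figures from the article.

```python
import math
import secrets

# Constructed stand-in for the 32,000-word dictionary the article describes.
# Each word gets a unique 15-bit code, so the list can hold at most
# 2**15 = 32,768 entries; placeholder words keep the index arithmetic exact.
CODE_BITS = 15
DICT_SIZE = 1 << CODE_BITS                      # 32,768
WORDS = [f"word{i:05d}" for i in range(DICT_SIZE)]

PASSWORD_BITS = 60                              # the article's random 60-bit string
WORDS_PER_PASSWORD = PASSWORD_BITS // CODE_BITS  # 4 words


def random_bit_string(n_bits: int = PASSWORD_BITS) -> str:
    """Draw n_bits from the OS CSPRNG and return them as a '0'/'1' string."""
    return format(secrets.randbits(n_bits), f"0{n_bits}b")


def bits_to_words(bits: str, words=WORDS, code_bits: int = CODE_BITS) -> list:
    """Cut the bit string into fixed-width codes and look each one up.

    This is the 'jigsaw' step in its simplest form: every 15-bit chunk
    selects exactly one dictionary entry. Rhyme and meter are not enforced.
    """
    if len(bits) % code_bits:
        raise ValueError(f"bit string length must be a multiple of {code_bits}")
    if set(bits) - {"0", "1"}:
        raise ValueError("bit string may only contain '0' and '1'")
    return [words[int(bits[i:i + code_bits], 2)]
            for i in range(0, len(bits), code_bits)]


def words_to_bits(chosen, words=WORDS, code_bits: int = CODE_BITS) -> str:
    """Invert bits_to_words: the original random bits are recovered exactly."""
    index = {w: i for i, w in enumerate(words)}
    return "".join(format(index[w], f"0{code_bits}b") for w in chosen)


def entropy_bits(dict_size: int, n_words: int) -> float:
    """Bits of entropy in n_words independent, uniform draws from dict_size."""
    return n_words * math.log2(dict_size)


def search_space(dict_size: int, n_words: int) -> int:
    """Number of candidates an exhaustive attacker would have to consider."""
    return dict_size ** n_words


def relative_work(bits_a: float, bits_b: float) -> float:
    """How many times more guesses a scheme with bits_a costs than one with bits_b."""
    return 2.0 ** (bits_a - bits_b)


if __name__ == "__main__":
    bits = random_bit_string()
    poem = bits_to_words(bits)
    assert words_to_bits(poem) == bits
    print("random bits:", bits)
    print("four words :", " ".join(poem))
    # Poetry Method: 4 words x 15 bits. XKCD-style: the article says four
    # words carry 44 bits, i.e. each from a roughly 2**11 = 2,048-word list
    # (an inference from the article's figure, not a number it states).
    poetry = entropy_bits(DICT_SIZE, WORDS_PER_PASSWORD)
    xkcd = entropy_bits(1 << 11, 4)
    print(f"Poetry Method: {poetry:.0f} bits, "
          f"{search_space(DICT_SIZE, WORDS_PER_PASSWORD):,} candidates")
    print(f"XKCD-style:    {xkcd:.0f} bits, "
          f"{search_space(1 << 11, 4):,} candidates")
    print(f"Exhaustive search is {relative_work(poetry, xkcd):,.0f}x more work")
```

The round trip through words_to_bits is the property that matters for the security claim: because each word is chosen by the random bits rather than by the user, the four-word poem carries the full 60 bits of entropy, and the 2^60 search space in the article is simply 32,768 to the fourth power.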
While the Poetry Method is superior to many password-generating schemes, it is by no means perfect. Nearly 40 percent of the participants could not recall their passwords, the USC scholars’ study found. This may be because many password poems, at least on the surface, aren’t very salient, or meaningful, to the consumer. A typical example would be:
Joanna kissing verified
soprano finally reside.
To address this problem, Ghazvininejad and Knight will add psychology into the mix. They are seeking ways to keep the passwords secure while making them more personal, more emotionally salient, and therefore even more memorable.
“The big picture is people like them,” Knight said. “And they are more memorable than any other method we tried.”
While the Poetry Method has yet to reach 100 percent memorability, the method used by the ancient oral storytellers continues to allow our computer-focused brains to hang on to incredible amounts of information. Is that somehow … poetic?