Tuesday, June 16, 2015

How to remember complex passwords

How to remember complex passwords: Scientists create 10-day repetition test to teach people long, random sequences

  • Test aimed to see if people could quickly recall a 56-bit random password
  • Based on spaced repetition using increasing intervals of time to revise
  • After 10 days, test subjects could type their password with 94% accuracy
  • After three days, 88% of people still remembered the string or passphrase
We are usually terrible at choosing passwords.
One in 20 times, most of us still opt for the word 'password' out of fear we'll forget anything more complicated.
But remembering long, random combinations of phrases and numbers may not be as difficult as you might think, with a little mind training.

Microsoft Research's Stuart Schechter and Princeton University's Joseph Bonneau wanted to see how easy it would be for people to memorise very strong 56-bit random passwords.
They used a simple technique known as 'spaced repetition', which uses increasing intervals of time to revise previously learned material.
The researchers recruited participants from Amazon's Mechanical Turk crowdsourcing platform to take a fake series of attention tests.
But without the users knowing, they were in reality studying how users logged in to the tests.
The program would prompt a user to type in a series of words or letters each time the login screen appeared. 

And each time the screen showed up, it took an increasingly long time to show the sequence of characters.
This caused the users to begin entering the string from memory.
Over 10 days, the string of letters and words grew longer, until the user had to type in 12 random letters or six random words to start the test.
Incredibly, the test subjects managed to type their password or passphrase without prompting after an average of 36 tries, with a success rate of 94 per cent.
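The arithmetic behind "12 random letters or six random words" as a 56-bit secret, with a generator for both forms, as an added example that is not code from the study or the original article. The 676-entry word list is constructed from made-up syllables and stands in for a real dictionary; the function names are assumptions of this example.

```python
import math
import secrets
import string

TARGET_BITS = 56  # strength quoted in the article

# Constructed 676-entry (26 x 26) list of pseudo-words, not a real dictionary.
ONSETS = ["b", "bl", "br", "ch", "d", "dr", "f", "fl", "g", "gr", "h", "j", "k",
          "l", "m", "n", "p", "pl", "r", "s", "sh", "st", "t", "tr", "v", "z"]
RIMES = ["ab", "ack", "ad", "am", "amp", "an", "ash", "at", "ed", "elt", "en",
         "est", "et", "ib", "id", "ift", "ill", "im", "in", "ing", "isk", "ob",
         "ock", "og", "op", "ug"]
WORDLIST = [o + r for o in ONSETS for r in RIMES]

def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)

def min_list_size(picks, bits=TARGET_BITS):
    """Smallest list size for which `picks` uniform draws reach `bits`."""
    return math.ceil(2 ** (bits / picks))

def random_letters(length=12):
    """Lower-case letters drawn from the OS CSPRNG, not from `random`."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))

def random_words(wordlist=WORDLIST, count=6):
    """Passphrase of `count` words; refuses lists that miss the target."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate entries lower the real entropy")
    if entropy_bits(len(wordlist), count) < TARGET_BITS:
        raise ValueError("word list too small for the target strength")
    return " ".join(secrets.choice(wordlist) for _ in range(count))

if __name__ == "__main__":
    print(f"12 letters: {entropy_bits(26, 12):.1f} bits -> {random_letters()}")
    print(f"6 words:    {entropy_bits(len(WORDLIST), 6):.1f} bits -> {random_words()}")
    print(f"6 words need a list of at least {min_list_size(6)} entries")
```

The strength figure only holds when every letter or word is picked uniformly at random by the machine; a phrase the user chooses does not carry it.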

 

HOW TO CHOOSE A PASSWORD 

Avoid favourite sports. ‘Baseball’ and ‘football’ were both in the top 10 worst password list.
Birthdays and years of birth are easy to guess with the help of personal information.
Common names such as Michael and Jennifer are insecure, with many making SplashData’s Top 50 list, too.
Experts suggest using eight mixed types of characters, with seemingly random combinations if possible.
They say that passphrases – short words with spaces or other characters separating them – are easy to recall and are relatively secure if seemingly random words are used.
Experts also advise having different passwords for different sites, instead of relying on one, which if hacked, could prove particularly serious.

After three days, 88 per cent still remembered the string or passphrase.
“There’s a big dimension of human memory that hasn’t been explored with passwords,” Joseph Bonneau, one of the two researchers who created the study, said at the time. 
“Human memory will surprise you.”
But remembering long, complex passwords may not be enough to prevent hackers from stealing your information. 
A study earlier this year found passwords such as ‘mnbvcxz’, ‘qaz2wsx’ and ‘adgjmptw’ can be cracked in seconds - and adding numbers to your codes does little to boost their strength.
The analysis was made by hosting firm WP Engine using 10 million passwords recently released by security consultant Mark Burnett.
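The three passwords quoted above look random but follow the keys: two trace neighbouring keys on a QWERTY keyboard and the third takes the first letter of phone keys 2 to 9 in order. The check below is an added example, not code from the WP Engine analysis, of how a password-policy filter can flag such strings; the 0.8 threshold and the function names are assumptions of this example.

```python
# QWERTY rows; each lower row sits shifted right relative to the one above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Letters printed on phone-keypad digits 2-9.
KEYPAD = {ch: d
          for d, letters in zip("23456789", ["abc", "def", "ghi", "jkl",
                                             "mno", "pqrs", "tuv", "wxyz"])
          for ch in letters}

def _adjacent(a, b):
    """True if keys a and b touch on the QWERTY layout."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    dr, dc = r2 - r1, c2 - c1
    if dr == 0:
        return abs(dc) == 1
    if dr == 1:             # moving down: below-left or directly below
        return dc in (-1, 0)
    if dr == -1:            # moving up: directly above or above-right
        return dc in (0, 1)
    return False

def walk_ratio(pw):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    pw = pw.lower()
    pairs = list(zip(pw, pw[1:]))
    return sum(_adjacent(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0

def keypad_ratio(pw):
    """Same measure after mapping letters to their phone-keypad digits."""
    digits = [int(KEYPAD.get(ch, ch)) for ch in pw.lower()
              if ch in KEYPAD or ch in "0123456789"]
    pairs = list(zip(digits, digits[1:]))
    return sum(abs(a - b) == 1 for a, b in pairs) / len(pairs) if pairs else 0.0

def pattern_flags(pw, threshold=0.8):
    """Names of the key-pattern heuristics that `pw` trips."""
    flags = []
    if walk_ratio(pw) >= threshold:
        flags.append("qwerty-walk")
    if keypad_ratio(pw) >= threshold:
        flags.append("keypad-run")
    return flags
```

An empty result only means these two heuristics did not fire; it is not a statement that the password is strong.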
In 2013, a team of hackers managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website.
The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90 per cent of hashed passwords did so in less than an hour using a computer cluster.
The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'.
