
What do YOU remember from high school?

"King Peter came over from Germany streaking."

Do you remember that one from high school biology? It is the memory aid (or "mnemonic device") that students use to remember the levels and order of the phylogenic chain:

  • King > kingdom
  • Peter > phylum
  • came > class
  • over > order
  • from > family
  • Germany > genus
  • streaking > species

Sure, it takes a little effort to map from the word string to the levels. In my mind it sounds something like this:

"King Peter came over from Germany streaking...
kingdom, phylum... ummm...
King Peter came over...
kingdom, phylum, class, order... ummm...
King Peter came over from Germany...".

However, despite the extra effort, the sentence makes it possible to recall the string accurately even many years later. It improves recall by providing mental triggers both for the words (based on their first letters) and for their order (based on the sentence itself).

There is substantial literature demonstrating that a string of words that forms a complete concept or idea (what Peter was doing) is easier to remember than an unrelated list of words. Further, the more vivid the sentence (The King is streaking!), the easier it is to remember.

Toyota Prius

Xena01 Bess99

Keeping track of passwords is a challenge that we all face. Ideally, the passwords that we use should be both secure and memorable. But there is a constant tension between the security and the usability of the passwords in password selection.

When users select their own passwords, they choose strings that are easy to remember. "Password" is the most common password. Self-selected passwords are typically words, names, or very familiar numbers. They are predictable: kids' names, pet names (Xena & Bess are my dogs). When the systems administrator insists we add a number, we typically append this year or the birth year (Xena is 3 years old, Bess is 5). When forced to change passwords monthly, users often use the number of the month, to maintain the hope that they will remember the password. It doesn't help that we all have a dozen or more separate passwords. And it's not surprising that these self-generated passwords are easy to crack.

Secure and memorable. Pick 1.

Frustrated systems administrators attempt to sidestep this security problem by generating passwords for users. To the sysadmin, the highest-ranked constraint for a good password is security, not memorability. Sysadmin-generated passwords are usually:

  • as long a string as they think they can get away with,
  • made of non-redundant, random alphanumeric characters,
  • and padded with special characters.

These passwords are secure, but they're impossible to remember. They are difficult to remember because there are limits to human memory. Humans are better at remembering shorter, nonrandom strings that are meaningful. We do better with redundancy.

Despite their best efforts, the "secure" passwords aren't really secure because of how users end up coping with these impossible strings. We write them down. We store them in a file on the computer. Or – worst of all – we let Microsoft memorize them. Kind of defeats the goal of the random string.

Yes, Toto, there can be secure AND memorable passwords...

Yan, Blackwell, Anderson, and Grant (2000) report a set of pilot experiments suggesting that secure and memorable passwords do not have to be painful. Their passwords, or "passphrases", leverage the same memory device as the King Peter sentence.

In their study, they explored both the memorability and the crackability of passwords. They started by randomly assigning 288 incoming college freshmen to one of three password groups:

Control Group: Students selected their own password based on the instructions "Your password should be at least seven characters long and contain at least one non-letter".

Random String Group: Students created random 8-character alphanumeric passwords.

Passphrase Group: Students were instructed to create a 7- or 8-character password by thinking up a "simple sentence of 8 words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and/or special character should be inserted as well."

One month after students selected their passwords, the researchers captured the password files of the participating students and evaluated them for crackability. They used four separate algorithms to crack the passwords that were 7 characters and longer:

  • Simple Dictionary Attack – try all words in multiple dictionary files
  • Permutations – try every 1-, 2-, and 3-digit alphanumeric permutation of the words in the dictionary files
  • Simple Letter-Number Replacements – try replacing letters with similar-looking numbers (e.g., S with 5 or L with 1)
  • Brute Force Attack – test all strings of 6 characters or less

All passwords 6 characters or less were cracked with brute force attacks.
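The four attack classes above double as a checklist for a password policy: a password the study's crackers would have recovered is one a defender should refuse at enrollment. The following is an added example, not code from the article or from the Yan et al. study, that applies those four checks to a candidate password. The dictionary is a constructed toy list standing in for the "multiple dictionary files" of the study, the substitution table is an assumption about which letter-number swaps the study tried, and the two helper names are mine.

```python
import re
from typing import Optional

# Constructed toy dictionary standing in for the study's "multiple dictionary files".
TOY_DICTIONARY = {"password", "secret", "welcome", "xena", "bess", "mary", "letmein"}

# Assumed letter-number replacements of the kind the study describes (S->5, L->1, ...).
LEET_TABLE = str.maketrans(
    {"5": "s", "1": "l", "0": "o", "3": "e", "4": "a", "7": "t", "@": "a", "$": "s"}
)

# The study brute-forced every string of 6 characters or less.
BRUTE_FORCE_LIMIT = 6

# A dictionary word padded with 0-3 digits on either side (the "permutations" attack).
WORD_WITH_DIGITS = re.compile(r"^\d{0,3}([a-z]+)\d{0,3}$")


def dictionary_word_in(candidate: str) -> bool:
    """True if candidate is a dictionary word, possibly wrapped in 1-3 digits."""
    match = WORD_WITH_DIGITS.match(candidate)
    return bool(match) and match.group(1) in TOY_DICTIONARY


def weakness(password: str) -> Optional[str]:
    """Return the attack class from the study that would recover this password, or None.

    The checks run in the same order as the study's list: brute force on short
    strings, plain dictionary lookup, dictionary word plus digits, then the
    same lookup after undoing letter-number substitutions.
    """
    if len(password) <= BRUTE_FORCE_LIMIT:
        return "brute force (6 characters or less)"
    lowered = password.lower()
    if lowered in TOY_DICTIONARY:
        return "simple dictionary attack"
    if dictionary_word_in(lowered):
        return "dictionary word with 1-3 digit permutation"
    if dictionary_word_in(lowered.translate(LEET_TABLE)):
        return "simple letter-number replacement"
    return None


if __name__ == "__main__":
    # Constructed samples: the self-selected patterns the article describes,
    # plus the passphrase-derived string it recommends.
    for sample in ["Xena01", "Password", "Password1", "P@55w0rd", "TacfMi+91"]:
        print(f"{sample:12} -> {weakness(sample) or 'not caught by these four attacks'}")
```

A real deployment would replace the toy set with a full wordlist (and a breached-password list), but the shape of the check is the same: normalise the candidate the way the attacker would, then look it up. Note that the check only mirrors the study's four attacks; a password it accepts is not thereby proven strong.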

For longer strings, both the random string group and the passphrase group were significantly harder to crack than the control group. (In reality the passwords in the random character and passphrase groups that were cracked were neither random words nor passphrases. They were actually words or permutations of words. Participants had simply not complied with the experimental instructions.)

Noncompliance aside, the passphrases seemed to be as secure as the randomly selected strings. But were they memorable?

Cognitive Psychology to the rescue

Yan and colleagues also conducted a brief post hoc survey in which they asked participants how easy it was to memorize their password on a scale of Trivial (1) to Impossible (5).

Participants in the Random String group rated their passwords significantly harder than either the Passphrase group or the Control group. There was no reliable difference between the memorability of the Passphrase passwords and the Control Group passwords.

So the passphrases were just as easy to remember, too.

Yan and colleagues reported challenges in getting all users to really follow the instructions. But the improvement overall is clear. Perhaps creating simple usable instructions with clear examples could increase compliance.

This study is important for several reasons. In the ruthlessly pragmatic sense, it demonstrates that passwords don't have to be impossible to remember to be secure. In fact, the passphrase instructions used in this experiment could be improved even more. Users could be guided to select a sentence that naturally contains both numbers and mixed case. For example, the sentence "The area code for Mumbai is +91" yields TacfMi+91: painless mixed case and alphanumerics, with a special character included.
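The King Peter mnemonic, the study's passphrase instructions (initial or final letters of an 8-word sentence) and the Mumbai example all use the same one-letter-per-word rule. As an added example, not code from the article or the study, here is that rule written out; the function name and the choice to keep tokens with no letters (such as "+91") whole are my assumptions, chosen so that the article's sentence produces the article's TacfMi+91.

```python
import re


def passphrase_password(sentence: str, position: str = "initial") -> str:
    """Condense a sentence into a password by taking one letter per word.

    position: "initial" takes the first letter of each word, "final" the last,
    the two choices the study's instructions offered. Case is preserved, so a
    capitalised word in the sentence contributes an upper-case letter, and a
    token with no letters at all (a number, "+91") is kept whole so the
    sentence can carry its own digits and special characters.
    """
    if position not in ("initial", "final"):
        raise ValueError("position must be 'initial' or 'final'")
    parts = []
    for token in sentence.split():
        letters = re.sub(r"[^A-Za-z]", "", token)  # drop punctuation like a trailing "."
        if not letters:
            parts.append(token)  # assumption: keep digit/special tokens whole
        elif position == "initial":
            parts.append(letters[0])
        else:
            parts.append(letters[-1])
    return "".join(parts)


if __name__ == "__main__":
    # The two sentences from the article.
    print(passphrase_password("The area code for Mumbai is +91"))              # TacfMi+91
    print(passphrase_password("King Peter came over from Germany streaking.")) # KPcofGs
```

The memorability comes from the sentence, which the user never types; only the derived string is the password, and since the derivation is deterministic the user can rebuild it from the sentence rather than recall it letter by letter.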

In the larger sense, this study demonstrates that understanding the subtleties of what is easy and hard for humans – how the mind works – is key to designing things that are easy to use.


References

J. Yan, A. Blackwell, R. Anderson and A. Grant. The Memorability and Security of Passwords – Some Empirical Results. Technical Report No. 500, Computer Laboratory, University of Cambridge, 2000.

Message from the CEO, Dr. Eric Schaffer — The Pragmatic Ergonomist


Reader comments

Jim Lutterbach,
PE RW Armstrong

A lot of money will go to the persons who can solve this problem.

Patricia Lareau
Real User Corporation

No matter how clever the suggestions for creating passwords, most people can't do it successfully. They either write them down or forget them!

Here is an alternative that understands usability. Rather than relying on the user to memorize (which he is bad at), it uses the fact that the strongest form of memory is recognition – in particular, recognition of a human face, once it is familiar. I have attached a paper on the science behind this technology and would love to hear your reaction.

Best way to see for yourself is to try it. The demo takes 5 minutes and shows how intuitive this new idea is. Users love it. Nothing to recall, nothing to write down. All around it's more reliable and secure than passwords. The help desk calls fall to near zero. www.realuser.com.

Jack Grimes
GimesOnline.com

"Secure and memorable. Pick 1." is not right....

There is a better and secure way to create a password. It depends not just upon your ability to remember strings, but rather depends on the ability to construct a string.

Take a date, like your birthdate 2-16-62
And a name, like your mom's name - mary

The secure, constructible password is the alternation of characters from these two strings.

2m1a6r6y2

It can't be guessed and is not subject to a dictionary attack.

I learned this from some security folks in a long forgotten article.
