
The perfect password that’s also easy to remember

By Ana Swanson

The Washington Post

The first thing you learn when you try to create a good password is that your memory is pretty terrible. The second thing you might learn is that you’re really bad at being random.

True randomness is hard to predict; humans aren’t. Even if you’re not one of the millions of people who use passwords like “12345678” or “password,” you might still be making some amateur mistakes. For example, using a common phrase as your password, but then replacing the “i” with a “1,” or the “a” with a “@,” and so on.

Or using common words and phrases, and putting the characters and numerals at the end of the password, instead of spaced randomly throughout. Or re-using passwords across sites, or not changing them often enough.

In short, basically any technique that would allow a human being to actually remember a password.

OK, you say, but how do you possibly get around this? Any password that is going to be reasonably secure is also going to be impossible to remember. And any password you can possibly remember is probably going to be terrible. That’s just the law of passwords, right?

As The Washington Post’s Alexandra Petri writes, “The perfectly secure, perfectly memorable password is absolutely pure and rarer than the unicorn. … That is to say, no one has ever found it, and some doubt whether it exists at all.”

But two researchers at the University of Southern California may have finally come up with the perfect solution. Marjan Ghazvininejad and Kevin Knight have published a paper with a novel method for creating passwords that are both extremely hard to crack and relatively easy to remember: randomly generated poems.

The inspiration for Ghazvininejad and Knight’s study was actually a cartoon, created by Randall Munroe of Xkcd, which showed how a password made up of four random words — like “correct horse battery staple” — is far more secure and a lot easier for people to remember than the typical jumble of random letters, numbers and symbols that most security experts recommend.

Munroe’s point is that, even if you pick a fairly uncommon word, like “Troubadour,” and replace some of the letters with other symbols, this combination might only take a computer seconds, minutes or hours to guess. But a combination of four totally random words is both hard for a hacker to crack and easy for a person to remember — you can make up some weird little story about a horse correctly identifying a battery staple that will stick with you forever, unlike your coworkers’ spouses’ names, or the date of your anniversary.

The secret here is that those four random words are actually generated based on one very large random number. That random number is then broken up into segments, each of which corresponds with a word in the dictionary. It’s basically a form of cryptography. To guess the full random number, a computer might have to test billions and billions and billions of possibilities before it hits on the right one, says Knight.

But while Munroe suggested using this large number to pick four random words, Ghazvininejad and Knight hit on the idea of using it to create a little poem.

In their paper, Ghazvininejad and Knight look at a few different methods for generating random passwords — the Xkcd method of using four random words, as well as a method of generating a random sentence — but they find that by far the most secure and the most memorable method is creating a short rhyming poem of random words.

As the researchers point out, humans have been using poetry as a way to remember information for thousands of years. It’s no accident that long epics, like the 12,000-line “Odyssey,” or the 17,000-line “Canterbury Tales,” were written using meter or rhyme.

Most people today can’t recite the “Canterbury Tales,” but they’ve still had certain sing-songy rhymes permanently burned into their memory — like “Thirty days hath September,” or the weather beacon rhymes that people once learned before weather apps came along.

Ghazvininejad and Knight create their poems by assigning every word in a 327,868-word dictionary a distinct code. They then use a computer program to generate a very long random number, break that number up into pieces, and then translate those pieces into two short phrases. The computer program they use ensures that the two lines end in words that rhyme, and that the whole phrase is in iambic tetrameter, like so:

Receiver Mathew Halloween deliver cousin magazine
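The mechanism described above, a large random number chopped into segments that each index a dictionary word, is the same one behind the Xkcd passphrase. The following is an added example, not code from the article or from Ghazvininejad and Knight; it uses a small constructed word list in place of their 327,868-word dictionary and does not attempt the rhyme and meter constraints their generator adds. It shows the number-to-words mapping in both directions, draws the number from the operating system's cryptographic random source, and reports how many bits of randomness a passphrase of a given length carries for a given dictionary size.

```python
import math
import secrets

# Constructed 16-word list for demonstration only (16 = 2**4, so each word
# carries exactly 4 bits). The researchers' real dictionary has 327,868 words.
WORDS = [
    "correct", "horse", "battery", "staple",
    "receiver", "mathew", "halloween", "deliver",
    "cousin", "magazine", "journeyman", "believers",
    "idaho", "scripture", "bungalow", "celebrate",
]


def number_to_words(number, n_words, wordlist=WORDS):
    """Split a non-negative integer into n_words base-len(wordlist) digits,
    least significant first, and map each digit to a dictionary word."""
    base = len(wordlist)
    words = []
    for _ in range(n_words):
        number, idx = divmod(number, base)
        words.append(wordlist[idx])
    if number != 0:
        raise ValueError("number needs more than n_words words to encode")
    return words


def words_to_number(words, wordlist=WORDS):
    """Inverse of number_to_words: recover the integer from the word sequence."""
    index = {w: i for i, w in enumerate(wordlist)}
    number = 0
    for w in reversed(words):          # most significant word first
        number = number * len(wordlist) + index[w]
    return number


def generate_passphrase(n_words, wordlist=WORDS):
    """Draw the random number from a CSPRNG (secrets), never from random.random,
    and return both the words and the number they encode."""
    number = secrets.randbelow(len(wordlist) ** n_words)
    return number_to_words(number, n_words, wordlist), number


def entropy_bits(n_words, dict_size):
    """Bits of randomness in a passphrase of n_words words drawn uniformly
    from a dictionary of dict_size words."""
    return n_words * math.log2(dict_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at a hypothetical guess rate; the
    guess rate is an assumption the caller supplies, not a measured figure."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    words, number = generate_passphrase(4)
    print(" ".join(words), "<-", number)
    # How much randomness does one word from the researchers' dictionary carry?
    print("bits per word, 327,868-word dictionary:",
          round(entropy_bits(1, 327868), 2))
```

The security of the passphrase comes entirely from the size of the number, so the dictionary must be public and the number must come from a cryptographic source; the poem's rhyme and meter only make that number easier to hold in memory.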

These passwords might seem a little odd, but they’re actually very secure — at current speeds, they would take a computer program many decades to crack. And they’re much easier to remember than any string of characters that would be comparably secure.

If you read too many of these, they will make you feel a little crazy. But some of them are really fun to say:

The reigning Hagen journeyman believers mini minivan

And teaches scripture bungalow or celebrate or Idaho

Ghazvininejad and Knight developed an online generator for these little poems: www.isi.edu/natural-language/people/poem/poem.php They caution that this site is just for demonstration — hackers could potentially download all of these and try them out, so don’t use them for your password.

If you want your own little poem password, you can enter your e-mail here, and their program will send you a secure one, which will then be deleted from their server: http://52.24.230.241/bc/password-generation.php

Unfortunately, many sites these days limit the number of characters that you can use in your passwords, so most of these poems are probably too long. But perhaps one day soon you’ll be able to use these — more and more sites are considering dropping the character limit, since shorter passwords are a lot less secure.
