The usability of passwords is broken. This project is a minimum viable prototype of a mnemonic device for memorizing strong passwords effortlessly.
It generates simple 'stories' of the format [person1] [action] [person2]'s [object]. The resulting stories are intended to provoke mental images that are funny or absurd, because humor is well known to aid learning.
- Bruce Schneier: Changes in Password Best Practices
- Bruce Schneier: Choosing Secure Passwords
- Kaspersky: Remember Strong Passwords
- Naturally Rehearsing Passwords
- Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords
Ideally, the generated stories provoke simple and catchy mental images (similar to the lyrics of pop songs). Therefore the word lists must consist of concise and emotionally loaded words. Also, the more common the words, the easier they are to picture and memorize.
- Persons
  - Lists of persons or fictional characters that are known to most people (in the western world).
- Actions
- Objects
Informal results from evaluating this prototype:
- Users perceived the random stories to be funny.
- Users liked to generate stories.
- Users had individual emotional attachment to different stories.
- Users memorized the story 'well' when picking it by themselves.
This prototype is not secure. It is limited to only 10656188312 different stories, which is far too easy to brute-force: it is equivalent to a password consisting of 7 random lowercase characters in the range a-z. Further prototypes and experiments with multiple or longer stories are necessary before this approach can be used in production.
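As an added illustration (not code from the project itself), the following Python builds a story in the format described above from small constructed word lists, drawing every slot from the OS CSPRNG, and checks the entropy claim: the prototype's 10656188312 stories give about 33 bits, the keyspace of 7 lowercase letters, and `stories_needed` shows how many independent stories would have to be chained to reach a given strength. The word lists and the assumption that person2 is drawn independently of person1 are mine.

```python
import math
import secrets

# Constructed sample word lists (the project's real lists are not on this page).
PERSONS = ["Einstein", "Cleopatra", "Batman", "Mozart"]
ACTIONS = ["steals", "paints", "eats", "juggles"]
OBJECTS = ["umbrella", "piano", "sandwich", "bicycle"]

# Figure stated in the text above: stories the prototype can produce.
PROTOTYPE_STORIES = 10656188312

def story_space(persons, actions, objects):
    """Number of distinct stories of the form
    [person1] [action] [person2]'s [object].
    Assumption: person2 is drawn independently of person1 (repeats allowed)."""
    return len(persons) ** 2 * len(actions) * len(objects)

def entropy_bits(n_stories):
    """Entropy in bits of one story chosen uniformly at random."""
    return math.log2(n_stories)

def equivalent_lowercase_chars(n_stories):
    """Length of a random a-z password whose keyspace does not exceed
    n_stories (floor of log base 26)."""
    return math.floor(math.log(n_stories, 26))

def stories_needed(target_bits, n_stories):
    """How many independent stories must be chained to reach target_bits."""
    return math.ceil(target_bits / entropy_bits(n_stories))

def generate_story(persons, actions, objects):
    """Pick every slot with the OS CSPRNG; random.choice is predictable."""
    p1 = secrets.choice(persons)
    action = secrets.choice(actions)
    p2 = secrets.choice(persons)
    obj = secrets.choice(objects)
    return f"{p1} {action} {p2}'s {obj}"

if __name__ == "__main__":
    n = story_space(PERSONS, ACTIONS, OBJECTS)
    print(generate_story(PERSONS, ACTIONS, OBJECTS))
    print(f"sample lists: {n} stories = {entropy_bits(n):.1f} bits")
    print(f"prototype: {entropy_bits(PROTOTYPE_STORIES):.1f} bits "
          f"~ {equivalent_lowercase_chars(PROTOTYPE_STORIES)} lowercase chars; "
          f"{stories_needed(80, PROTOTYPE_STORIES)} stories needed for 80 bits")
```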
- Optimize word lists for 'catchiness'
  - Provoke clear mental images with emotional content.
- Increase entropy exponentially
  - Increase the number of words in the story.
  - Idea: Generate a story consisting of multiple sentences.
Mnemonics can potentially solve the usability problem of passwords: for the average user it becomes easy to memorize randomly generated passwords. However, this prototype lacks entropy and is therefore not yet secure. This issue can probably be solved by more sophisticated story generation.