Last year, two researchers asked a group of volunteers to log into a website 90 times over the span of ten days, using whatever password the volunteers chose. After entering their password, the website showed the volunteers a short security code, made of either four random letters or two random words, and asked them to type it. Throughout the ten-day experiment, the site added more letters and words to the code—up to 12 random letters or six random words—and the security code would take just a little longer to be displayed, prompting the participants to recall it themselves before it appeared.

At the end of the experiment, and three days after the last login, a whopping 94 percent of the test subjects were able to recall from memory their random code word or phrase, which were seemingly nonsensical strings of characters like "zljndjjgjana" or meaningless phrases like "gaze sloth laugh grace relic born." Without the volunteers knowing, the researchers had tricked their minds.

"The words are branded into my brain," one participant said, according to the researchers.
With this experiment, the two researchers proved that our brains are actually not that bad at remembering random, complicated passwords, despite common assumptions to the contrary.

"There's a big dimension of human memory that hasn't been explored with passwords," Joseph Bonneau, one of the two researchers who created the study, said at the time. "Human memory will surprise you."

That's good news because in 2015, people still choose crappy passwords such as "123456," "qwerty" or, yes, "password," which makes the lives of malicious hackers and spies very easy. Those are obviously trivial to guess, but even more complex passwords (think of words with some special characters or numbers, or phrases from famous lyrics or quotes) are relatively insecure. Thanks to password cracking software, which automates guessing passwords using dictionaries of words and common patterns, even novices turn into good crackers.

As it turns out, the key to cracking passwords is a flaw in our brains, according to password expert and cracker Jeremi Gosney. Our minds are not good at creating random combinations of words or letters, but tend to be influenced by memories or pop culture tastes, which lead to non-random, and thus vulnerable, passwords.
"If your password is not random, we will crack it," said Gosney, who once deciphered 90 percent of a sample of more than 16,000 passwords downloaded from the internet in 20 hours as part of a contest. "Password crackers already know about every trick you think you have for making a password stronger."

With today's computing power, crackers can take billions of guesses per second, perhaps even one trillion, if you believe Edward Snowden. This means your password had better be random and long. Ideally it should be seven words long if you're worried about the NSA or Chinese spies, according to Micah Lee, a technologist at The Intercept. Thanks to a method that uses actual physical dice and a list of 7,776 words, Lee recently wrote, you too can create practically impossible-to-crack passphrases that would take a hacker an average of 27 million years to guess.

In the experiment devised by Bonneau and Stuart Schechter, the test subjects were able to remember random combinations of six words, which the researchers estimated would cost an attacker a million dollars' worth of computing power to crack in a year. An example of such a passphrase would be "Gang Neon Ridge Blame Adobe Pulse."

All it takes is training through repetition, just like the test subjects in the experiment.

"When you type the same thing over and over again, it gets easier, it gets faster, and at one point your brain doesn't even remember it anymore, you just type it. Your fingers are moving the same patterns every time—it's very easy to remember," Per Thorsheim, the founder of the Passwords conference, told Motherboard.
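The dice-and-word-list method described above, worked through as an added example (not code from the article, Lee, or Bonneau): five rolls of a six-sided die select one word from a 7,776-entry list, and the attacker's expected effort follows from the size of that keyspace. The word list and the one-trillion-guesses-per-second rate are assumptions; only a handful of sample words are embedded here.

```python
import itertools
import math
import secrets

# Constructed sample of a diceware-style list: five dice rolls (each 1-6) form a
# key that indexes one word. A full list has 6**5 = 7776 entries; only a few
# constructed entries are shown, so a real run needs the complete list.
SAMPLE_WORDS = {
    "11111": "gang", "11112": "neon", "11113": "ridge",
    "11114": "blame", "11115": "adobe", "11116": "pulse",
}
LIST_SIZE = 6 ** 5                     # 7776 words in a complete list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def all_keys(dice=5):
    """Every possible dice key, '11111' through '66666' (6**dice of them)."""
    return ["".join(p) for p in itertools.product("123456", repeat=dice)]


def roll_key(dice=5):
    """Simulate rolling `dice` fair dice with a CSPRNG; returns e.g. '36442'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def lookup(words, key):
    """Map a dice key to its word (KeyError if the list lacks that key)."""
    return words[key]


def generate_passphrase(words, n_words):
    """Roll dice n_words times; requires a complete list so every key hits."""
    if len(words) != LIST_SIZE:
        raise ValueError("word list must contain exactly %d entries" % LIST_SIZE)
    return " ".join(lookup(words, roll_key()) for _ in range(n_words))


def bits_of_entropy(n_words, list_size=LIST_SIZE):
    """Entropy of n words chosen uniformly: about 12.9 bits per word."""
    return n_words * math.log2(list_size)


def average_years_to_crack(n_words, guesses_per_second, list_size=LIST_SIZE):
    """Expected time for an attacker who knows the list and the method and
    must on average try half of the list_size**n_words possibilities."""
    keyspace = list_size ** n_words
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("7 words:", round(bits_of_entropy(7), 1), "bits")
    print("years at 1e12 guesses/s:", round(average_years_to_crack(7, 1e12) / 1e6, 1), "million")
```

At a trillion guesses per second the seven-word keyspace gives roughly 27 million years on average, matching the figure cited above; six words drop that by a factor of 7,776.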
Thorsheim, unlike Bonneau and Lee, thinks it's OK if the passwords are not truly random. Remembering passwords is hard because "there's nothing fun about it, nothing that makes your brain want to remember," he told Motherboard. That's why he suggests using long passphrases that make some sense to you, are personal (no famous quotes or lyrics, sorry) and create a positive association. For example, he said, a phrase from a lullaby that your mother sang to you when you were a kid could be a pretty good passphrase.

For his most important passwords, Bonneau uses practically the same method he devised in the experiment. He creates a random passphrase with a script he himself coded, writes it down on a post-it that he keeps in his wallet and then trains his brain to remember it.

"After a few days I type it and don't take it out of my wallet anymore," he told Motherboard.
In real life, there's another challenge, though: repeating this method for all the websites or services we use passwords for is a daunting, if not impossible, task. That's where you can give your brain a little help and use a password manager, which will create, store, and remember strong random passwords for you. As password expert Troy Hunt told me, "remembering one thing is not the problem, remembering dozens of things is the problem."

That's why all the experts I talked to recommend the use of a password manager such as LastPass, 1Password, KeePassX, or Dashlane. With those, you just need to remember one password or passphrase, the one that unlocks all the others. That one should be the long, ideally random password that you can train your brain to remember.

At that point, all you need is some dice, a post-it, and some patience—your brain will do the rest.

Jacked In is a series about brains and technology.