Passwords and the Limits of Imagination

We're often asked to think of "good" passwords. How good are we?

Posted Dec 11, 2013

art by Vlatko Vasic

Text-based passwords seem to be a necessity for any kind of use of information technology. The benefits are multiple: they are easy and cheap to implement, are familiar to virtually everyone, avoid the privacy issues associated with biometric identification (such as fingerprints), and do not require physical objects. Unfortunately, there are some downsides too. If you’ve had trouble remembering your online passwords, you’re not alone.

The average user has to keep track of 25 password-protected accounts. So-called “strong” passwords, being long strings of meaningless symbols (such as kk$%d83^), are nearly impossible to remember. To combat this massive memory overload, people resort to tricks, such as using the same password for multiple accounts, writing passwords down, or using “meaningful” passwords that are easy to reconstruct in one’s mind, for example the name of one’s daughter or pet.

Unfortunately, these tricks are at cross-purposes with the whole point of passwords, which is to prevent other people (and bots) from figuring them out. So-called “weak” passwords are commonly used, but they are also easier for hackers and their software to crack. If people are allowed to choose their own password, they will often choose something like “password,” making those accounts very easy to hack.

New authentication methods are now in use, such as graphical passwords (pointing at particular parts of an image), but the research done so far on this particular method is inconsistent. Unfortunately, for text-based passwords, there appears to be a trade-off between usability and memorability on the one hand and security on the other: increasing one seems to decrease the other. As of today, there is no simple solution to the problem. The limitations of our memory and imagination make it difficult. With hope, the technologies and ideas of tomorrow might make our online lives less of a headache than they are today.

Pictured: "Enter Password" by Vlatko Vasic. From Wikimedia Commons.  

Further reading:

Robert Biddle, Sonia Chiasson, and P.C. Van Oorschot. Graphical passwords: Learning from the first twelve years. ACM Comput. Surv., 44(4):19:1–19:41, September 2012.

D. Florencio and C. Herley. A large-scale study of web password habits. In WWW’07, Banff, Canada.

D. Florencio, C. Herley, and B. Coskun. Do strong web passwords accomplish anything? In USENIX HotSec’07.