If you’re like most people, your passwords are terrible. You might have just one insecure password that you use for everything.
A pair of computational linguists at the University of Southern California have a possible answer to your easy-to-hack habits. They set out (pdf) to automatically generate unique passwords that are both easy for humans to remember and very difficult for computers to crack. They found inspiration from, of all things, poetry.
“But my password is great!” you protest. “It has a capital letter, and I used a ‘zero’ instead of an ‘o’!” That’s not nearly good enough.
To make a “strong” password that they won’t forget, people fall back on common behaviors. Take a normal but uncommon word, like “lighthouse.” Capitalize the first letter. Replace letters with similar-looking numbers. Put a symbol at the end. That might give you Lighth0us3!. This will pass all of those “password strength” tests that you see when signing up for a new service.
Problem is, a short word with such predictable alterations is trivial to crack. A hacker can easily check for common words but with a zero instead of “o” and a three instead of “e.” As a classic xkcd comic suggests, you’re better off just selecting four common words—like “correct horse battery staple”—and creating a mnemonic around them.
The USC linguists experimented with three different solutions to this problem. All aimed to turn a list of 60 random 1s and 0s—representing “60 bits of entropy” in the jargon—into memorable English.
First they tried the “All letter method,” mapping a 1 to certain letters and a 0 to others, then created sentences of meaningful English. Second, the “Frequency method” was basically the same idea, but allowed rare words to represent several 1s and 0s per letter, meaning the resulting sentences could be shorter. Finally, they created poems of two eight-syllable lines, in iambic pentameter, complete with rhymes. Here’s some example output:
Parking and utilities have been searching for a third straight road win
It was the same girl and now a law professor in the former east german town
The review found a silver tree through documents and artifacts
These big questions are bothering me a bit stronger
Joanna kissing verified / soprano finally reside
Surprise celebrity without / the dragging allison throughout
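To make the “All letter method” concrete, here is a small added example in Python (my own sketch, not code from the USC paper): every letter of a word stands for one bit, a random 60-bit string comes from the OS random generator, and the word sequence is chosen so that it spells out exactly those bits. The letter partition and the tiny vocabulary are assumptions made for the demo; the paper’s real mapping and word list are different and much larger.

```python
import secrets
from typing import Dict, List, Optional

# Constructed demo: letters in ONE_LETTERS encode a 1 bit, every other letter a 0 bit.
# The partition and the vocabulary are my own choices, not the ones in the USC paper.
ONE_LETTERS = set("iost")
VOCAB = [
    "be", "at", "on", "is",  # patterns 00, 01, 10, 11: any even-length bit string is coverable
    "the", "and", "cat", "stone", "road", "moon", "tiger", "house", "silver", "lantern", "window",
]

def word_bits(word: str) -> str:
    """Bit string carried by a word under the letter partition."""
    return "".join("1" if ch in ONE_LETTERS else "0" for ch in word.lower())

# Index the vocabulary by the bit pattern each word encodes (first word for a pattern wins).
BY_PATTERN: Dict[str, str] = {}
for w in VOCAB:
    BY_PATTERN.setdefault(word_bits(w), w)
MAX_LEN = max(len(p) for p in BY_PATTERN)

def random_bits(n: int = 60) -> str:
    """n bits from the OS CSPRNG: this, not the wording, is where the strength comes from."""
    return format(secrets.randbits(n), f"0{n}b")

def encode(bits: str) -> Optional[List[str]]:
    """Cover the bit string with words, longest match first, backtracking (memoised on the
    suffix position) when a greedy choice leaves a tail that no word can cover."""
    memo: Dict[int, Optional[List[str]]] = {}

    def solve(pos: int) -> Optional[List[str]]:
        if pos == len(bits):
            return []
        if pos not in memo:
            memo[pos] = None
            for length in range(min(MAX_LEN, len(bits) - pos), 0, -1):
                word = BY_PATTERN.get(bits[pos:pos + length])
                rest = solve(pos + length) if word else None
                if rest is not None:
                    memo[pos] = [word] + rest
                    break
        return memo[pos]

    return solve(0)

def decode(words: List[str]) -> str:
    """Recover the bits: remembering the words is remembering all 60 bits exactly."""
    return "".join(word_bits(w) for w in words)
```

Because decoding is exact, the sentence carries the full 60 bits of entropy; the vocabulary only decides how readable the result is, and a richer one (as in the paper) gives shorter, more natural text.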
The researchers then tested these results on a small group of subjects, seeing which passwords people remembered most readily and which they preferred. Poetry passwords were among the easiest to memorize. Subjects tended to prefer the sentences, but they weren’t actually that good at remembering them. They would recall the gist of the sentence, but mis-remember the exact wording.
The rhyming and rhythm of poetry could be what makes poem-passwords easier to remember. After all, as the authors point out, this helped ancient bards memorize epic poems so long that people today are reluctant to even read them.
You can try the poem-password generator yourself. Here’s some sample output:
Received rotations certified / affects the Yorkshire countryside
The former trainer organized / a windy belting neutralized
Restrictive Dominic decry / supporting artists specify
The Moscow clearly illustrates / the fluent drummer demonstrates
The giants running scholarship / and Matthew cater fellowship
Supports a single fertilized / surveyed impose a polarized
These long poems and sentences might run afoul of some services’ maximum-character limits on passwords, but such restrictions are generally considered bad practice. And passwords themselves may be on the way out as a means of protecting your information regardless. But way back in 2004 Bill Gates predicted the death of the password, so don’t hold your breath.