New System Uses Photos to Help People Remember Passwords

Dec 25, 2013

Do you have trouble keeping track of your passwords without writing them down or using the same one for all your logins?

Carnegie Mellon researchers have created a new system that combines photos and memory techniques to help people remember their passwords.

The system, which is now being turned into a mobile app, was created by Jeremiah Blocki, a Ph.D. student at CMU, Manuel Blum, a professor, and Anupam Datta, an associate professor.

Blocki said the idea comes from the book “Moonwalking with Einstein” by Joshua Foer. In the book, the author stumbles on the world of memory competitions, where he witnesses people flipping through a deck of cards and memorizing the order in under one minute.

“He thought initially, ‘They must be savants. They must have super memories,’” said Blocki. “And so he started talking to the competitors and they all told him, ‘No, we’re not savants. In fact, we’ve been afraid that someone’s going to come in with photographic memory and blow us all away.’”

In the book, Foer describes two memory practices that the CMU scheme combines. In the “memory palace technique,” people create an imaginary place in their mind and “place items in it.” So, if someone wants to remember their grocery list, they might create an image of their house in their mind.

“You might imagine yourself standing outside the front door of your house and you might imagine a huge tub filled with cottage cheese,” said Blocki. “And that’s your cue to remember cottage cheese.”

Putting the cottage cheese in a tub, instead of in the refrigerator, makes it stand out more in your memory and allows you to move from room to room picturing different objects.

In the second memory technique, a person creates a story using a person, action and object.

Blocki said the app will use this system so that, when signing up, a user will select a photo of a person and a photo of a scene, and then construct a story from those.

“For example, I might show you that photo of the Grand Canyon and ask you to imagine LeBron James standing somewhere in that photo kicking a penguin,” Blocki said. “And I’m not going to ask you to remember that photo, but what I’m going to ask you to do is associate that photo with the story LeBron James kicking a penguin.”

When it comes time to log into a website like Amazon, a user will see four photos. Two will be scenes placed next to people or objects. So, if you see a picture of the Grand Canyon next to LeBron James and a photo of a tent and George Bush, you should remember two stories like “LeBron James kicking a penguin, and George Bush tackling a tiger.” From those you can input a password like kickpentactiger using pieces of the story that are not shown in the photos.

“If I only ask you to remember nine stories, already we can get very high levels of security,” said Blocki.

The photos for those nine stories can then be mixed into a total of 126 separate passwords, although people would have only a single password for each site they log into.

Blocki said there are a few sites where the system hits trouble—those that require people to use numbers or special characters. He said, in those cases, people should just include a simple 1 or ! at the end of their password and write down on a note card that they did it for specific sites.