Making Passwords Easier to Remember and More Secure
I had the privilege of attending a couple of sessions at the MAAWG (Messaging Anti-Abuse Working Group) conference in San Francisco yesterday. The keynote was given by Dr. Markus Jakobsson, principal scientist at PayPal, whose primary theme was improving Internet security and how we might accomplish that.
A particularly interesting part of Dr. Jakobsson’s talk focused on improving authentication for mobile phone users. PINs are a pain to use for authentication, particularly on mobile devices, and they are relatively easy to guess: about one-quarter of PINs are a spouse’s birthday. Still, PINs are preferable to passwords on mobile devices, largely because on-screen keyboards apply auto-correction to typed text, which makes entering a password tedious and slow (about 20-30 seconds for a typical password). Adding to the problem, good, secure passwords are difficult to remember simply because they are weird, and the more secure the password, the weirder it is.
As an alternative, Dr. Jakobsson suggested the use of “fastwords”: simple words from everyday vocabulary that reflect an individual’s own experiences. A single dictionary word is not a particularly secure authenticator because there are only about 64,000 such words (at least in English), so a fastword instead consists of three words that together tell a story. For example, if you had had a car accident on the way home from your high school prom, you could distill that story into “accident dad yelled” and use that phrase as your fastword.
Dr. Jakobsson’s testing of fastwords versus passwords for mobile phone users has yielded some interesting results:
- Fastwords are much quicker to enter: 8 seconds versus 20-30 seconds.
- Fastwords are much more difficult for an attacker to guess: a success probability of 2^-43 per guess versus 2^-18 for normal passwords. Even if the first word of a three-word fastword is given away as a hint, the average probability of guessing the fastword is 2^-21.
- Fastwords have a higher recall rate than passwords: in one experiment, fastwords had a 36% recall rate after three weeks (48% after a hint) compared to 14% for simple passwords, 6% for strong passwords, 2% for very strong passwords, 26% for a four-digit PIN, and 29% for a six-digit PIN.
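The figures above come from Dr. Jakobsson’s user study, not from a formula, but the arithmetic behind the 64,000-word argument is worth seeing. The following Python is an added example, not code from the talk or the post: it computes the guessing resistance of a k-word phrase under the idealized assumption that every word is equally likely, converts the page’s quoted probabilities (2^-43, 2^-18, 2^-21) into bits for comparison, and then shows how much resistance is lost when people favour common words, using a constructed Zipf-like word-frequency distribution as a stand-in for real user choice. The vocabulary size and the Zipf exponent are assumptions for illustration.

```python
import math

# Assumptions for illustration (not measured values from the talk)
VOCAB_SIZE = 64_000        # the page's rough count of everyday English words
WORDS_PER_FASTWORD = 3


def uniform_bits(n_words: int, k: int) -> float:
    """Bits of guessing resistance if every k-word phrase from an
    n_words vocabulary were equally likely: log2(n_words ** k)."""
    return k * math.log2(n_words)


def bits_from_probability(p: float) -> float:
    """Turn a per-guess success probability p = 2**-b back into b bits,
    so the page's 2^-43 / 2^-18 / 2^-21 can be compared directly."""
    return -math.log2(p)


def bits_after_hint(n_words: int, k: int, revealed: int) -> float:
    """Uniform-model resistance left once `revealed` of the k words are known
    (e.g. the first word given away as a hint)."""
    return (k - revealed) * math.log2(n_words)


def zipf_distribution(n_words: int, s: float = 1.0) -> list[float]:
    """Constructed Zipf-like frequency distribution: the r-th most common
    word has weight 1 / r**s. Stand-in for how people really pick words."""
    weights = [1.0 / (r ** s) for r in range(1, n_words + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def min_entropy_bits(probs: list[float], k: int) -> float:
    """Min-entropy of k independently chosen words: the attacker's single best
    guess is the most common word repeated k times, so resistance is
    -k * log2(p_max). This is the number that matters for online guessing."""
    p_max = max(probs)
    return -k * math.log2(p_max)


def compare(n_words: int = VOCAB_SIZE, k: int = WORDS_PER_FASTWORD) -> dict:
    """Collect the idealized, quoted and skewed-choice figures side by side."""
    return {
        "uniform_3_words": uniform_bits(n_words, k),
        "uniform_after_first_word_hint": bits_after_hint(n_words, k, 1),
        "page_fastword": bits_from_probability(2 ** -43),
        "page_fastword_with_hint": bits_from_probability(2 ** -21),
        "page_normal_password": bits_from_probability(2 ** -18),
        "zipf_min_entropy_3_words": min_entropy_bits(zipf_distribution(n_words), k),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:6.1f} bits")
```

Under the uniform model three words give about 48 bits, and revealing the first word leaves about 32; the study’s 43 and 21 bits are both lower, which is what you would expect when real users choose some words far more often than others. The Zipf line makes that effect vivid: if choices were as skewed as the constructed distribution, an attacker who simply guesses the most popular word three times would face only a handful of bits, so a deployment should measure the actual word distribution and rate-limit guesses rather than trust a vocabulary-count argument.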

Comments
Setec Astronomy
Too Many Secrets
FastWords
Wouldn’t most people’s common experience be “I hate passwords,” which has a 1:1 probability of being guessed?