Human memory, or the lack of it, is the biggest security bug on the 'net

The life of the security IT professional would be a lot easier if people were capable of remembering enough passwords so that they didn't need to reuse them. That was the considered opinion of Facebook’s head of security Alex Stamos and Google’s security princess (her actual Chocolate Factory job title) and Enigma 2017 …

  1. Oh Homer
    Paris Hilton

    Alternatively...

    Just use a password manager.

    Now, what was the question again?

    1. Charles 9

      Re: Alternatively...

      Using a password manager requires a trusted computer. What if the only available computer is communal or the person travels a lot without benefit of a laptop?

      1. Oh Homer
        Facepalm

        Re: "the only available computer is communal"

        Your smartphone is "communal"?

        Also, password managers tend to use encryption and a master password, and at least in the case of KeePass also support multiple databases (each strongly encrypted with a unique master password), so questions of trust and sharing are moot.

        These databases can also be accessed directly by KeePass over the network via SFTP and other protocols, so they're available to all your devices running KeePass (every major OS is supported) in every location, whether at home, on the road or at work.

        Personally I run it on the (Linux and Windows) desktop at home, and on Android when I'm out, and all three systems share the same encrypted database on the same FTP server.

        Even if I forget my smartphone or it runs out of juice, I can always run the portable version of KeePass on whatever system I have available at my destination.

        It certainly beats writing hundreds of passwords down on Post-It notes.

        1. Tom Chiverton 1

          Re: "the only available computer is communal"

          Or use a deterministic password manager... then all you need is something you can run JavaScript on

        2. Vector

          Re: "the only available computer is communal"

          Your smartphone is "communal"?

          No...

          But your smartphone is connected to that great community in the sky known as the internet. As soon as someone can sneak a key logger on to it, all your password are belong to them. Not just for the sites you use from that phone, every password in your safe!

          1. Doctor Syntax Silver badge

            Re: "the only available computer is communal"

            "As soon as someone can sneak a key logger on to it, all your password are belong to them."

            In that case you have a problem irrespective of how you store your passwords.

          2. Oh Homer
            Headmaster

            Re: "sneak a key logger"

            Well, let's examine the options.

            Option #1 is reuse the same password for hundreds of services, from banking to email, thus losing everything in the event that this one password is compromised once on any one of those services, such as that dodgy phpBB forum you visited last week.

            Option #2 is access an encrypted database of passwords over an encrypted connection behind a firewall on a system running antivirus and other security software, with the remote possibility that all of those security measures might simultaneously fail and you'll become the only person in history to be compromised by a keylogger that defeats the KeePass "Two-Channel Auto-Type Obfuscation" anti-keylogger technology.

            I punched those numbers into my probability calculator and it says ... "1" is more likely.

            1. LaeMing

              Re: "sneak a key logger"

              I use option 1.5 - A small number of hard+unique passwords for important stuff (Financials, home computer, message boards I frequent often, etc). A few hard+shared passwords for non-critical things I trust, but also wouldn't be mortified by a compromise on (message boards I don't care about so much, work PC - mainly due to their crappy password rules!), mentally-generated-on-the-fly soft passwords for all those crappy sites that insist you have an account to do things that shouldn't actually need one for (usually linked to likewise-generated throw-away email accounts).

            2. Vector

              Re: "sneak a key logger"

              "Option #2 is access an encrypted database of passwords over an encrypted connection behind a firewall on a system running antivirus and other security software, with the remote possibility that all of those security measures might simultaneously fail"

              We were talking about using a password safe on a smartphone which fails many of the above conditions. I looked at the obfuscation system you referenced and it looks like a fine way to guard passwords in the safe but it does nothing to protect the password to access KeePass itself. That is the real issue.

        3. Dave 15

          Re: "the only available computer is communal"

          My smartphone is sometimes lent to wife, kids, even on occasion colleagues who need to make a call when their battery is dead (mine is an ancient Nokia so lasts longer than all of theirs added together).

        4. HieronymusBloggs

          Re: "the only available computer is communal"

          "Your smartphone is "communal"?"

          Smartphone? What smartphone? Even in 2017 not all of us carry a permanently-on surveillance device everywhere.

      2. Paul Crawford Silver badge

        Re: Trusted computer

        A trusted computer/device for a password manager is the key problem. While my home PC/laptop might be fairly trustworthy, I would not put them up there as unhackable. As for my Android phone - please, just don't go there!

        A possible solution is something like the old RSA key-fob that could be used to salt+hash some account detail to provide a complex password. As it is off-line it is practically impossible to hack without an agent physically compromising it, and it is small enough to be carried with your house/car keys, etc, where ever you go. Many UK banks use card reader things to the same ends, but a more general purpose one would be good.

        USB style devices are all very well, but need the PC to be cooperative (so no play on corporate locked-down machine) and you're fscked if you bought a new Macbook and forgot your fistful of dongles.

      3. Truckle The Uncivil

        Re: Alternatively...

        @Charles 9

        Would you consider your phone (or other portable device) a trusted computer?

        1. Charles 9

          Re: Alternatively...

          NO. It has to operate on untrusted airwaves and is MUCH easier to nick or hack.

    2. BillG
      FAIL

      Re: Alternatively...

      For pity’s sake, stop reusing passwords

      Tell that to Podesta. According to Assange, Podesta's password was "password".

    3. no-one in particular

      Re: Alternatively...

      Or a deterministic password generator, like - a plastic card in your wallet

      https://www.tindie.com/products/Russtopia/crd-password-generatorrecall-card/

  2. Player One
    WTF?

    Try blaming the correct people next time.

    So these overpaid asswipes reckon it's the fault of the user and not the fault of the other overpaid asswipes who keep losing all the passwords from badly secured websites.

    1. Infernoz Bronze badge
      Facepalm

      Re: Try blaming the correct people next time.

      No; users must accept some responsibility for their own security and use strong unique passwords, via a separate strong encrypted password store (not just in an OS user account), because however good a site's security is, some may eventually suffer a compromise, including by side attacks and staff, especially from/via lower paid outsource staff!

      Security is a process and never absolute, because there is an arms race between the defenders and the attackers, and there can be unexpected bugs in security.

      1. Neil Barnes Silver badge

        Re: Try blaming the correct people next time.

        Except...

        How many sites that require passwords actually *need* them? How many shops require a login for what is in all likelihood a single transaction? Do they really need to keep details of my name and address and credit card?

        1. ecofeco Silver badge

          Re: Try blaming the correct people next time.

          I'm starting to see some shops not require a login and password to make the one time or occasional purchase.

        2. veti Silver badge

          Re: Try blaming the correct people next time.

          Fine. If you don't want to revisit the shop and reuse the account, just give it a random string for a password. (Mash some keys into a text editor until it looks suitably gibberish, then copy and paste it into the password and confirmation boxes. Remember to close the text file without saving.)

          More importantly, though: always, always make sure to untick the "record my card information for future purchases" option. That way, if anyone does crack your account, they're still no closer to being able to spend your money.

          What annoys me more is sites - like El Reg, for instance - that require a password that does need to be reused, and does need to be remembered, for a transaction that has close-to-zero impact if compromised. If someone cracks my El Reg password, about all they can do is make some silly and/or offensive comments in my username. I make those myself already, so I'm willing to accept that risk.

          1. Charles 9

            Re: Try blaming the correct people next time.

            "If someone cracks my El Reg password, about all they can do is make some silly and/or offensive comments in my username. I make those myself already, so I'm willing to accept that risk."

            Or they could use it to post politically incorrect stuff and stain your reputation. Or worse, post CP links and get the attention of the law on you.

  3. amanfromMars 1 Silver badge

    Oh please .... let's be serious with zero bullshitting.

    The lack of human intelligence is the problem ...... everywhere. And aint that the gospel?

    In humans though, may that be default and normal.

  4. Adrian 4
    Facepalm

    Bad humans ?

    Or maybe remembering a bunch of things that are intentionally hard to guess just isn't a very good way for humans to authenticate themselves ?

    It's often a good idea to match the solution to the problem : if you need to do a thing often, choose something that you're good at.

    What are humans good at remembering? Probably something involving patterns. Shapes, music, phrases. The problem there is that to enter a reasonably complex pattern, you need an interface that's good at it. Maybe that's easier to solve than trying to make your passwords rememberable but obscure.

    1. Charles 9

      Re: Bad humans ?

      Maybe it's better to learn whether or not the problem at hand is even tractable.

      Consider the First Contact problem. How can Alice and Bob prove their identities to each other if they've never met before? This is essentially the problem we face every time we register to a new site. We don't really know who runs the site, and the site doesn't know a thing about us.

      The thing is, the First Contact problem is logically intractable. With no common point of reference, there's no way for Alice to prove she is Alice and not someone else posing as Alice. Not even Trent can help since Trent can be a double agent and has to be vetted himself, creating a Turtles All The Way Down conundrum. It's a Catch-22. You need common ground to create trust, but you need trust to create common ground.

      That's why we can't seem to find a simple solution: because there's no solution full stop. We're just trying to make impersonation as hard as possible, but unfortunately we're stuck for the ride. Making things harder for the imposter makes things harder for US, and there's no way to unlink the two since the imposter's job is to BE us, essentially: right down to the DNA if they gotta. And inversely, easier for us is easier for the imposter. Worse yet, it seems the medium is UNhappy: not easy enough for us but not hard enough to thwart the imposter. So, basically, what now, especially when the public demands unicorn solutions?

      1. Adrian 4

        Re: Bad humans ?

        I don't think we care that we can't identify someone we've never met before.

        All we normally want to do is identify that it's the same person that set up the account, or the same person that a bank knows about, or the same person that lives at a certain address. Who that person actually is can't ever be proven : what matters is that the second and subsequent contacts match the first.

        A password (retained secret) is fine for this, as are other tokens such as certificates. In some cases, that certificate needs to be verified by another party such as a bank.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bad humans ?

        That's why we can't seem to find a simple solution: because there's no solution full stop

        Eh? You're talking about trying to solve a different problem here....

    2. Anonymous Coward
      Anonymous Coward

      Re: Bad humans ?

      Or maybe remembering a bunch of things that are intentionally hard to guess just isn't a very good way for humans to authenticate themselves ?

      Bingo! see https://xkcd.com/936/ for how it SHOULD be done.

      1. Commswonk

        Re: Bad humans ?

        Human memory, or the lack of it, is the biggest security bug on the 'net

        I suggest that it's much, much wider than that. Humans ignore simple laws like "don't use your mobile phone whilst driving"; perhaps they think that they won't get caught (unfortunately quite likely true) but in any event accidents happen to other people, not them.

        Human stupidity, more like, as per Einstein's well known thought on the subject. The vulnerabilities of IT systems are publicised ad nauseam so there has to be something more than "memory" to account for people failing to take simple basic steps to protect themselves.

      2. ecofeco Silver badge

        Re: Bad humans ?

        https://xkcd.com/936/

        Phrases do seem to be the easiest to remember.

        1. Charles 9

          Re: Bad humans ?

          But what happens when your memory is SO bad that your recall instead produces "donkeyenginepaperclipwrong"?

      3. VinceH

        Re: Bad humans ?

        "Bingo! see https://xkcd.com/936/ for an opinion on how it SHOULD be done.

        Fixed that for you.

        And the reason I made that fix because it's an opinion I do not share.

        For a start, the end panel's claim that "You've already remembered it" was wrong for me the first time I read it - it was a couple of years of seeing references to (and re-reading) that strip before the example password finally committed itself to my memory.

        Then there's the problem that it's just one password, and it's seemingly just a random string of things with no context - so if someone goes to a particular website they use and needs to log in, how do they remember if their password was correcthorsebatterystaple, versus typicalzeusapplemarch which they used on another site, or walletbottlemonksplatter from another, and so on.

        IMO, it only potentially solves the problem if we only ever need one password - and people using just one password is a part of the problem under discussion.

        Edit: Lest I forget (see the problem?) my own solution is to use KeePass. Can't recommend it enough.

  5. Duncan Macdonald

    Reuse of passwords

    Like many people I have a number of accounts - but many of them are for sites like the register where the consequences of a hack are insignificant. For such sites I often reuse simple passwords - for other sites with financial data (eg PayPal) I use strong passwords that are unique to each site.

    An easy way to generate fairly strong memorable passwords - concatenate a car registration number, a friend's name and the name on a bit of equipment.

    e.g. XNO123SWendyHUDL2 (not a password that I have ever used!!!)

    1. Grifter

      Re: Reuse of passwords

      That's funny, I've got the same combination on my luggage.

    2. Infernoz Bronze badge
      Meh

      Re: Reuse of passwords

      It must become a habit to never reuse passwords for any public resources, and even most private resources, otherwise you may accidentally reuse a password for something security critical or later discover that an insignificant resource suddenly becomes significant, with significant costs e.g. compromise causing loss of reputation, social costs, slander costs, or unintended leakage of critical information. Using different user identifiers can also be a good idea to make compromise even harder and to block other security risks including cross-site profiling/spamming.

      Passwords should never be derived from any publicly discoverable information associated with a person, because this information could be automatically looked up and used by automated cracker scanners; long, secure-random-generated passwords are generally much more secure.

      Everyone should be using a secure (local or remote end-to-end encrypted) password store to keep most user/password details safer than human memory or insecure external storage like unencrypted files or written/printed notes.

    3. Anonymous Coward
      Anonymous Coward

      Re: Reuse of passwords

      I re-use the core part of several passwords, but salt them with certain characteristics of the sites they are used on. This means if one of them is leaked, it can't be used anywhere else. The flaw in the scheme is if the plain text is leaked, a human could work out the salting scheme I use.

    4. Orv Silver badge

      Re: Reuse of passwords

      "Like many people I have a number of accounts - but many of them are for sites like the register where the consequences of a hack are insignificant. For such sites I often reuse simple passwords"

      I used to use that scheme -- until one of those sites had their password database stolen. The sheer annoyance of having to change dozens of passwords all over the web made me switch to using a password manager for "low value" sites. For some very critical things I still use a memorized password.

  6. Ken Moorhouse Silver badge

    Humans are not wired for passwords...

    Visual and spatial challenges are far easier on the brain than letters and numbers that adhere to artificial rules. Some people visualise PINs by their "shape" on a keypad. A London black cab driver would be able to recite every street and every landmark between any two streets in London, this is probably because of the way human memory "leads into" each step of a journey. We all do this to a greater or lesser extent, but not to the extent of annotating the images of the journey with street names, which is part of a cabbie's training. How many of us can recite whole chunks of Alice In Wonderland or a Tennyson poem? But what password protected sites give us this as a choice? Coupled with this is the need for more lenience in the occasional slip of the word, which may be due to forgetfulness on our part when dreaming something up. For instance it might be possible for a user to be excused forgetting the exact case and punctuation used in elements of Break, break, break et al, but to use gray instead of grey would be a grave error.

    1. Swiss Anton

      Re: Humans are not wired for passwords...

      Humans aren't wired for passwords like HJ78#2hhj*2 that many IT policies force on their users, but we are quite good at remembering things that can be visualised.

      For Example, what if my Amazon password was "99 ice cream loving honey badgers ate my hamster!" I reckon that's a lot easier to remember than HJ78#2hhj*2, and it has plenty of entropy. This is not my Amazon password, but if it was it would be easy to remember. Amazon now do Top Gear. Top Gear has a thing about honey badgers. The hamster, well that's obvious, and if there hasn't been a race between Mr Whippy and a kebab van*, well there ought to have been. It all goes together to make a memorable password.

      What is really needed are systems that can take longish passwords and some training to get people to be creative.

      (*British readers will know exactly what My Whippy and a kebab van are. I suspect the rest of the world has no idea, which is probably why Top Gear haven't done this race.)

      1. Ken Moorhouse Silver badge

        Re: British readers will know exactly what My Whippy and a kebab van are

        ...and this "cultural enclosure" makes them more secure*.

        (Not sure about My Whippy though - I remember Mr Whippy - you must have gone to a school where they had more -er- exclusive tuition lol).

        *I went to a seminar once where some American company launched some software or other. The screenshots had these weird first names and surnames in them. The presenter felt he needed to apologise for them. He did so by explaining that the people responsible for the Powerpoint were asked to pitch it to us Brits, and they were trying to come up with authentic English names (e.g., Archibald, Enid, etc.).

      2. Swiss Anton

        Re: Humans are not wired for passwords...

        "... My Whippy ...", er, sorry folks. I meant "... Mr Whippy ..." but that also sounds so wrong.

    2. Charles 9

      Re: Humans are not wired for passwords...

      What about DISABLED people, though? Visual puzzles are lost on the blind, audio puzzles lost on the deaf, yet sites are legally obligated to accommodate them.

      1. Ken Moorhouse Silver badge

        Re: What about DISABLED people, though?

        Unless you are the pinball wizard there are still choices, just as there can be with traditional password entry. Having written software for a provider of IT equipment for the visually impaired I can say this segment of the population is not without facilities to visualise password cues. Deaf people can see images and use a keyboard, so not sure what the problem is there.

        1. Charles 9

          Re: What about DISABLED people, though?

          BLIND people CAN'T. That's why image-based CAPTCHAs get sites in trouble. The best systems kind of require full sensual acuity to work, but of course not all of us have that, so the law requires fallback methods...which miscreants can exploit by simply claiming to be blind and so on to get simpler puzzles.

          1. This post has been deleted by its author

  7. Doctor Syntax Silver badge

    with the aid of a very nice bottle of Ardbeg scotch.

    “Passhword reushe, it’s the worsh proble on the inter in thing”

  8. SImon Hobson Bronze badge

    Actually, lets blame the sites ...

    Yes, those sites that insist on a password length longer than you normally use - so you have to remember a "non-standard" pattern.

    Or those that impose a short maximum length - same problem.

    Or those that insist on stupid combinations - so you have to remember that this site has a % (or whatever). Or those that impose restrictions the other way.

    I have a system that allows me to use a different password for each site - by using something that's common to most things, combined with something that's different for each site. Yes, if someone got hold of a number of passwords then they'd be able to figure out the system - but if that happens then I've almost certainly got far worse problems. But there's no way that given a single password hacked from a single site you'd be able to log into any other site.

    But, this system is blown apart by the above mentioned, well meaning, idiots who for various reasons stop me using something that my system deals with.

  9. jake Silver badge

    But users ARE the problem!

    It might not be politically correct, but that's a fact nonetheless. If there is one thing that I've learned over the last 40+ years of working with computers & networks, it would be that humans, as a group, are ineducable when it comes to personal security.

    I think it was Einstein who said “Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

    1. djnapkin

      Re: But users ARE the problem!

      Indeed. For example my wife has KeePass with AutoType at her fingertips, and uses Firefox to remember her passwords for sites. Despite this she uses the same two passwords everywhere. Until I notice, anyway.

      Was it Gary Clail who sang, "There's something wrong with human nature" ?

  10. adam 40 Silver badge

    All websites are fundamentally insecure

    As soon as you realise that all these sites are insecure, as you can just log in with a username and password anytime and from anywhere in the world, then the problem goes away.

    Just don't keep any private data on them and use the same password everywhere - job done.

    1. Orv Silver badge

      Re: All websites are fundamentally insecure

      The problem comes in when someone takes over your accounts and starts using them to impersonate you. While YOU may be aware the site is insecure and shouldn't be trusted, others who read "your" posts may not.

      1. Charles 9

        Re: All websites are fundamentally insecure

        Plus what if the miscreant decides to sully your image? They could post controversial materials, or worse, NSFW or even illegal stuff. Images are difficult to keep clean and very easy to tarnish.

        1. I am the liquor

          Re: All websites are fundamentally insecure

          "what if the miscreant decides to sully your image?"

          That's why when you signed up, you didn't use your real identity, Mr 9.

          1. adam 40 Silver badge

            Re: All websites are fundamentally insecure

            Quite.

            My "image" is In Real Life.

            All the rest is imaginary - it's in your mind, not mine.

          2. Charles 9

            Re: All websites are fundamentally insecure

            They can still trace you by your IP, then trace you from that to your ISP. And there's no guarantee LEOs don't have ways to track you through relay chains. Remember that the Feds found a way to take down the owner of Silk Road, a TOR Onion site, so we know it's possible.

  11. Big_Boomer Silver badge

    Layered security

    I, like many here, use a password manager and I use layered security. Yes, I reuse a comparatively simple password for sites where I really don't care about the security as the damage that can be caused by someone else knowing that password is minimal. For other sites I use a more complex password and change it moderately frequently where I care more about my data. For sites that need better security I use one off passwords and also change these fairly frequently. I have over 200 different passwords (for over 500 different logins), many of which change at least once per year and there is no way in hell anyone is going to remember them all.

    Too many sites insist that you create an account to interact with that site when that interaction is minimal or else very low risk. There has also recently been a proliferation of sites where you can login with your Facebook/Google account which simplifies things somewhat, until someone hacks their databases at which point you are screwed. I am not sure what the solution is, but asking us to remember more complex passwords is NOT the answer, and neither is centralised ID databases.

  12. Dave 15

    Password misery

    I HATE websites that set their own arbitrary rules about password length, whether it has to have different cases, numbers, special characters and the rest. Frankly stop telling me about my passwords, if I choose something less safe it is probably because I don't care about what I have on this particular account.

    Then of course reuse, of course we reuse, how the hell else are we going to be able to access the 10, 15, 20 different password protected accounts? Most browsers even store the passwords on request so it doesn't really matter if they are different or the same because once the browser is compromised they are all lost.

    Most corporations even recognise there is a problem, I have one logon that accesses all the corporate sites etc. and is passed round by the system when I update it.

    BTW, why does the register want me to create an account with a password... frankly there is no point in it, same with the bbc, times, telegraph and all the rest. Even if you think it ties me to my comment that is not really sure, there are several dozen people with exactly my name in the world

    1. no-one in particular

      Re: Password misery

      > why does the register want me to create an account with a password..

      > Even if you think it ties me to my comment that is not really sure

      > there are several dozen people with exactly my name in the world

      It isn't tying any identifiable "you" to your comments, but it is tying all your comments together and separating them from everyone else's on each site for the public to see - even if 20 other people created accounts with the same visible handle of "Dave 15" clicking on the hyperlink that is on one of *your* comments will show *your* history, it won't mix in any of the other "Dave 15". If you change your visible handle, the trail remains.

      (note: some forums allow/encourage handle changes, some prevent it: I haven't checked what The Register does)

  13. Anonymous Coward
    Anonymous Coward

    Next fireplace chat: trust Google and Facebook as your authentication managers!

    That's what they're aiming for. The next step is to suggest that you should use Google and Facebook as your authentication services, so you don't need to use passwords.

    The fact is, this way they will be able to track you even more efficiently (and also TLAs will have easy access to any account of yours everywhere....)

    And I'm also worried about companies who start to use titles like "princess" (BTW: would they use "prince of security" for a man???). Oh well, Google cronies probably think they are the Kings of the Internet (Emperor Zuck I the Zuckerian may object, of course...)

  14. creepy gecko

    Passwords; Diceware

    GRC's Perfect Passwords is worth a look...

    https://www.grc.com/passwords.htm

    Diceware is another useful approach.

    A password manager is essential these days. How many different accounts and passwords does the average person have to keep track of? I certainly couldn't remember more than a small fraction of mine.

    1. Charles 9

      Re: Passwords; Diceware

      But if you CAN'T use a password manager, say because you don't own the computers you use everyday?

      1. Doctor Syntax Silver badge

        Re: Passwords; Diceware

        "But if you CAN'T use a password manager, say because you don't own the computers you use everyday?"

        The problem then passes to the owners of the computer. If they require you to use sites that require passwords then it's in their own interests to provide a manager. If they don't, then don't use those computers for your private business.

      2. Orv Silver badge

        Re: Passwords; Diceware

        "But if you CAN'T use a password manager, say because you don't own the computers you use everyday?"

        I use a password manager that I can access from my smartphone in that situation. Of course, that does add another attack surface.

        1. Charles 9

          Re: Passwords; Diceware

          They can pwn your smartphone. Plus what if you don't have one?

  15. EnviableOne

    Password Policy

    There is an MS white-paper on this which talks about 4 tiers of accounts

    The UK CESG (cyber security bureau) published a paper on making passwords easier for users and harder for computers, that seemed to lead towards the xkcd approach and caused quite a stir on their security platform.

    Personally, I have started running a two/three tier approach with simple passwords where the risk is minimal, and something more complex where it's less so, with step up where available when needed.

    1. Charles 9

      Re: Password Policy

      The problem is identity theft can use the "low-risk" sites to glean enough information to use social engineering to get access to the higher-risk sites. Even if you use fake information, unavoidable traces like your IP address can be sufficient.

  16. Jin

    Different Memories

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Are you aware of this?

    https://youtu.be/-KEE2VdDnY0

    1. Charles 9

      Re: Different Memories

      "More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts."

      Except the BLIND can't use images, and the law requires sites accommodate the blind and other disabled.

      1. Ken Moorhouse Silver badge

        Re: Except the BLIND can't use images

        That is one of the reasons why sounds are provided as an alternative

        1. Charles 9

          Re: Except the BLIND can't use images

          And they're also easier for mules and machines to interpret, so you're making things simpler for the crackers; they just have to pretend they're blind.
