I Think That I Shall Never See / A Password As Secure As ... Poetry?
We all know "password" is no good, and "1234567" is asking for trouble.
But the more we try to strengthen our passwords, the harder we make them to remember.
It's a thoroughly modern problem — but researchers at the University of Southern California have found a very old solution. Instead of passwords, consider the passpoem:
The tiny villagers explore
a speaker company rapport
Turning random strings of characters into rhymed, metered verse was the brainchild of Kevin Knight, a senior research scientist at USC's Information Sciences Institute and a professor in their Computer Science Department, and Marjan Ghazvininejad, a Ph.D. student at the institute.
They were inspired by an XKCD comic on the trouble with passwords:
Yes, correcthorsebatterystaple is both easier to remember and harder to crack than Tr0ub4dor&3. But Knight and Ghazvininejad set out to use natural language processing to make passwords even more secure and even more memorable.
First, the security: Each password begins as a random 60-bit string (a series of 60 ones or zeros).
"You want to choose your password from a large number of possible passwords," Knight explains. "The larger the number of possibilities it is, the longer it will take an opponent to guess your password."
Their 60-bit string gives them a pool of 2^60 possible combinations; that's well over 1 quintillion. That means it would require "billions and billions and billions and billions of guesses" for a brute-force attacker to crack the password, Knight says — which would take more than a decade.
Second, the question of memory: Knight and Ghazvininejad built a system that maps each initial string onto a poem that strictly follows iambic pentameter and has perfect rhyme.
Knight, who specializes in machine translation, had done a previous project on translating poetry from Italian into English.
"One of our famous researchers in the field said computers are eventually going to be able to translate very well, but they won't be able to translate poetry," he says. "So I kind of took that as a personal challenge."
After all, he notes, "computers might even be better than humans at, say, trying to come up with a five-syllable word that rhymes with ballistics."
The work on that project helped build the poem generator. And to avoid truly terrible poems, for each initial string, their system builds a million poems — each of which wouldn't appear for any other string. (There are 2^79 possible poems under their system, so they have a lot of extras to work with.)
Then, using natural language processing, only the very best poem — the one that most resembles actual English — is picked as the password.
Of course, that doesn't mean it's deathless verse, but it's easy to learn. For instance, 001110001011000001110100011001101110111010111011110001000100 becomes "Defense intestinal portrays / and started after nowadays."
That result is exactly as secure as the original 60-bit string — even to an attacker who knows the password's general format.
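The scheme described above, scaled down to a runnable sketch: a random secret is given a private block of candidate phrases, the best-scoring one is kept, and the phrase decodes back to exactly one secret. This is an added example, not the researchers' code; the 12-bit secret, the four 16-word lists and the length-based `score` are constructed stand-ins for the 60-bit string, the poem vocabulary and the language-model ranking.

```python
import secrets

SECRET_BITS = 12   # scaled down from the article's 60 bits
EXTRA_BITS = 4     # free bits: 2**4 candidate phrases reserved per secret
# Constructed word lists, 16 words (4 bits) per slot; not the researchers' vocabulary.
SLOTS = [
    "tiny silent golden hollow sudden crooked gentle bitter modern distant humble frozen hidden narrow restless velvet".split(),
    "villagers speakers gardeners travelers painters soldiers neighbors engineers sailors dancers farmers teachers robots pilots poets bakers".split(),
    "explore defend portray deliver forget remember borrow repair follow invent admire collect observe question rescue abandon".split(),
    "rapport ballistics nowadays oblivion companies memories harbors lanterns orchards puzzles rivers statues tunnels windows engines islands".split(),
]
assert all(len(w) == 16 and len(set(w)) == 16 for w in SLOTS)

def index_to_phrase(index):
    """Bijectively map a 16-bit integer to four words, 4 bits per slot."""
    words = []
    for slot in reversed(SLOTS):
        words.append(slot[index & 0xF])
        index >>= 4
    return " ".join(reversed(words))

def phrase_to_index(phrase):
    """Inverse of index_to_phrase."""
    index = 0
    for slot, word in zip(SLOTS, phrase.split()):
        index = (index << 4) | slot.index(word)
    return index

def score(phrase):
    """Stand-in for the 'most resembles English' ranking: prefers shorter phrases."""
    return -len(phrase)

def candidates(secret):
    """All phrases reserved for this secret; no other secret can produce them."""
    base = secret << EXTRA_BITS
    return [index_to_phrase(base | j) for j in range(1 << EXTRA_BITS)]

def encode(secret):
    # The choice among candidates is deterministic, so it adds and removes no entropy.
    return max(candidates(secret), key=score)

def decode(phrase):
    return phrase_to_index(phrase) >> EXTRA_BITS

def new_passphrase():
    secret = secrets.randbits(SECRET_BITS)  # CSPRNG output, never a human choice
    return secret, encode(secret)
```

Because every phrase belongs to exactly one secret, an attacker who knows the word lists and the scoring rule still faces one guess per possible secret, which is why the strength equals the number of random bits and not the length of the phrase.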
Knight and Ghazvininejad also tested sentences as passwords, but found that while their test subjects liked the idea of using sentences, they struggled to remember them. They could recall the general meaning, but not exact phrasing.
The poems were far more memorable: in a small test they ran, more than 60 percent of their test subjects could remember a poem correctly two days later.
Knight acknowledges that not all password-protected sites would accept a password like this: character limits or requirements for numbers or symbols can interfere. "But I think the more these longer passwords become accepted and people realize they're quite good and memorable and secure, sites with password protection will start allowing more," he says.
And on sites that would allow it, Knight and Ghazvininejad caution against anyone picking an existing poem as their password. It might be long and memorable, but it won't be truly random.
In fact, they initially considered drawing from the corpus of existing poetry for the project. But the poems available online number in the millions, not the billions: not nearly high enough for a secure password.
Looking forward, Ghazvininejad thinks there might be room to make their computer-generated poems even easier to memorize. "For example, maybe it's hard for people to memorize abstract words, but it's easier for people to memorize not-abstract words," she suggests. "So we can add psychology to this project and come up with poems that are easier for people to memorize."
Not that any password could be guaranteed to stick in our memories. After all, the human tendency is to forget. Thomas Hardy had a few words to say on that ...
But what has been will be —
First memory, then oblivion's swallowing sea
It's a good couplet. But, Knight and Ghazvininejad would note, it's not a good password.
Copyright 2020 NPR. To see more, visit https://www.npr.org.