Let Your Fingers Do the Remembering

Maybe I’ve missed something, but why isn’t more work dedicated to understanding the link between passwords and memory? Given that we’re supposed to remember our passwords (rather than writing them down on Post-it notes and sticking them somewhere prominent), why don’t we look more closely at the process by which we remember things — and forget them?

Danah of apophenia wrote recently about the somewhat lame password recovery system some websites use, whereby “you have to choose three questions and answer them. The problem is that they are all ‘What is your favorite n’ where n is restaurant, band, movie, song, actor, book, drink, food, place, pastime…” As she points out, favorites tend to change over time, and even if they were stable, such information is likely to be available “all over the web on their profiles for dating and social network sites.”

One commenter notes that Bruce Schneier has written that such password recovery systems are less secure than the password itself, and so advises against using them. Here’s the original link, I believe: Bruce concludes that “The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.”

This is all a roundabout way of writing about a recent experience: one password I have to enter is actually a four-digit PIN used together with a SecurID token (one of those readouts that give a different number every few minutes). Four digits I’ve used since 2000, and yet, after two weeks off, I couldn’t remember them. It was only when I stopped trying to remember that I remembered, if you know what I mean. It’s not that I had forgotten the number; it’s that I couldn’t retrieve the number from my memory. (This is getting way too existential – Ed). The way I “remembered” the PIN was to stop thinking and just type it. My fingers, if you will, remembered it better than my memory did.

I haven’t looked hard, and perhaps there is data on this kind of thing. But this kind of memory must be far more useful than favorite colors and books and the like, which require conscious thought, and conscious thought is vulnerable to forgetfulness and changing habits.
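To make the two pieces of the login described above concrete, here is an added example (not code from this post or from RSA): a server-side verifier for a passcode made of a memorized PIN followed by a time-based token-code. It assumes an RFC 6238-style HMAC-SHA1 code with a 60-second rollover and a constructed demo seed; SecurID’s own token algorithm is proprietary and is not reproduced here.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed for illustration only; a real token seed is
# provisioned per device and never shown to the user.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
STEP_SECONDS = 60   # assumed rollover interval of the token-code
CODE_DIGITS = 6     # assumed token-code length


def token_code(seed: bytes, unix_time: int,
               step: int = STEP_SECONDS, digits: int = CODE_DIGITS) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, then
    dynamic truncation to a fixed number of decimal digits."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_passcode(passcode: str, pin: str, seed: bytes, unix_time: int,
                    drift_steps: int = 1) -> bool:
    """Check a passcode formed as PIN + current token-code.

    The PIN is the memorized factor, the token-code the possessed one; both
    must match. A window of +/- drift_steps is accepted so a code typed just
    before rollover (or on a slightly skewed clock) still verifies."""
    if len(passcode) != len(pin) + CODE_DIGITS:
        return False
    pin_ok = hmac.compare_digest(passcode[:len(pin)], pin)
    code = passcode[len(pin):]
    code_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        candidate = token_code(seed, unix_time + k * STEP_SECONDS)
        # Evaluate every candidate so timing does not reveal which step hit.
        code_ok |= hmac.compare_digest(candidate, code)
    return pin_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    print("current token-code:", token_code(DEMO_SEED, now))
    print("valid:", verify_passcode("1234" + token_code(DEMO_SEED, now),
                                    "1234", DEMO_SEED, now))
```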

18. August 2006 by jeremy
Categories: Scams, Security | 2 comments

Comments (2)

  1. Hey Jeremy,

    You can get RSA SecurIDs which have a 30-second cycle on special order, but almost all SecurIDs — the 128-bit AES tokens, as well as the classic 64-bit tokens — have a 60-second rollover to a new pseudo-random number: the 6 or 8 digit SecurID “token-code.” It’s practically a trademarked rhythm. AFAIK, there are no SecurIDs which roll over “every few minutes.”

    That said, there is a lot of fascinating research on passwords and pass phrases, but most I recall explores the relative security of these “shared secret” techniques, rather than the question of why we remember and why we forget. That’s probably a lively topic in brain research or neuropsychiatry, both hot fields with the revelations of the new bioscanning techs. Muscle patterns surely have their own memory and recall cycles.

    For 20 years, you might recall, there have been attempts to sell “biometric” authentication products which identify a person by his or her typing pattern. None have proven dependable or trustworthy enough to crack the corporate market, but as security gets pushed down into home PCs, maybe they will have their day in the sun. (Personally, I’d bet on voice-based authentication instead — and neither as more than a complementary “second factor” to a memorized password.) Your synaptic retrieval of a password or PIN can rely on either your “conscious memory” or your “muscle memory,” whereas any authentication or authorization system which relied on only one would inevitably be less dependable.

    I hope your experience will make you sympathetic to all of us corporate drones who endure Draconian security policies which routinely force wholesale changes in passwords, invariably accompanied by dire warnings that no one should write these (suitably complex) passwords down anywhere. I’m a spear-carrier for 2FA and tokens, so I’m biased, but I suspect this sort of institutionalized silliness contributes greatly to the scorn many working stiffs have for IT Security and its minions.

    _Uno

  2. Pingback: Forever Geek