Does poetry hold the key to highly secure passwords?

Two USC Viterbi computational linguists use a method that takes more than 11 years to break

October 19, 2015 Sheyna Gifford

A good password is hard to find, and even tougher to remember.

The critical balance between security and memorability is famously elusive. Passwords tough enough to withstand an attack are impossible to memorize. The words and short phrases that agree to stay in our brains can be cracked in a matter of hours, if not minutes. From brilliant mathematicians to colorful cartoonists, some of our best minds have tried their hands at solving the persistent password problem.

Where they came up short, USC computational linguists may have succeeded. Harnessing a time-honored method of memorization, Marjan Ghazvininejad and Kevin Knight from the USC Information Sciences Institute applied poetry to the problem. The result is memorable passwords that take more than 11 years to break. Such passwords promise to make online browsing, banking and shopping more secure, once people start using them.

How it works

Here’s how what Knight and Ghazvininejad call the “Poetry Method” works. Their program starts with a 32,000-word dictionary. Each entry is assigned a unique 15-bit code represented by 0s and 1s. The computer program then randomly creates a string of 60 0s and 1s and fits the words to it like a jigsaw puzzle. It chooses two words that rhyme and places them at the end of two very short sentences. The end product is a 16-syllable password that looks like this:

Sophisticated potentates
misrepresenting Emirates.

Or this:

The supervisor notified
the transportation nationwide.

Because they are randomly generated, these passwords can withstand modern hackers. Meter and rhyme make the randomness memorable.

Poetry has rhythm and rhyme that can help people memorize the password better.

Marjan Ghazvininejad

“Poetry has rhythm and rhyme that can help people memorize the password better,” Ghazvininejad said. “I think people prefer to memorize passwords in poetry form, compared to some phrases.”

It may seem farfetched that with a few words, someone could memorize 60 random digits, but think about it for a millisecond. Rhythm, rhyme and meter allow ordinary women and men to memorize epic poems like “The Odyssey,” with its 12,000 lines. Poetry has been a preferred form of memorization since before recorded time.

“All the [other] efforts people go through to generate random passwords, they fail,” said Knight, a professor in the USC Viterbi computer science department. Where they fall short, this “mix of a highly technical topic and a highly humanities product,” as he put it, succeeds.

In two recent tests conducted by Ghazvininejad and Knight, the password Poetry Method beat four other password generation programs for security, likeability and memorability. Weeks after being given a randomly generated 16-syllable poem password, 61 percent of study participants correctly recalled it.

Alternate method

The only other password program that came close was the one suggested by cartoonist Russell Munroe in the Web comic XKCD. In that method, four random words are strung together, representing a 44-bit string. The words themselves make sense — horse, house, battery, footbridge — but their order is meaningless and non-rhythmic. Because of that lack of musicality, presumably, even though the XKCD method only requires the user to remember four words, only 58 percent of the participants could recall them weeks later.

According to Ghazvininejad, short phrase methods like the XKCD can be hacked in a matter of months, which is how long it takes to check 244 word combinations. In the Poetry Method, the number of passwords that the hacking computer has to check is 260.

“Based on modern computer speeds, and how many comparisons they can do,” Ghazvininejad said, “it would take at least 11.3 years to go through half of them.”

While the Poetry Method is superior to many password-generating schemes, it is by no means perfect. Nearly 40 percent of the participants could not recall their passwords, the USC scholars’ study found. This may be because many password poems, at least on the surface, aren’t very salient, or meaningful, to the consumer. A typical example would be:

Joanna kissing verified
soprano finally reside.

To address this problem, Ghazvininejad and Knight will add psychology into the mix. They are seeking ways to keep the passwords secure while making them more personal, more emotionally salient, and therefore even more memorable.

While the Poetry Method has yet to reach 100 percent memorability, the method used by the ancient oral storytellers continues to allow our computer-focused brains to hang on to incredible amounts of information. Is that somehow … poetic?