âSpaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwordsâ, 2014-10-06 (; backlinks)â :
We report on a user study that provides evidence that spaced repetition and a specific mnemonic technique enable users to successfully recall multiple strong passwords over time.
Remote research participants were asked to memorize 4 Person-Action-Object (PAO) stories where they chose a famous person from a drop-down list and were given machine-generated random action-object pairs. Users were also shown a photo of a scene and asked to imagine the PAO story taking place in the scene (eg. Bill Gatesâswallowingâbike on a beach). Subsequently, they were asked to recall the action-object pairs when prompted with the associated scene-person pairs following a spaced repetition schedule over a period of 127+ days.
While we evaluated several spaced repetition schedules, the best results were obtained when users initially returned after 12 hours and then in 1.5Ă increasing intervals: 77% of the participants successfully recalled all 4 stories in 10 tests over a period of 158 days. Much of the forgetting happened in the first test period (12 hours): 89% of participants who remembered their stories during the first test period successfully remembered them in every subsequent round.
These findings, coupled with recent results on naturally rehearsing password schemes, suggest that 4 PAO stories could be used to create usable and strong passwords for 14 sensitive accounts following this spaced repetition schedule, possibly with a few extra upfront rehearsals. In addition, we find that there is an interference effect across multiple PAO stories: the recall rate of 100% (respectively, 90%) for participants who were asked to memorize 1 PAO story (respectively, 2 PAO stories) is better than the recall rate for participants who were asked to memorize 4 PAO stories.
These findings yield concrete advice for improving constructions of password management schemes and future user studies.