Towards reliable storage of 56-bit secrets in human memory (extended version)

Joseph Bonneau, Stuart Schechter

MSR-TR-2014-95 |

Challenging the conventional wisdom that users cannot
remember cryptographically-strong secrets, we test the
hypothesis that users can learn randomly-assigned 56-
bit codes (encoded as either 6 words or 12 characters)
through spaced repetition. We asked remote research
participants to perform a distractor task that required logging
into a website 90 times, over up to two weeks, with
a password of their choosing. After they entered their
chosen password correctly we displayed a short code (4
letters or 2 words, 18.8 bits) that we required them to
type. For subsequent logins we added an increasing delay
prior to displaying the code, which participants could
avoid by typing the code from memory. As participants
learned, we added two more codes to comprise a 56.4-
bit secret. Overall, 94% of participants eventually typed
their entire secret from memory, learning it after a median
of 36 logins. The learning component of our system
added a median delay of just 6.9 s per login and a total
of less than 12 minutes over an average of ten days.
88% were able to recall their codes exactly when asked
at least three days later, with only 21% reporting having
written their secret down. As one participant wrote with
surprise, “the words are branded into my brain.” While
our study is preliminary in nature, we believe it debunks
the myth that users are inherently incapable of remembering
cryptographically-strong secrets for a select few
high-stakes scenarios, such as a password for enterprise
login or as a master key to protect other credentials (e.g.,
in a password manager).