Can we use our understanding of the Forgetting Curve to help users not only remember passwords but also make them stronger?
Incremental strengthening of passwords
Suppose a user creates an 8-character password and uses it until he knows it very well (for a single login, of course!). After one month, the user lengthens this password by a single character. This can be a voluntary act, or one enforced by a password policy, Active Directory, an IDM system, and so on. By repeating this process over several months, the password becomes incrementally stronger over time, with a lower risk of forgetting it.
How much of an improvement can this yield? An 8-character password composed of upper- and lower-case letters, digits, and symbols can be recovered in fewer than 57 days (the benchmark used in this post), but recovery time is dramatically affected by each character you add. For example, again using upper- and lower-case letters, digits, and symbols, here are 2010 estimates of how long it would take to recover a:
- 9-character password: 12 years
- 10-character password: 528 years
- 11-character password: 71,000 years
- 12-character password: 5 million years
- 13-character password: 423 million years
- 14+ character password: 5 billion years and beyond
This is a feasible strategy for a single or perhaps a few passwords at best. It's also feasible if users complement this strategy by using a password manager (and begin by strengthening the password for the manager). However, left without reinforcement, users may not implement this strategy. This is where the reinforcement techniques that Lance suggests in his article about security awareness may be effective for an organization (or even an ISP).
To re-purpose the suggestions for reinforcing key points that Lance shares in his post from security awareness to strengthening passwords, consider some method to:
1. Present the concept of "incrementally strengthening your password" to your users.
2. Reinforce within 48 hours using, as Lance suggests, a follow-up survey that asks users what they remember about the concept and what actions they have taken; for example, have they installed a password manager, strengthened a password, etc.
3. Reinforce within two weeks. Advise your users that the password policy has changed, and raise the minimum password length by one character. You may enforce this through central desktop administration, IDM, or whatever is appropriate for the login you are trying to protect.
4. Raise the bar by increasing the minimum password length quarterly (or more gradually) until you reach a target strength.
5. If your organization hasn't implemented single sign-on, repeat steps 1-4 for another login.
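As an added illustration (not code from the original post), here is a small Python model of the ramp described above: it computes the minimum length in force on a given date, the schedule of increases up to a target, how much the search space grows with each added character, and a change check that rejects passwords which fall below the current minimum or shrink. It assumes a 95-symbol alphabet and a 91-day quarter; the rollout date and sample passwords are constructed.

```python
from datetime import date, timedelta

# Assumption: a 95-symbol printable-ASCII alphabet (upper and lower case
# letters, digits, symbols), the classes the post's 2010 estimates refer to.
ALPHABET_SIZE = 95

def search_space(length, alphabet=ALPHABET_SIZE):
    """Candidates an exhaustive search must cover for a given length."""
    return alphabet ** length

def growth_factor(old_length, new_length, alphabet=ALPHABET_SIZE):
    """How many times larger the search space gets when length rises."""
    return alphabet ** (new_length - old_length)

def minimum_length_on(day, start, base_length, target_length, step_days=91):
    """Minimum length in force on `day` for a ramp that begins at
    `base_length` on `start`, adds one character every `step_days`
    (91 days is roughly a quarter) and stops at `target_length`."""
    if day < start:
        return base_length
    steps = (day - start).days // step_days
    return min(base_length + steps, target_length)

def ramp_schedule(start, base_length, target_length, step_days=91):
    """(date, new minimum, search-space multiplier vs. base) per step."""
    schedule = []
    for step in range(target_length - base_length + 1):
        length = base_length + step
        schedule.append((start + timedelta(days=step * step_days),
                         length, growth_factor(base_length, length)))
    return schedule

def check_password_change(old_pw, new_pw, required_min):
    """Accept a change only if it meets today's minimum and does not drop
    below the user's current length; returns (accepted, reason)."""
    if len(new_pw) < required_min:
        return False, f"must be at least {required_min} characters"
    if len(new_pw) < len(old_pw):
        return False, "must not be shorter than the current password"
    return True, "ok"

if __name__ == "__main__":
    rollout = date(2010, 1, 1)  # constructed rollout date
    for when, length, factor in ramp_schedule(rollout, 8, 14):
        print(f"{when}: minimum {length} chars, search space x{factor:,}")
    today = date(2010, 4, 2)  # constructed: first day the minimum is 9
    required = minimum_length_on(today, rollout, 8, 14)
    print(check_password_change("Ex4mple!", "Ex4mple!9", required))
```

Each step multiplies the search space by 95, which is why the estimates above jump from days to years to millennia with only a few added characters.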
For residential users, adopting a password-strengthening strategy will be more like dieting or training: you have to want to protect against password-based attacks badly enough to make the effort. But you get more immediate benefits than from dieting or training, even if you only increase your online banking password from its current 6, 7, or 8 characters to 10.
This strategy is not a panacea for all the password-related issues we face. But passwords aren't going away, and experimentation of this kind may reduce some aspects of the password problem space for you or your organization.