We need passwords for so many accounts these days—for everything from banking to shopping and working. It’s tricky to come up with an original one for every new site we visit, so it’s no surprise we often resort to reusing the same password over and over again. We think that we’ll never be able to remember a new one, but research shows we may be selling ourselves short.
Dr. Naomi Woods, an assistant professor from the Faculty of Information Technology at the University of Jyväskylä (JYU) in Finland, certainly thinks so. “People are much better at recalling passwords and have better memories than they think they do,” she says. Naomi’s background is in cognitive science, and she’s interested in understanding what drives people’s behaviour when creating and recalling passwords. She and a colleague have recently focused on memory anxiety and how it leads to insecure password behaviour. Their experiments found that, “users who were more anxious about remembering their passwords were more likely to reuse passwords, even though they were no better or worse at remembering their passwords than anyone else.”
In addition to reusing passwords, users sometimes just modify an existing password (changing a number here and there) thinking that will be easier to remember. Naomi and her colleague’s research has shown that this method doesn’t work. She devised an experiment where people had to create unique passwords, reuse passwords, or modify passwords. She found that participants who reused or modified their passwords got muddled about which password belonged to which account, whereas those who created unique passwords didn’t. She explains, “We had a much more successful recall from unique passwords. Most people would think this is crazy, but it’s what we found. It's supported by memory theory too. Plus, the great thing is unique passwords are actually more secure because reusing passwords is insecure behaviour.”
It’s not just user behaviors that can increase password memorability. Tweaks to system designs can also help. In another experiment, Naomi and her colleagues found that if users had to verify passwords for new accounts two or three times, they were more likely to remember them and didn’t feel inconvenienced by the extra input. Associating colours with passwords also increases their memorability.
Users can also use memory techniques, such as mnemonics, to make unique passwords that are more memorable. One of Naomi’s favourite tricks is to create a password using a quote from a shark-based B-movie like “My mother’s a shark, not a robot!” from Sharknado 4. The resulting mnemonic random password (SN4:mm'sas,nar!) is not only memorable, it’s also strong. She explains, “There are so many things out there that we can use to help users. They don’t need a better memory; they just need to know how to make better passwords.”
But watch this space; Naomi has reimagined the whole password problem and is looking to patent a radical new alternative that’s secure, adaptable and user-friendly. The project is based around Seamless Authentication for Everyone (SAFETech) and will be used in existing and emerging technologies. While she can’t divulge the details yet, she’s full of praise for JYU’s research and innovation service who helped her get the project off the ground. They encouraged her to build a business network and provided information about patenting and research funding she could apply for. She says, “I now have a consortium of Finnish companies and research institutions and also international institutions who want to work on this whole thing.”
Using interdisciplinary research to solve real-world problems is so important at JYU that it has established information technology and the human in the knowledge society as a core field of research. Naomi mentions that “it’s very rare to actually have an information technology faculty. Normally, it’s just a small division in a business school. So they actually see it as something that needs a whole faculty and that allows us to bring in people from different disciplines.”
It was this philosophy that prompted Naomi to leave the UK and start her PhD at JYU in 2013. Her supervisor, a world-renowned information security scholar, was looking for students from different backgrounds and she had a Master’s in clinical psychology. But the welcoming atmosphere has been what’s kept her at JYU. She says that she has found her Finnish family, and the bonds she’s built have lasted throughout the COVID-19 pandemic. She has her own office with a beautiful view of the lake and paints an idyllic picture of a safe, clean city where you can bike to work in summer, skate to work in winter and go swimming at lunchtime. She says, “I love being here in Jyväskylä. And I don’t mean just the city, but also obviously the university. There are so many opportunities to progress as a researcher and develop a successful career. And on top of that, there's just such a wonderful opportunity here to have a really lovely work-life balance.”
Naomi is an assistant professor of cyber security in the Faculty of Information Technology at the University of Jyväskylä. She has a PhD in cognitive science from the University of Jyväskylä.