Inkblot passwords

Security freaks tell you that you should always pick a complex, non-intuitive password — a string of gibberish like “xyk95woi”. Most people don’t do this. One day, I asked everyone I knew how they’d developed their email passwords. Sure enough, more than half were just using their own last name — or their birthdate or their cat’s name, or something equally guessable. This is because of a simple human fact: People have trouble remembering long strings of gibberish. They need some sort of mnemonic.

So a couple of Microsoft researchers figured out a funky new technique for generating — and remembering — complex, weird passwords. They present you with a string of inkblots, like the one above. You figure out what each one looks like to you; then you use the first and last letter of each to generate a password — one that is very gibberish-like indeed. For example, if you saw inkblots that looked like a “fly”, a “helicopter”, a “lung” and a “fish”, you’d have “fyhrlgfh” as your password. When you want to log into your email but you’ve forgotten your password, the software simply shows you the exact same bunch of inkblots — and you remember the words you thought of.

The thing is, this system is almost completely uncrackable. Why? Because of another quirk of human cognition: No two people ever think an inkblot looks like the same thing. As a Microsoft report on this notes:

Stubblefield and Simon found out that once we’ve identified the inkblot we see it the same way every time. And even though people sometimes see similar things in inkblots, they describe it in different ways. For instance, almost all the users in their study identified the inkblot below as some type of flying person. But the users described their flying person differently, such as ‘evil flying henchman’ or ‘flying gardener.’
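The derivation rule described above, as an added Python example (it is not code from the post or from the Microsoft researchers): it builds the password from the four readings in the post and then compares the naive 26^(2n) keyspace against the smaller one you get once guesses come from a vocabulary of likely readings. The sample vocabulary and the handling of multi-word descriptions such as “evil flying henchman” are my own assumptions.

```python
import math
import re

# Constructed sample input: the four inkblot readings from the post.
INKBLOT_WORDS = ["fly", "helicopter", "lung", "fish"]

# Constructed, illustrative vocabulary of things people might see in
# inkblots; it is not data from the Microsoft study.
SAMPLE_VOCABULARY = ["fly", "fish", "face", "helicopter", "hammer",
                     "lung", "lion", "bat", "bird", "butterfly"]


def letter_pair(description):
    """First and last letter of one inkblot description, lowercased with
    non-letters dropped. Treating a multi-word reading as one string is an
    assumption; the post only shows single words."""
    letters = re.sub(r"[^a-z]", "", description.lower())
    if not letters:
        raise ValueError(f"no letters in inkblot description: {description!r}")
    return letters[0] + letters[-1]


def derive_password(descriptions):
    """The post's scheme: concatenate the first/last letter of each reading."""
    return "".join(letter_pair(d) for d in descriptions)


def distinct_pairs(vocabulary):
    """The (first, last) pairs that can actually occur when readings come
    from this vocabulary. Different words can share a pair ('helicopter'
    and 'hammer' both give 'hr'), which shrinks the effective keyspace."""
    return {letter_pair(w) for w in vocabulary}


def naive_bits(n_inkblots):
    """Entropy if every lowercase letter pair were equally likely: 26^(2n)."""
    return 2 * n_inkblots * math.log2(26)


def effective_bits(n_inkblots, vocabulary):
    """Upper bound on entropy when a guesser works from the vocabulary:
    each inkblot contributes at most log2(number of distinct pairs) bits."""
    return n_inkblots * math.log2(len(distinct_pairs(vocabulary)))


if __name__ == "__main__":
    print(derive_password(INKBLOT_WORDS))  # fyhrlgfh
    print(f"naive: {naive_bits(4):.1f} bits, "
          f"vocabulary-bounded: {effective_bits(4, SAMPLE_VOCABULARY):.1f} bits")
```

The gap between the two numbers is the caveat a password designer wants: the password looks like eight random letters, but its strength is bounded by how many distinct readings people actually produce, not by the alphabet.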

Mind you, this is also an insanely complicated system — and as security people will tell you, any security system that’s too complex will be abandoned by its users. They’ll go back to using their cat’s name as a password.

But no, in case you’re wondering — my email isn’t “Smokey”.

(NOTE: There is a totally killer discussion of the psychology of passwords taking place in the discussion thread on this topic. Go read it now!)

(Thanks to Slashdot for this one!)

I'm Clive Thompson, the author of Smarter Than You Think: How Technology is Changing Our Minds for the Better (Penguin Press). You can order the book now at Amazon, Barnes and Noble, Powells, Indiebound, or through your local bookstore! I'm also a contributing writer for the New York Times Magazine and a columnist for Wired magazine. Email is here or ping me via the antiquated form of AOL IM (pomeranian99).
Collision Detection: A Blog by Clive Thompson