Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords

We report on a user study that provides evidence that spaced repetition and a specific mnemonic technique enable users to successfully recall multiple strong passwords over time. Remote research participants were asked to memorize 4 PersonAction-Object (PAO) stories where they chose a famous person from a drop-down list and were given machine-generated random action-object pairs. Users were also shown a photo of a scene and asked to imagine the PAO story taking place in the scene (e.g., Bill Gates—swallowing—bike on a beach). Subsequently, they were asked to recall the action-object pairs when prompted with the associated scene-person pairs following a spaced repetition schedule over a period of 100+ days. While we evaluated several spaced repetition schedules, the best results were obtained when users initially returned after 12 hours and then in 1.5× increasing intervals: 77.1% of the participants successfully recalled all 4 stories in 9 tests over a period of 102 days. Much of the forgetting happened in the first test period (12 hours): on average 94.9% of the participants who had remembered the stories in earlier rounds successfully remembered them in subsequent rounds. These findings, coupled with recent results on naturally rehearsing password schemes, suggest that 4 PAO stories could be used to create usable and strong passwords for 14 sensitive accounts following this spaced repetition schedule, possibly with a few extra upfront rehearsals. In addition, we find statistically significant evidence that initially (8 tests over 64 days) users who were asked to memorize 4 PAO stories outperform users who are given 4 random action-object pairs, but eventually (9 tests over 128 days) the advantage is not significant. Furthermore, there is an interference effect across multiple PAO stories: the recall rate of 100% for participants who were asked to memorize 1 or 2 PAO stories is significantly better than that for 4 PAO stories. These findings yield concrete advice for improving constructions of password management schemes and future user studies.