If it works once... "Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords", Blocki et al 2014:
"We report on a user study that provides evidence that spaced repetition and a specific mnemonic technique enable users to successfully recall multiple strong passwords over time. Remote research participants were asked to memorize 4 Person-Action-Object (PAO) stories where they chose a famous person from a drop-down list and were given machine-generated random action-object pairs. Users were also shown a photo of a scene and asked to imagine the PAO story taking place in the scene (e.g., Bill Gates—swallowing—bike on a beach). Subsequently, they were asked to recall the action-object pairs when prompted with the associated scene-person pairs following a spaced repetition schedule over a period of 100+ days. While we evaluated several spaced repetition schedules, the best results were obtained when users initially returned after 12 hours and then in 1.5× increasing intervals: 77.1% of the participants successfully recalled all 4 stories in 9 tests over a period of 102 days. Much of the forgetting happened in the first test period (12 hours): on average 94.9% of the participants who had remembered the stories in earlier rounds successfully remembered them in subsequent rounds. These findings, coupled with recent results on naturally rehearsing password schemes, suggest that 4 PAO stories could be used to create usable and strong passwords for 14 sensitive accounts following this spaced repetition schedule, possibly with a few extra upfront rehearsals. In addition, we find statistically significant evidence that initially (8 tests over 64 days) users who were asked to memorize 4 PAO stories outperform users who are given 4 random action-object pairs, but eventually (9 tests over 128 days) the advantage is not significant. Furthermore, there is an interference effect across multiple PAO stories: the recall rate of 100% for participants who were asked to memorize 1 or 2 PAO stories is significantly better than that for 4 PAO stories.
These findings yield concrete advice for improving constructions of password management schemes and future user studies.
We report on a user study that provides evidence that spaced repetition and mnemonics enable users to successfully recall multiple strong passwords over time. The study is inspired by a recent result on naturally rehearsing password schemes [12] that rely on spaced repetition and a specific Person-Action-Object (PAO) mnemonic technique to design a scheme to create and maintain multiple strong passwords. As a core component of the study, remote research participants were asked to memorize 4 Person-Action-Object (PAO) stories where they chose a famous person from a drop-down list and were given machine-generated random action-object pairs. Users were also shown a photo of a scene and asked to imagine the PAO story taking place in the scene (e.g., Bill Gates—swallowing—bike on a beach). Subsequently, they were asked to recall the action-object pairs (e.g., swallowing—bike) when prompted with the associated scene-person pairs (e.g., Bill Gates—beach) following a spaced repetition schedule over a period of 100+ days. We designed the study to seek answers to the following questions:
- Do users who follow spaced repetition schedules successfully recall multiple PAO stories and, if so, which schedules work best?
- Does the PAO mnemonic technique improve recall over random action-object pairs?
- Is there an interference effect when users are asked to memorize multiple PAO stories?
First, while we evaluated several spaced repetition schedules, the best results were obtained under the schedule in which users initially returned after 12 hours and then in 1.5× increasing intervals: 77.1% of the participants successfully recalled all 4 stories in 9 tests over a period of 102 days. Much of the forgetting happened in the first test period (the first 12 hours): on average 94.9% of the participants who had remembered the stories in earlier rounds successfully remembered them in subsequent rounds. These findings, coupled with the results of Blocki et al. [12], suggest that 4 PAO stories could be used to create and maintain usable and strong passwords for up to 14 accounts following this spaced repetition schedule, possibly with a few extra upfront rehearsals. The finding that much of the forgetting happens in the first test period robustly held in all the spaced repetition schedules that we experimented with. Another implication of this finding is that password expiration policies [13] negatively impact usability by forcing users to return to the highest rehearsal effort region of memorizing a password. Furthermore, they are unnecessary for strong passwords (see Section II).
Second, we find statistically significant evidence that initially (8 tests over 64 days) users who were asked to memorize 4 PAO stories outperform users who are given 4 random action-object pairs, but eventually (9 tests over 128 days) the advantage is not significant. This finding is consistent with the previous finding in that much of the forgetting happens in the early rounds and in those rounds the PAO mnemonic technique helps significantly with recall.
Third, we find a statistically significant interference effect across multiple PAO stories. Specifically, the recall rate of 100% for participants who were asked to memorize 1 or 2 PAO stories is significantly better than the rate for participants who were asked to memorize 4 PAO stories. The interference effect is strong: it continues to be statistically significant even if we only count a participant with 4 PAO stories as failing if they forgot their first (or first two) action-object pair(s). This finding has several implications for password management. Further studies are needed to discover whether the interference effect is alleviated if users memorize multiple PAO stories following a staggered schedule in which they memorize 2 stories at a time. To accommodate this user model, we also need new constructions for naturally rehearsing password schemes in which passwords can be constructed even when not all PAO stories are memorized upfront (see Section VI for a concrete open problem)." #spacedrepetition