Strong password = Forgotten password?



Humans are often the weakest link in a security program, and one place where the program depends entirely on them is creating and remembering strong passwords.


Sam's story on passwords

Here is a story about Sam. Sam works in a large company and is required to create a login password for the computer assigned to Sam.


Sam was never very good at remembering passwords, so Sam created a password to be the one thing that Sam would never forget:

"samforgets"


New password policy - password must be at least 12 characters long:

"samforgetsalot"


New password policy - password must have upper and lower case letters:

"Samforgetsalot"


New password policy - password must have letters and numbers:

"Samforgetsalot1"


New password policy - password must have special characters (e.g. !, @, #, or $):

"Samforgetsalot1!"


New password policy - password must be at least 16 characters long:

"Samforgetsalot1!"

(already exactly 16 characters, so Sam changes nothing)


Password policy enforcement has mixed results when the goal is strong passwords. Each new rule bought the smallest edit that satisfied it: capitalise the first letter, append a digit, append an exclamation mark. Those are among the first transformations a password-cracking rule set applies to a dictionary word, so the policy added length and character classes without adding much that an attacker actually has to guess.


This password may be extremely strong, because (if it was generated at random) each of its 21 characters is an independent pick from the full keyboard character set,

"hn8$&jmv.2$5Fa!9*Mr7T"

but it is also extremely difficult for Sam to remember.


Memorable strong passwords?

Could Sam create a password that is strong and also easy for Sam to remember?


Sam could build the password from daily events or past memories.


Sam takes the bus to work every day. The bus driver looks like Drew, who has been Sam's friend since childhood. Drew's parents used to make cookies that Sam liked very much. When Sam and Drew had cookies at Drew's home, the big table where the cookies were served always had a bowl with 5 apples piled on it like a pyramid.


Sam had a dog called Teacup. Teacup liked to run in circles at the park, and Teacup's best friend at the park was another dog called Pizza. Pizza's distinctive feature was a tail that curled into two complete loops.


"Bowl5ApplesPyramidPizzaTail2Loops"


The password above does not have any special characters. So Sam adopts a rule: wherever a letter appears twice in a row, the second occurrence is replaced with a special character (the first doubled letter gets !, the second @, the third #).


"Bowl5Ap!lesPyramidPiz@aTail2Lo#ps"

The three symbols satisfy the policy, but the strength of this password comes from its length and from the unrelated story elements it chains together (two stories, a number in each), not from the substitutions.
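As an added example (not part of the original post), the Python script below checks each of Sam's passwords against the policy stages from the story, enumerates the small family of passwords that Sam's three cheap edits (capitalise the first letter, append a digit, append a special character) can produce from one base word, gives the naive character-set strength estimate a policy engine would compute, and applies the doubled-letter substitution rule to the story password. The policy names, the digit and special-character sets, and the naive estimator are this example's own assumptions, not anything from the page.

```python
import math
import string

# Policy stages from Sam's story, in the order the company introduced them (names assumed).
POLICIES = [
    ("at least 12 characters", lambda p: len(p) >= 12),
    ("upper and lower case",
     lambda p: any(c.isupper() for c in p) and any(c.islower() for c in p)),
    ("letters and numbers",
     lambda p: any(c.isalpha() for c in p) and any(c.isdigit() for c in p)),
    ("special character", lambda p: any(c in string.punctuation for c in p)),
    ("at least 16 characters", lambda p: len(p) >= 16),
]


def failed_policies(password):
    """Names of the policy rules the password does not satisfy (empty list = compliant)."""
    return [name for name, ok in POLICIES if not ok(password)]


def sam_style_mutations(base, digits="0123456789", specials="!@#$"):
    """Every password reachable from `base` by the three edits Sam used:
    optionally capitalise the first letter, optionally append one digit,
    optionally append one special character.  A cracking rule set covers the
    same search space, so the whole family costs an attacker only a few bits."""
    for cap in (False, True):
        word = base[:1].upper() + base[1:] if cap else base
        for d in ("",) + tuple(digits):
            for s in ("",) + tuple(specials):
                yield word + d + s


def bits_added_by_mutations(base, **kw):
    """log2 of the number of candidates the mutation rules generate from one base word."""
    return math.log2(sum(1 for _ in sam_style_mutations(base, **kw)))


def naive_charset_bits(password):
    """The 'policy view' of strength: length times log2 of the alphabet size implied
    by the character classes present.  It treats Samforgetsalot1! as if every
    character were an independent random pick, which is where the estimate misleads."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def substitute_doubled_letters(password, specials="!@#$%"):
    """Sam's rule for the story password: for every doubled letter, replace the
    second occurrence with the next special character from `specials`."""
    out = list(password)
    used = 0
    for i in range(1, len(out)):
        if out[i].isalpha() and out[i] == out[i - 1]:
            out[i] = specials[used % len(specials)]
            used += 1
    return "".join(out)


if __name__ == "__main__":
    for pw in ("samforgets", "Samforgetsalot1!", "hn8$&jmv.2$5Fa!9*Mr7T",
               "Bowl5ApplesPyramidPizzaTail2Loops"):
        print(f"{pw!r}: fails {failed_policies(pw) or 'nothing'}, "
              f"naive estimate {naive_charset_bits(pw):.0f} bits")
    print("Sam's three edits add only %.1f bits over the base word"
          % bits_added_by_mutations("samforgetsalot"))
    print(substitute_doubled_letters("Bowl5ApplesPyramidPizzaTail2Loops"))
```

Run as-is, the script shows the mismatch the story is about: "Samforgetsalot1!" passes every rule and scores about 105 bits on the naive estimate, yet it is one of only 110 candidates (under 7 bits) that the three edits can produce from "samforgetsalot", so anyone who guesses the base word gets the rest almost for free. The story password fails only the special-character rule before the substitution step, and passes everything after it.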


Sam still worries about forgetting the password, so Sam writes down two password hints:

Hint #1: "bus driver lookalike parent home table green and red structure"

Hint #2: "old dog friend in park feature on the back"

Sam then keeps the two hints in two separate secured locations. The hints name the stories, not the password: without Sam's memories they give nobody the words, the numbers, or the substitution rule.


Bottom Line

A security program is more likely to succeed if it is compatible with human nature: humans are usually better at remembering stories than arbitrary data.