
Overcoming the "Forgetting Curve": How to Improve Passwords

Colleague Lance Spitzner wrote an interesting post at Securing The Human titled, The Forgetting Curve - The Importance of Reinforcement. In the post, Lance discusses the Forgetting Curve research by Hermann Ebbinghaus in 1885. Many of us have come into contact with this research, which postulates that humans tend to forget half of newly acquired knowledge in a matter of days if they don't make an effort to review what they've been taught or presented. In his post, Lance discusses ways to reinforce security awareness messages in the days and weeks following training. After reading this post, I came up with the following question:

Can we use our understanding of the Forgetting Curve to help users not only remember passwords but also make them stronger?

Let's accept Hermann Ebbinghaus's thesis. Lance aptly describes this as, "humans quickly forget what they learn unless that information is reinforced". Now, in the context of password management, let's postulate that humans are most likely to remember passwords that they use frequently because they reinforce that memory through repeated use. Another popular way this notion is described is, repetition is the key to learning.

On the basis of this premise, let's speculate that humans are able to remember passwords of 10, 12, even 20 characters - if they use them often enough. What improvements to password quality could we realize if we were to build from this and introduce a concept of incremental strengthening of passwords?

Incremental strengthening of passwords

Suppose a user creates an 8 character password and uses this until he knows it very well (for a single login, of course!). After one month, the user lengthens this password by a single character. This can be a voluntary act, or enforced by a password policy, Active Directory, IDM... By repeating this process over several months, the password becomes incrementally stronger over time with a lower risk of forgetting.

How much of an improvement can this yield? An 8 character password composed of upper and lower case letters, numbers, and symbols can be recovered in fewer than 57 days (the benchmark figure used in this post), but each character you add dramatically increases the recovery time. For example, and again using upper and lower case letters, numbers, and symbols, here are 2010 estimates of how long it would take to recover a:

  • 9 character password - 12 years
  • 10 character password - 528 years
  • 11 character password - 71,000 years
  • 12 character password - 5 million years
  • 13 character password - 423 million years
  • 14+ character passwords - 5 billion years and beyond

Note that incremental password strengthening has the additional benefit of getting users to change passwords with some frequency.
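To make the arithmetic behind the table concrete, here is an added example (mine, not code from the post) that computes the worst-case exhaustive-search time for each step of the strengthening path, and, picking up the caveat raised in the comments below about older Windows systems, shows why a hash that splits the password into independent chunks makes length alone misleading. The guess rate and the 69-character alphabet for the split-hash case are assumptions chosen for illustration, not measured figures.

```python
import math

# The post's character classes: upper- and lower-case letters, digits and symbols.
# 95 is the number of printable ASCII characters (26 + 26 + 10 + 33).
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Candidates an exhaustive search must cover for a password of exactly
    `length` characters drawn from `alphabet` distinct characters."""
    return alphabet ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet: int = PRINTABLE_ASCII) -> float:
    """Worst-case time, in years, to try every candidate at the given guess rate.
    The expected time is half of this; either way it grows by a factor of
    `alphabet` for every character the user appends."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def strengthening_schedule(start: int, target: int, guesses_per_second: float,
                           alphabet: int = PRINTABLE_ASCII) -> list:
    """(length, years) for each step of the incremental path from start to target."""
    return [(n, years_to_exhaust(n, guesses_per_second, alphabet))
            for n in range(start, target + 1)]


def split_hash_keyspace(length: int, chunk: int, alphabet: int) -> int:
    """Effective keyspace when the stored hash covers independent fixed-size
    chunks of the password (the pre-Vista LM hash upper-cases the password and
    splits it into two 7-character halves). Each chunk is searched on its own,
    so the work adds across chunks instead of multiplying across the length."""
    chunks = math.ceil(length / chunk)
    return chunks * alphabet ** chunk


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, for illustration only
    for n, years in strengthening_schedule(8, 14, RATE):
        print(f"{n:2d} chars: {years:12.3g} years")
    # The commenters' caveat: a 14-character password under a split hash
    # (assumed 69-character upper-case/digit/symbol alphabet) needs fewer
    # guesses than an 8-character one hashed as a single string.
    lm = split_hash_keyspace(14, 7, 69)
    print(f"split-hash 14 chars: {lm:.3g} vs whole-string 8 chars: {keyspace(8):.3g}")
```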

The Catch

This is a feasible strategy for a single or perhaps a few passwords at best. It's also feasible if users complement this strategy by using a password manager (and begin by strengthening the password for the manager). However, left without reinforcement, users may not implement this strategy. This is where the reinforcement techniques that Lance suggests in his article about security awareness may be effective for an organization (or even an ISP). 

To re-purpose the suggestions for reinforcing key points that Lance shares in his post from security awareness to strengthening passwords, consider some method to:

  1. Present the concept of "incrementally strengthen your password" to your users.
  2. Reinforce within 48 hours using, as Lance suggests, a follow-up survey that asks users what they remember about the concept and what actions they have taken; for example, have they installed a password manager, strengthened a password, etc.
  3. Reinforce within two weeks. Advise your users that the password policy has changed, and raise the minimum password length by one character. You may reinforce this by central desktop administration, IDM, or whatever is appropriate for the login you are trying to protect.
  4. Raise the bar by increasing the minimum password length quarterly (or more gradually) until you reach a target strength.
  5. If your organization hasn't implemented single sign-on, repeat 1-4 for another login.

For residential users, adopting a password strengthening strategy will be more like dieting or training: you have to want to protect against password-based attacks badly enough to make the effort. But you get more immediate benefits than dieting or training even if you only increase your online bank password from your current 6, 7, 8 characters to 10. 

This strategy is not a panacea for all the password-related issues we face. But passwords aren't going away, and experimentation of this kind may reduce some aspects of the password problem space for you or your organization.



Stephanie, hello!

You are absolutely right about optimistic estimations and that I didn't consider the highly motivated, highly proficient attacker scenario. My objective though, was to encourage adoption of longer passwords by easing folks into using them. Given this, I chose a convenient way to illustrate strength. As you point out, if you are one or among a set of chosen targets, it's quite possible that your attacker could use parallel methods; hopefully, other brute force detection or countermeasures will intercede.

The time to crack for various lengths is an overly optimistic estimation of the time needed. Resistance to brute force should always be considered against the worst case, rather than the "ideal" conditions displayed here.

For example, under some operating systems (XP/2003), apparently, arbitrary 14 character passwords fall in *minutes* rather than the billions of years in the estimates you cited.

At this point, it's safe to assume that anyone seriously cracking passwords is going to be using parallel methods, and they may have access to GPUs, and in this case, better to assume the worst, because the worst might just happen.

Hi Scott,

I like pass phrases but I'd be cautious to use something too familiar in pop culture. Rather than impossible to remember strings of characters, I'd suggest you consider borrowing a page from a one time password generator and string together several words that you'd remember, or something more obscure from a book you'd recall but are pretty convinced no one else would associate with you, for example:


Cool idea, Dave! It's great to realize how much power users can get simply by adding ; or ~ to a password.

Do you agree with the advice of using quotations as pass phrases? For example, "The Force is strong with this 1." is a very long, easily remembered password that, according to your chart above, should stand against 5 billion years of cracking... but will dictionary attacks undermine its theoretical resistance to the point where 9 nonsense characters would make a stronger password?
