Bill Gates swallowing a bicycle is the key to a novel password system

Summary:CMU researchers have tested the idea of visualising Person-Action-Object (PAO) stories as an easy way of remembering passwords that are hard to crack

People find it hard to remember secure passwords, but researchers at Carnegie Mellon University have come up with the PAO system to help them. PAO stands for Person-Action-Object, with the quoted example being Bill Gates swallowing a bicycle. Users who visualise the idea should find easy to remember.

Bill Gates
Not swallowing a bicycle.... Photo: Microsoft

Users can devise their own PAO stories featuring people they know and objects that mean something to them, though the researchers used an algorithm to generate random stories. The basic idea is to have uncommon combinations of words that fit the common syntactic pattern.

Final passwords are derived using some combinations of letters from the story, and CMU graduate student Jeremiah Blocki argues that users can derive a number of different passwords by remembering only two stories. Further, people can use "public cues" (eg a photo of Bill Gates) to help them to remember their passwords without writing them down in plain text. These cues could be stored in an app on a smartphone.

People can re-use a range of PAO stories across multiple websites, and this provides a usable password management system. This is a more difficult challenge than creating a single password for a single purpose.

The research paper, Naturally Rehearsing Passwords (PDF), also raises the possibility that users can start with comparatively weak passwords and then add further elements once they have become familiar with them.

Most passwords are insecure because people use the same password most or all of the time, or because they use words or numbers that are memorable because they are personal -- date of birth, pet's name, favourite band etc -- but can be found by would-be attackers. PAO passwords avoid both problems.

While it would be more secure to have long random passwords for every application or website, users who need to remember dozens of passwords are rarely able to remember them without writing them down. PAO may be an acceptable compromise.

Topics: Security


Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first webs... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.