Bill Gates swallowing a bicycle is the key to a novel password system

Bill Gates swallowing a bicycle is the key to a novel password system

Summary: CMU researchers have tested the idea of visualising Person-Action-Object (PAO) stories as an easy way of remembering passwords that are hard to crack

TOPICS: Security

People find it hard to remember secure passwords, but researchers at Carnegie Mellon University have come up with the PAO system to help them. PAO stands for Person-Action-Object, with the quoted example being Bill Gates swallowing a bicycle. Users who visualise the idea should find easy to remember.

Bill Gates
Not swallowing a bicycle.... Photo: Microsoft

Users can devise their own PAO stories featuring people they know and objects that mean something to them, though the researchers used an algorithm to generate random stories. The basic idea is to have uncommon combinations of words that fit the common syntactic pattern.

Final passwords are derived using some combinations of letters from the story, and CMU graduate student Jeremiah Blocki argues that users can derive a number of different passwords by remembering only two stories. Further, people can use "public cues" (eg a photo of Bill Gates) to help them to remember their passwords without writing them down in plain text. These cues could be stored in an app on a smartphone.

People can re-use a range of PAO stories across multiple websites, and this provides a usable password management system. This is a more difficult challenge than creating a single password for a single purpose.

The research paper, Naturally Rehearsing Passwords (PDF), also raises the possibility that users can start with comparatively weak passwords and then add further elements once they have become familiar with them.

Most passwords are insecure because people use the same password most or all of the time, or because they use words or numbers that are memorable because they are personal -- date of birth, pet's name, favourite band etc -- but can be found by would-be attackers. PAO passwords avoid both problems.

While it would be more secure to have long random passwords for every application or website, users who need to remember dozens of passwords are rarely able to remember them without writing them down. PAO may be an acceptable compromise.

Topic: Security

Jack Schofield

About Jack Schofield

Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first website and, in 2001, its first real blog. When the printed section was dropped after 25 years and a couple of reincarnations, he felt it was a time for a change....

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Similar to the "correct horse battery staple"

    in the xkcd comic
    Though, the comic version is probably better as the words are not in particular ordering.
    • Yup, I posted xkcd 936 before...

      On another password thread.

      Also, that paper was published on my birthday (Sept 11), though you don't need to know or care about that.
    • Diceware

      A great method to generate passwords like that is with Diceware, which ensures they are random enough to be unpredictable.

      Just get some dice and use the PDF with a word list from here:

      8-9 words are strong enough to be practically unbreakable. 7776 ^ 8 = 13 367 494 538 843 734 067 838 845 976 576 possible passwords. Nobody ain't got time for cracking that. Quite literally so, that's 31 zeroes after that first 1, or in simpler words way over a billion billion billion. Not even all the world's fastest password cracking rigs together can crack that. If you're paranoid, just add a few more words (15 or so is at a 1 followed by 58 zeroes).
  • I use full sentences

    the way a normal person would type a sentence. For instance "I use full sentences the way a normal person would type a sentence." could be a password I use. I don't use that one of course, but it's a good example. It's something easy to remember, quick to type, and hard to crack.
    Michael Kelly
    • I do this too...

      I also use the PAO method, have for years... What's frustrating is when you go through all the trouble of creating a truly strong password(s), but then you can't use it with some foolish company that enforces password policies that are less secure than what you normally use and don't support your creative password at all.
      • Like limitations on password length

        Since when is 16 characters a useful length, 32 would be more useful at least phrases, but full sentences would need more.
  • Policies on password don't allow users to use this form of password

    The problem is that the majority of companies enforce a password policy that restricts you to passwords that must have an uppercase letter, a number, no spaces and sometimes no two repeating letters and at least one non-alphanumeric character.

    Trying to use a pass phrase is fine but when you have to change it into something like Bi1lgatesSwal1owing@Bicycle you then lose the advantage of using a pass-phrase, as you're can't remember which letters you switched out for numbers, case and non-alpha.

    And then people just write it down.
  • I use open cues

    I have a spreadsheet on Drive with over 30 street addresses I have been associated with over the years. They are represented by first and in some cases last letters only, I know them all well but just need a reminder. Each has a letter to index it. I use a combination of any two letters, to indicate the two of these that make up that password. The site names these two refer to are cryptic as well - ie B1 B2 and B3 for the Banks - in alphabetic order. I know who they are and there are no login IDs/customer numbers in the sheet. I keep them separate - but mainly in my head. a case could be a = 123SmithSt and b = 456BrownsRd - password ab would be 123SmithST456BrownsRd. many are Maori words so an overseas hacker wouldn't have a clue. I can access the spreadsheet anytime i need to, and not necessarily on the computer I am loggin in on.
  • Graphics

    Use the keyboard to draw a graphic. It must be much more than straight lines. Throw in a caps lock or shift once in a while to color the picture. After all a picture is worth a thousand words.
  • Not so fast

    If as suggested users must remember more than one password (or PAO story), then they might well forget which specific password to use on a given site. If Mark Zuckerberg happens to manage that site, then the incorrect password will be archived and could potentially be used on another account where it works to break in.
  • Password

    Try finding the molecular weight of a compound I happened to use in graduate school with a mixture of initials from the family. Good luck guessing that.
    • Are you reusing the password?

      A great password becomes a bad password when a site you used it on is compromised.

      I never use a password more than once.
  • The idea's been around for at least 20 years...

    You said, "Most passwords are insecure because..." and you largely blamed reuse.

    Reuse is a problem, but IMO, the real culprit is that we have too many systems and too many different PW requirements.

    Peeps have wanted to reuse their passwords for as long as I can remember because they are lazy.

    The solution lies in some sort of "what you are" technology combined with a "something you know" secret managed through a single log-on authentication service.
    • I use a cloud based password manager

      I really only know my a few of my passwords: Apple Store, Google, and password manager.

      All the rest of my passwords are stored in my password manager. And I never reuse passwords.
  • Best password remembering strategy

    I think the best way that I am using to remember 100’s of password are very simple, just do your self
    1. Write two char of your spouse/mother/father name example “Ma".
    2. Write first char of web address on which you are going to register example “h”
    3. Than write birth month number of your beloved example "08"
    4. Than write your home/office address with @, #, $ sign example “@b72”
    5. Now write anything easy to remember with first char capital about your life example “Colddrink”
    6. Write last two char of web address on which you are going to register example “l”
    So your full pass word for Hotmail will be “Mah08@b72Colddrinkil” and for
    Facebook “Maf08@b72Colddrinkok”
    now it is complex for first time but you find it easy when you familiar.
  • Why no punctuation???

    I am repeatedly baffled by organisations that only allow alphanumeric characters for passwords to access their sites. Are they stupid or careless - they must be one or the other as anyone with 2 brain cells to work together knows that the more characters you can choose from to make a password, the stronger the password.
    I have my own system for passwords. It's very personal and I'm not going to mention it here as that would reduce its efficacy, other than that it's neither word nor number based so any crook trying words or numbers associated with my life won't stand a chance.