Bill Gates swallowing a bicycle is the key to a novel password system

CMU researchers have tested the idea of visualising Person-Action-Object (PAO) stories as an easy way of remembering passwords that are hard to crack
Written by Jack Schofield, Contributor

People find it hard to remember secure passwords, but researchers at Carnegie Mellon University have come up with the PAO system to help them. PAO stands for Person-Action-Object, with the quoted example being Bill Gates swallowing a bicycle. Users who visualise the idea should find it easy to remember.

[Image: Bill Gates] Not swallowing a bicycle... Photo: Microsoft

Users can devise their own PAO stories featuring people they know and objects that mean something to them, though the researchers used an algorithm to generate random stories. The basic idea is to have uncommon combinations of words that fit the common syntactic pattern.

Final passwords are derived using some combinations of letters from the story, and CMU graduate student Jeremiah Blocki argues that users can derive a number of different passwords by remembering only two stories. Further, people can use "public cues" (e.g. a photo of Bill Gates) to help them remember their passwords without writing them down in plain text. These cues could be stored in an app on a smartphone.

People can re-use a range of PAO stories across multiple websites, and this provides a usable password management system. This is a more difficult challenge than creating a single password for a single purpose.
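The scheme sketched in the three paragraphs above (random PAO stories, passwords derived from the secret part of a story while the person serves as a public cue, and one set of stories reused across many sites) can be modelled in a few lines. The following is an added illustration written for this article, not the CMU researchers' code, and it goes beyond the article in one respect: it shows why bounded reuse matters by counting how much of a second site's password stays unknown after a first site's password leaks. The article does not say exactly which letters form the password or how stories are assigned to sites, so the choices here (full action and object words, capitalised and concatenated; a greedy assignment that lets any two sites share at most a fixed number of stories) are assumptions, as are the word lists.

```python
"""Toy model of a Person-Action-Object (PAO) password scheme.

Constructed illustration; the password-derivation and site-assignment rules
are assumptions, not the published construction.
"""
import itertools
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PAOStory:
    person: str  # public cue: may be stored in the clear (e.g. a photo)
    action: str  # secret half of the story
    obj: str     # secret half of the story


# Constructed word lists; real lists would be far larger.
PEOPLE = ["Bill Gates", "Ada Lovelace", "Alan Turing", "Grace Hopper"]
ACTIONS = ["swallowing", "juggling", "painting", "kicking", "hugging", "burying"]
OBJECTS = ["bicycle", "piano", "lighthouse", "cactus", "umbrella", "typewriter"]


def generate_stories(n, seed, people=PEOPLE, actions=ACTIONS, objects=OBJECTS):
    """Random PAO stories: a distinct person per story, an uncommon action/object pairing."""
    rng = random.Random(seed)
    chosen_people = rng.sample(people, n)
    return [PAOStory(p, rng.choice(actions), rng.choice(objects)) for p in chosen_people]


def assign_sites(sites, n_stories, k, max_shared):
    """Give each site a k-story subset such that any two sites share at most
    max_shared stories (assumption: greedy over lexicographic combinations).
    Bounded overlap limits what one leaked password reveals about another."""
    chosen = []
    assignment = {}
    candidates = itertools.combinations(range(n_stories), k)  # consumed across sites
    for site in sites:
        for cand in candidates:
            if all(len(set(cand) & set(c)) <= max_shared for c in chosen):
                chosen.append(cand)
                assignment[site] = cand
                break
        else:
            raise ValueError(f"not enough distinct story subsets for site {site!r}")
    return assignment


def derive_password(stories, subset):
    """Assumption: the password is the action and object words of each chosen
    story, capitalised and concatenated.  The person is deliberately left out
    because it is the public cue."""
    return "".join(stories[i].action.capitalize() + stories[i].obj.capitalize()
                   for i in subset)


def public_cues(stories, subset):
    """What a phone app may store in the clear: only the people, in order."""
    return tuple(stories[i].person for i in subset)


def guess_space_bits(n_actions, n_objects, k):
    """Bits of guessing work if each action and object is drawn uniformly."""
    return k * math.log2(n_actions * n_objects)


def residual_bits(assignment, known_site, target_site, n_actions, n_objects):
    """Bits still unknown for target_site once known_site's password has leaked."""
    overlap = len(set(assignment[known_site]) & set(assignment[target_site]))
    unknown = len(assignment[target_site]) - overlap
    return unknown * math.log2(n_actions * n_objects)


if __name__ == "__main__":
    stories = generate_stories(4, seed=2024)
    plan = assign_sites(["bank", "email", "shop"], len(stories), k=2, max_shared=1)
    for site, subset in plan.items():
        print(site, public_cues(stories, subset), derive_password(stories, subset))
    print("bits per password:", guess_space_bits(len(ACTIONS), len(OBJECTS), 2))
    print("bits left for 'email' if 'bank' leaks:",
          residual_bits(plan, "bank", "email", len(ACTIONS), len(OBJECTS)))
```

With six actions and six objects each story contributes about 5.2 bits, so the word lists, not the number of stories, decide the strength; the point of the overlap bound is that a password leaked at one site strips only the shared stories from the attacker's work at another.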

The research paper, Naturally Rehearsing Passwords (PDF), also raises the possibility that users can start with comparatively weak passwords and then add further elements once they have become familiar with them.

Most passwords are insecure because people use the same password most or all of the time, or because they use words or numbers that are memorable because they are personal -- date of birth, pet's name, favourite band etc -- but can be found by would-be attackers. PAO passwords avoid both problems.

While it would be more secure to have long random passwords for every application or website, users who need to remember dozens of passwords are rarely able to remember them without writing them down. PAO may be an acceptable compromise.
