Can poetry make your passwords more secure?

The first thing you learn when you try to create a good password is that your memory is pretty terrible. The second thing you might learn is that you’re really bad at being random.

True randomness is hard to predict; humans aren’t. Even if you’re not one of the millions of people who use passwords like “12345678” or “password,” you might still be making some amateur mistakes. For example, using a common phrase as your password, but then replacing the “i” with a “1,” or the “a” with a “@,” and so on. Or using common words and phrases, and putting the characters and numerals at the end of the password, instead of spaced randomly throughout. Or re-using passwords across sites, or not changing them often enough.

In short, basically any technique that would allow a human being to actually remember a password.

Okay, you say, but how do you possibly get around this? Any password that is going to be reasonably secure is also going to be impossible to remember. And any password you can possibly remember is probably going to be terrible. That’s just the law of passwords, right?

As the Post’s Alexandra Petri writes, “The perfectly secure, perfectly memorable password is absolutely pure and rarer than the unicorn…. That is to say, no one has ever found it, and some doubt whether it exists at all.”

But two researchers at the University of Southern California may have finally come up with the perfect solution. Marjan Ghazvininejad and Kevin Knight of the University of Southern California have published a paper with a novel solution for creating with passwords that are both extremely hard to crack and relatively easy to remember: randomly-generated poems.

The inspiration for Ghazvininejad and Knight’s study was actually a cartoon, created by Randall Munroe of Xkcd, which showed how a password made up of four random words – like “correct horse battery staple” – is far more secure and a lot easier for people to remember than the typical jumble of random letters, numbers and symbols that most people think of as a secure password.

Munroe’s point is that, even if you pick a fairly uncommon word, like “Troubadour,” and replace some of the letters with other symbols, this combination might only take a computer seconds, minutes or hours to guess. But a combination of four totally random words is both hard for a hacker to crack and easy for a person to remember — you can make up some weird little story about a horse correctly identifying a battery staple that will stick with you forever, unlike your coworkers’ spouses’ names, or the date of your anniversary. (If you want to know more about the method behind this, check out this reddit thread.)

The secret here is that those four random words are actually generated based on one very large random number. That random number is then broken up into segments, each of which corresponds with a word in the dictionary. It’s basically a form of cryptography. To guess the full random number, a computer might have to test billions of billions of billions of possibilities before it hits on the right one, says Knight.

But while Munroe suggested using this large number to pick four random words, Ghazvininejad and Knight hit on the idea of using it to create a little poem.

In their paper, Ghazvininejad and Knight look at a few different methods for generating random passwords – the Xkcd method of using four random words, as well as a method of generating a random sentence – but they find that by far the most secure and the most memorable method is creating a short rhyming poem of random words.

As the researchers point out, humans have been using poetry as a way to remember information for thousands of years. It’s no accident that long epics, like the 12,000-line Odyssey, or the 17,000-line Canterbury Tales, were written using meter or rhyme. Most people today can’t recite the Canterbury Tales, but they’ve still had certain sing-songy rhymes permanently burned into their memory – like “Thirty days hath September,” or the weather beacon rhymes that people once learned before weather apps came along.

Ghazvininejad and Knight create their poems by assigning every word in a 327,868-word dictionary a distinct code. They then use a computer program to generate a very long random number, break that number up into pieces, and then translate those pieces into two short phrases. The computer program they use ensures that the two lines end in words that rhyme, and that the whole phrase is in iambic tetrameter, like so:

Receiver Mathew Halloween 
deliver cousin magazine

These passwords might seem a little odd, but they’re actually very, very secure. At current speeds, Knight estimates that cracking these passwords would take around 5 million years. By which point, we probably won’t be using Facebook anymore.

If you read too many of these, they will make you feel a little crazy. But some of them are really fun to say:

The reigning Hagen journeyman 
believers mini minivan

And teaches scripture bungalow 
or celebrate or Idaho

Others are weird and evocative, hinting at wild stories just waiting to be made up as memory devices:

And British fiction engineer 
Travolta captured bombardier

Australia juggernaut employed 
the Daniel Lincoln asteroid

Enrique Hasbro Japanese 
revealed aggressive amputees

Competing holy Hemingway 
complies American ballet

A peanut never classified 
expected branches citywide

The latest Union Rodeo 
amounts of aiding dynamo

Ghazvininejad and Knight developed an online generator for these little poems, which you can try out here. They caution that this site is just for demonstration — hackers could potentially download all of these and try them out, so don’t use them for your password.

If you want your own little poem password, you can enter your e-mail here, and their program will send you a secure one, which will then be deleted from their server.

Obviously, remembering a little poem for every password you have might be difficult, but the researchers suggest you could use one or two of these poem passwords for your most important accounts, or use one for your password manager, which will keep all your other information secure. Many sites will ask you to add a special character or number to your password, but that shouldn’t be too hard — you could just add some punctuation, or maybe replaces spaces with special characters.

The biggest drawback is that many sites these days limit the number of characters that you can use in your passwords, so these poems are probably too long for many of your accounts. But perhaps that will change someday soon. More and more sites are considering dropping the character limit, since shorter passwords are a lot less secure.

This article is published in collaboration with The Washington Post. Publication does not imply endorsement of views by the World Economic Forum.

To keep up with the Agenda subscribe to our weekly newsletter.

Author: Ana Swanson is a writer at The Washington Post.

Image: A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin. REUTERS/Pawel Kopczynski.