nfirvine.com wiki

PasswordDance

Filed in: Writing.PasswordDance · Modified on: Mon, 06 Feb 12

Passwords are constantly on my mind. Here's yet another way to make wide and deep passwords memorable: the password dance.

Eureka

"What makes a password memorable?" I asked myself. I realized that once I've memorized a password, I can touch-type it, even when it contains the number row that I can't usually touch-type... It's not the characters of the password that I remember, it's their physical position on the keyboard. The same thing happens when I play music on guitar, or solve a Rubik's Cube: I'm not thinking about playing individual notes or moving individual sides, but rather phrases that are programmed into my muscle memory. For passwords that I use every day and that are well-programmed into my muscle memory, when I have to input them on something that's not a standard keyboard (like a phone), I often have to refer to a standard keyboard to figure it out: I've forgotten the characters, and really only know the pattern that causes them on the keyboard.

So why not skip the middleman? Instead of starting with a random password, writing it down, and eventually committing it to muscle memory through simple repetition, start with something that's easier to program into muscle memory, and reduce that "commit" time.

It always comes back to Savannah man

I don't have citations to back this up, but I suspect and vaguely recall that humans are better at remembering a 2D route than a 1D string of characters, probably because Savannah man would have no use for a string of characters.

What's wrong with strings

Currently, we tend to think of a password as a string of characters, and by typing those characters in the correct sequence on the keyboard, we can generate the password: the memory requirement is the whole string. For the password dance, I think of the password in terms of the keys' physical position on the keyboard instead of the characters they produce.

The best password is completely random and as long as possible. However, remembering a long string of pure randomness is next to impossible for non-savants, so, given the ability to choose a password, a user, in order to make it memorable, will choose a password with flaws:

  • Short enough to memorize, probably somewhere between 4 and 7 characters; susceptible to brute force attacks.
  • Containing dictionary words, or other information they already know; susceptible to dictionary attacks.
  • Starting with a dictionary word, then using a simple cipher (0 for o, capitalization, etc.) to harden it; better, but still susceptible to dictionary attacks.

These all yield a fairly limited password space. However, if we consider the keyboard as a 3D matrix (position + shift), and use the characters only as reference points, we can get a lot more variation (to beat dictionary attacks), with greater memorability, and greater length (to combat brute force attacks).
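As an added illustration (not part of the original page), the Python sketch below turns each character into a (row, column, shift) coordinate and reports what fraction of a password's steps land on the same or a neighbouring key, the kind of keyboard walk that strength checkers commonly flag. The US ANSI QWERTY layout, the row offsets, the 1.3-key threshold and all names are assumptions.

```python
import math

# Assumed US ANSI QWERTY layout: (unshifted, shifted) characters per row.
ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
# Assumed horizontal stagger of each row's first key, in key widths.
OFFSETS = [0.0, 1.5, 1.75, 2.25]

# character -> (row, col, shift): position plus shift state
COORDS = {}
for r, (plain, shifted) in enumerate(ROWS):
    for c, (p, s) in enumerate(zip(plain, shifted)):
        COORDS[p] = (r, c, 0)
        COORDS[s] = (r, c, 1)

def to_route(password):
    """Return the password as a list of (row, col, shift) key coordinates."""
    try:
        return [COORDS[ch] for ch in password]
    except KeyError as exc:
        raise ValueError(f"character not on the assumed layout: {exc}") from None

def walk_fraction(password, threshold=1.3):
    """Fraction of steps that land on the same or a physically adjacent key.

    Shift state is ignored here: only the physical key position counts.
    """
    route = to_route(password)
    if len(route) < 2:
        return 0.0
    near = 0
    for (r1, c1, _), (r2, c2, _) in zip(route, route[1:]):
        dx = (OFFSETS[r1] + c1) - (OFFSETS[r2] + c2)
        if math.hypot(dx, r1 - r2) <= threshold:
            near += 1
    return near / (len(route) - 1)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for pw in ("qwerty", "1qaz2wsx", "q9Zp"):
        print(pw, to_route(pw)[:3], round(walk_fraction(pw), 2))
```

A route whose steps are mostly neighbouring keys scores close to 1.0; a route that jumps around the board scores close to 0.0.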

Example

Variation: Password tune

I posit that a musical phrase is more memorable than a symbol phrase. If we cause each key to generate a note (as is common with chiptune trackers), and the Shift key to pitch shift 2 octaves, or change the timbre, then the user can memorize a musical phrase.

