Filed in: Writing.PasswordDance · Modified on: Mon, 06 Feb 12
"What makes a password memorable?" I asked myself. I realized that once I've memorized a password, I can touch-type it, even when it contains the number row that I can't usually touch-type... It's not the characters of the password that I remember, it's their physical position on the keyboard. The same thing happens when I play music on guitar or solve a Rubik's Cube: I'm not thinking about playing individual notes or moving individual sides, but rather phrases that are programmed into my muscle memory. For passwords that I use every day and that are well-programmed into my muscle memory, when I have to input them on something that's not a standard keyboard (like a phone), I often have to refer to a standard keyboard to figure it out: I've forgotten the characters, and really only know the pattern that causes them on the keyboard.
So why not skip the middleman? Instead of starting with a random password, writing it down, and eventually committing it to muscle memory through simple repetition, start with something that's easier to program into muscle memory, and reduce that "commit" time.
I don't have citations to back this up, but I suspect and vaguely recall that humans are better at remembering a 2D route than a 1D string of characters, probably because Savannah man would have no use for a string of characters.
Currently, we tend to think of a password as a string of characters, and by typing those characters in the correct sequence on the keyboard, we can generate the password: the memory requirement is the whole string. For the password dance, I think of the password in terms of the keys' physical position on the keyboard instead of the characters they produce.
The best password is completely random and as long as possible. However, remembering a long string of pure randomness is next to impossible for non-savants, so, given the ability to choose a password, a user, in order to make it memorable, will choose a password with flaws:
These all yield a fairly limited password space. However, if we consider the keyboard as a 3D matrix (position + shift), and use the characters only as reference points, we can get a lot more variation (to beat dictionary attacks), with greater memorability, and greater length (to combat brute force attacks).
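The position + shift model above can be written down and measured. The following is an added example, not code from the original post: it renders a dance of (row, col, shift) steps into the typed string and counts how many distinct dances exist when each move stays within a given distance of the previous key. The US QWERTY layout, the hypothetical `reach` parameter, ignoring row stagger, and uniformly random choice of each step are all assumptions of the example.

```python
import math

# US QWERTY is an assumption; the page names no layout. Row stagger is ignored.
PLAIN = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFT = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
KEYS = [(r, c) for r, row in enumerate(PLAIN) for c in range(len(row))]

def render(dance):
    """Turn a dance, a list of (row, col, shift) steps, into the typed string."""
    return "".join((SHIFT if s else PLAIN)[r][c] for r, c, s in dance)

def locate(password):
    """Inverse of render: the (row, col, shift) position behind each character."""
    index = {}
    for layer, rows in ((0, PLAIN), (1, SHIFT)):
        for r, row in enumerate(rows):
            for c, ch in enumerate(row):
                index[ch] = (r, c, layer)
    return [index[ch] for ch in password]

def dance_bits(steps, reach):
    """log2 of the number of distinct dances of `steps` keys when each move
    lands at most `reach` rows/columns away (staying put allowed), shift free.
    `reach` is a hypothetical knob for how far a memorable route may jump."""
    ways = {k: 2 for k in KEYS}  # first key: any position, either shift state
    for _ in range(steps - 1):
        nxt = dict.fromkeys(KEYS, 0)
        for (r, c), n in ways.items():
            for r2, c2 in KEYS:
                if abs(r2 - r) <= reach and abs(c2 - c) <= reach:
                    nxt[(r2, c2)] += 2 * n  # two shift states per landing key
        ways = nxt
    return math.log2(sum(ways.values()))

if __name__ == "__main__":
    sample = [(1, 0, 0), (1, 1, 1), (0, 2, 0), (0, 3, 1)]  # constructed dance
    print(render(sample), locate(render(sample)) == sample)
    for reach in (1, 2, 12):  # 12 spans the whole board: any key to any key
        print(f"reach {reach:2}: {dance_bits(12, reach):.1f} bits for 12 keys")
```

The gap between the small-reach figures and the reach-12 figure is the variation a route gives up by staying local, which is the quantity to weigh against the extra length a memorable route allows.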
I posit that a musical phrase is more memorable than a symbol phrase. If we cause each key to generate a note (as is common with chiptune trackers), and the Shift key to pitch shift 2 octaves, or change the timbre, then the user can memorize a musical phrase.