Can You “Spot” The Password?

I've suggested that pattern recognition is the key to developing secure passwords that are easy to remember (see my post, Would You Give Me Your Password For A Candy?). I still like the idea of a series of images on standard themes (e.g. fruit, mountain scenes, animals, etc.) that represent a password. But others are still taking a different approach.

Password authentication and identity management wonks are plugging the latest idea for password recovery (reported in the New York Times). It seems to work well, at least among college students, though the general population may have more trouble with it:

While registering for a site, users are asked to select from a long list of things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. Then they have to specify whether they like or dislike those things – a quick personality test.

According to a research study of 423 college students, the system worked remarkably well:

…the group honed their questions and determined that the probability that an attacker can answer all the questions accurately was less than one percent. The chances of a legitimate user failing their own personality test was close to zero.
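As an added illustration (not code from the article or from the study it reports), here is a toy model in Python of the like/dislike check: the registration step, the recovery check, and the binomial arithmetic behind "an attacker can answer all the questions accurately". The catalog of interests, the attacker's per-question accuracy figures and the optional tolerance for wrong answers are constructed assumptions; the page gives neither the study's question count nor its error model.

```python
"""Toy model of the like/dislike recovery check described in the article.

Added illustration, not code from the article or from the study it reports.
Constructed assumptions: the catalog of interests, the per-question accuracy
figures, and the option to tolerate a few wrong answers (the quoted text
describes an all-or-nothing check, which is max_wrong=0 here).
"""
import math
from typing import Any, Dict, List, Tuple

# Constructed catalog; the article names only punk music, golf and southern food.
CATALOG = ["punk music", "golf", "southern food", "opera", "hiking",
           "spicy food", "cats", "early mornings", "board games", "jazz"]


def register(liked: List[str], disliked: List[str]) -> Dict[str, bool]:
    """Registration: record each chosen item as liked (True) or disliked (False)."""
    unknown = (set(liked) | set(disliked)) - set(CATALOG)
    if unknown:
        raise ValueError(f"not in catalog: {sorted(unknown)}")
    if set(liked) & set(disliked):
        raise ValueError("an item cannot be both liked and disliked")
    prefs = {item: True for item in liked}
    prefs.update({item: False for item in disliked})
    return prefs


def verify(prefs: Dict[str, bool], answers: Dict[str, bool],
           max_wrong: int = 0) -> Tuple[bool, int]:
    """Recovery: the user is shown the stored items and says like/dislike.

    Returns (passed, number_of_wrong_answers). A missing answer counts as wrong.
    """
    wrong = sum(1 for item, liked in prefs.items() if answers.get(item) != liked)
    return wrong <= max_wrong, wrong


def p_attacker_passes(n_questions: int, per_question_accuracy: float,
                      max_wrong: int = 0) -> float:
    """Probability that an attacker who guesses each answer correctly with
    probability p (independently) is accepted when up to max_wrong misses are
    tolerated: the binomial sum over 0..max_wrong wrong answers."""
    p = per_question_accuracy
    return sum(math.comb(n_questions, k) * (1 - p) ** k * p ** (n_questions - k)
               for k in range(max_wrong + 1))


def questions_needed(per_question_accuracy: float, target: float,
                     max_wrong: int = 0) -> int:
    """Smallest number of questions that pushes the attacker's pass probability
    below target under the same model."""
    n = max_wrong + 1
    while p_attacker_passes(n, per_question_accuracy, max_wrong) >= target:
        n += 1
    return n


def demo() -> Dict[str, Any]:
    """Work the numbers for a constructed scenario and return them."""
    prefs = register(liked=["punk music", "golf", "hiking", "cats"],
                     disliked=["southern food", "opera", "early mornings"])
    honest = dict(prefs)                      # the real user remembers everything
    guesser = {item: True for item in prefs}  # an attacker who just says "like"
    passed_honest, _ = verify(prefs, honest)
    passed_guesser, wrong_guesser = verify(prefs, guesser)
    return {
        "questions": len(prefs),
        "honest_passes": passed_honest,
        "guesser_passes": passed_guesser,
        "guesser_wrong": wrong_guesser,
        # coin-flip attacker against the 1% figure quoted in the article
        "n_for_1pct_vs_coinflip": questions_needed(0.5, 0.01),
        # an acquaintance who knows 80% of your tastes (constructed figure)
        "n_for_1pct_vs_acquaintance": questions_needed(0.8, 0.01),
        # tolerating one miss on 7 questions multiplies a coin-flipper's odds by 8
        "coinflip_7q_strict": p_attacker_passes(7, 0.5, 0),
        "coinflip_7q_one_miss": p_attacker_passes(7, 0.5, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that "less than one percent" depends on the attacker you assume: seven questions hold a coin-flipper under 1%, but an acquaintance who knows four fifths of your tastes needs about twenty-one, and tolerating a single miss so that the legitimate user's failure rate stays "close to zero" raises the coin-flipper's odds eightfold on seven questions.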

Sounds promising. But maybe this concept isn't as new, or as valuable, as the study makes out. One of the first comments on the article, from a J. Greene, is less than hospitable:

There are a few sites that are also starting to use these questions as a verification device–you log in with your user name and password, and it then asks you to answer two questions. I absolutely hate it, and if I didn’t have to go to the site to conduct business, I would never go back.

Ouch. But even more interesting were the comments on the article where contributors added their own tips for managing passwords. First, Karyn:

Call me foolish, but I usually use different passwords with the many accounts I open (probably too many). I often forget them although I remember my pet, my mom’s maiden name, etc…

Sounds typical… but isn’t that already the default “solution” for password management with a large number of accounts? Next up, Richard Miller of Evanston, IL:

There is a much easier way to manage this — simply choose one answer, and only one answer that you can remember and put it everywhere, whatever the question, e.g., Question “Name your favorite pet?”, Answer “spot”. Question “Name your 3rd grade teacher”, answer “spot”. Question “On what street did you first live”, Answer “spot”.

But what if the one answer is not as contextually neutral as you think (“spot” is a plausible pet but an odd street name), or a hacker who learns it from one site now holds the one answer that rules them all?

I'm still keen on the idea of pattern-based passwords. In the meantime, at least easy password reset is available for those of us who don’t possess the keen memories of caffeine-addled college students.