Creating a Password: The user first selects a picture that is interesting to him. The user then randomly selects 16 words from a dictionary (I strongly recommend using a computer program to help with this random selection). The user may select 4 of these 16 words to form a password. The user should store the picture publicly in a convenient location (a file on the computer, a public web site, a printed photo carried in a wallet, etc.). The user does not need to worry about hiding the picture. He should also publicly note which account the picture is linked to.
Memorize Password: The user creates a story involving these four words inside the picture. The user can create any story he wants, but we would recommend stories that are unusual or surprising.
Rehearse Password: Rehearse the password after 1 day, then after 4 days, then after 8 days, then 16 days, and so on (logging in to the site counts as a rehearsal).
Recall Password: The user looks at the picture, remembers the corresponding words and enters his password.
Example Password Creation: I selected a photo of the Russell Glacier as my cue, and used a computer program to select 16 random words from my dictionary. Four of the sixteen words were: march, boats, brie, and swim.
Recommendations: I always sort the words so that I don't have to remember the order. I use a separate picture and story for each account. The same picture should not be reused for multiple stories. I use a smaller dictionary (~20,000 common words) so that I am familiar with most of the words in the dictionary. Once again, I strongly recommend using a computer program to select truly random words. If you select random words yourself then you might subconsciously select words that are correlated with the picture, which could make it easier for an adversary to guess your password.
Pick Interesting Photos: Interesting photos are better cues. They provide a richer context under which associations can be formed. I would recommend that you pick a photograph with some open space so that you have places to put the words in your story. If you don't want to find your own photos then you could use one of my photos. You can look at the pictures I use here (warning: the page will take a long time to load!). If you want to look at the pictures individually you can find them in this folder.
Pick Surprising Stories: Making a surprising story requires some creativity and effort. Surprising stories grab our attention. Surprising stories are easier to remember.
(Image caption: Boats Swim (Michael Phelps))
To avoid confusion I always use the words in alphabetical order. In this case my password would be: boatsbriemarchswim.
Looking at the rules below I see that I need to modify my password: B04tbr13m4rcsw1m
Common Restrictions: Some web sites have annoying restrictions on passwords (e.g., maximum length is sixteen characters, must include an uppercase letter, must include a number, and/or must include a special symbol). If the maximum length is 16 then I use the first four letters of each word. If the password needs to include an uppercase letter then I always capitalize the first letter. If the password must include a number then I substitute vowels with numbers (e.g., I use e = 3, i = 1, o = 0, a = 4, u = 8. These substitutions are not private, so I can safely write them down and even publish them). If the password requires a special symbol then I add an exclamation mark (!) to the end of the password. I make a note of the rules that I had to use to overcome the restrictions. You do not have to hide this note, as it does not affect the security of the password.
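The word selection, alphabetical sorting and restriction rules above, as an added example in Python (this is not the author's own program): the candidate words are drawn with the OS's cryptographic random source rather than a seeded generator, the truncation rule is generalized from "first four letters when the cap is 16" to "max_len divided by the number of words", and a helper estimates the size of the space an adversary who knows the scheme and the dictionary must search. The dictionary and word lists are constructed sample input.

```python
import math
import secrets

# Public, non-secret substitutions exactly as stated on the page.
VOWEL_DIGITS = {"e": "3", "i": "1", "o": "0", "a": "4", "u": "8"}


def pick_candidate_words(dictionary, n=16):
    """Draw n distinct words uniformly at random.

    secrets.randbelow uses the OS CSPRNG; random.choice would be
    predictable to anyone who can guess the seed.
    """
    pool = list(dictionary)
    chosen = []
    for _ in range(n):
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return chosen


def build_password(words, max_len=None, need_upper=False,
                   need_digit=False, need_symbol=False):
    """Apply the page's rules, in the order the page lists them."""
    parts = sorted(w.lower() for w in words)  # alphabetical: no order to remember
    if max_len is not None and sum(len(w) for w in parts) > max_len:
        keep = max_len // len(parts)          # 16 // 4 == 4: "first four letters"
        parts = [w[:keep] for w in parts]
    pw = "".join(parts)
    if need_upper:                            # capitalize the first letter only
        pw = pw[0].upper() + pw[1:]
    if need_digit:                            # lowercase vowels become digits
        pw = "".join(VOWEL_DIGITS.get(c, c) for c in pw)
    if need_symbol:
        pw += "!"
    return pw


def guess_space_bits(dictionary_size, words_per_password=4):
    """log2 of the number of unordered word sets an adversary who knows the
    scheme and the dictionary must try (the picture and rules are public)."""
    return math.log2(math.comb(dictionary_size, words_per_password))


if __name__ == "__main__":
    sample_dictionary = ["word%03d" % i for i in range(200)]  # constructed stand-in
    print(pick_candidate_words(sample_dictionary))
    example = ["march", "boats", "brie", "swim"]               # the page's example
    print(build_password(example))                             # boatsbriemarchswim
    print(build_password(example, max_len=16, need_upper=True, need_digit=True))
    print("%.1f bits for a 20,000-word dictionary" % guess_space_bits(20000))
```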