Can you name the most annoying things on the internet? I can name at least three: spam, CAPTCHAs and passwords. You can fight the first two, or simply get used to them. But what about the third?
Every day more and more people create more and more accounts, and keeping all of those passwords in your head quickly turns into a real headache. Fortunately, there are plenty of password managers on the market that make life much easier in this respect. Using techniques such as encrypted storage, cloud synchronisation and cryptographic key-derivation functions, these tools reduce the number of passwords you need to remember down to just one: the master password. The best of them can also generate strong passwords for your accounts, which nowadays is becoming essential.
Nonetheless, the core problem remains unsolved: how do you remember a strong password? Since a strong password should be as unpredictable as possible, its "complexity" (here: how hard it is to remember) will inevitably be high as well. The only thing we can do is represent the required amount of entropy in a form that we can remember with less effort. By replacing symbols with words, the well-known XKCD passphrase scheme does exactly that. Similarly, DAS ("Draw-a-Secret") systems try to use the human ability to memorize information in a different way, one more effective than plain text.
Here I'd like to introduce another method that develops this idea. To some extent it resembles DAS systems; on the other hand, it may remind you of a smartphone's lock-screen pattern. Indeed, what you see here is an attempt to combine the best sides of both. The method records gestures formed by a sequence of discrete graphic segments; neither the gaps between strokes nor absolute coordinates carry any meaning. As you can see, it also supports arcs. This detail may seem unimportant, but it is crucial: arcs, as an additional kind of segment, obviously boost the entropy, yet at the same time they significantly reduce the difficulty of remembering. Vague as that sounds, the trick is that our mind remembers shapes much better when they have enough distinctive features. Simply put, arcs give a shape an extra set of different angles; the shape becomes more peculiar, and therefore more memorable. However, visual memory alone is still not enough for an average human brain: complex gestures are hard to memorize securely without periodic recall. Fortunately, we remember with more than our eyes: the method provides a fairly handy and natural input technique that engages kinesthetic (muscle) memory, so that even an awkward, tangled gesture can be recalled with ease.
At this point, foreseeing obvious questions and critical comments, I'd like to give several clarifications. Firstly, you need to understand that there is no magic. If you draw simple things like hearts, the strength will be comparable to that of a simple password. Needless to say, the best option is to get a reliable RNG and use it to obtain truly random gestures. For hand-made gestures I can only suggest drawing something weird, awkward and incomprehensible. Never close the curve. Avoid all kinds of symmetry (except a small amount of local symmetry). Don't avoid laying new segments over existing ones.
Secondly, for entropy-related questions there is a simple calculation: each segment holds four bits of entropy, so a 24-segment gesture holds 96 bits in total, more than any 14-character password can provide (14 characters drawn uniformly from the 95 printable ASCII characters give about 92 bits). Concerning the size of the grid: don't forget that you can start drawing from any lattice point, stop whenever you like, and then continue from the same or any other point on the grid. In the end all your strokes are joined into a single contiguous gesture, which can be far larger than the grid; your freedom is effectively unlimited here. Although a complete gesture cannot be shorter than the minimal length (18 segments), it is not a good idea to restrict yourself to gestures that can be drawn on the grid in one stroke. That is certainly possible, but the strength of gestures generated or invented under such a constraint will obviously be lower, because the set of such gestures is much smaller.
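As an added illustration of the calculation above and of the advice to use a reliable RNG rather than hand-drawn gestures (this is example code written for this page, not the author's implementation), the following Python script generates a random gesture with the `secrets` module and computes the entropy figures. The segment alphabet is an assumption: the post only states that each segment carries four bits, so the script models 16 equally likely segment types, eight directions each drawn as a straight line or an arc; the real method may encode segments differently. The `MIN_SEGMENTS` limit and the 95-character ASCII comparison are taken from the text.

```python
import math
import secrets

# Assumed segment alphabet (the post only says "four bits per segment"):
# eight directions, each drawable as a straight line or as an arc,
# giving 16 equally likely segment types = log2(16) = 4 bits each.
DIRECTIONS = ["N", "NE", "E", "SE", "S", "SW", "W", "NW"]
KINDS = ["line", "arc"]
SEGMENT_ALPHABET = [(d, k) for d in DIRECTIONS for k in KINDS]

MIN_SEGMENTS = 18       # minimal gesture length stated in the post
PRINTABLE_ASCII = 95    # characters available for a typed password


def gesture_entropy_bits(n_segments, alphabet_size=len(SEGMENT_ALPHABET)):
    """Entropy of a gesture whose segments are chosen uniformly at random."""
    if n_segments < MIN_SEGMENTS:
        raise ValueError(f"gesture must have at least {MIN_SEGMENTS} segments")
    return n_segments * math.log2(alphabet_size)


def password_entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(charset_size)


def segments_to_match_password(pw_length, charset_size=PRINTABLE_ASCII):
    """Smallest gesture length whose entropy reaches that of the given password."""
    bits = password_entropy_bits(pw_length, charset_size)
    return max(MIN_SEGMENTS, math.ceil(bits / math.log2(len(SEGMENT_ALPHABET))))


def random_gesture(n_segments):
    """Draw each segment with a CSPRNG; random.choice is not suitable here."""
    if n_segments < MIN_SEGMENTS:
        raise ValueError(f"gesture must have at least {MIN_SEGMENTS} segments")
    return [secrets.choice(SEGMENT_ALPHABET) for _ in range(n_segments)]


def render(gesture):
    """Compact text form, e.g. 'NE~ S-' where '~' marks an arc and '-' a line."""
    return " ".join(f"{d}{'~' if k == 'arc' else '-'}" for d, k in gesture)


if __name__ == "__main__":
    g = random_gesture(24)
    print(render(g))
    print(f"24 random segments:      {gesture_entropy_bits(24):.0f} bits")
    print(f"14-char ASCII password:  {password_entropy_bits(14):.1f} bits")
    # A hand-drawn gesture that only ever uses straight lines shrinks the
    # alphabet to 8 types and therefore gets only 3 bits per segment.
    print(f"24 straight segments:    {gesture_entropy_bits(24, 8):.0f} bits")
    print(f"segments to match it:    {segments_to_match_password(14)}")
```

The last two lines of the script make the "no magic" point concrete: a gesture that never uses arcs, or that sticks to a few favourite directions, is drawn from a smaller alphabet and loses bits per segment exactly as a password drawn from a smaller character set does.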
In conclusion, there is one last thing I have to mention. Frankly speaking, I haven't tested the method's difficulty on living human beings for long enough. However, I don't see a problem here: your responses (positive or negative) will tell me everything about it. Being an ordinary person, I've been able to memorize three randomly generated 27-segment gestures (108 bits of entropy!) without significant effort (the first three generated gestures were taken). Actually, there is no need for you to remember that many; you may need just one. Anyway, by no means do I think this method could be suitable for everybody: for instance, several people with Asperger syndrome have already claimed that the method is useless for them. I assume it's useless for visually impaired people as well. Nevertheless, if it helps at least a few people protect their privacy better, I'll be glad, of course. I also believe this method might prove that people can still trust their own minds. By and large, that would be a great reward for this work.