What is a 3D password, anyway?

tl;dr: Passwords based on a 3D, visual cued recall are not only more easily remembered, encouraging user compliance, but also significantly more secure.

Jake
5 min read · Jul 28, 2019

In accomplishing its purpose of providing maximum security, the ideal password must have maximum entropy. As length and randomization of the sequence increase, so does security (Yan, et al., 2004).

And thus: the era of XvbU#%t13p0 was born…

While passwords were useful for a while and are still used by every enterprise company in the world, Yan, et al. may have left out one important detail.

WE. ARE. HUMANS.

Classic Authentication

There are three basic approaches to authentication. They may be used singly or combined in twos or threes (i.e. 2FA, 3FA), depending on the level of security required.

  1. Something you know. (Such as a password or a “3D password”.)
  2. Something you have. (Such as a hardware key)
  3. Something you are. (Fingerprints, etc.)

For this article we will focus on the “Something you know” paradigm of authentication, as it has been found to be the most feasible option for password replacement due to its high levels of security, deployability, and usability compared with other methods, according to the experts who wrote “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” (Bonneau, et al. 2012).

Passwords must be memorable to be useful. Our passwords are only as strong as our ability to remember them. When remembering sequences, humans are temporally limited and can only remember on average seven characters at once (Miller, 1957). According to NIST Special Publication 800–63, 7 characters from your keyboard don’t get you anywhere close to an acceptable level of security.

This is where your typical IT expert chimes in with an authoritative quip about randomly generated passwords being more than sufficiently entropic and uncrackable for up to “yada-yada” eons. As usual, they are technically correct… and as usual, there is a piece of the puzzle missing. Randomly generated passwords are a viable option with regard to entropic strength (see NIST Special Publication 800–63, Table A.1), but humans simply can’t remember them. As demonstrated by Yan, et al., 2004, users who are assigned a completely random password reliably continue to carry a paper copy of the password weeks after initial learning, which shows how limited our ability to remember sequences of this type is.

Thus the CRUX of alphanumeric passwords… In general, there is an inverse relationship between password strength and memorability (Yan, et al., 2004).

3D Authentication

So, we know that “Something you know” based security is extremely deployable and convenient, but its security is capped by our limited ability to remember increasingly complicated memorized secrets. If only we could come up with another way to do this. A way that still meets all the criteria of “Something you know” authentication, yet reflects us as humans. Spoiler: We can! Instead of starting with computers and coming up with a johnny-on-the-spot solution for authentication that turns into another 58-year-long problem (seriously, 1961), we’ll start with humans this time.

Human memory cognitively operates by encoding information in previously recognizable ways, typically itemizing sequences into familiar pieces in a process known as chunking (Miller, 1957). Additionally, humans are much better at remembering information which can be encoded redundantly (Paivio, 1983). A variety of research generally supports the notion that human memory is sufficiently “chunked” or “redundantly encoded” when information is introduced visually rather than alphanumerically. While many long-term memories have previously been thought to include only the gist of the object, it is now known that relatively detailed visual representations of objects in scenes can be stored over extended periods of time. For example, subjects can discriminate between similar objects even after studying 400 other objects between initial learning and test (Hollingworth, 2004).

This supports the notion that humans are able to remember extremely detailed visual information about objects in contrast to previously mentioned difficulties with alphanumeric sequences. Furthermore, while full images are recognized with up to 98% accuracy after a two-hour delay, subjects experience significantly lower accuracy with words and sentences (Shepard, 1968).

This visual dominance is specifically relevant to passwords, and the addition of a third dimension to any graphic environment only multiplies its entropy and possible password space, further increasing security. When compared to graphic or 2D environments, a 3D environment also results in significant improvements in spatial memory performance (Tavanti and Lind, 2001). The 3D environment essentially creates a virtual memory palace for users, which has been shown to be as effective as traditional memory palace learning techniques (Legge, et al., 2012; see also “Moonwalking with Einstein”, Foer, 2011).
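To put numbers on the password-space claim, here is an added example (not from the original article, and not a description of Mindpass's scheme). It assumes a secret made of ordered selections from a grid of positions; the grid sizes, pick counts and function names are hypothetical. Each added depth level multiplies the number of positions, which adds log2(depth) bits per selection.

```python
import math

KEYBOARD_SYMBOLS = 94  # printable ASCII characters on a US keyboard, space excluded


def sequence_bits(choices: int, picks: int, repeat: bool = True) -> float:
    """Entropy in bits of `picks` ordered selections from `choices` options.

    Assumes every selection is uniformly random. Secrets chosen by users are
    not uniform, so treat the result as an upper bound, as with passwords.
    """
    if choices < 1 or picks < 0 or (not repeat and picks > choices):
        raise ValueError("invalid choices/picks combination")
    if repeat:
        return picks * math.log2(choices)
    # Without repetition the space is choices * (choices - 1) * ...
    return sum(math.log2(choices - i) for i in range(picks))


def grid_bits(width: int, height: int, depth: int = 1, picks: int = 4) -> float:
    """Entropy of `picks` ordered selections in a width x height x depth grid."""
    return sequence_bits(width * height * depth, picks)


def equivalent_keyboard_length(bits: float) -> int:
    """Shortest uniformly random keyboard password with at least `bits` bits."""
    return math.ceil(bits / math.log2(KEYBOARD_SYMBOLS))


def compare(width: int, height: int, depth: int, picks: int) -> dict:
    """Compare the same number of picks in a flat grid and in a 3D grid."""
    flat = grid_bits(width, height, 1, picks)
    deep = grid_bits(width, height, depth, picks)
    return {
        "bits_2d": flat,
        "bits_3d": deep,
        "gain_bits": deep - flat,  # equals picks * log2(depth)
        "keyboard_chars_2d": equivalent_keyboard_length(flat),
        "keyboard_chars_3d": equivalent_keyboard_length(deep),
    }


if __name__ == "__main__":
    # Constructed sample: 4 picks in a 16x16 scene versus a 16x16x16 scene,
    # next to a 7-character uniformly random keyboard password.
    print(compare(16, 16, 16, 4))
    print(round(sequence_bits(KEYBOARD_SYMBOLS, 7), 2))
```
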

In summary, a memory palace made virtual for the purpose of authentication capitalizes on our natural talents of memory by giving users redundant memory encoding, chunking and the other benefits associated with memory palace techniques on the fly.

And now, without further ado, the succinct answer to the question:

A 3D Password is a memorized secret based on 3D, visual cued recall that provides easier-to-remember “something you know” based authentication, encouraging user compliance, and significantly more security when compared to passwords.

Mindpass is already offering this easy-to-implement, patent-pending 3D authentication approach for business and enterprise to protect websites, intranet portals, applications and directories. You can sign up or ask questions about the service here.

Jake

Co-Founder, CEO & Engineer at Mindpass, Inc. End the Password. #EndThePassword #Mindpass #VirtualMemoryPalace