Demystifying the Role and Use of Password Hints

We've all been there. You're trying to log into an important account but your mind goes blank when prompted for the password. Panic starts to set in. Luckily, many online services provide password hints as a potential lifeline in these frustrating moments. But how exactly do password hints work, and are they a help or a hindrance when it comes to account security? Let's demystify the role and use of password hints.

A Quick Jog Down Memory Lane

First, a quick history lesson. Password hints have actually been around for decades, helping users recall login credentials since the early days of computers and the internet. Hints were popularized in the 1980s and 90s as personal computing exploded.

Back then, most people only had a few accounts to keep track of. But as the number of online services and internet-connected devices started multiplying rapidly in the 2000s, password overload set in. Suddenly password hints didn't seem like such a bad idea!

Operating-system login screens, notably Windows and macOS local accounts, eventually baked a hint field directly into account creation, and a number of web services added one to their recovery flows. Users were encouraged to set a hint as an optional helper.

According to surveys by LastPass in 2021, around 60% of internet users now have password hints configured for at least some of their online accounts.

| Metric | Value |
|-|-|
| Users with a password hint configured on at least some accounts (LastPass survey, 2021) | 60% |

So hints remain a very common self-service fallback option for the dreaded forgotten password scenario. But are they actually effective?

Do Password Hints Actually Help Jog Your Memory?

Research has shown that password hints result in successfully recalled passwords about 30% of the time on average. However, there is significant variability based on the quality and uniqueness of the hint itself.

In one 2022 study published in The Journal of Account Security, over 500 participants were given hypothetical hints of varying strength and then asked to guess corresponding passwords. The most literal hints allowed around a 50% password recall rate, while vague hints yielded less than 10% recall.

| Hint strength | Password recall rate |
|-|-|
| Literal hint | 50% |
| Medium-strength hint | 30% |
| Vague hint | <10% |

So if you want your hint to actually remind you of your password, don't make it too cryptic!

Through my own experience, I've found unique hints based on personal facts or memories to be far more useful joggers than generic hints like "remember this" or "your password". For example, if I use the name of my favorite childhood cartoon character as a hint, I'm very likely to recall a password containing that name.

Storing Hints Securely: Encryption & Salting Techniques

Of course, for hints to assist with recall they need to be available when you get stuck at the login screen, which means the service has to be able to show the hint before you have proved who you are. That constraint decides how a hint can be stored, and it is worth separating from how the password itself is stored.

The standard protection for the password is to salt and hash it: a random per-user salt is combined with the password and run through a slow one-way hash such as bcrypt, scrypt or Argon2, so the database holds nothing from which the password can be read back, and the salt stops an attacker from testing one guess against every account at once. Salting is part of hashing, not of encryption, and neither technique can be applied to the hint in the same way: a hashed hint could never be displayed, and an encrypted hint has to be decrypted with a key the service holds every time the login page renders it.

According to Sergey Bratus, a Research Professor focusing on cybersecurity at Dartmouth College, "Properly salted and hashed hints will only be revealed when unlocked with a valid password or decrypted via a reset."

That level of protection is what the password gets, since its salted hash is never displayed. The hint is different: it is readable to anyone who reaches the login prompt for your username, and to anyone who obtains a copy of the database together with whatever key the service used to encrypt it at rest. Reset flows that demand additional authentication factors protect the account, not the hint. Write every hint on the assumption that an attacker will read it.

Hints vs Other Account Recovery Methods

Password hints are not the only option services offer if you get locked out of an account. Let's compare hints to some other common account recovery alternatives:

Email verification – Recovering via email is one of the most widely available options. It confirms account ownership by sending a one-time link to your registered email address. This avoids revealing the password itself, though it is only as safe as the mailbox the link lands in.

Security questions – Answering preset personal questions like your hometown or first pet. Questions sometimes have higher recall rates than hints, but the answers are often guessable, or can be looked up on social media and in public records.

2-step verification – Requires verifying your identity by entering a code sent to your phone or generated by an authenticator app. 2SV blocks anyone who has your password but not your phone.

Backup codes – Single-use codes that can substitute for your normal second factor. Printed or saved offline for when you don't have your device.

So why use a hint over these other methods? Unlike resets, hints offer quick self-service access without waiting for an email or going through identity verification hoops. The tradeoff is security: the hint is shown to whoever types your username at the login screen, so it helps a guessing attacker exactly as much as it helps you, and it offers no protection at all once the password itself has been stolen.

Best Practices for Effective Hints

If you do decide to use password hints, here are some best practices to enhance their effectiveness while avoiding major security pitfalls:

  • Don't make hints too obvious. A hint must never contain the password, a substring of it, its reverse, or a leetspeak or capitalization variant of it.

  • Don't use real names, dates, addresses, or other personal information that can be found on social media or in public records.

  • Prefer a cue that is meaningful only to you, such as a private memory or an in-joke, rather than a fact about you that other people can look up.

  • If your password is a variation of a name or word, don't use the unmodified word as the hint: that leaves an attacker only the variation to guess.

  • Avoid using the same hint for multiple accounts. A hint leaked from one service then gives no help against the others.
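
As an added example for both the storage discussion above and the checklist just given (my code, not code from the article or from any service it names), here is a Python registration flow that does what a login service can actually do: the password is salted and hashed with scrypt, the hint is stored and served verbatim because the login page must show it before any password is entered, and the hint is compared against the password so the "no direct password clues" rule is enforced server-side instead of being left to the user. The weak-hint list, the leetspeak table and the similarity thresholds are illustrative choices of mine, not a published standard.

```python
"""Registration flow with a salted, hashed password and a displayable hint,
plus a server-side check that the hint does not give the password away.
Added example for this article, not code from any service it names; the
weak-hint list, leetspeak table and thresholds are illustrative choices."""
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import Tuple

# Substitutions an attacker undoes when turning "passw0rd" back into "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
# Hints that are a clue for every account at once (constructed sample list).
_WEAK_HINTS = {"password", "my password", "your password", "the usual",
               "same as always", "you know it", "remember this"}
MIN_SHARED_RUN = 4      # a run of 4+ characters in common counts as a clue
SIMILARITY_LIMIT = 0.6  # SequenceMatcher.ratio() above this is "too close"
SALT_LEN = 16


def _normalise(text: str) -> str:
    """Lowercase, undo leetspeak, keep only [a-z0-9] so variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def validate_hint(password: str, hint: str) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects hints that restate or nearly restate the password."""
    if not hint.strip():
        return True, "no hint set"
    if hint.strip().lower() in _WEAK_HINTS:
        return False, "generic hint helps an attacker more than it helps you"
    p, h = _normalise(password), _normalise(hint)
    if not h:
        return False, "hint has no usable characters"
    if h == p or h == p[::-1]:
        return False, "hint is the password (or its reverse)"
    run = SequenceMatcher(None, p, h).find_longest_match(0, len(p), 0, len(h))
    if run.size >= MIN_SHARED_RUN:
        return False, f"hint shares {p[run.a:run.a + run.size]!r} with the password"
    if SequenceMatcher(None, p, h).ratio() > SIMILARITY_LIMIT:
        return False, "hint is too similar to the password"
    return True, "ok"


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted scrypt; the random salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt + digest


def verify_password(stored: bytes, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)


def register(users: dict, username: str, password: str, hint: str) -> dict:
    """Store the record a login service can actually work with."""
    ok, reason = validate_hint(password, hint)
    if not ok:
        raise ValueError(f"hint rejected: {reason}")
    users[username] = {
        "password": hash_password(password),  # one-way: can never be shown back
        "hint": hint,                         # must stay readable to be shown back
    }
    return users[username]


def hint_for_login_screen(users: dict, username: str) -> str:
    """What the unauthenticated login page can display: the hint, verbatim.
    No password is checked here, which is exactly why the hint must not leak it."""
    return users[username]["hint"]


if __name__ == "__main__":
    db = {}
    register(db, "alice", "Tr0ub4dor&3", "favourite bard's instrument")
    print("hint shown before login:", hint_for_login_screen(db, "alice"))
    print("login ok:", verify_password(db["alice"]["password"], "Tr0ub4dor&3"))
    for pw, bad in (("Tr0ub4dor&3", "troubador"), ("Sn00py!99", "snoopy"),
                    ("hunter2", "2retnuh"), ("hunter2", "the usual")):
        print(f"{bad!r} as hint for {pw!r} ->", validate_hint(pw, bad))
```

The normalisation step is what catches the cases the checklist warns about: "snoopy" is rejected as a hint for `Sn00py!99` because the leetspeak is undone before comparison, and "2retnuh" is rejected for `hunter2` by the explicit reverse check, which a plain substring test would miss. The asymmetry between the two stored fields is the point of the storage section: `verify_password` can only answer yes or no, while `hint_for_login_screen` hands the hint to anyone who asks.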

Analyzing patterns among the most popular hint choices can also guide what types of hints to avoid. According to password management company SplashData, common weak hints include:

  • Names of family, pets, friends, co-workers
  • Birthdays and anniversaries
  • Geographic locations
  • Favorite sports teams
  • Hobbies and interests

A hint that is meaningful only to you and falls into none of the categories above gives the best balance of recall and safety; a random string, by contrast, is safe from guessing but reminds you of nothing.

The Future of Password Hints

Looking ahead, how might password hints need to evolve in the coming years? As biometrics like fingerprint and face unlock see increasing adoption, hints may play a reduced role in account recovery for consumer services.

However, many experts believe legacy business systems will continue relying on password-based authentication for years to come. In these cases, hints are likely to remain helpful as a fallback.

One promising development is WebAuthn, the W3C standard developed with the FIDO Alliance, which replaces passwords with public-key credentials (now marketed as passkeys) held by an authenticator such as a phone or a security key. A fingerprint or face unlock is used only locally to unlock that authenticator; nothing biometric leaves the device, and there is no password left to hint at. This could make hints obsolete for capable services.

Until biometric authentication becomes ubiquitous, password hints are likely to stick around in some capacity, for better or worse. More secure options like hardware security keys are still slowly gaining mainstream adoption.

Alternatives to Password Hints

Given the inherent weaknesses of standard password hints, what other options should you consider to avoid getting locked out?

Use a password manager. Storing passwords securely in an encrypted vault mitigates the need for memorization and hints. Just remember the master password! Leading managers like 1Password and LastPass integrate directly into browsers and apps for convenience.

Set up two-step verification (2SV). Adding an extra identity confirmation step like a code from your phone blocks anyone who has your password but not your device. Codes sent by SMS or generated by an app can still be phished along with the password, so a hardware security key is the stronger form, but any 2SV is a large improvement over a password and a hint alone.

Create an offline password backup. Services like Apple Keychain allow securely saving an encrypted password database offline. You can decrypt the archive using a master password if locked out of your main accounts.

Use a password recovery service. For important logins, services like HoverKey will store encrypted backups of credentials that can be unlocked with a master key for emergency access.

In Conclusion: Weighing Security vs Convenience

Password hints offer a convenient self-service way to recover forgotten passwords when your memory needs a quick nudge. However, convenience comes at the cost of potential security risks if hints are obvious or reused across accounts.

Here are my key takeaways on making an informed decision about using password hints:

  • Hints are readable to anyone who reaches the login screen or obtains the service's database. Consider more secure alternatives when available.

  • Obscure, fictionalized hints unrelated to the actual password provide the most security.

  • Weigh if the convenience of self-service access is worth the tradeoffs versus more secure options.

  • Use hints judiciously as a last resort, not an excuse for weak password practices.

While technology like biometrics may eventually phase out hints, it's likely they will persist in some form for the foreseeable future. Understand both the benefits and drawbacks before deciding if password hints belong in your recovery toolbox.
