When designing interactive systems, one of the most important human characteristics that we have to take into account is memory. Humans' memory has particular limits and capabilities, and if we understand this from a cognitive perspective going into our design, we can build systems that take advantage of people's capabilities instead of taxing them. The part of memory that's particularly of interest when you're building a system for people is working memory. This is sometimes called short-term memory, and it's the part of our memories where we store information that we readily need to access in a quick amount of time.
George Miller, in 1956, wrote a paper that he called The Magical Number, where he theorized that working memory could hold 7 plus or minus 2 pieces of information. The most capable people could remember up to 9 things at once, and those in the lower end of the spectrum could remember 5. That number has been revised. Broadbent, in 1975, suggested the range was more like four to six. LeCompte, in 1999, said that if you're designing systems for people to use, you really shouldn't ask them to remember more than three things at a time. And a common practice that we see in user interface design is requiring people to remember 4, plus or minus one, things. So, 3 to 5.
Let's look at some examples of what working memory means. And we'll do this in the context of a concept called chunking. If I give you this string of characters and ask you to put it in your working memory, that means you'd be able to look at the screen, look at the letters for a few seconds, and then leave the room and write them down on a piece of paper. Now this string of characters is ten long, which exceeds even Miller's seven plus or minus two example. It's hard to remember, it doesn't make a lot of sense, but it's ten different characters for us to remember.
And so it's unlikely that a lot of us would be able to look at this for a few seconds, turn away from the screen, and write down exactly what we saw. But we could rearrange these characters. They can be rearranged to spell old veg mi yo, or video gym lo. In this case we have the same ten characters. But we have it in four or three words. Because we can remember the word, old, as a single thing, we're not really remembering three characters in terms of our working memory. We're remembering one word. So, we've rearranged these characters into chunks that can be remembered more easily. This concept of chunking explains that working memory can hold 7 plus or minus 2, or 4-6 things, but if you can group things into meaningful chunks, you can remember 7 plus or minus 2 chunks, or 4-6 chunks, as opposed to individual atomic elements. So, doing old veg mi yo is 4 words that we have to remember, which is a lot easier than 10 characters.
We could take this even one step further. The same characters can be arranged to say I love my dog. Now, that's a phrase that makes sense. It's a sentence that we've all probably heard before, and it's something that we can remember almost as a single unit. We're remembering the phrase I love my dog, which is easier than remembering three or four distinct words that don't have a lot of coherent meaning. But even those three or four words are easier to remember than the ten characters. In all these cases, we're remembering the same ten characters, but they're put into different chunks that tax our working memory in different ways. So, remembering a single phrase is almost like remembering one item as opposed to remembering ten individual characters.
Another example could be this. These are the digits of pi. At one point in my life I decided I needed to learn a bunch of digits of pi. And I think I had memorized out to about a hundred digits, which was pretty good. I can't remember that many anymore. This is what I can remember.
So, that's still a lot more than the average person, but I'm not going to win any pi recitation contest with these characters. But if we wanted to set out to memorize this string of numbers, how would we do it? One of the first steps we can do is to break this down. So, we have 3.14, that's the estimate of pi that we all learned, like, in elementary school. And then we have everything that comes after it. So, the everything that comes after it is really the hard part, and when I was memorizing this, I would break it up into small pieces, and this is about how I have it memorized, in chunks that look like this: 159 26 535 8979 and so on. If you count these, there's actually eight chunks here, which fits nicely in Miller's seven plus or minus two emphasis. Now, I've got these numbers committed to my long-term memory at this point, but the fact that I was able to remember about eight chunks frequently enough that I could commit it to long-term memory is a good sign of how those limits apply. I had the rest of the numbers broken into chunks as well. And at one point, I did have them memorized, but that's kind of faded away. The first 8 were the easiest to remember.
So, what I'd like to do now, to get us thinking about this idea of what our own limits are of our short-term memories, and how chunking works, is to have you do some exercises. Here's an example. We're going to flash a number up on the screen. It's going to stay there long enough for you to read it, and then it'll go away. When it disappears, you should have a piece of paper in front of you, and write down the number that you'd seen. We're going to do some real exercises. So, you can pause the video here. Go get yourself a piece of paper and a pencil. And don't cheat. So, let the numbers show up on the screen, and then disappear. And only after it disappears should you write the number down on a piece of paper. Don't pause the video, don't cheat. The point here is to test your working memory.
We're going to go through a series of numbers, and I want you to write them down. There's going to be a slide in between that indicates when we're going on to the next number. Some of them will be really long numbers, and some of them will be broken up into chunks, where each chunk is shown in series. Write them all down, and when we get to the end, I'll show the solutions, and you can see how well you did. Longer numbers will appear for a longer amount of time, so you will always have time to read the full number, sometimes even twice. And then when the screen goes blank and the number disappears, it's set up so you have plenty of time to write the number down before the next thing appears. So, you shouldn't feel too rushed in this exercise. So, pause it here, and when you're ready, come back and hit Play, and we'll get started. Ready? Go. [MUSIC]
So now let's check your answers. Here's the first set of numbers that we looked at. I've broken these up into groups of three, exactly because it's easier to compare something you have written down to something on the screen when they're in small chunks. Hopefully, you noticed that the first set of numbers are the same. But in the second example, I grouped them like a phone number, and that makes it easier to chunk them even though you're remembering exactly the same numbers. Remembering them as pieces of a whole often makes it easier, so perhaps you got more right in the second example than we did in the first. The rest of the numbers that you saw were exactly the same length. Some of them you saw as one string, some of them you saw broken up into groups of five, and others you saw broken up into groups of three. Hopefully you're able to compare your numbers here, and see that you probably did better when the numbers came up in groups of three. Here's the remaining answers. And if you notice, the last set of numbers that you went through, you probably picked up on it as you were going through.
They were in more memorable groups. So the first set, you can see here, we have 123 456 789 10 11 12. The other groups didn't follow exactly the same pattern, but they were in groups that were relatively easy to find patterns in, and that may have made it easier for you to remember them. So, the idea to take out of this exercise is that giving people small groups of things to remember as part of their tasks makes it much easier, because our working memory does not accommodate large strings, whether it's numbers, texts, or other things to remember. Smaller bits are easier for people to work with, and that's a lesson that will carry forward as we talk about designing usable systems.
So, how do we use chunking when making usable security decisions? Well, let's consider passwords for an example. This is a list of the top ten most popular passwords that are used. And anyone who has spent time learning about secure passwords, and even people who haven't, know that these are not secure passwords. But they're easy passwords to remember. Some of them actually look like the numbers I had you doing in the experiment that we just finished. Other ones are words, and there's a couple combinations of words in there, but all of these are really easy to remember. That's not how most password systems advise us to create them. There's big, long, complicated rules of how many characters and what kinds of characters can go in a password, what characters can't, how often you can repeat it. There's rules about changing your password every few months that drive me crazy. There's recommendations that you don't repeat your passwords across sites. And so what this means is, if you have 200 sites with passwords, which you might, I certainly do, and you're supposed to change those passwords every six months, and you can't repeat passwords across sites, plus you have this big list of rules.
It means that people either pick insecure passwords, or if they try to follow these rules, they have a post-it or something with the passwords written down. This isn't a secure system, but it's because the rules for creating passwords, where you need eight characters with an upper or lower case, a number, a special character and so on, don't rely on people's cognitive abilities. Those sorts of passwords are hard to remember.
But research has shown that you can create passwords that take advantage of chunking in humans' memory capabilities. You create a password with chunks. So, for example, people were advised to pick two meaningful dates and two initials meaningful to them, to pick a character that separates parts of the date, and create a password. So, here is an example of one of those. The first part of this, 8 11 71, is a date, as is 12-11-81. The first one is followed by the initials LG, and the second is followed by the initials KD. This is a super secure password, it meets all of the rules that most of these systems require, and in fact it's much longer and much more secure. But it's very easy for a person to remember, they just need to recall those two important dates and the two initials that they picked.
Researchers have actually studied this, and when they asked people to create a standard seven character password on three different sites, 50% of the time, people could remember the password that they created. When they asked people to create a four chunk password like this (it has two chunks as dates and two chunks as initials), and they created four chunk passwords on three sites, they were able to recall it 76% of the time. So, not only does chunking allow us to advise people on how to create passwords that they remember more easily, they also create passwords that are more secure, because they're longer and have more characters in them.
So, this is a great example of how we can take advantage of this cognitive ability of chunking that people have and apply it to a security principle like password creation to create systems that are both more usable and more secure. We'll talk more about passwords later on in this course and how to create useable ones, and we'll also look at how chunking appears in a lot of other examples as we discuss useable security.
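The four-chunk password recipe from the lecture, worked through as an added example that is not part of the original transcript: it splits a constructed password into its memory chunks and compares the search space with a seven-character password. The `/` and `-` separators, the 100-year date span, the 94-character printable alphabet and all function names are assumptions made for illustration, and the seven-character figure is an upper bound that only a randomly generated password reaches.

```python
import math
import re
import string
from datetime import date

# Constructed sample following the lecture's recipe: two dates and two sets of
# initials. The "/" and "-" separators are assumptions, not from the lecture.
SAMPLE = "8/11/71LG12-11-81KD"

DATE = r"\d{1,2}[^A-Za-z0-9]\d{1,2}[^A-Za-z0-9]\d{2}"
CHUNKED = re.compile(rf"({DATE})([A-Z]{{2}})({DATE})([A-Z]{{2}})")


def split_chunks(password):
    """Return [date, initials, date, initials], or None if the shape differs."""
    m = CHUNKED.fullmatch(password)
    return list(m.groups()) if m else None


def blind_bits(length, alphabet=94):
    """Bits of search space when only length and printable ASCII are assumed."""
    return length * math.log2(alphabet)


def structured_bits():
    """Bits of search space if the recipe itself is known to the guesser.

    Assumptions: any day in a 100-year span (two-digit years), two uppercase
    initials, one separator per date drawn from string.punctuation.
    """
    days = (date(2000, 1, 1) - date(1900, 1, 1)).days
    initials = 26 ** 2
    separators = len(string.punctuation)
    per_half = days * initials * separators  # one date plus one set of initials
    return 2 * math.log2(per_half)


if __name__ == "__main__":
    chunks = split_chunks(SAMPLE)
    print(f"{len(SAMPLE)} characters, {len(chunks)} chunks: {chunks}")
    print(f"random 7-char password : {blind_bits(7):.1f} bits")
    print(f"chunked, recipe unknown: {blind_bits(len(SAMPLE)):.1f} bits")
    print(f"chunked, recipe known  : {structured_bits():.1f} bits")
```

The person holds four items in working memory while the password is 19 characters long; even under the pessimistic assumption that the recipe is known, the estimate stays above the seven-character upper bound.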