Study Claims Old People Select Stronger Passwords Than Teens
from the maybe-they-just-follow-instructions-better? dept
We've all seen tons of reports on how bad people are at choosing secure passwords, but it's not too surprising to find out that different demographic segments are better or worse than others at having secure passwords. Though, it may be a bit surprising to find out that a new study suggests that those over 55 pick passwords that are twice as secure as teenagers:This was based on research on the hashed versions of 70 million Yahoo users, in which a Cambridge research tried to determine the strength of all of the passwords, and see how different groups did. Some of the other findings:
People with a credit card stored on their account do little to increase their security other than avoiding very weak passwords such as "123456". Unsurprisingly, people who change their password from time to time tend to select the strongest ones.In terms of more specifics:
Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss, and each additional bit doubles the password's strength. On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password, and around 20 bits of security against offline attacks.Of course, this reminds me (like so much does) of an xkcd comic on how we've all been trained into selecting weak passwords that are hard to remember, on the false belief that they're strong.
That's surprising, because even a randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. Bonneau says the discrepancy is due to people picking much easier passwords than those theoretically allowed. He suggests assigning people randomly chosen nine-digit numbers instead, which would offer 30 bits of security against every type of attack – a 1000-fold increase in security on average. "I think it's reasonable to expect people to have the capacity to remember that, because they do it for phone numbers," he says.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cambridge, passwords, security, teenagers, xkcd
Reader Comments
Subscribe: RSS
View by: Time | Thread
Yeah, and if I can't remember the phone number, I probably have it scribbled down somewhere or I can query my friends who know it too or, in the worst case, I can still look it up in a public database on the Internet.
I'm not sure that approach works so great for passwords.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Misleading
The entropy there isn't the number of actual characters (since each individual word is an actual English word) it's actually (number most commonly used words) ^ (number of words).
Which is still pretty darn good though.
Also http://me.veekun.com/blog/2011/12/04/fuck-passwords/
All bow to public key cryptography!
[ link to this | view in chronology ]
Re: Misleading
I agree with your link, though, that it's extremely frustrating when websites have policies that prevent certain password options, like alpha-only passwords (even if long) or passwords over a certain number of characters.
[ link to this | view in chronology ]
Re: Re: Misleading
I can't find a blog post of his explaining how he got the numbers (although I didn't look further than when the comic was posted).
[ link to this | view in chronology ]
Re: Re: Re: Misleading
[ link to this | view in chronology ]
Re: Re: Misleading
If my password is ten words and three letters and I am owed fifty trillion dollars that means that I am owed the square root of negative fifty trillion which is an imaginary number and so I am owed an imaginary number of dollars per infringement. Every time you infringe I lose billions of dollars and no matter what your password is you infringe on something. So, since there are fifty million commonly used words + a gazillion other words, everyone owes me infinity to the power infinity imaginary dollars which translates to .... (plugging numbers in calculator) infinity factorial real dollars to the power infinity. Now pay up.
See, I can be good at math too!!!
[ link to this | view in chronology ]
Re: Misleading
[ link to this | view in chronology ]
Re: Re: Misleading
Put simply: 'It's not what you know, it's how you present it.'
[ link to this | view in chronology ]
It's also no surprise when seniors look at the world through the eyes of "everyone's out to get them".
To think, the issue gets more complicated when companies out there think it's in our best interest to share a single username/password across multiple applications.
Thanks, Google (though certainly not alone), in allowing anyone to crack any one application access to, well, everything else the account's assigned to.
[ link to this | view in chronology ]
Re:
The large number of password hacks last year lead to a bunch of younger people screaming how this was so rude because they had to change all of their passwords now. They often just use 1 password because its simpler for them, they don't look at what might possibly go wrong from it.
Google is in a difficult situation, they offer a huge variety of services. To make you have a different password for each would annoy the consumer, so they have 1 password but offer (after a few failures of large proportions) more ways to keep your account secure.
You can click a link and lock the account with the new password being sent to your phone.
I got an email that someone somewhere in China was trying to access one of my accounts, and they blocked it. It suggested changing the password. No fuss no muss.
The problem really is weak passwords, and people blindly clicking links forwarded to them assuming someone else made sure it was safe. There are entire sets of malware that just propagate via Facebook, click here to see video of that thing you like and people keep clicking and it keeps spreading.
One can't expect the platform to protect them, but so many do.
[ link to this | view in chronology ]
Re: Re:
The problem is that it is virtually impossible to follow good practice when you have 30 or 40 different logins to worry about.
Following good practice is too much hard work - and for most people it simply isn't worth it.
My advice would be to write down all your passwords - but keep them in a drawer at home - not in your wallet.
Burglary is comparatively rare and you KNOW when it has happened so you can take action. For the most part burglars don't really want your Techdirt login....
If you need to carry them arround then write them down in an encrypted form and remember only the key.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Sorry, but statistics from all sides show seniors are less likely to click a link they're unfamiliar is than say, someone's mother who thinks the link will take her to another cute dancing baby video.
Per the studies, women between 32 and 40 account for nearly 60% for these types of breaches.
Seniors are under 22%, which is better than the last demographic of 13-24 of both genders.
Of course, as with any study, a large dose of salt's needed because the way one asks the question definitely affects the answer given.
Luckily, I can also go with my own personal experience:
Number of times grammies called for PC assistance: 4.
Number of times my mom called for PC assistance: Payback is priceless. I stopped counting after 20... and that was 10 years ago.
[ link to this | view in chronology ]
Re:
More like; you don't get old by being stupid.
[ link to this | view in chronology ]
Which is Better—Using Different Types Of Characters, Or Making The Passwords Longer?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Unfortunatly....
[ link to this | view in chronology ]
He has a wrong assumption
xxx-yyy-zzzz
The way I memorize is it more like x-y-zzzz, so I only have to memorize 6 digits. X and Z are repeated so often that my mind has hardwired dedicated paths for the few x and z combinations. Actually, z is so common through out my state, that I only have 1 effective number to "memorize".
Give me a full 10 digit phone number from an area code that I don't know, and it will take me weeks to memorize it.
[ link to this | view in chronology ]
Re: He has a wrong assumption
[ link to this | view in chronology ]
123456?
[ link to this | view in chronology ]
Re: 123456?
my employer doesn't pay me enough to shill and so now I must find another source of income and so everyone else is it. i declare everything that anyone does infringement. pay me.
[ link to this | view in chronology ]
GRC has evn a better take on this
https://www.grc.com/haystack.htm
And here is his test:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
Believe it or not. it is the first password.
[ link to this | view in chronology ]
Re: GRC has evn a better take on this
[ link to this | view in chronology ]
Re: Re: GRC has evn a better take on this
Sites that don't allow all four character sets or limit the number of letters in a password have questionable security models. If you find this in a bank it is probably time for a new bank.
[ link to this | view in chronology ]
Re: GRC has evn a better take on this
[ link to this | view in chronology ]
Re: Re: GRC has evn a better take on this
Do you have a way to confirm each and every character is correct before?
That got to be some breakthrough of some kind.
From what I understand you have to match the hash is there any method that shows neighboring hashes to deduce the characters being used?
Well anyways that works for now, you can have a lot of repetition and change only one or 2 characters people don't have a way to looking at that at the moment it may be possible to guess it, but password cracking is nothing like Hollywood movies show, where you get one digit right and confirmed, you get all or nothing all the time for now.
[ link to this | view in chronology ]
Re: Re: Re: GRC has evn a better take on this
Of course, the benefit gained from this isn't enough to counter-act the padding advice, it just means that non-standard padding is likely better.
D.0.g.D.0.g.D.0.g.g.0.D.g.0.D.g.0.D.
I'd like to see an equally efficient algorithm for breaking patterns like that.
[ link to this | view in chronology ]
Re: Re: GRC has evn a better take on this
[ link to this | view in chronology ]
Re: Re: GRC has evn a better take on this
[ link to this | view in chronology ]
Re: GRC has evn a better take on this
[ link to this | view in chronology ]
strong requirements does not make a strong password
[ link to this | view in chronology ]
Re: strong requirements does not make a strong password
At my current work I need to remember three separate passwords. Two of those passwords have to be changed every 6 weeks. So I just use the same password and increase the number by one.
After 12 months we can reuse the old password.
So the process begins again.
Meanwhile, I've had the same password for online banking for at least 15 years.
[ link to this | view in chronology ]
Re: Re: strong requirements does not make a strong password
[ link to this | view in chronology ]
395
[ link to this | view in chronology ]
I used to have a strong password,
[ link to this | view in chronology ]
What make the software easy is that when I click the name of a site it takes me to the site and automatically enters my user name and password, making logins quite easy.
Certainly there are other similar products, and it might prove useful to give them a quick look. Cost is about $50, but it is worth every dollar and more.
Just a thought.
[ link to this | view in chronology ]
Re:
So it seems that instead of a hacker having to crack each account/password separately, if someone had a program like that they'd only have to hack one program and suddenly they'd have access to all of the login names and passwords instead. Not only that but it would completely take out any guessing needed on the part of the hacker by giving them a handy list of what sites/accounts they now have access to.
How is that supposed to be more secure?
[ link to this | view in chronology ]
Re: Re:
If you have to deal with dozens of passwords it is not likely that anybody will memorize them all, making it even less likely that they will change over time as good practices dictate, because it is hard to memorize a lot of stuff and people will not do it on a regular basis ever, so you compromise to keep strong passwords to all accounts, you take a risk.
For very critical pieces you don't use it you use another scheme that doesn't involve storing any keys in the local hardware, like paper keys or secure dongles.
The alternative is to have each individual manage all their passwords by hand which probably will end up being less secure, this is s human limitation, people are just not cut out to remember a lot of stuff exactly and have it changed regularly that is not how humans operate and any security scheme that doesn't take that into account is flawed. So as the number of accounts grow so grow the potential for insecure situations, the only reasonable solution is a manager that can keep that for someone, now where it is stored is open for debate, should it be online, local or physically separate? What are the best practices to handle those?
All alternatives have good and bad points, probably best is to have a mix of all, which again adds complexity and the more complexity the more risk.
Anything that can transform passwords in moving targets is probably good for almost all situations the downside is that you will have all of your eggs in one basket, which you could try to mitigate by having 2 or 3 baskets for different purposes, one for very sensitive accounts and one for not sensitive at the very least.
If you want to go full paranoid, use a different physical machine to login that uses a different physical path to access the internet for the sensitive and non-sensitive and fallow strict protocols to handle keys to never let them unattended or passing through unsecured channels.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Old people don't pick good passwords, they just try to memorize the ones that get assigned to them.
Young people who have 20x more passwords online, likely pick lots of crappy ones that are easy to remember for sites they don't care about. They also are more likely to change all their passwords.
[ link to this | view in chronology ]
I remember once upon a time inadvertently discovering a site that let you put in passwords as long as you felt like, but ignored all but the first 8 characters or so.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Yet another problem
My biggest problem with trying to convince people to do this is that they think the computer is going to know they gave the wrong answer to the question. I have to convince them it is a call and response system. It doesn't matter what the question and answer are as long as you always give the same answer to the question as you did the first time.
[ link to this | view in chronology ]
Re: Yet another problem
I just fill the security questions with clues to the hard to remember portion of the password. Does the hacker no good, as he doesn't have a memory of the password to jog, nor will he know the rest of the password.
Tell me, what does "u represents" tell you about one of my passwords? It tells me everything I need to know to realize not only which password I used, but the twist I stuck in there too.
By the way, a clue like that uses pretty much the same intuition that public-private key encryption uses. It is functionally equivalent to a modulus for human beings and useless to computation (just as a modulus is more or less useless to human crackers).
[ link to this | view in chronology ]
They just gave out the passwords?
And not only that, they let them see which of those passwords had CREDIT CARDS attached to the accounts? I'm not deleting my Yahoo account over this, but you can bet I'm *never* giving them my credit card info.
[ link to this | view in chronology ]
Re: They just gave out the passwords?
/Unnecessary Spelling Nazi
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Not really, no. Let's say I tell you I'm using the XKCD method of putting 4 words together, and even give you a list of 2048 words that I'm going to choose from. Even with that abridged dictionary, the number of possible passwords is 2048^4, or 17,592,186,044,416. Good luck brute-forcing that.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Assigning a 9 digit password
Sorry, no, for several reasons.
If I were to register for a Yahoo account simply so I could play some online games, and it assigned me a random 9 digit number as a password, I would REALLY have to care about the site to bother to even try to memorize it. At some point you get people constantly re-creating new accounts so they can play Yahoo Chess or whatever, resulting in a bunch of unused nicknames.
Yes, people memorize telephone numbers all the time, BUT they normally don't memorize them instantly. And if they do, it's normally because they already know the area code and possibly the exchange. And even given the area code and exchange restrictions, when was the last time someone told you a telephone number you needed and you didn't write it down or put it in your phone on the spot? Of course, you can argue that writing down a complex password is better than memorizing a weaker one... but that in turn might depend on the environment you're in. You really want to take a slip of paper containing all your passwords with you on a trip? What if you have a snoopy roommate?
And that gets worse when you consider that you sometimes need to make several accounts in a row. Maybe you're making that Yahoo account to set up an email so you can make some OTHER account. OK, great, now you have to memorize TWO randomly generated 9 digit numbers AND remember which one is which (plus the convoluted usernames you had to pick because all the simple ones were taken by people who logged in once and forgot their passwords.)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Why old people have good passwords
is really long, as are the stories they recite word for word to everyone who will listen. Also, they have enough history devoid of unified communication to have incredibly disparate thought patterns, so getoffmylawnyouyellowbelliedlout is just as likely to come up.
yousillyyoungthingswithyourshortkeywords.
[ link to this | view in chronology ]
Great discussion, as always
[ link to this | view in chronology ]