Despite the often repeated recommendations by security experts, most users regularly fail to choose strong enough passwords.
Joseph Bonneau, a computer scientist and researcher at Cambridge University, has recently shared the results of his analysis of passwords of nearly 70 million Yahoo! users with the audience at the 2012 IEEE Symposium on Security and Privacy, and among the results of his analysis are some that come as a surprise, but also some that don’t:
- The over-55 crowd chooses passwords that are twice as strong as those chosen by users under 25 years of age.
- The native language of the users affects, in part, the strength of the chosen passwords. According to the research, Germans and Koreans are best at picking a strong one, while Indonesians are worst.
- Users who often change their passwords are, expectedly, more likely to choose stronger ones – but only if the change is voluntary. When forced to change passwords, a great many users opt for one that is somehow related to the previous one used.
- Sadly enough, users who have had their password reset manually after reporting their account compromised do not choose better passwords.
- Users who store credit card information on their account do avoid the weakest and most often used passwords, but still choose ones that are not sufficiently hard to crack.
By using improved metrics to evaluate the hashed passwords, and taking into consideration the fact that attackers can try to break passwords either on the spot (online guessing) or by attempting to crack an entire stolen database of password hashes (offline), Bonneau and his team concluded that average passwords provide “fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack.”
He pointed out that, so far, experiments on actively encouraging users to choose stronger passwords have proved to be failures.
According to New Scientist, he proposes that users be assigned nine-digit numbers as passwords – a move that should make the passwords a thousand times more difficult to crack than the current average ones.
He argues that users should be able to remember them, as they are obviously capable of remembering phone numbers.
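To make the “bits of security” figures and the thousand-fold claim concrete, here is an added example (not from the article, nor Bonneau's own code). It uses the β-success-rate metric from Bonneau's 2012 paper, which the article only refers to as “improved metrics” (an assumption on my part): λ_β is the share of accounts an attacker compromises with β guesses per account, converted to bits as log2(β / λ_β), which equals log2(N) for a uniform choice among N passwords. The password counts are constructed, not the Yahoo! data, and the 9-digit comparison assumes the numbers are assigned uniformly at random.

```python
import math
from collections import Counter

# Constructed toy dataset: 1,000 users, heavily skewed toward a few choices
# (this is NOT the Yahoo! data analysed in the paper).
SAMPLE_PASSWORDS = Counter({
    "123456": 120, "password": 90, "qwerty": 60, "welcome": 40, "abc123": 30,
})
# The remaining 660 users each pick a distinct "long-tail" password.
SAMPLE_PASSWORDS.update({f"user-pw-{i}": 1 for i in range(660)})


def success_rate(counts: Counter, beta: int) -> float:
    """lambda_beta: fraction of accounts cracked by trying the beta most
    common passwords against every account (an online trawling attack)."""
    if beta < 1:
        raise ValueError("beta must be at least 1 guess per account")
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:beta]
    return sum(top) / total


def bits_of_security(counts: Counter, beta: int) -> float:
    """Effective bits against a beta-guess online attack: log2(beta / lambda_beta).
    For a uniform distribution over N passwords this is log2(N), so the value
    is directly comparable to the entropy of a randomly assigned PIN."""
    return math.log2(beta / success_rate(counts, beta))


def uniform_bits(num_digits: int) -> float:
    """Bits of a uniformly random numeric password with num_digits digits."""
    return num_digits * math.log2(10)


def difficulty_ratio(num_digits: int, baseline_bits: float) -> float:
    """How many times more guesses a uniform PIN needs than a baseline
    strength given in bits (e.g. the ~20 bits quoted for offline attacks)."""
    return 2 ** (uniform_bits(num_digits) - baseline_bits)


if __name__ == "__main__":
    for beta in (1, 10):
        print(f"beta={beta}: lambda={success_rate(SAMPLE_PASSWORDS, beta):.3f}, "
              f"bits={bits_of_security(SAMPLE_PASSWORDS, beta):.2f}")
    print(f"uniform 9-digit number: {uniform_bits(9):.2f} bits")
    print(f"vs 20-bit baseline: {difficulty_ratio(9, 20.0):.0f}x harder")
```

With ten guesses per account the skewed sample yields under 5 bits, while 10^9 uniformly assigned numbers give about 29.9 bits, roughly 2^10 (a thousand) times the 20-bit offline figure quoted above.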