Study Claims Old People Select Stronger Passwords Than Teens
from the maybe-they-just-follow-instructions-better? dept
We’ve all seen tons of reports on how bad people are at choosing secure passwords, but it’s not too surprising to find out that different demographic segments are better or worse than others at having secure passwords. Though, it may be a bit surprising to find out that a new study suggests that those over 55 pick passwords that are twice as secure as teenagers:
This was based on research on the hashed versions of 70 million Yahoo users, in which a Cambridge research tried to determine the strength of all of the passwords, and see how different groups did. Some of the other findings:
People with a credit card stored on their account do little to increase their security other than avoiding very weak passwords such as “123456”. Unsurprisingly, people who change their password from time to time tend to select the strongest ones.
In terms of more specifics:
Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss, and each additional bit doubles the password’s strength. On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password, and around 20 bits of security against offline attacks.
That’s surprising, because even a randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. Bonneau says the discrepancy is due to people picking much easier passwords than those theoretically allowed. He suggests assigning people randomly chosen nine-digit numbers instead, which would offer 30 bits of security against every type of attack – a 1000-fold increase in security on average. “I think it’s reasonable to expect people to have the capacity to remember that, because they do it for phone numbers,” he says.
Of course, this reminds me (like so much does) of an xkcd comic on how we’ve all been trained into selecting weak passwords that are hard to remember, on the false belief that they’re strong.
Filed Under: cambridge, passwords, security, teenagers, xkcd
Comments on “Study Claims Old People Select Stronger Passwords Than Teens”
“I think it’s reasonable to expect people to have the capacity to remember that, because they do it for phone numbers”
Yeah, and if I can’t remember the phone number, I probably have it scribbled down somewhere or I can query my friends who know it too or, in the worst case, I can still look it up in a public database on the Internet.
I’m not sure that approach works so great for passwords.
Re: Re:
Never seen a post from someone saying “Dropped my phone in the toilet everyone text me their numbers so I have them again.”
Re: Re:
I have exactly two 10 digit phone numbers memorized, and that came through repeated use rather than than a conscious attempt to memorize (and 3 of those 10 digits are the area code, so really I memorized 2 7 digit numbers).
Passwords are the only time when i still use l33t5p34k, the preferred method of the xkcd strip was what’s taught me in highschool in IT-classes.
Misleading
I’d like to point out that that XKCD comic doesn’t show the whole truth. The problem is that it uses the wrong algorithm to try to bruteforce passwords generated with his proposal.
The entropy there isn’t the number of actual characters (since each individual word is an actual English word) it’s actually (number most commonly used words) ^ (number of words).
Which is still pretty darn good though.
Also http://me.veekun.com/blog/2011/12/04/fuck-passwords/
All bow to public key cryptography!
Re: Misleading
“(number most commonly used words) ^ (number of words)” is exactly what the comic uses. Notice how the words have the same number of bits of entropy in the “correct horse battery staple” example, even though they’re different lengths. Did you read it? I believe he also has a “blag” post explaining exactly how he came up with the numbers.
I agree with your link, though, that it’s extremely frustrating when websites have policies that prevent certain password options, like alpha-only passwords (even if long) or passwords over a certain number of characters.
Re: Re: Misleading
Ah my bad for jumping to conclusions.
I can’t find a blog post of his explaining how he got the numbers (although I didn’t look further than when the comic was posted).
Re: Re: Re: Misleading
Randall went into some detail here.
Re: Re: Misleading
Here, let me give it a try with Hollywood Math.
If my password is ten words and three letters and I am owed fifty trillion dollars that means that I am owed the square root of negative fifty trillion which is an imaginary number and so I am owed an imaginary number of dollars per infringement. Every time you infringe I lose billions of dollars and no matter what your password is you infringe on something. So, since there are fifty million commonly used words + a gazillion other words, everyone owes me infinity to the power infinity imaginary dollars which translates to …. (plugging numbers in calculator) infinity factorial real dollars to the power infinity. Now pay up.
See, I can be good at math too!!!
Re: Misleading
What is all this math stuff everyone keeps talking about. I’m so confused. How am I supposed to be an effective shill when everyone I’m shilling to is so much smarter than me?
Re: Re: Misleading
Actual knowledge isn’t needed for shilling, just present your ‘evidence’ in a confusing manner, so it’s hard for people to refute it or even figure out what you’re saying.
Put simply: ‘It’s not what you know, it’s how you present it.’
Considering the words/phrases older people know, compared to teens, this should come as no surprise.
It’s also no surprise when seniors look at the world through the eyes of “everyone’s out to get them”.
To think, the issue gets more complicated when companies out there think it’s in our best interest to share a single username/password across multiple applications.
Thanks, Google (though certainly not alone), in allowing anyone to crack any one application access to, well, everything else the account’s assigned to.
Re: Re:
Seniors do not always think everyone is out to get them, they are a large part of those who fall for email scams.
The large number of password hacks last year lead to a bunch of younger people screaming how this was so rude because they had to change all of their passwords now. They often just use 1 password because its simpler for them, they don’t look at what might possibly go wrong from it.
Google is in a difficult situation, they offer a huge variety of services. To make you have a different password for each would annoy the consumer, so they have 1 password but offer (after a few failures of large proportions) more ways to keep your account secure.
You can click a link and lock the account with the new password being sent to your phone.
I got an email that someone somewhere in China was trying to access one of my accounts, and they blocked it. It suggested changing the password. No fuss no muss.
The problem really is weak passwords, and people blindly clicking links forwarded to them assuming someone else made sure it was safe. There are entire sets of malware that just propagate via Facebook, click here to see video of that thing you like and people keep clicking and it keeps spreading.
One can’t expect the platform to protect them, but so many do.
Re: Re: Re:
The problem really is weak passwords, and people blindly clicking links forwarded to them assuming someone else made sure it was safe.
The problem is that it is virtually impossible to follow good practice when you have 30 or 40 different logins to worry about.
Following good practice is too much hard work – and for most people it simply isn’t worth it.
My advice would be to write down all your passwords – but keep them in a drawer at home – not in your wallet.
Burglary is comparatively rare and you KNOW when it has happened so you can take action. For the most part burglars don’t really want your Techdirt login….
If you need to carry them arround then write them down in an encrypted form and remember only the key.
Re: Re: Re: Re:
I’m a fan of paper keys, you know you use QR-Codes to store cryptographic keys and just flash them in front of the camera when you need it, of course it has its own problems, but you can change those anytime you like and don’t have a hard time remembering anything.
Re: Re: Re:
“Seniors do not always think everyone is out to get them, they are a large part of those who fall for email scams.”
Sorry, but statistics from all sides show seniors are less likely to click a link they’re unfamiliar is than say, someone’s mother who thinks the link will take her to another cute dancing baby video.
Per the studies, women between 32 and 40 account for nearly 60% for these types of breaches.
Seniors are under 22%, which is better than the last demographic of 13-24 of both genders.
Of course, as with any study, a large dose of salt’s needed because the way one asks the question definitely affects the answer given.
Luckily, I can also go with my own personal experience:
Number of times grammies called for PC assistance: 4.
Number of times my mom called for PC assistance: Payback is priceless. I stopped counting after 20… and that was 10 years ago.
Re: Re:
“It’s also no surprise when seniors look at the world through the eyes of “everyone’s out to get them”.”
More like; you don’t get old by being stupid.
Which is Better?Using Different Types Of Characters, Or Making The Passwords Longer?
Making the passwords longer.
A hint that I stumbled across for passwords, quite some time ago, that’s proved handy is to pad the password. Just add blank spaces, or A’s or whatever, to take it out the maximum length that the website allows. Just as long as you can remember how many padding characters you put in there it’s easy to remember (normally). And the extra length makes it harder to guess.
Re: Re:
I recommend using something like PasswordHasher, a firefox plugin.
Unfortunatly....
….even the best passwords do not keep the worst offenders out of your life. When some government wonk or a police thug wants into your computer or account they tell you to log on or sit in jail forever. Of course its “for the children” so I s’pose it’s ok.
He has a wrong assumption
“I think it’s reasonable to expect people to have the capacity to remember that, because they do it for phone numbers,”
xxx-yyy-zzzz
The way I memorize is it more like x-y-zzzz, so I only have to memorize 6 digits. X and Z are repeated so often that my mind has hardwired dedicated paths for the few x and z combinations. Actually, z is so common through out my state, that I only have 1 effective number to “memorize”.
Give me a full 10 digit phone number from an area code that I don’t know, and it will take me weeks to memorize it.
Re: He has a wrong assumption
“z is so common” was meant to be “x is so common”
123456?
That’s amazing! I’ve got the same combination on my luggage.
Re: 123456?
infringement!!! you owe me money now
my employer doesn’t pay me enough to shill and so now I must find another source of income and so everyone else is it. i declare everything that anyone does infringement. pay me.
GRC has evn a better take on this
Increasing the search space is the key. A password is always a needle. The larger the haystack the longer it takes to find.
https://www.grc.com/haystack.htm
And here is his test:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
D0g…………………
PrXyc.N(n4k77#L!eVdAfp9
Believe it or not. it is the first password.
Re: GRC has evn a better take on this
The site clearly states “It is NOT a ?Password Strength Meter.?” and “The example with ?D0g…………………? should not be taken literally”
Re: GRC has evn a better take on this
That is assuming the password cracker isn’t looking for patterns to help it predict the next character. Assuming this much, the moment the cracker starts seeing a repetitive string of periods (hold your chuckles please), it will predict that the next character is also a period. I don’t know if any tool used to break passwords do that, but it’s worth considering and taking measures against it.
Re: Re: GRC has evn a better take on this
???
Do you have a way to confirm each and every character is correct before?
That got to be some breakthrough of some kind.
From what I understand you have to match the hash is there any method that shows neighboring hashes to deduce the characters being used?
Well anyways that works for now, you can have a lot of repetition and change only one or 2 characters people don’t have a way to looking at that at the moment it may be possible to guess it, but password cracking is nothing like Hollywood movies show, where you get one digit right and confirmed, you get all or nothing all the time for now.
Re: Re: Re: GRC has evn a better take on this
I think what he means is that every time the cracker algorithm hits a guess with a character that repeats exactly N times in a row, it will enter a sub-loop which extends that character out until it reaches N+X times in a row. Then it will resume checking as if it had not done that.
Of course, the benefit gained from this isn’t enough to counter-act the padding advice, it just means that non-standard padding is likely better.
D.0.g.D.0.g.D.0.g.g.0.D.g.0.D.g.0.D.
I’d like to see an equally efficient algorithm for breaking patterns like that.
Re: Re: GRC has evn a better take on this
nah, why that may make sense, it isnt true, either the hashing is “solved” or its good, i never seen between
Re: GRC has evn a better take on this
Sweet my most commonly used password Password1 will take 4.37 thousand centuries to crack in an online attack. I’ll sleep better tonight.
strong requirements does not make a strong password
I used to work in a building where we were required to have a password with upper and lower case letters, numbers and a symbol. Plus we had could not use any of the 26 previous passwords. A lot of the staff just used the same password and numbered it 1-26.
Re: strong requirements does not make a strong password
Ditto.
At my current work I need to remember three separate passwords. Two of those passwords have to be changed every 6 weeks. So I just use the same password and increase the number by one.
After 12 months we can reuse the old password.
So the process begins again.
Meanwhile, I’ve had the same password for online banking for at least 15 years.
Re: Re: strong requirements does not make a strong password
any money missing from ur account?
395
According to his math my “Secure” password would last 395 days @ 1000/sec …. not bad I think. My “oh it’s another tech blog site” password would last 6.
I used to have a strong password,
but then I took an arrow to the knee.
I am not one to plug products, but long ago I learned about a password manager known as RoboForm that I have used with good success. Passwords are a cinch since it includes a password generator capable of providing what I believe to be high strength passwords. The list can be encrypted to keep them safe should my computer be accessed by a third party, and the list can be replicated in a separate text file that can likewise be encrypted.
What make the software easy is that when I click the name of a site it takes me to the site and automatically enters my user name and password, making logins quite easy.
Certainly there are other similar products, and it might prove useful to give them a quick look. Cost is about $50, but it is worth every dollar and more.
Just a thought.
Re: Re:
Someone correct me if I’m wrong on this but…
So it seems that instead of a hacker having to crack each account/password separately, if someone had a program like that they’d only have to hack one program and suddenly they’d have access to all of the login names and passwords instead. Not only that but it would completely take out any guessing needed on the part of the hacker by giving them a handy list of what sites/accounts they now have access to.
How is that supposed to be more secure?
Re: Re: Re:
It is not supposed to be more secure is supposed to give the best security given a determined number of conditions.
If you have to deal with dozens of passwords it is not likely that anybody will memorize them all, making it even less likely that they will change over time as good practices dictate, because it is hard to memorize a lot of stuff and people will not do it on a regular basis ever, so you compromise to keep strong passwords to all accounts, you take a risk.
For very critical pieces you don’t use it you use another scheme that doesn’t involve storing any keys in the local hardware, like paper keys or secure dongles.
The alternative is to have each individual manage all their passwords by hand which probably will end up being less secure, this is s human limitation, people are just not cut out to remember a lot of stuff exactly and have it changed regularly that is not how humans operate and any security scheme that doesn’t take that into account is flawed. So as the number of accounts grow so grow the potential for insecure situations, the only reasonable solution is a manager that can keep that for someone, now where it is stored is open for debate, should it be online, local or physically separate? What are the best practices to handle those?
All alternatives have good and bad points, probably best is to have a mix of all, which again adds complexity and the more complexity the more risk.
Anything that can transform passwords in moving targets is probably good for almost all situations the downside is that you will have all of your eggs in one basket, which you could try to mitigate by having 2 or 3 baskets for different purposes, one for very sensitive accounts and one for not sensitive at the very least.
If you want to go full paranoid, use a different physical machine to login that uses a different physical path to access the internet for the sensitive and non-sensitive and fallow strict protocols to handle keys to never let them unattended or passing through unsecured channels.
Re: Re: Re: Re:
Okay, so it’s not so much ‘more secure’, but rather ‘more secure than it would otherwise be’, which makes sense. Still doesn’t seem like that great of an idea, but it beats the alternatives that would otherwise be used by people using a program like that I suppose.
Re: Re:
https://en.wikipedia.org/wiki/KeePass
I saw this on BGR last week. I still don’t believe it. My friend came up with a great explanation for this though that I accept.
Old people don’t pick good passwords, they just try to memorize the ones that get assigned to them.
Young people who have 20x more passwords online, likely pick lots of crappy ones that are easy to remember for sites they don’t care about. They also are more likely to change all their passwords.
What drives me crazy is that many sites restrict what characters may be used and/or only allow 12 or 14 characters. They should just die already.
I remember once upon a time inadvertently discovering a site that let you put in passwords as long as you felt like, but ignored all but the first 8 characters or so.
Re: Re:
You mean Amazon?
Yet another problem
Security questions don’t help with security if someone has broken into an account with personal info. I always recommend using non sequiturs as answers to them as opposed to actual answers. It means having a data base of websites that use security questions with the questions and my answers (i.e What is your favorite color = Techdirt), but it prevents a cascade breach of my accounts.
My biggest problem with trying to convince people to do this is that they think the computer is going to know they gave the wrong answer to the question. I have to convince them it is a call and response system. It doesn’t matter what the question and answer are as long as you always give the same answer to the question as you did the first time.
Re: Yet another problem
You mean people actually answer those?
I just fill the security questions with clues to the hard to remember portion of the password. Does the hacker no good, as he doesn’t have a memory of the password to jog, nor will he know the rest of the password.
Tell me, what does “u represents” tell you about one of my passwords? It tells me everything I need to know to realize not only which password I used, but the twist I stuck in there too.
By the way, a clue like that uses pretty much the same intuition that public-private key encryption uses. It is functionally equivalent to a modulus for human beings and useless to computation (just as a modulus is more or less useless to human crackers).
They just gave out the passwords?
Yahoo is giving researchers a list of passwords? Sure, they took out the usernames, but I feel like this is a breech in itself, and it was intentional. You thought you have some incredibly highly secure password that nobody could EVER crack? Sorry, but now there’s a list out of every Yahoo password, and all a hacker has to do is try all of them. (Really, the passwords should be stored in an unreversable hash in the first place, shouldn’t they?)
And not only that, they let them see which of those passwords had CREDIT CARDS attached to the accounts? I’m not deleting my Yahoo account over this, but you can bet I’m *never* giving them my credit card info.
I don’t know anything about these things, but isn’t the xkcd comic weak against a dictionary attack.
Assigning a 9 digit password
“I think it’s reasonable to expect people to have the capacity to remember that, because they do it for phone numbers,”
Sorry, no, for several reasons.
If I were to register for a Yahoo account simply so I could play some online games, and it assigned me a random 9 digit number as a password, I would REALLY have to care about the site to bother to even try to memorize it. At some point you get people constantly re-creating new accounts so they can play Yahoo Chess or whatever, resulting in a bunch of unused nicknames.
Yes, people memorize telephone numbers all the time, BUT they normally don’t memorize them instantly. And if they do, it’s normally because they already know the area code and possibly the exchange. And even given the area code and exchange restrictions, when was the last time someone told you a telephone number you needed and you didn’t write it down or put it in your phone on the spot? Of course, you can argue that writing down a complex password is better than memorizing a weaker one… but that in turn might depend on the environment you’re in. You really want to take a slip of paper containing all your passwords with you on a trip? What if you have a snoopy roommate?
And that gets worse when you consider that you sometimes need to make several accounts in a row. Maybe you’re making that Yahoo account to set up an email so you can make some OTHER account. OK, great, now you have to memorize TWO randomly generated 9 digit numbers AND remember which one is which (plus the convoluted usernames you had to pick because all the simple ones were taken by people who logged in once and forgot their passwords.)
Re:
“I don’t know anything about these things, but isn’t the xkcd comic weak against a dictionary attack.”
Not really, no. Let’s say I tell you I’m using the XKCD method of putting 4 words together, and even give you a list of 2048 words that I’m going to choose from. Even with that abridged dictionary, the number of possible passwords is 2048^4, or 17,592,186,044,416. Good luck brute-forcing that.
Re:
And, doing the math, even if I choose from a list of a mere 178 words (and GIVE you the word list), there are more possible passwords than there are if someone chose a random 9 digits for me.
GRC has evn a better take on this
When the password is hashed (MD5 for example), even if you’re given the passwd file of offline attacks, you cannot see there’s repetitive characters there.
They just gave out the passwords?
If I had an online breech I’d load it with shotgun shells and blow the heads off of all the trolls.
/Unnecessary Spelling Nazi
GRC has evn a better take on this
The real message here is to mix things up and keep passwords long enough to raise the difficulty of a brute force attack. Use all four character sets- Uppercase letters, lower case letters, numbers and punctuation. If you pad out with a character or series of characters it increases the time for a brute force attack.
Sites that don’t allow all four character sets or limit the number of letters in a password have questionable security models. If you find this in a bank it is probably time for a new bank.
I4mANoLdFATbast4rd
I’m using full phrases. The problem is typing that phrase every time… But I kinda got used with it and it’s damn easy to remember. I’m in the 25-30 range.
Why old people have good passwords
getoffmycomputeryoucrazyinternet
is really long, as are the stories they recite word for word to everyone who will listen. Also, they have enough history devoid of unified communication to have incredibly disparate thought patterns, so getoffmylawnyouyellowbelliedlout is just as likely to come up.
yousillyyoungthingswithyourshortkeywords.
Great discussion, as always
In my recent syndicated column I linked to this article and I hope the readers read all the great comments. Feel free to pick apart my proposed solution to folks – How To Hide Your Password In Plain Sight. http://bit.ly/MlR3It