We've all seen tons of reports on how bad people are at choosing secure passwords, but it's not too surprising to find out that different demographic segments are better or worse than others at having secure passwords. Though, it may be a bit surprising to find out that a new study suggests that those over 55 pick passwords that are twice as secure as teenagers:

This was based on research on the hashed versions of 70 million Yahoo users, in which a Cambridge research tried to determine the strength of all of the passwords, and see how different groups did. Some of the other findings:

People with a credit card stored on their account do little to increase their security other than avoiding very weak passwords such as "123456". Unsurprisingly, people who change their password from time to time tend to select the strongest ones.

In terms of more specifics:

Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss, and each additional bit doubles the password's strength. On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password, and around 20 bits of security against offline attacks.

That's surprising, because even a randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. Bonneau says the discrepancy is due to people picking much easier passwords than those theoretically allowed. He suggests assigning people randomly chosen nine-digit numbers instead, which would offer 30 bits of security against every type of attack – a 1000-fold increase in security on average. "I think it's reasonable to expect people to have the capacity to remember that, because they do it for phone numbers," he says.

Of course, this reminds me (like so much does) of an xkcd comic on how we've all been trained into selecting weak passwords that are hard to remember, on the false belief that they're strong.

One of the more controversial approaches to the already controversial field of climate change is geoengineering, which Wikipedia defines as "deliberate large-scale engineering and manipulation of the planetary environment to combat or counteract anthropogenic changes in atmospheric chemistry."

Some people are concerned that such large-scale interventions might produce large-scale disasters. That makes small-scale experiments exploring the underlying technologies an important first step before taking this route. Unfortunately, it seems that one geoengineering experiment has been called off because of patents:

A field trial for a novel UK geoengineering experiment has been cancelled amid questions about a pre-existing patent application for some of the technology involved.

The Stratospheric Particle Injection for Climate Engineering (SPICE) project is a collaboration among several UK universities and Cambridge-based Marshall Aerospace to investigate the possibility of spraying particles into the stratosphere to mitigate global warming. Such particles could mimic the cooling produced by large volcanic eruptions, by reflecting sunlight before it reaches Earth’s surface.

As the article quoted above goes on to explain, the main issue here is a potential conflict of interests:

a patent application that was submitted by Peter Davidson, who runs the UK consulting firm Davidson Technology on the Isle of Man and was an adviser at the workshop that gave rise to the SPICE project, and Hugh Hunt, an engineer at the University of Cambridge, UK, who is one of the SPICE project investigators. The patent is for an "apparatus for transporting and dispersing solid particles into the Earth’s stratosphere" by "balloon, dirigible or airship" technology related to the SPICE field trial.

UK funding bodies require possible conflicts of interest to be declared when applying for grants, whereas here the patent application apparently only came to light a year into the experiment. Part of the project is continuing -- things like climate modelling and analysis -- but the most innovative element, the field trial, has been cancelled.

This episode shows one of the problems with trying to marry "pure" science with commerce, and the tensions that can arise between sharing knowledge freely and trying to make money by restricting access through licensing. It would be regrettable, to say the least, if the exploration of ideas that might play a role in addressing climate change were blocked because of patents.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn't really come to the US...) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn't happy about this, but rather than fixing the problems it's reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association -- a trade group representing banks and credit card companies -- has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities.

You can see the demand letter embedded below, but it's fairly amusing. The letter claims that the publication (which you can read about on the author's (Omar Choudary) website, where he describes a device for intercepting, monitoring and modifying such data) "oversteps the boundaries of what constitutes responsible disclosure." In other words, they're not happy about it, so Cambridge should force the student to shut up. Of course, what's amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:

Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry's fraud prevention systems would be able to detect when such an attack had happened.

So why take it down?

Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.

This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it's pretty damn likely that organized crime already had figured out the same thing and probably have already developed the idea much further. Pretending otherwise is simply naive.

The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about "future research." The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:

The bankers also fret that "future research, which may potentially be more damaging, may also be published in this level of detail". Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.