from the maybe-they-just-follow-instructions-better? dept
This was based on research on the hashed versions of 70 million Yahoo users' passwords, in which a Cambridge researcher tried to determine the strength of all of the passwords and see how different groups did. Some of the other findings:

People with a credit card stored on their account do little to increase their security other than avoiding very weak passwords such as "123456". Unsurprisingly, people who change their password from time to time tend to select the strongest ones.

In terms of more specifics:

Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss, and each additional bit doubles the password's strength. On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password, and around 20 bits of security against offline attacks.

That's surprising, because even a randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. Bonneau says the discrepancy is due to people picking much easier passwords than those theoretically allowed. He suggests assigning people randomly chosen nine-digit numbers instead, which would offer 30 bits of security against every type of attack – a 1000-fold increase in security on average. "I think it's reasonable to expect people to have the capacity to remember that, because they do it for phone numbers," he says.

Of course, this reminds me (like so much does) of an xkcd comic on how we've all been trained into selecting weak passwords that are hard to remember, on the false belief that they're strong.
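An added example, not from this post or from Bonneau's paper, that makes the "bits of security" arithmetic above concrete. keyspace_bits gives the log2 key-space figure for the random nine-digit and six-character cases; online_bits and offline_bits apply the two partial-guessing metrics Bonneau's paper defines (the beta-success-rate for an attacker limited to beta guesses per account, and the alpha-work-factor for an attacker who keeps guessing until a fraction alpha of accounts fall) to a small constructed password sample, showing why a skewed human-chosen distribution scores far below the key-space bound while a uniform one scores exactly log2(N). The sample data, function names and the beta=10 / alpha=0.5 defaults are assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample, not Yahoo data: a skewed distribution of user-chosen
# passwords in which four common choices cover 75% of 100 accounts.
SKEWED = (["123456"] * 30 + ["password"] * 25 + ["qwerty"] * 10
          + ["abc123"] * 10 + [f"pw{i:02d}" for i in range(25)])
# Contrast case: 100 accounts, every password distinct (uniform distribution).
UNIFORM = [f"rand{i:03d}" for i in range(100)]

def keyspace_bits(alphabet_size, length):
    """Bits of a uniformly random password: log2 of the key space."""
    return length * math.log2(alphabet_size)          # log2(10**9) ~ 29.9

def sorted_counts(passwords):
    """How often each distinct password occurs, most common first."""
    return sorted(Counter(passwords).values(), reverse=True)

def online_bits(passwords, beta=10):
    """beta-success-rate (online attacker, beta guesses per account):
    lambda = share of accounts the beta most common passwords cover,
    reported in bits as log2(beta / lambda), which is log2(N) when uniform."""
    lam = sum(sorted_counts(passwords)[:beta]) / len(passwords)
    return lam, math.log2(beta / lam)

def offline_bits(passwords, alpha=0.5):
    """alpha-work-factor (offline attacker, guesses in best order until a
    fraction alpha of accounts is broken): mu = guesses needed, reported as
    log2(mu / lambda_mu), lambda_mu being the share actually covered."""
    n, cum = len(passwords), 0
    for mu, count in enumerate(sorted_counts(passwords), start=1):
        cum += count
        if cum >= alpha * n:
            return mu, math.log2(mu / (cum / n))
    raise ValueError("alpha must lie in (0, 1]")

if __name__ == "__main__":
    print(f"9 random digits: {keyspace_bits(10, 9):.1f} bits")
    print(f"6 random alphanumerics: {keyspace_bits(62, 6):.1f} bits")
    for name, pws in (("uniform", UNIFORM), ("skewed", SKEWED)):
        lam, ob = online_bits(pws)
        mu, fb = offline_bits(pws)
        print(f"{name}: online {ob:.1f} bits (lambda={lam:.2f}), "
              f"offline {fb:.1f} bits (mu={mu})")
```

For the skewed sample an online attacker with ten guesses per account breaks 81% of accounts, which is the 3.6-bit figure, while the uniform sample of the same size comes out at log2(100), about 6.6 bits, on both metrics.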