Geezers Pick Stronger Passwords Than Young'uns
McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?
It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords. Older users are more likely to have a Yahoo address as their primary email, etc.
Did Yahoo give him its user password database or what?
There's a good chance that the "younguns" passwords are easy to remember while the older folks have very secure passwords that also happen to be written down on post-its stuck on a monitor. Which one is *really* more secure?
I tend to believe that it's a difference in education between the generations. I know the vocabulary in my family is completely different in the older generations of my family. Half the time my teenagers don't understand the conversations when my grandparents are around, and they're always asking "what did they mean" later on.
This one seemed pretty intuitive to me. If you've lived a longer life, you probably have a bigger list of personal experiences to pick from where there are words/phrases to build passwords around that are meaningful to you.
From the article: Unsurprisingly, people who change their password from time to time tend to select the strongest ones.
That actually is surprising to me... Although I guess storing passwords in Firefox (w/ Sync), and having them be very long (32 random characters+), might not be a common demographic...
Geezers have more memorable life experience from which to draw good passwords. Which doesn't exactly explain why all geezer passwords are some version of DamnTeenagers!
... the more likely it is that you actually have an identity worth stealing.
The older people had less carp to put up with over the years than younger ones.
If it's at home, somebody needs to break in physically, commit a felony, risk their life, and know to obtain one single password from a monitor.
Other passwords are compromised in mass dictionary attacks and hacking, invisibly, in foreign jurisdictions, and never get compromised.
I have another theory about the results: older people are more responsible.
They also write their passwords down on a pad of paper right next to the computer. Just you try to remember that super secure password, bluehair.
1) Can the older folks actually remember all their passwords? Or are they writing them down?
2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).
I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like: "firsthousenum+first name first crush, no space or caps", which would be the street address (house number) of my first house and the first name of the first girl I had a crush on, with no spaces or capital letters. That is just an illustrative example, they're actually more obscure.
And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) that it didn't work out, plus some force you to change passwords periodically, it's a mess.
On a different but kind of password related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access, I could send and read emails, but not change any account settings (like passwords, etc.) That would've been fantastic.
Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.
Maybe it's because older people are more likely to take the time to read the instructions on choosing your password.
If you don't think you can remember a password, you may write it down. If it is going to be written down, then it is pretty easy to select a strong password.
Of course, this isn't helpful if someone else gets access to the post-it note. But end to end security wasn't the subject of the survey, was it?
I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.
In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity.
Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.
Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.
With less experience, people do not believe things will happen to them. We older codgers know it does and take precautions.
The original paper includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.
A8%l+$mr is a terrible password. The security experts like passwords like that but they're stupid. It's impossible to remember.
The convention I follow and what I think most people should follow is "JustTypingASentenceOutMinusSpaces". That is very easy to remember. You can do cool things like quote a line from a play, song, poem, or movie that you like. What's the likelihood a dictionary attack is going to crack "hastalavistababy!"...
Humans are very good at remembering sentences. It works into our mnemonic memory. Many people that coach study habits encourage students to turn complex study concepts into such phrases. And why? Because we don't forget them.
Stupid lines like "I before e but not after c."... regardless of whether that's grammatically correct, I'll never forget that stupid little rhyme. It's in my head... forever.
That is how people should make passwords. Not their children's birthdays plus the name of their dog with a pound sign at the end. "ToBeOrNotToBeThatIsTheQuestion" is a great password. It's long but you'll never forget it.
I know what some people are saying. What about those *** that block out what you're typing making it so you have to retype everything if you make a mistake? Well, how often are those even required? They're pretty stupid. 99 percent of the time I'm typing in a password no one is there is to see it. And even if there were someone just ask him to stare at his feet for two seconds.
Using this system we could all have dozens of uncrackable passwords that we never had to write down.
Since the study was done at U of Cambridge, geezers and young'uns would be the same group. Hence "old geezers" in popular usage to refer to those of advanced years if not experience.
I wouldn't be surprised if that's the case. I know I use "strong" passwords mainly out of habit, and a bit of laziness (it's easier to get random sequences past password rules). I'm well aware that at best the only protection that gives me is the possibility that whoever compromised the password database will be satisfied with the results of a dictionary attack and not bother doing a brute-force attack on what's left. I'm also aware that I get more protection from a site locking my account out after repeated failures than from the password being hard to guess (the likely failure limit being a lot less than the number needed to guess even a "weak" password). And I find it amusing that a site classifies "kwo5*f(2n" as a weak password (no upper-case letters) (no, that's not one of my actual passwords) while "Jn4thon!" is considered strong (mix of upper-case, lower-case, numbers and symbols, no dictionary words present).
Older folks have accounts that have already been compromised.
... of reasons like these:
* More years of being forced to remember hard passwords forced on them.
* More years spent inventing a better password.
And the big one...
* Older users can only remember a small number of passwords, so they make them very strong and then use them everywhere. Crack their Yahoo password, and you'll likely have cracked their bank, ebay, paypal, billing, and porn password.
IINM, the term is usually 'old geezers', implying they can be young too..
Older people are less tech savvy, blacks are lazy, jews are greedy, muslims are terrorists. Blah, blah, blah. Generalizations suck.
I'm a 51 year-old "geezer" and work with other geezers as technically competent as myself, you insensitive clod(s). While we're admittedly statistical outliers, we do just as well if not better in many technical endeavors as our younger counterparts, while managing to avoid denigrating those younger guys and girls as "young idiots" if they're lacking in a particular skillset. We work together with them, enjoying better results by capitalizing on the strengths of each group.
If you keep learning and stay out of safe, comfortable ruts encouraged by age and society, you're just fine.
It -is- sort of distressing that I honestly don't like people walking on my lawn, however.
I've always had a casual attitude toward locks, alarms and passwords. All they do is keep honest people honest, if someone is truly determined to get at some aspect of my life in that way, surely they will not be stopped. For the record I'm 23 and CAPABLE of coming up with a strong password, I CHOOSE not to.
Old Geezers probably write their passwords down more often as well. Just a hunch based on casual observations of old people with stickynotes all over their monitors.
Ask the actuaries for the car insurance companies.
It IS their job to "do the math".
And, they tell us that people under 25 get into far more accidents, and are far more careless.
People over 45 are far more careful and get into fewer accidents.
This is not opinion or conjecture.
It is statistics.
Search the pastebins. Plenty of good passwords. Doesn't really matter when a website is storing it as an unencrypted hash in a database with the default admin password still enabled. Maybe this is why the young'uns are cynical...
On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password
A 3-letter password would require up to 17,576 attempts, and a 4-digit pin would require up to 10,000. So I don't know what kind of passwords these people are using.
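The histogram method described earlier in the thread (salted hashes collected in the login path, with only the collision counts handed to the analyst) and the "bits" quoted from the article are easier to reason about with numbers in hand. The "less than 10 bits" figure is a metric computed over a skewed frequency distribution, not the size of a character keyspace, which is why the 3-letter/4-digit comparison in the reply above does not line up with it. The following is an added example, not code from the paper or the thread: it builds such a histogram from a constructed password sample, then computes min-entropy, the beta-success-rate and alpha-guesswork statistics. The single study-wide salt and the exact shape of the guesswork formula are my assumptions about the method, chosen so that a uniform distribution over N passwords scores exactly log2(N).

```python
import hashlib
import math
from collections import Counter

# Constructed sample standing in for one demographic bucket (not Yahoo data).
# The repeats are deliberate: real password distributions are heavily skewed.
SAMPLE_PASSWORDS = (
    ["123456"] * 30 + ["password"] * 20 + ["qwerty"] * 10 + ["abc123"] * 8
    + ["letmein"] * 6 + ["iloveyou"] * 6 + ["DamnTeenagers!"] * 5
    + ["unique-%02d" % i for i in range(15)]
)

# Assumed: one secret salt for the whole study, so equal passwords collide
# into one hash and only the collision counts are needed for the analysis.
STUDY_SALT = b"constructed-study-salt"


def histogram(passwords, salt=STUDY_SALT):
    """Return hash frequencies in descending order. The hashes themselves are
    discarded; the analyst only ever sees the counts."""
    counts = Counter(hashlib.sha256(salt + pw.encode()).hexdigest() for pw in passwords)
    return sorted(counts.values(), reverse=True)


def min_entropy(hist):
    """H_inf in bits: only the single most popular password matters."""
    return -math.log2(hist[0] / sum(hist))


def success_rate(hist, beta):
    """lambda_beta: fraction of accounts that fall to beta guesses per account
    when the attacker guesses in popularity order (the online-attack view)."""
    return sum(hist[:beta]) / sum(hist)


def alpha_guesswork(hist, alpha):
    """Return (mu_alpha, lambda_mu, G_alpha, G_alpha_bits): guesses needed to
    crack a fraction alpha of accounts, the fraction actually reached, the
    expected guesses per account when the attacker stops there, and the
    bit-equivalent, calibrated so a uniform distribution over N scores log2(N).
    Formula shape is my assumption; integer counts avoid float cut-off errors."""
    total = sum(hist)
    cum, mu = 0, 0
    for mu, c in enumerate(hist, start=1):
        cum += c
        if cum >= alpha * total:
            break
    lam = cum / total
    g = (1 - lam) * mu + sum(i * c for i, c in enumerate(hist[:mu], start=1)) / total
    g_bits = math.log2(2 * g / lam - 1) + math.log2(1 / (2 - lam))
    return mu, lam, g, g_bits


def report(passwords, alpha=0.5, beta=10):
    hist = histogram(passwords)
    mu, lam, g, g_bits = alpha_guesswork(hist, alpha)
    return {"n": len(passwords), "distinct": len(hist), "H_inf": min_entropy(hist),
            "lambda_beta": success_rate(hist, beta), "mu_alpha": mu, "G_bits": g_bits}


if __name__ == "__main__":
    # Skewed sample vs. 100 distinct passwords: same size, very different bits.
    print("skewed :", report(SAMPLE_PASSWORDS))
    print("uniform:", report(["pw-%03d" % i for i in range(100)]))
```

Note what the histogram can and cannot see: it measures how often passwords repeat within the population, so a password that is unique in the sample counts as "rare" even if it would fall to a dictionary attack. That is the uniqueness-versus-strength caveat raised further down the thread.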
Back in the Day -- as we geezers like to begin the sentences we use to talk down to you -- having that box on your desk prompt you for a password was a much more rare and curious thing than it is today. Our computer-y crap sat right there in the box by our legs, or maybe down the hall in that cold room with the raised floor with the fat bastard in it. And we would have li'l whispered conversations with the fat bastard as we passed him in the Break Room, like "I know you know my password, you fat bastard, and if I ever think for a heartbeat that you're going through my crap I will key your car and beat you like a baby seal." Our passwords were the things meant to keep our crap from the prying eyes of the sinister-but-clever sociopaths in Marketing and Accounting who would indeed rifle our desks for clues, like children's and pet names, in order to look at our computer-y crap. So selecting a password like P*/34_##FuK-U-Joey!!39* had real value. So today, when industry insists we store our computer-y crap -- which now includes bank account access, photo albums, our music collections, and christ-knows what else -- on servers spread around the world operated by even fatter bastards whom we don't see and can't effectively intimidate, it should come as no surprise the habit has stayed with us, despite being prompted for passwords every twenty minutes...
Younger people just pick passwords that are easier to remember as opposed to picking strong passwords that old people write down on a note that they put right next to their computers.
I work with many over 60 year old new computer users. It's my experience that they tend to use family names for passwords without regard to how long they are - they don't seem to consider how much longer or more annoying it would be to type in a longer name, for example. When I choose a password I want to find the shortest one that will do the most good; they don't think that way.
....the more likely it is that you actually have nude photos (of yourself) worth stealing.
Not the actual password but mnemonics that are relevant to me like: "firsthousenum+first name first crush, no space or caps", which would be the street address (house number) of my first house and the first name of the first girl I had a crush on, with no spaces or capital letters. That is just an illustrative example, they're actually more obscure.
Yeah, yeah - mnemonics like "this password rhymes with cuppy"
Seriously, just use a secure password manager so you can use unique passwords everywhere, but only really need to remember one password. OS X's Keychain Access works great for this. Gnome's had a similar tool available for a while, and there are third-party Windows solutions as well. They all encrypt the information, so five years from now you won't have to worry about remembering what some obscure mnemonic actually meant. And if someone compromises one of your accounts... they've only got one of your accounts.
As usual.
The original paper is located here. From the conclusion:
"The most troubling finding of our study is how little password distributions seem to vary, with all populations of users we were able to isolate producing similar skewed distributions with effective security varying by no more than a few bits."
And yet in TFA this gets transformed into "old people use strong passwords and young people use weak ones!" and everyone starts wondering what could account for this. It also makes the study sound as though it specifically focused on user age, or that user age was the most interesting result, when in fact there were several other significant (yet still small) variations in different groups in the study, e.g. Indonesian users tended to use much weaker passwords than German or Korean users. They also found that users who tend to log in from multiple locations also tend to use stronger passwords.
So why is the old people/young people thing the single takeaway that gets headlined and reported? It's not like what I just wrote would have been particularly difficult to outline or explain, even in a brief news article. I blame laziness on the part of the reporter.
1) Can the older folks actually remember all their passwords? Or are they writing them down?
2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).
I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything.
I'm an old geezer and I use LastPass. My LastPass password is a very long sequence that I generated with a random number generator and memorized. Problem solved.
1) Can the older folks actually remember all their passwords? Or are they writing them down?
Some are writing them down and even with the password sitting there in front of them, they have trouble typing it in.
I too, use KeePass for all my passwords plus Dropbox to be able to access these passwords from anywhere. A mobile version of Keepass is right next to the database file. So I have to memorize two passwords -- for Dropbox and for Keepass (both pretty secure). All the other passwords are random-generated 30 characters (unless the server has stupid maximum password length restriction).
The only downside is that sometimes I am too lazy to go through these hoops, e.g. when using a LiveCD, which is the case right now :)
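The manager-based approach in the last few posts (random 30-character passwords everywhere, shortened only where a site imposes a maximum length, and the earlier complaint that every site has different composition rules) comes down to one routine: generate the longest uniformly random password a given policy allows. This is an added example, not code from KeePass, LastPass or any poster; the policy records and their limits are made up for illustration. It uses rejection sampling rather than patching a required character into a fixed position, which would bias the distribution.

```python
import math
import secrets
import string

# Hypothetical per-site policies (names, limits and symbol sets invented here).
POLICIES = {
    "bank":   {"max_len": 12,   "require": ("upper", "lower", "digit", "symbol"), "symbols": "!@#$%^&*"},
    "broker": {"max_len": 20,   "require": ("upper", "lower", "digit"),           "symbols": ""},
    "forum":  {"max_len": None, "require": ("lower",),                            "symbols": ""},
}

CLASS_CHARS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
}


def alphabet(policy):
    """Characters the site accepts: every required class plus its symbol set."""
    chars = "".join(CLASS_CHARS[c] for c in policy["require"] if c in CLASS_CHARS)
    return chars + policy["symbols"]


def satisfies(pw, policy):
    """True if the password contains at least one character of each required class."""
    for cls in policy["require"]:
        allowed = policy["symbols"] if cls == "symbol" else CLASS_CHARS[cls]
        if not any(ch in allowed for ch in pw):
            return False
    return True


def effective_length(policy, target_len=30):
    return target_len if policy["max_len"] is None else min(target_len, policy["max_len"])


def generate(policy, target_len=30, choice=secrets.choice):
    """Uniformly random password of the longest length the site allows.
    Rejection sampling keeps the result uniform over all compliant strings."""
    length = effective_length(policy, target_len)
    if "symbol" in policy["require"] and not policy["symbols"]:
        raise ValueError("policy requires a symbol but allows none")
    if length < len(policy["require"]):
        raise ValueError("cannot satisfy %d classes in %d characters" % (len(policy["require"]), length))
    chars = alphabet(policy)
    while True:
        pw = "".join(choice(chars) for _ in range(length))
        if satisfies(pw, policy):
            return pw


def entropy_bits(policy, target_len=30):
    """log2 of the alphabet^length space; the class requirement removes only a
    negligible fraction of it at these lengths."""
    return effective_length(policy, target_len) * math.log2(len(alphabet(policy)))


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print("%-7s %-30s %.1f bits" % (name, generate(policy), entropy_bits(policy)))
```

The bits column is the number to watch: a 12-character cap on an alphabet of 70 symbols lands near 73 bits, while 30 lowercase letters with no composition rules at all exceed 140. Length caps cost far more than composition rules buy.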
My 9-year-old son has a password that's at least 15 characters long, composed of several made-up words, mixed case, with numbers and an exclamation point. Personally, I don't know how he remembers it. Of course, I'm the security guy, at work, so I've had quite a few discussions with my wife about choosing secure passwords for things like bank accounts, etc., in front of the kids. I guess they've learned through osmosis, at this point.
By the standards of the article, I'm a geezer, and I've always tried to choose strong passwords, even when I was younger. It really annoys me when I go to a site, even today, and they only accept 8 characters. Do they really care about the security of their users?
Interesting read, but in this case they couldn't really measure password strength, only password uniqueness which isn't exactly the same.
True, strength and uniqueness are not the same. However, the latter (in particular when considering a large population sample) can serve as a proxy to quantify the former. Think of it this way: the more unique a password is, the greater the probability that this password is long enough and with a sufficiently large character set to make it strong. That is, the more random it will look.
The less unique the password, the greater the probability that it will share more characters (off a smaller character set), substrings, and length in common with others (as per the birthday problem in probability.) Ergo, it is less random.
So yes, uniqueness does not equate strength in absolute terms. But randomness is proportional to uniqueness (off set of elements under consideration.) And apparent randomness in a password is a necessary condition for strength.
...they test it out with the users of a web service that isn't a dinosaur that just hasn't realized that it's dead yet.
Seriously? C'mon man, I quit using Yahoo about 5 years ago. Surprisingly, they deleted my email account without any warning at all, although they did send me a note afterwards telling me that they did it.
I am by no means young, I'm 31, but am part of a more tech savvy generation.
I'm twice your age and I've been working/playing with computers for over forty years. In general, I've divided all sites that require passwords into three sets: those that store data that I care about (banks and so on), those that don't (comic strip sites, Slashdot and so on) and those that don't but require "strong" passwords.
The first set gets strong, unique passwords. For those that Firefox can't store, I have a place on-line to stash them; if you can find and access it, I've got more things to worry about than my passwords. For the second, all of them use the same password, simply to make things easy. After all, there's no way that the software running a blog (let's say) is going to know that you're using the same password for it as you are to sign on to a shopping site. And, the password's obscure enough that nobody who doesn't know me very, very well is ever going to come up with by guessing, and it's at least as safe from a dictionary attack as any random, unpronouncable word can be. For the third, I have several variations on my standard password to fit various restrictions. Thus, things I don't care about very much are safe from anything except a very determined attack, and those I do are even better protected. Frankly, I'm more concerned about the possibility of my password being picked up by a cracker stealing a password database than by having it guessed.
Probably most of the "old" people who have chosen "strong passwords" are children under 13 who are lying about their age, because Yahoo won't let you sign up for an e-mail account; you can't trust the demographic data in Yahoo's DB.
"Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users.
How the hell did a researcher get access to Yahoo's password database?
Why are the passwords not hashed? How come a researcher is able to look at them and analyze the strength of our passwords?
The passwords by supposed 'age distribution' is of less significance to me. I don't think Yahoo even knows my correct birthday.
After reading the PDF, the conclusion is absolutely not that "geezers pick stronger passwords," rather that in a snapshot of data, accounts with ages under 25 had significantly less strong passwords than those over 55. This doesn't take a LOT of information into account, it's just a passing observation in a paper not really pointed towards this analysis. For instance, there are a lot more young people than old people, unless you account for this, you can easily argue that there are a lot more weak passwords from "younguns" than "geezers." There's also the issue of bot vs real person, active account vs inactive account (which he does address, but which is not mentioned in either this summary nor TFA, when he talks about password updates implying an increase in strength, which would imply "geezers" who still use Yahoo are likely to have updated their passwords more than "younguns" that haven't logged in in over 5 years who would have relatively weak passwords as a result).
Overall, the paper is interesting, but this summary and TFA are completely wrong in their conclusions.
I'm sorry to say this, and nobody has to this point, but kids today are dumb as hell. That's WHY. Never hurt, never fell off a bike or got burned by a firework, they're ignorant to things around them. It's just sad. They set up accounts, forget the password, and hints (Windows 7) are "Italian for love" and you seem like some kind of a genius for figuring it out. I'm not Italian, or a music buff, but I think everyone knows that: amoreeeeee! You said what the word is, dumb ass; use fucking Wikipedia on the other account if you can't remember. You're fucking 13! Posting AC (and I HATE posting AC) because my wife would murder me if I had such things to say about my step-daughters, but come on, REALLY?!?!
What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling.
Two-step authentication is a good option. It wouldn't do exactly what you want, because you'd need to keep using it after you got back (Internet cafe sniffers and the like would get your main password), but if you just turn it on and leave it on, it would keep you safe. On the computers you use regularly you can click the "remember verification" checkbox when you use it, so you'll only get prompted once per month for a one-time password, so in practice you don't have to do the second step very often -- except when using random machines while traveling.
For OTPs, there are multiple choices. The most convenient is a smartphone OTP app. If you don't have a smartphone, you can also have Google send you OTPs when you need them via SMS. For those times when you don't have service (e.g. international travel), carry a piece of paper in your wallet with a list of one-time passwords, crossing them off as you use them. If you get low on backup OTPs, use one to log in and then get some more.
"double the strength" translates to one bit more of required work effort. One bit is statistically irrelevant when discussing the strength of passwords. Complete non-story.
All of the hijacked email accounts I see these days are old geezers with Yahoo (including sbcglobal and AT&T) e-mail accounts from their DSL ISP.
A recent spate of parent's friends have contacted me about receiving e-mails from a handful of these geezers that they know through church.
No doubt all of them fell for e-mail phishing attacks, as the trojan/worm spreads by spamming links to contact lists.
They are less likely to understand computers, and definitely computer security, and are more willing to listen to the "weak password" indicators when they pick one. Which they often do after spending 12 hours on the phone with Norton trying to fix the trojan that it didn't catch in the first place despite having 11 different security theatre services plugging into every facet of their computer, including e-mail scanning.
Geezers are also more likely to be racist and selfish and god-fearing and republicants.
And before someone younger than 26 comes in and says "I'm not careless!", the individual case is irrelevant; this is statistics, taking into account the tendencies of a large number of people.
Paying extra on your insurance if you think you're not careless sucks, but you're probably still not as careful as you will be in a few years.
PS: the worst group here is actually under-25 males.
Guess I'm unique in being part of the studied demographic along with being on the tail end of the baby boomers. Yet I don't even know any of my passwords nowadays because of a nice password manager called KeePass 1. Password strength is as high as possible for every site I use and none of them have been duplicated. Does this mean I'm a god among users? Hell no! It means I've gotten smart and lazy and use the computer to my advantage where it makes sense to do so.
Strength of the password is inversely proportional to the time needed to type it in and effort required to remember it. Generation "G" (today's youngsters) have much lower tolerance for complexity and deferred gratification. Not much of a surprise here IMHO.
Now, mod me down freely. My karma can't get any worse...
The mental lexicon increases with age (or at least becomes more heterogeneous), so the chance that older people use low-frequency words is higher compared to young people.
What I'd like to know is how somebody at University of Cambridge got the plain text passwords of 70 million Yahoo users. I don't think I agreed to that in the Yahoo TOS.
Gmail, that's a secure place to store your passwords? Tech savvy indeed.
Doesn't surprise me at all. Old people have more to lose. Break into a 20 year old's bank account and you'll net yourself fifty nine dollars and seventy two cents. But a guy who's nearing retirement might have a few hundred grand in his brokerage account. And he doesn't have forty years to make it back if it's stolen.
The idea is supposed to be that password database compromises don't matter (much) because the passwords they contain are combined with a large salt and hashed using a cryptographically secure algorithm. Basic computer science 101.
Now look at one of the biggest password databases of all: Google's. If you run a Google Apps domain, and you want to synchronize your password database with Google, the most secure option you have is to use an unsalted sha1 hash. They're also perfectly happy to have you send them plaintext passwords if you like. Surely Google has at least one competent computer scientist working there, so why such absolutely pathetic security and disdain for their users?
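The difference between the two storage layouts this post contrasts (unsalted SHA-1 versus a salted, slow hash) is the whole reason database compromises are supposed to matter less, and it also answers the earlier "unencrypted hash in a database" remark. The following is an added example, not code from Google, Yahoo or any poster. It stores a small constructed user table both ways and runs the same constructed wordlist against each, counting the work: with no salt, one precomputed table cracks every user who shares a password at once; with a per-user salt and PBKDF2 the attacker pays the full iteration cost for every (user, word) pair. PBKDF2-HMAC-SHA256 is used because it is in the Python standard library; the iteration count is deliberately low for a demo.

```python
import hashlib
import hmac
import os

# Constructed user table; bob and carol share a password, as some pair in any
# real table always does. The attacker's wordlist is constructed as well.
USERS = {"alice": "Jn4thon!", "bob": "letmein", "carol": "letmein"}
WORDLIST = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 100_000  # demo value; real deployments tune this to the hardware


def store_unsalted_sha1(users):
    """The weak layout: one deterministic digest per password, shared across users."""
    return {u: hashlib.sha1(pw.encode()).hexdigest() for u, pw in users.items()}


def store_salted(users, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF; the tuple is what the row holds."""
    table = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        table[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return table


def verify_salted(table, user, pw):
    """Login check against the salted table, in constant time."""
    salt, iterations, dk = table[user]
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_unsalted(table, wordlist):
    """Hash the wordlist once, then look every user up in the result. Cost is
    len(wordlist) hashes however many users there are, and every user with the
    same password falls together. Returns (cracked, number of hashes computed)."""
    precomputed = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: precomputed[h] for u, h in table.items() if h in precomputed}
    return found, len(wordlist)


def crack_salted(table, wordlist):
    """The salt defeats the shared table: every (user, word) pair must be
    recomputed and each costs `iterations` HMACs. Returns (cracked, HMAC count)."""
    found, work = {}, 0
    for u, (salt, iterations, dk) in table.items():
        for w in wordlist:
            work += iterations
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations), dk):
                found[u] = w
                break
    return found, work


if __name__ == "__main__":
    weak = store_unsalted_sha1(USERS)
    print("bob and carol share a SHA-1 digest:", weak["bob"] == weak["carol"])
    print("unsalted:", crack_unsalted(weak, WORDLIST))
    strong = store_salted(USERS)
    print("salted  :", crack_salted(strong, WORDLIST))
```

Both attacks recover the same two weak passwords from this tiny table; what changes is the cost per account and the loss of cross-user reuse. The salt does nothing for "letmein" itself, which is the point the original poster makes about database compromises and dictionary attacks: hashing buys time, not immunity.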
I run into a lot of "users" in my job, and certainly the younger generation feels more "at home" with technology than the older generations, but the younger ones do what young people always do, they underestimate risk. That leads young people to think it's OK to use the same password on multiple sites, post all their personal info on social media sites, and even share their passwords with other people, particularly girlfriends/boyfriends. The two most computer-illiterate people I know (both older) are both very careful with data they post online, and one even asked me if there were any programs for managing passwords for websites in an offline encrypted file. (I pointed them to Keepass). So the fact that older people pick better passwords is no surprise to me. They're more careful all around.
Young'uns are lazy and impatient. A well known phenomenon that moderates with age.
For older people, computer accounts are new and unfamiliar, and thus worthy of caution. Once they hear a couple of horror stories, they are likely to become rather paranoid about it.
For younger people, computer accounts are like mother's milk. It's totally familiar, and like most familiar things it seems harmless. Even if they hear horror stories, they assume that "it won't happen to me"; chances are that they won't take it seriously until they personally get burned. This is simple human nature, even for adults; the fact that the habits and attitudes are ingrained from childhood just makes it even harder to snap out of.
I fought that stupidity for 20+ years. And lost. Need I tell you where to stick that special character?