Slashdot Mirror


Geezers Pick Stronger Passwords Than Young'uns

McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

6 of 189 comments

  1. Not so surprising by Narrowband · · Score: 3, Informative

    This one seemed pretty intuitive to me. If you've lived a longer life, you probably have a bigger list of personal experiences to pick from where there are words/phrases to build passwords around that are meaningful to you.

  2. TFA says they were hashed by Fred+Ferrigno · · Score: 4, Informative

    The original paper includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.

  3. Re:Use case differences... by Anonymous Coward · · Score: 0, Informative

    Ya 'cause TELNET is so secure.

  4. Re:How did he analyse it? by Joe+Loughry · · Score: 5, Informative

    The methodology is explained in the paper "The science of guessing: analyzing an anonymized corpus of 70 million passwords", available at http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf . Plain text passwords were captured at login time in coöperation with Yahoo! under ethics and legal-approved rules. The experimental design contains technical measures to ensure that user IDs were not associated with passwords and further measures to protect against passwords that might be used in more than one place.

  5. Re:The current password convention is wrong by PsychoSlashDot · · Score: 3, Informative

    You're young aren't you?

    "What's the likelihood a dictionary attack is going to crack "hastalavistababy!"..."

    Pretty damn fucking HIGH I'd say.

    How do you figure? While each of the constituent words will likely be in a dictionary, the concatenated string is much less likely to be. Realistically an attacker will have to try low-hanging fruit passwords (such as "password") first, then try brute-forcing short combinations (such as "123abc"), then try a dictionary attack (such as "elephantine"), move back to brute-forcing slightly longer possibilities (such as "1234password#1") and finally start combinations of dictionary words in the desperate hope they might stumble upon a passphrase (such as "pluckmypubichairwithyourteeth").

    While yes, phrases consisting of dictionary words are technically a group of tokens, in practice hacking an unknown password isn't trivial. You can think a phrase using five words is equivalent to a five-letter password, but it's really not. By extending the length of the password, you force the attacker to try other combinations first, for efficiency's sake. And if you introduce a single spelling error you screw the attacker right over.

    --
    "Oh no... he found the .sig setting."
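
The tiered attack order sketched in comment 5 (common-password list, short brute force, single dictionary word with a suffix, longer brute force, then concatenated dictionary words), as an added example that is not code from the paper, from Yahoo!, or from any commenter. It estimates a worst-case guess number for a password, i.e. the attacker exhausts the tier that contains it, and converts that to bits. The wordlists, tier sizes, mangling rule and the dict_size knob (which lets you model a realistically sized wordlist while still segmenting against the toy one) are all constructed assumptions.

```python
import math

# Constructed stand-ins for an attacker's wordlists (assumptions, not data
# from the paper or the thread): a short "most common passwords" list and
# a tiny dictionary. dict_size in estimate_guesses() lets you model a
# realistically sized wordlist without typing one in.
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                 "letmein", "monkey", "dragon", "baseball", "iloveyou"]
DICTIONARY = ["hasta", "la", "vista", "baby", "elephantine", "pluck", "my",
              "pubic", "hair", "with", "your", "teeth", "monkey", "dragon"]
SYMBOLS = "!@#$%^&*"
ALNUM = 62          # size of [a-zA-Z0-9]
SHORT_BRUTE = 6     # tier 2 exhausts every alphanumeric string up to this length
LONG_BRUTE = 8      # tier 4 does the same up to this length
MAX_WORDS = 8       # tier 5 tries concatenations of up to this many words


def keyspace(alphabet, max_len):
    """Number of strings of length 1..max_len over an alphabet of that size."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def strip_suffix(pw):
    """Split off a trailing run of digits/symbols: 'baby!' -> ('baby', '!')."""
    i = len(pw)
    while i > 0 and (pw[i - 1].isdigit() or pw[i - 1] in SYMBOLS):
        i -= 1
    return pw[:i], pw[i:]


def segment(text, words):
    """Fewest dictionary words that concatenate exactly to text (dynamic
    programming over prefixes), or None if no such split exists."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                cand = best[start] + [text[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[-1]


def suffix_variants(max_digits=4):
    """Suffixes tried by the single-word mangling rule: none, 1..max_digits
    digits, or one symbol."""
    return 1 + sum(10 ** k for k in range(1, max_digits + 1)) + len(SYMBOLS)


def estimate_guesses(pw, dict_size=None):
    """Worst-case guess number of pw under the tiered strategy (the attacker
    finishes the tier that contains it). Returns (tier, guesses, bits), or
    ('beyond-model', None, None) if no tier would find it."""
    words = set(DICTIONARY)
    D = dict_size or len(words)
    base, suffix = strip_suffix(pw.lower())
    one_symbol = len(suffix) == 1 and suffix in SYMBOLS
    done = 0  # guesses already spent on earlier tiers

    def found(tier, guesses):
        return tier, guesses, math.log2(guesses)

    # Tier 1: the most common passwords, tried in order.
    if pw in TOP_PASSWORDS:
        return found("top-list", TOP_PASSWORDS.index(pw) + 1)
    done += len(TOP_PASSWORDS)
    # Tier 2: exhaustive search of short alphanumerics.
    if pw.isalnum() and len(pw) <= SHORT_BRUTE:
        return found("short-brute", done + keyspace(ALNUM, len(pw)))
    done += keyspace(ALNUM, SHORT_BRUTE)
    # Tier 3: one dictionary word plus a short digit or symbol suffix.
    if base in words and (suffix == "" or one_symbol
                          or (suffix.isdigit() and len(suffix) <= 4)):
        return found("dictionary", done + D * suffix_variants())
    done += D * suffix_variants()
    # Tier 4: exhaustive search of slightly longer alphanumerics.
    if pw.isalnum() and len(pw) <= LONG_BRUTE:
        return found("long-brute", done + keyspace(ALNUM, len(pw)))
    done += keyspace(ALNUM, LONG_BRUTE)
    # Tier 5: concatenations of dictionary words, optional trailing symbol.
    parts = segment(base, words) if (suffix == "" or one_symbol) else None
    if parts and len(parts) <= MAX_WORDS:
        combos = sum(D ** k for k in range(1, len(parts) + 1))
        return found("word-combo", done + combos * (1 + len(SYMBOLS)))
    return "beyond-model", None, None
```

Two things worth noticing when you run it: with the toy 14-word dictionary, "hastalavistababy!" costs about 2^47 guesses, but almost all of that is the tier-4 brute force the attacker has to wade through first, not the phrase itself; pass dict_size=50_000 and the four-word combination tier alone is over 2^65, which is the effect comment 5 is arguing for. A password the model cannot segment ("1234password#1") comes back as beyond-model rather than with a made-up number.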

  6. Terrible science reporting by MsWhich · · Score: 3, Informative

    As usual.

    The original paper is located here. From the conclusion:

    "The most troubling finding of our study is how little password distributions seem to vary, with all populations of users we were able to isolate producing similar skewed distributions with effective security varying by no more than a few bits."

    And yet in TFA this gets transformed into "old people use strong passwords and young people use weak ones!" and everyone starts wondering what could account for this. It also makes the study sound as though it specifically focused on user age, or that user age was the most interesting result, when in fact there were several other significant (yet still small) variations in different groups in the study, e.g. Indonesian users tended to use much weaker passwords than German or Korean users. They also found that users who tend to log in from multiple locations also tend to use stronger passwords.

    So why is the old people/young people thing the single takeaway that gets headlined and reported? It's not like what I just wrote would have been particularly difficult to outline or explain, even in a brief news article. I blame laziness on the part of the reporter.
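
The collection pipeline described in comments 2 and 4 (salted hashes of plaintexts at login time, then only per-group histograms reaching the analyst) and the "a few bits" comparison quoted in comment 6, as one added example that is not the study's own code. The collection side keys every plaintext with a single secret salt shared across all logins, which is the only way equal passwords can collide into one histogram bucket (a per-user salt would make the histogram impossible to build), and emits nothing but sorted bucket sizes: no hash values, no user IDs. The analysis side then computes min-entropy and the alpha-work-factor and alpha-guesswork partial guessing metrics, in bits, from those bucket sizes. The sample logins, group names and salt handling are constructed assumptions; the metric normalisation is the one that makes a uniform distribution over N values score log2(N) bits for every alpha, which the code is checked against.

```python
import hashlib
import hmac
import math
import os
from collections import Counter

# Constructed sample logins (an assumption for illustration, not data from
# the study): each group is a list of plaintext passwords, one per login,
# with a heavier head (more reuse of the top few) in the first group.
SAMPLE_LOGINS = {
    "under25": ["123456"] * 12 + ["password"] * 8 + ["qwerty"] * 5
               + ["iloveyou"] * 3 + [f"u25-unique-{i}" for i in range(72)],
    "over55": ["123456"] * 6 + ["password"] * 4 + ["qwerty"] * 3
              + ["sunshine"] * 2 + [f"o55-unique-{i}" for i in range(85)],
}


def collect_histograms(logins_by_group, study_salt):
    """Collection side (the "server in the middle"). Each plaintext is
    hashed with a keyed hash under ONE secret salt shared by every login,
    so equal passwords collide into one bucket; a per-user salt would make
    the histogram impossible to build. Only sorted bucket sizes leave this
    function: no hash values, no user IDs, no plaintext."""
    histograms = {}
    for group, passwords in logins_by_group.items():
        buckets = Counter()
        for pw in passwords:
            tag = hmac.new(study_salt, pw.encode("utf-8"), hashlib.sha256).digest()
            buckets[tag] += 1
        histograms[group] = sorted(buckets.values(), reverse=True)
    return histograms


def min_entropy_bits(counts):
    """H_inf = -log2(p_1): security against a single best guess."""
    return -math.log2(max(counts) / sum(counts))


def partial_guessing_bits(counts, alpha):
    """Analysis side: alpha-work-factor and alpha-guesswork, in bits, for an
    attacker who stops once a fraction alpha of accounts is compromised.
    Normalised so a uniform distribution over N values scores log2(N) for
    every alpha. Returns (mu, mu_bits, g_bits)."""
    counts = sorted(counts, reverse=True)
    n = sum(counts)
    covered = 0      # accounts cracked after mu guesses
    weighted = 0     # sum of c_i * i, in account-guesses
    mu = 0
    for i, c in enumerate(counts, start=1):
        covered += c
        weighted += c * i
        mu = i
        if covered >= alpha * n:
            break
    lam = covered / n                        # lambda_mu: achieved success rate
    g_alpha = (1 - lam) * mu + weighted / n  # expected guesses per account
    mu_bits = math.log2(mu / lam)
    g_bits = math.log2(2 * g_alpha / lam - 1) - math.log2(2 - lam)
    return mu, mu_bits, g_bits


def compare_groups(logins_by_group=SAMPLE_LOGINS, alpha=0.25, study_salt=None):
    """Run the whole pipeline. The salt is generated here and dropped on
    return, mirroring a study that destroys the key once histograms exist."""
    salt = study_salt or os.urandom(32)
    histograms = collect_histograms(logins_by_group, salt)
    report = {}
    for group, counts in histograms.items():
        mu, mu_bits, g_bits = partial_guessing_bits(counts, alpha)
        report[group] = {
            "logins": sum(counts),
            "distinct": len(counts),
            "min_entropy_bits": min_entropy_bits(counts),
            "work_factor_bits": mu_bits,
            "guesswork_bits": g_bits,
        }
    return report


if __name__ == "__main__":
    for group, metrics in compare_groups().items():
        print(group, {k: round(v, 2) if isinstance(v, float) else v
                      for k, v in metrics.items()})
```

On the constructed data the two groups differ by about one bit of min-entropy and about two bits of alpha-work-factor at alpha = 0.25, which is the scale of difference the quoted conclusion calls "a few bits". The histogram is identical whatever salt is used, so the analyst's results do not depend on the key, and the key can be destroyed as soon as collection ends.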