Geezers Pick Stronger Passwords Than Young'uns
McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?
It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords. Older users are more likely to have a Yahoo address as their primary email, etc.
Did Yahoo give him its user password database or what?
This one seemed pretty intuitive to me. If you've lived a longer life, you probably have a bigger list of personal experiences to pick from where there are words/phrases to build passwords around that are meaningful to you.
... the more likely it is that you actually have an identity worth stealing.
If it's at home, somebody needs to break in physically, commit a felony, risk their life, and know to obtain one single password from a monitor.
Other passwords are compromised in mass dictionary attacks and hacking invisibly, in foreign jurisdictions, and never get compromised.
I have another theory about the results: older people are more responsible.
1) Can the older folks actually remember all their passwords? Or are they writing them down?
2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger, more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2, 3, etc, etc, etc).
I am by no means young, I'm 31, but am part of a more tech-savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like: "firsthousenum+first name first crush, no space or caps" which would be the street address (house number) of my first house and the first name of the first girl I had a crush on, with no spaces or capital letters. That is just an illustrative example, they're actually more obscure.
And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) so it didn't work out, plus some force you to change passwords periodically, it's a mess.
On a different but kind of password-related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my Gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access: I could send and read emails, but not change any account settings (like passwords, etc.). That would've been fantastic.
Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.
-"Those who fought today will die tomorrow."-
Every password I have is written down in a Red & Black notebook in my office at home. If you are clever/powerful enough to get a look at it without my permission, I have bigger problems than worrying about my passwords.
Good-bye
Newspeak FTW. LOL.
By the taping of my glasses, something geeky this way passes
I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.
In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity.
http://alternatives.rzero.com/
Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.
Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.
With less experience, people do not believe things will happen to them. We older codgers know it does and take precautions.
I'll see your Constitution and raise you a Queen.
The original paper includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.
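The histogram-only analysis described in that comment, as an added illustration that is not from the paper or from Yahoo's setup: two constructed subgroups are hashed under one study-wide salt (an assumption here), only the hash counts are kept, and strength is read off the histogram in bits. The metrics (min-entropy and Shannon entropy) are my choice of standard measures, not necessarily the ones the paper used.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed sample data: what two demographic subgroups might have typed at
# login. Once hashed, the analysis never looks at these plaintexts again.
GROUP_A = ["123456", "123456", "123456", "123456", "password", "password",
           "password", "qwerty", "iloveyou", "letmein"]
GROUP_B = ["Tr0ub4dor&3", "correct horse", "m4gn0lia!", "7sparrows", "dunedin1987",
           "bl4ckcoffee", "wintermute", "saxophone9", "Qx!7pLm2", "ottoman.rug"]

# One secret salt shared by the whole study (an assumption for this example).
# Identical passwords must collide to the same hash or no histogram can be
# built; per-user salts would make every record unique and defeat the analysis.
STUDY_SALT = b"constructed-example-salt"

def hash_password(password: str, salt: bytes = STUDY_SALT) -> str:
    """Keyed hash of one submitted password; only this value is stored."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).hexdigest()

def histogram(passwords, salt: bytes = STUDY_SALT) -> Counter:
    """Count how often each hash value occurs within a subgroup."""
    return Counter(hash_password(p, salt) for p in passwords)

def min_entropy_bits(hist: Counter) -> float:
    """-log2 of the most common password's share: resistance to one optimal
    guess per account. Computed from counts alone, never from plaintexts."""
    total = sum(hist.values())
    return -math.log2(max(hist.values()) / total)

def shannon_bits(hist: Counter) -> float:
    """Shannon entropy of the histogram, in bits."""
    total = sum(hist.values())
    return -sum((c / total) * math.log2(c / total) for c in hist.values())

def compare_groups(group_a, group_b) -> dict:
    """Strength metrics for two subgroups and the min-entropy gap in bits."""
    ha, hb = histogram(group_a), histogram(group_b)
    return {
        "min_entropy_a": min_entropy_bits(ha),
        "min_entropy_b": min_entropy_bits(hb),
        "gap_bits": min_entropy_bits(hb) - min_entropy_bits(ha),
        "shannon_a": shannon_bits(ha),
        "shannon_b": shannon_bits(hb),
    }

if __name__ == "__main__":
    for key, value in compare_groups(GROUP_A, GROUP_B).items():
        print(f"{key}: {value:.2f} bits")
```

With these constructed groups the gap is exactly 2 bits, which is the scale of difference the headline describes as "double the strength".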
They also write their passwords down on a pad of paper right next to the computer.
That is what I do. All my passwords have the same initial six characters. So I only write down what comes after those six, and make them as long and secure as each site will allow. If a burglar steals the list, it will be useless because they don't know the common prefix, nor do they even know that there is a prefix. They just see "correct horse battery staple" and have no idea that the real password is "R5u7qPcorrect horse battery staple".
Which one is *really* more secure?
The one written on the monitor obviously.
Sig Battery depleted. Reverting to safe mode.
Back in the Day -- as we geezers like to begin the sentences we use to talk down to you -- having that box on your desk prompt you for a password was a much more rare and curious thing than it is today. Our computer-y crap sat right there in the box by our legs, or maybe down the hall in that cold room with the raised floor with the fat bastard in it. And we would have li'l whispered conversations with the fat bastard as we passed him in the Break Room, like "I know you know my password, you fat bastard, and if I ever think for a heartbeat that you're going through my crap I will key your car and beat you like a baby seal." Our passwords were the things meant to keep our crap from the prying eyes of the sinister-but-clever sociopaths in Marketing and Accounting who would indeed rifle our desks for clues, like children's and pet names, in order to look at our computer-y crap. So selecting a password like P*/34_##FuK-U-Joey!!39* had real value. So today, when industry insists we store our computer-y crap -- which now includes bank account access, photo albums, our music collections, and christ-knows what else -- on servers spread around the world operated by even fatter bastards whom we don't see and can't effectively intimidate, it should come as no surprise the habit has stayed with us, despite being prompted for passwords every twenty minutes...
You're young aren't you?
"What's the likelihood a dictionary attack is going to crack "hastalavistababy!"..."
Pretty damn fucking HIGH I'd say.
How do you figure? While each of the constituent words will likely be in a dictionary, the concatenated string is much less likely to be. Realistically an attacker will have to try low-hanging fruit passwords (such as "password") first, then try brute-forcing short combinations (such as "123abc"), then try a dictionary attack (such as "elephantine"), move back to brute-forcing slightly longer possibilities (such as "1234password#1") and finally start combinations of dictionary words in the desperate hope they might stumble upon a passphrase (such as "pluckmypubichairwithyourteeth").
While yes, phrases consisting of dictionary words are technically a group of tokens, in practice hacking an unknown password isn't trivial. You can think a phrase using five words is equivalent to a five-letter password, but it's really not. By extending the length of the password, you force the attacker to try other combinations first, for efficiency's sake. And if you introduce a single spelling error you screw the attacker right over.
"Oh no... he found the
As usual.
The original paper is located here. From the conclusion:
"The most troubling finding of our study is how little password distributions seem to vary, with all populations of users we were able to isolate producing similar skewed distributions with effective security varying by no more than a few bits."
And yet in TFA this gets transformed into "old people use strong passwords and young people use weak ones!" and everyone starts wondering what could account for this. It also makes the study sound as though it specifically focused on user age, or that user age was the most interesting result, when in fact there were several other significant (yet still small) variations in different groups in the study, e.g. Indonesian users tended to use much weaker passwords than German or Korean users. They also found that users who tend to log in from multiple locations also tend to use stronger passwords.
So why is the old people/young people thing the single takeaway that gets headlined and reported? It's not like what I just wrote would have been particularly difficult to outline or explain, even in a brief news article. I blame laziness on the part of the reporter.
My 9-year-old son has a password that's at least 15 characters long, composed of several made-up words, mixed case, with numbers and an exclamation point. Personally, I don't know how he remembers it. Of course, I'm the security guy, at work, so I've had quite a few discussions with my wife about choosing secure passwords for things like bank accounts, etc., in front of the kids. I guess they've learned through osmosis, at this point.
By the standards of the article, I'm a geezer, and I've always tried to choose strong passwords, even when I was younger. It really annoys me when I go to a site, even today, and they only accept 8 characters. Do they really care about the security of their users?
Sit, Ubuntu, sit. Good dog.
I am by no means young, I'm 31, but am part of a more tech-savvy generation.
I'm twice your age and I've been working/playing with computers for over forty years. In general, I've divided all sites that require passwords into three sets: those that store data that I care about (banks and so on), those that don't (comic strip sites, Slashdot and so on) and those that don't but require "strong" passwords.
The first set gets strong, unique passwords. For those that Firefox can't store, I have a place on-line to stash them; if you can find and access it, I've got more things to worry about than my passwords. For the second, all of them use the same password, simply to make things easy. After all, there's no way that the software running a blog (let's say) is going to know that you're using the same password for it as you are to sign on to a shopping site. And, the password's obscure enough that nobody who doesn't know me very, very well is ever going to come up with it by guessing, and it's at least as safe from a dictionary attack as any random, unpronounceable word can be. For the third, I have several variations on my standard password to fit various restrictions. Thus, things I don't care about very much are safe from anything except a very determined attack, and those I do are even better protected. Frankly, I'm more concerned about the possibility of my password being picked up by a cracker stealing a password database than by having it guessed.
Good, inexpensive web hosting