Slashdot Mirror


Geezers Pick Stronger Passwords Than Young'uns

McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?


  1. Use case differences... by DrEldarion · · Score: 4, Interesting

    It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords. Older users are more likely to have a Yahoo address as their primary email, etc.

    1. Re:Use case differences... by ShanghaiBill · · Score: 5, Funny

      Older users are more likely to have a Yahoo address as their primary email, etc.

      Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

    2. Re:Use case differences... by Anonymous Coward · · Score: 5, Funny

      username: OldGeezr
      pwd: G3t0ffMyL4wn!

    3. Re:Use case differences... by Anonymous Coward · · Score: 4, Insightful

      Yeah people who create throwaway yahoo accounts are unlikely to use very strong passwords.

      IIRC there was a time when you had to go through a drop down to select the birth year, and who is going to bother to scroll to geezer age for their throwaway account?

    4. Re:Use case differences... by perpenso · · Score: 5, Insightful

      Older users are more likely to have a Yahoo address as their primary email, etc.

      Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

      Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client.

      For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-)

      (*) Substitute alpine, mutt, whatever if you prefer.

    5. Re:Use case differences... by rubycodez · · Score: 4, Insightful

      bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

      we use stronger passwords because we've been around the block enough times to know there are bad people out there

    6. Re:Use case differences... by mrclisdue · · Score: 4, Funny

      ...and the Concorde just flew an inch over yer head....

    7. Re:Use case differences... by Presto+Vivace · · Score: 4, Insightful

      It is just possible that geezers have learned a thing or two.

    8. Re:Use case differences... by OldGeezr · · Score: 4, Funny

      Dammit...

    9. Re:Use case differences... by AliasMarlowe · · Score: 4, Interesting

      bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

      we use stronger passwords because we've been around the block enough times to know there are bad people out there

      Yup. And it galls me to see some places sending a confirmation message to your email address with your chosen username and password in cleartext when you register. Maybe that's why the kids don't bother with decent passwords, but to me it's another good reason to use a unique password for every site, and to then tailor the password strength to the weakness of password protection (cleartext, the mind boggles). Luckily, sites with personal and/or financial data (Amazon, banks, etc.) are a bit better, but it's still worth keeping their passwords strong and unique per site.

      BTW, I beat you in the greybeard stakes by a few years...

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    10. Re:Use case differences... by b4dc0d3r · · Score: 4, Insightful

      You reminded me - I never put my real age. Someone who is tech savvy is likely to have a strong password, as well as keeping other personal info private. Resetting my password involves remembering a fake birthdate, fake mother's maiden name, fake first job, everything is fake.

      If one site gets compromised, that info won't get someone into any other account.

      So one of the assumptions here is that the ages are correct, which is not necessarily the case. For more tech savvy people, it is more likely the age will be incorrect. To me, this study therefore has no value without validating a statistically significant portion of the user data. And if asked, I would say I really was born 25 years earlier than I was.

  2. How did he analyse it? by Hentes · · Score: 4, Interesting

    Did Yahoo give him its user password database or what?

    1. Re:How did he analyse it? by Joe+Loughry · · Score: 5, Informative

      The methodology is explained in the paper "The science of guessing: analyzing an anonymized corpus of 70 million passwords" available at http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf. Plain text passwords were captured at login time in coöperation with Yahoo! under ethics and legal-approved rules. The experimental design contains technical measures to ensure that user IDs were not associated with passwords and further measures to protect against passwords that might be used in more than one place.

  3. The older you are ... by jabberwock · · Score: 5, Insightful

    ... the more likely it is that you actually have an identity worth stealing.

  4. the geezer's, obviously by mbkennel · · Score: 4, Insightful

    If it's at home, somebody needs to break in physically, commit a felony, risk their life, and know to obtain one single password from a monitor.

    Other passwords are compromised in mass dictionary attack and hacking invisibly, in foreign jurisdictions, and never get compromised.

    I have another theory about the results: older people are more responsible.

    1. Re:the geezer's, obviously by dgatwood · · Score: 4, Interesting

      The latter. They know that the worst that could happen would be somebody impersonating them, and given how unlikely it is for someone to bother cracking their account to do so (SMTP is completely without security, for all practical purposes), they consider their email passwords to be unimportant. Now their Facebook passwords, they will protect. After all, that's where they do most of their communication.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. How many passwords? And can they remember them? by Faizdog · · Score: 4, Interesting

    1) Can the older folks actually remember all their passwords? Or are they writing them down?

    2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2, 3, etc, etc, etc).

    I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like: "firsthousenum+first name first crush, no space or caps" which would be the street address (house number) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

    And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) that it didn't work out, plus some force you to change passwords periodically, it's a mess.

    On a different but kind of password related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access, I could send and read emails, but not change any account settings (like passwords, etc.) That would've been fantastic.

    Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.

    --
    -"Those who fought today will die tomorrow."-
  6. Re:Memory? by spire3661 · · Score: 4, Insightful

    Every password I have is written down in a Red & Black notebook in my office at home. If you are clever/powerful enough to get a look at it without my permission, I have bigger problems than worrying about my passwords.

    --
    Good-bye
  7. Re:Education by CptNerd · · Score: 4, Funny

    Newspeak FTW. LOL.

    --
    By the taping of my glasses, something geeky this way passes
  8. young != geek by tverbeek · · Score: 5, Insightful

    ....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

    I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.

    In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity.

    --
    http://alternatives.rzero.com/
  9. Perhaps it's like other 'yoof' items by Gonoff · · Score: 4, Insightful

    Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.

    Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

    With less experience, people do not believe things will happen to them. We older codgers know it does and take precautions.

    --
    I'll see your Constitution and raise you a Queen.
  10. TFA says they were hashed by Fred+Ferrigno · · Score: 4, Informative

    The original paper includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.
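
Added example, not part of the comment above or of the paper: a sketch of the collection scheme described in this comment and in Joe Loughry's earlier reply, in which passwords are hashed at login and only per-group histograms reach the analyst. It assumes one secret key shared across the whole run and discarded afterwards (a per-account salt would make every hash unique and the histogram useless); the function names, the sample logins and the two statistics are choices made here for illustration.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter, defaultdict

def collect(logins, key):
    """Turn (group, password) login events into per-group frequency lists.

    Only sorted counts leave this function; the keyed hashes are dropped,
    so the analyst never sees a value that could be cracked offline.
    """
    buckets = defaultdict(Counter)
    for group, password in logins:
        # Same key for every login: identical passwords land in one bucket.
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        buckets[group][tag] += 1
    return {g: sorted(c.values(), reverse=True) for g, c in buckets.items()}

def min_entropy_bits(hist):
    """Bits of protection against one guess at the most common password."""
    return -math.log2(hist[0] / sum(hist))

def success_rate(hist, guesses):
    """Share of accounts covered by the `guesses` most common passwords."""
    return sum(hist[:guesses]) / sum(hist)

# Constructed sample logins (not data from the study).
SAMPLE = (
    [("under25", p) for p in ["123456"] * 4 + ["password"] * 2 + ["qwerty", "monkey"]]
    + [("over55", p) for p in ["123456"] * 2 + ["fido1957", "garden!gate",
                                                "blue-heron", "x9#kLm",
                                                "correcthorse", "Tr0ub4dor"]]
)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: generated per run, then discarded
    for group, hist in collect(SAMPLE, key).items():
        print(group, hist, min_entropy_bits(hist), success_rate(hist, 2))
```

The histograms come out the same whatever key is used, which is why the key can be thrown away once collection ends.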

  11. I'm Happy to Explain This by RobotRunAmok · · Score: 5, Funny

    Back in the Day -- as we geezers like to begin the sentences we use to talk down to you -- having that box on your desk prompt you for a password was a much more rare and curious thing than it is today. Our computer-y crap sat right there in the box by our legs, or maybe down the hall in that cold room with the raised floor with the fat bastard in it. And we would have li'l whispered conversations with the fat bastard as we passed him in the Break Room, like "I know you know my password, you fat bastard, and if I ever think for a heartbeat that you're going through my crap I will key your car and beat you like a baby seal." Our passwords were the things meant to keep our crap from the prying eyes of the sinister-but-clever sociopaths in Marketing and Accounting who would indeed rifle our desks for clues, like children's and pet names, in order to look at our computer-y crap. So selecting a password like P*/34_##FuK-U-Joey!!39* had real value. So today, when industry insists we store our computer-y crap -- which now includes bank account access, photo albums, our music collections, and christ-knows what else -- on servers spread around the world operated by even fatter bastards whom we don't see and can't effectively intimidate, it should come as no surprise the habit has stayed with us, despite being prompted for passwords every twenty minutes...