Why People Are So Bad At Picking Passwords

mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."

Huh?

[hduff]

These studies also reveal that when it comes to passwords, women prefer length and men diversity.

We are still talking about passwords, right?

Re:Huh?

[Thanshin]

Probably not.

Studies suggest that news about studies are only vaguely related to the studies themselves.

Re:Huh?

[QQBoss]

Is it too obvious to point out that it isn't so much the length of the password that is important, but how you use it? The luckiest, of course, are able to take advantage of both.

Re:Huh?

This is why women never use 'penis' as their password since it's never long enough.

Obligatory xkcd

[DexPleiadian]

http://xkcd.com/936/

Before choosing an important password

[LongearedBat]

So, before choosing an important password make sure you have shaved, had a haircut and dyed your hair red.

(A sex change is asking too much though.)

Re:Before choosing an important password

[emag]

Especially every 90 days...

Horse Battery Staple is common too

[Dave+Whiteside]

http://xkcd.com/936/

Re:Horse Battery Staple is common too

[BobNET]

Presumably the same one that designed the air shield for planet Druidia.

Re:Horse Battery Staple is common too

[14erCleaner]

What value is there in having a low limit on password lengths?

When they store it in clear text on a laptop, it takes up less disk space.

Re:Horse Battery Staple is common too

[arth1]

My favorite way of achieving easy to remember and hard to guess is to use qwerty encoding. Simply move your hands from the f/j row to the r/u row and then type a memorable word or simple phrase. The password 'password' would become '0qww294e' and yet can be typed just as quickly and remembered just as easily. The only downside is that it's less effective for people who don't touch type.

That's not the only downside. It also makes it very hard to enter passwords from other devices, like cell phones. But most of all, it doesn't add much security - the standard crackers have rules for shifting the letters as they would be shifted on a keyboard. Both John the Ripper and Crack, at least.

Bad news ....

[amalcolm]

... for RMS !

What about red headed women with beards?

[toonces33]

What is the quality of the password then?

We needed a study for this?!?

[tiberus]

Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here, the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.

Sadly, it took the recent Adobe compromise, to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned, by the number of accounts I had when I got through most of the sites I access.

After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.

• Passwords on sticky notes on monitors.
• Passwords shared with co-workers, that have not been granted access.
• System does not require default password to be changed.
• Default password is a known pattern.
• Techs routinely ask users for passwords
• Co-workers say, "Just give them your password".
• And so on . . .

Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".

Re:We needed a study for this?!?

[ccguy]

complete failing of organizations to have or heaven forbid enforce policies about password practices

Most of the time the problem is the opposite. Absurd policies and a delusion of the password being important to the user. And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set or around the same 10 in every site).

For like 95% of the sites I don't give a shit if my account if hacked. I use the same password for most of those sites (if they are too retarded with requirements I might add a few 0s or #s at the end). If you make me change the password even if once a year then I'm not going back to your site because I don't care much about it in the first place. So I'll forget the new password.

-Passwords on sticky notes on monitors.
-Passwords shared with co-workers, that have not been granted access.
System does not require default password to be changed.

None of these are user problems. They are system design problems which I can translate to this:

- They make me change the password every 90 days, so I have to write it down.
- Danny needs to access credit card information because it's part of his job to do refunds but they won't give him access because for some reason that also means they have to give him access to XXX (they have one permission for two things) so I have to type my password at his terminal 10 a day. I cannot be interrupted that much, or I might not be around, etc, so I just let him use my password.
- My sysadmin uses the same default password for everyone.

Re:because

[master_kaos]

Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure that are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all
Then you get redicoulous requirements on some websites, like can't use special characters, can't be longer than 10 chars. Why? You should be using a hashing algo which means special characters or max length shouldn't matter (within reason)

I have about 4 passwords
My low security one where I do not give a shit if people hack my account eg slashdot/most forums
Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
Very High security - Used for financial institutions

This way I always know when I go to a site which password it uses.

However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the the first 3 characters of the sites name or something (maybe not quite this obvious). This may increase security of password a little, as well as benefit of most passwords being unique.. but not sure how much it increases the security by

People are taught wrong

[Archangel+Michael]

On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.

My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.

And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.

weak, because they don't care

[jessepdx]

there are a lot of sites, that require setting up and account, i could care less about. i use a junk email account and a simple junk password. those accounts, if they are hacked, won't give you any useful information to get into another site's account that i do care about. i think many people do the same. those junk sites also get hacked and the stolen lists get published. then the appalling headlines stating "OMG these passwords are so easy!!!" get published... so what...

Re:PI-N?

[gazbo]

All of us. We just choose a different place to start.

Who works for whom?

[mcmonkey]

"people are lousy at picking good passwords"

This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.

A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.

"You have to remember we are all human and we all make mistakes"

Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,

"password systems are lousy at serving people."

(as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)

Re:Except

[bobbied]

your favorite color".

Blue... No, RED!

My Password solution

[OzPeter]

I use regexes related to the site name/function. (*)

Now the hackers have 2 two problems when they want to break into my account!

* I actually I do incorporate regex like strings.

Re:because

[xelah]

Given that it's widespread across huge numbers of people, presumably of all kinds and intelligence levels, I think that dismissing the problem as being because people are too lazy/stupid is...well....lazy and stupid.

Remember that people treat their computers like a social being - and a subordinate one at that. Every morning, someone will go and sit down at their office computer and find it's forgotten who he is, even though it sees him every day. He can walk away for an hour and it'll forget again. It'll fail to understand that he's him over and over again as he uses websites, servers, etc, stopping each time to refuse his instructions and demand that he perform some silly little task purely to help the computer out in functioning correctly: remember an irrelevant string of nonsense. And, very occasionally, the computer will fail and do something like send banking details to someone in Russia, or show his ex-wife his e-mails to his lawyer.....even though it's blatantly obvious to even an imbecile that these are the wrong things to do.

We all know that computers are unintelligent tools that are not capable of doing better than this - on slashdot, at least. But it still feels like talking to a forgetful, obstructive, naive, reckless, stupid and insubordinate little shit. Even the most stupid of assistants should be expected to do better most of the time.

People can certainly do better, but we have to accept that humans behave like humans and recognize that we're going to need to improve the technology as well as people's habits. In the short term that could mean things like providing ways to generate secure passphrases and asking them to write them down, using authentication devices and using UIs to promote better practices....and we need security researchers who stop looking a memory dumps for a while and look for more secure ways to interact with users.

Use a good password manager

[Nimey]

The proper way is to use a good password manager with the following features:
1) cloud-based sync, so you can access it from any computer or mobile device
2) multifactor authentication, such as a USB stick or a grid or biometrics
3) a configurable password generator (i.e. you can choose length, complexity, etc.)

I use LastPass and like it enough to have bought a year's subscription for $12, but there are other good choices out there like 1Password, or you could homebrew up something with e.g. DropBox + KeePass or Google Drive + TrueCrypt + something that can read TC volumes on iOS/Android.

Generate a different random password for each site needing an account, as complex and as long as the site will allow for, and with LastPass at least you can attach a note to each site's entry so you could enter random line-noise answers for security questions like "What is your mother's maiden name?", thus making crackers work much harder. I've also got LP set up for multifactor authentication and with a strong master password.

Re:because

[Nemyst]

I use LastPass and the two-factor authentication adds a lot to the security. If someone can guess my password and obtain my two factor secret, I'm probably screwed regardless of what I did. I also enable two-factor on as many sites as I can (stupidly most banks don't have that).

Re:because

[ottothecow]

Exactly. The problem with the algorithm method is that there is no end to the stupidity that is present in password requirements.

• Site A requires a symbol, but only accepts !?#$%.
• Site B requires a number, but god-forbid that number is at the beginning or end of your password.
• Site C won't accept any symbols, but needs upper/lower/number
• Site D has reasonable complexity requirements, but requires you to change the password every 30 days, despite being a service that you only access if something is wrong, and even then, never more than once a month (one of my student loan providers used to do this. I think I complained enough that they realized that password change requirements were stupid...especially on a website where the worst thing you could do would be pay my bill for me).

I like the algorithm method (and even if the algorithm would be obvious to a human with access to 3-4 passwords, it would save you from some bot getting one password and simply trying the same pair at every major service), but when you have sets of requirements like this, it is impossible to implement. A and C are mutually exclusive, B is annoying (and actually reduces brute force complexity) but avoidable, and D will break your whole algorithm the first time it changes (unless you add a counter, but then you have to remember what iteration you are on).

I keep a little list in a google doc of the rarely accessed but important sites that have weird password requirements (since it is rare they tell you the requirements on the login page)...then at least I know that I may have had to modify my algorithm because '^*()' aren't valid characters, or that the requirements were dumb enough that I just said "screw it" and used some old insecure password that has probably been unknowingly leaked 15 times while hoping for the best.

Re:936-style passwords are kinda easy to crack now

[TheLink]

If they can crack a website's passwords at GPU speeds it means the site is already been compromised.

That's why I don't bother making really strong passwords for most websites. It's a waste of my time - the site is more likely to get hacked then my password bruteforced over network connections. Every few months there's a web service getting pwned.

It's silly to waste time making your password much stronger than a typical website's admin password.

FWIW I've encountered at least one online bank that actually limits passwords to 8 characters for some unknown stupid reason.

Re:936-style passwords are kinda easy to crack now

[Entropius]

I don't think you understand the concept that the xkcd advocates.

The ars technica article is pointing out that context can grossly reduce the entropy in any given search space. If you're going to test combinations of words from different languages, for instance, you shouldn't bother with "crotalus fthagn" or "Cthulhu atrox" until you've already tried "crotalux atrox" and "Cthulhu fthagn". The point is that you can't beat the password crackers by picking something from an obscure search space -- in other words, it's a classic point against security by obscurity.

The XKCD is making a different point: that passwords comprised of unrelated words deprive the attacker of such information and are resistant to attack not because of the obscurity of the search space in which they're found, but because of its size. Perhaps 44 bits of entropy isn't enough to defeat extensive computational resources, but the point is that six words chosen out of the dictionary at random, all in lowercase, with spaces between them is a better password than "Cthulhu fthagn" because modern datamining techniques mean that it's likely to appear in someone's dictionary after all.

Re:936-style passwords are kinda easy to crack now

[jandrese]

That's only true if you never reuse passwords, which means you're pretty much forced to use something like Keypass anyway, and might as well make the password secure since it's just as easy to use a 32 character random string as it is a normal human password. If you don't use a password manager, then it's hard to come up with a memorable password for every goddamn site that needs a login these days. It's so damn annoying to google a problem and find a potential solution, but then click on the link and bet told "you must register a free account before you can view this forum."

Every time someone sets up forum software to require an account to simply read it, they should be kicked in the nuts. Requiring an account to post is totally ok, but requiring an account to read is not.

Re:936-style passwords are kinda easy to crack now

[swillden]

Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.

Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.

The point that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator) words, you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.