Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com)
An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study's focused around a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.
Why does this still work? I would think we would have adjusted things years ago so that once a wrong password is tried like, oh, I don't know, say 50 times the account is locked. Or don't allow more than one attempt per second. Something along those lines.
I wouldn't expect intelligence to factor into strength of passwords. Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...
Or maybe it's just that no-one likes using hard passwords and even the paranoid will not bother.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Look at password rules and if they have 5+ different systems to deal with.
Judge intelligence based on password strength.
> A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.
This confirms that password quality is an irrelevant metric when looking at folks with better grades as compared to those without.
Question though is why they used the Philippines and not the USA, where my bias assumes the USA has more avenues where folks would be exposed to the need of a password [as a percentage] of the whole population.
This assumes that higher GPA means smarter. While this may generally be the case, this is far from a foregone conclusion. Smartness or intelligence is a complex subject, and the measurement of intelligence is not something that is trivial and universally accepted. A different study that has access to other measures of intelligence – such as standardized aptitude tests – to combine with GPA may yield further insightful result.
Oh hey, yeah I think you're really smart, and we're doing a study of smart passwords, yeah that's the ticket. Now, if you'll just write all those down right here on this form.
It's easy to make a hard to find password... Just take a regular password that someone might use, like "derpface19" and then apply upper cases and special characters to it, while increasing the length, like "D3rPf@c£N|net€eN".
Or really, just use a local password manager to get a unique password for everything and which is kept on an external drive. If someone gets access to your password manager and can crack the encryption, they deserve it.
Use a password manager, and you never need to remember what rules were in use where.
You do not have a moral or legal right to do absolutely anything you want.
they looked at grades, which is a dubious measurement of intelligence at best.
My password predicament went away when I changed all mine to correcthorsebatterystaple !
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
At least we can tell the editor is a moron. Grades are only loosely correlated with intelligence. They are a much better measure of self-discipline and long range planning.
>"Smarter People Don't Have Better Passwords, Study Finds"
>"students with better grades use bad passwords in the same proportion as students with bad ones"
Um, students with better grades are not necessarily "smarter." Just saying...
>"because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools."
Any system that allows fast, unlimited login attempts (which is necessary for brute force) is BROKEN. Even weak passwords can't be "brute forced" when you only have X attempts in X attempts per minute across X seconds and then that account is locked for X minutes/hours/days.
> verifying if the password is also listed in previous public breaches
So does NIST recommend maintaining an offline archive of every breach ever or are they recommending you transmit the password in cleartext to a 3rd party?
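Two posts above ask why accounts are not simply locked after some number of wrong guesses. Below is an added example (not from any of the posters, and not from the study) of that kind of per-account throttle, with an injectable clock so the lockout can be exercised without sleeping. The account name, the stored password and the five wrong guesses are constructed for the demo; a real store would hold slow-KDF hashes rather than the plaintext used here for brevity.

```python
import hmac
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account online guessing limiter: `max_failures` failed attempts
    inside `window` seconds lock the account for `lockout` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=10, window=60.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)  # account -> recent failure times
        self._locked_until = {}             # account -> time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and the failures that caused it.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
        return self.is_locked(account)

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Constructed user store: a hypothetical account, kept as plaintext only so
# the example stays short (a real store holds slow-KDF hashes, never plaintext).
USERS = {"alice": "correct horse battery staple"}


def attempt_login(throttle, account, password):
    """Returns 'locked', 'ok' or 'denied'. The lock check runs before the
    password is compared, so a locked account gives the guesser no signal."""
    if throttle.is_locked(account):
        return "locked"
    stored = USERS.get(account, "")
    if account in USERS and hmac.compare_digest(stored, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


def demo():
    """Five wrong guesses one second apart, then the right password while
    locked, then the right password after the lockout expires."""
    now = [0.0]
    throttle = LoginThrottle(max_failures=5, window=60, lockout=600,
                             clock=lambda: now[0])
    results = []
    for guess in ["password", "123456", "qwerty", "letmein", "Summer2018"]:
        results.append(attempt_login(throttle, "alice", guess))
        now[0] += 1.0
    results.append(attempt_login(throttle, "alice", "correct horse battery staple"))
    now[0] += 600.0
    results.append(attempt_login(throttle, "alice", "correct horse battery staple"))
    return results
```

Two caveats a deployer would want: a hard lockout is a denial-of-service lever (anyone can lock "alice" with five bad guesses), so it is usually paired with per-source limits, progressive delays or a CAPTCHA; and it only slows online guessing. The breach-list check in the summary exists for the offline case, where the attacker holds a copy of the hash database and the login server is never consulted.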
This study just shows that people with better grades don't necessarily use better passwords; nothing more or less.
... than the 'other' people. Smart people tend to think for themselves, to ignore common beliefs and behaviors. Smart people are like cats who are difficult to herd. If the gospel among computer users is to have an obscure password, smart people will question that and may do so only for special accounts.
The 'other' people, OTOH, tend to do as they are told, to follow the rules, to behave themselves. If they are told to use safe passwords, and they can remember that rule, they will make some effort to do so. Those 'other' people are like dogs- they will do as told if they understand and remember the rules. We all like dogs, but not everyone likes those smartass cats.
...omphaloskepsis often...
Studies also show that TFS submitters don't know when to not stick apostrophes into words. For example in this TFS it is studies not study's because they are not talking about things belonging to the studies. I guess this proves that smarter people don't do Slashdot TFS submissions?
Passwords are a braindead concept, so there's no surprise that intelligent people don't have better passwords. With all the "good password" rules that get ignored, most password breaches are still not caused by the user but on the other side of the screen. I would not be surprised to read that some site's passwords got compromised because they sent them to a phishing site that pretends to check if a password has been leaked.
That can still create havoc when having to make a new password. I've been to some sites that only allow certain non-alphanumeric characters, then there are ones that don't allow three of the same character anywhere in the password string, even if it's 20 characters. I've yet to see a password manager that can generate some passwords based on these asinine rules.
> This assumes that higher GPA means smarter
That's a pretty excellent point really, the ability to get good grades is possibly an indicator of intelligence, but I don't think lack of good grades is a negative indicator for intelligence... I seem to remember reading lots of really intelligent people got bad grades, in part because they were bored or grades were not what they cared about in studying.
$ pwgen -s 20
That is all.
The one I got assigned by default from corporate was ridiculously easy to break with John the Ripper and an updated password list. Due to this, I changed the password to a unique 20 characters which would have been next to impossible to break using today's technology.
Less than 9 weeks pass and I receive the automated e-mail that forces you to change your e-mail. Genius!
After that I just used the original password they gave me and incremented it by one - EVERY time they sent me another e-mail to change it.
Why even bother trying when idiots run the show.
Let me get this straight. So the NIST is saying that when a new user creates an account on a site, that site should immediately shuffle a copy of that password off to another site where it can be compared to a list of passwords on that site.
That sounds a little shitty. When I sign up for an account somewhere, the password I create and give them shouldn't be passed around to other entities. It sounds like a great opportunity for somebody building a password dictionary to log a copy of everything that's being sent to that site.
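Two posts in this thread ask whether the breach check means shipping the password, or its hash, to a third party. The common implementation does neither: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every known breached hash suffix sharing that prefix (the "range" endpoint of the Pwned Passwords service, at https://api.pwnedpasswords.com/range/<prefix>). The block below is an added example, not the study's or the service's code; the network call is replaced by a constructed in-memory stand-in, and the three breached passwords and their counts are made up for the demo.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_server(breached):
    """Constructed stand-in for the range endpoint's data: for each 5-hex-char
    SHA-1 prefix, the 35-char suffixes of every known breached hash with that
    prefix, one 'SUFFIX:COUNT' per line. Passwords and counts are made up."""
    ranges = defaultdict(list)
    for password, count in breached.items():
        h = sha1_hex(password)
        ranges[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


FAKE_BREACHED = {"password": 3730471, "123456": 23597311, "Summer2018": 25126}
FAKE_SERVER = build_fake_range_server(FAKE_BREACHED)


def fetch_range(prefix):
    """Stands in for GET https://api.pwnedpasswords.com/range/<prefix>
    (in real use: urllib.request.urlopen). Only these 5 characters leave
    the client; the response covers every hash sharing them."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return FAKE_SERVER.get(prefix, "")


def breach_count(password, fetch=fetch_range):
    """How many times `password` appears in the breached set, or 0.
    The full hash never leaves this function; only its prefix is queried."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def accept_new_password(password, min_length=8):
    """SP 800-63B-style acceptance: a length floor plus 'not in a breach
    list'. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password)
    if n:
        return False, f"seen {n} times in known breaches"
    return True, "ok"
```

The remaining privacy exposure is the five-character prefix itself, which narrows the candidate space to roughly one in a million hashes; a site that wants none at all keeps a local copy of the corpus and does the lookup offline, which is the other option the poster above mentions.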
It is interesting to ask just how good a password needs to be this year. Cracking a password involves computing many hashes, and because of bitcoin, specialized hardware exists to do this very very quickly. For example, there is AntMiner 9 that does 14TH/s while consuming 1.3kW. It will not, of course, crack passwords, but we can probably assume that similar hardware exists on the black market that can. So, how long does your password need to be to counter threats like this?
An average identity theft results in $1343 in profit for the thief. A thief equipped with AntMiner9-equivalent hardware will be able to run it for about a year at current electricity prices. A year is about 2^25 seconds. 14TH is approximately 2^44, 44 bits. Together that's 69 bits of password strength required before a brute force attack becomes unprofitable.
According to wikipedia's password strength table, 69 bits can be achieved with 11 character case sensitive alphanumeric + symbols password. With single-case alphanumeric, 14 characters would be needed.
So, how many of you smart ones use a password this long on some random website? What, nobody? Of course not. Nobody will be able to remember many 14 character passwords. Use a password manager! Don't let your friends use the web without a password manager!
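The arithmetic in the post above (one year of a 14 TH/s device, about 2^69 guesses, hence 11 or 14 characters depending on alphabet) is easy to redo for other rates, so here it is as an added example rather than anything from the poster. The 14 TH/s figure and the one-year window are taken from the post; the 10^4 guesses/second rate used for a slow password hash in the usage note is an assumption for illustration. All lengths assume uniformly random characters, which is exactly what human-chosen passwords are not.

```python
import math

# Alphabet sizes used by the usual password-strength tables.
ALPHABETS = {
    "digits": 10,
    "single-case alphanumeric": 36,
    "mixed-case alphanumeric": 62,
    "mixed-case alphanumeric + symbols": 95,  # printable ASCII without space
}


def bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size):
    """Shortest uniformly random password reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def attacker_bits(hashes_per_second, seconds):
    """log2 of the number of guesses the attacker can afford in that time."""
    return math.log2(hashes_per_second * seconds)


def required_lengths(hashes_per_second, seconds=365 * 86400):
    """Length per alphabet at which exhausting the space costs more than the
    attacker's budget, i.e. entropy exceeds the affordable guesses."""
    budget = attacker_bits(hashes_per_second, seconds)
    return {name: min_length(budget, size) for name, size in ALPHABETS.items()}


def slowdown_bits(fast_rate, slow_rate):
    """How many bits of password entropy a slow password hash is worth
    relative to a fast one, for the same attacker hardware and time."""
    return math.log2(fast_rate / slow_rate)
```

required_lengths(14e12) reproduces the post: 11 characters with symbols, 14 for single-case alphanumeric, because a year at 14 TH/s is about 2^68.6 guesses. The same budget against a properly parameterised password hash is a different world: if each guess costs the attacker's hardware the equivalent of 10^4 evaluations per second (an assumed figure, not a measurement), slowdown_bits(14e12, 1e4) is roughly 30 bits, which is why the KDF choice on the server side matters at least as much as the user's character count.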
...it helps writing titles that actually do reflect studies.
Better grades is not the same as being "smarter".
I got fairly good grades, As and some Bs. I'm also pretty intelligent. Unfortunately, I'm also fairly lazy in a lot of ways. For whatever reason, if I could easily get good enough, I have never really had the motivation to push for the best.
Sure, I sometimes am the best at some given thing and at work I do a great job but by the same token, have zero interest in going into management (learned 10 years ago that I hate managing people that can't be bothered to try or even care and way too many people fit the bill) and so I therefore stay in my position. I'm happy with my pay and benefits.
I also own a townhouse but have no yard. Making the push to the house level would require my wife and I to earn an additional 30k a year between us and I just can't find the motivation to really push for it.
TLDR: Just because you are intelligent doesn't mean you'll be extremely successful in life.
Better grades != smarter
The only thing that correlates highly with "better grades" is *effort*, not intelligence.
> Read about rainbow tables
Good advice. You should take that advice. Maybe even try using one.
Let's look at your claim regarding the length of the password. Back in the early 1990s, MD5 was the recommended algorithm. It had a short 128-bit hash. That's roughly the same entropy as an 18-20 character password. As long as two passwords were both at least 20 characters, a longer password wasn't better because they'd both get reduced to a 128-bit hash anyway. By the late 1990s weaknesses had been found in MD5 and we started recommending SHA-1 instead. I personally distributed sample code showing how to convert your MD5 password hashes to SHA1, something that sounds impossible at first.
Then about 15 years ago MD5 was completely broken. Anyone with a clue moved to SHA1 or, later, SHA2. IF your web application is using an algorithm that has been broken for 15 years, AND your pass is at least 20 characters, longer than 20 isn't much more secure.
You might be thinking "there is a four character password with the same hash". No, there isn't, in all likelihood. There are very few 4-character passwords, and very many possible 128-bit hashes. For any given long password, there probably is no short password with the same hash.
SHA-1 is a 160-bit hash. It's even less likely that a short password of say 36 bits entropy is going to have the same 160-bit hash as a longer password. ALL possible 36-bit passwords combined only cover 1/2^124 of the outputs. In other words, the odds against getting a match, even trying ALL of the short passwords, are far less than the odds that you will win the lottery without even playing, by finding a winning ticket.
SHA-2 came out in 2001. There are no rainbow tables for SHA2, because the key space is too large. So if your application has been *properly* updated in the last 10-15 years, rainbow tables simply do not apply.
I've run into that....sometimes it means I have to change my rules, and sometimes I can only get the rules so close and have to make multiple attempts.
And sometimes I get websites that won't let me paste in my password. Because apparently it's still 2004 wherever they live.
Finding God in a Dog
What's wrong with "54321EGAGGUL"?
#DeleteFacebook
This is completely stupid.
I once got a B+ in my advanced-stream, enriched introduction to calculus course, so I guess my standard 11–15 character passwords (seeded from the OpenBSD apg utility) count toward the B Ark's less-than-entirely-lame password rating.
But I guess I was pretty stupid after all, because just about any other course would have been less difficult to complete with a big fat A.
But then again, only because I effed myself to take the hard road did I gain a full and proper understanding of Simpson's paradox (apparently this is a high achievement in life, because on a straw poll I seem to be a member of a select few).
Simpson's Paradox and Statistical Urban Legends: Gender Bias at Berkeley — 8 May 2016
Wisdom is knowing the right thing to do.
IQ is then figuring how to do it effectively.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
He was working on the Manhattan project making the first atom bomb. The place was teeming with top physicists, absent-minded professors, and was run by the Army, which had safes allocated to all top scientists. After a long and interesting story about how he got into safe cracking, he mentioned: He was challenged to crack the safe of Niels Bohr or Oppenheimer. He did it in less than two minutes. Asked how, he replied, "Physicists always use 3141, 1414, 1783, or 2245 as the code". They are PI, sqrt(2), sqrt(3), sqrt(5)
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The headline said: Smarter People Don't Have Better Passwords, Study Finds
The summary said: students with better grades use bad passwords in the same proportion as students with bad ones.
Counterpoint: Better grades are not a measure of "smartness" or intelligence --- Grades are a course-specific measure of performance in class, typically on assignments and tests, which are bound to frequently have some level of instructor subjectivity embedded in the result: at the very least in advanced subjects, instructors tend to choose to emphasize some topics on exams and are bound to leave out other topics; some students are more concerned about learning than grinding specific instructor-emphasized line items for high grades in particular classes and may spend more time deepening their knowledge of the material in depth and breadth, so by being less concerned about gaming grading results to ensure an A they actually learn a lot more from the course of study than the A student but perhaps get a B or C, because they weren't hammering flash cards on the small selection of topics the professor wants them to answer on a high-stakes, time-limited exam or narrow-deadline assignment. And grades are affected by things that don't necessarily equate to a student being smart or not.... some of the prodigies that started the tech revolution were college dropouts or got bad scores, so high grades don't equate to intelligence, they never did
Secondly.... General intelligence and Security-Awareness / security-specific intelligence may be correlated weakly but less so than one would expect with general good grades
"That's AMAZING, I've got the SAME combination on my luggage!!"
Figured that most it services don't matter.
I use KeePass personally, and its built-in password generator has the following options:
It also has options to only allow characters to appear once at most, forbid look-alike characters like "O" and "0", and simple prohibit certain characters.
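An earlier post complains about sites that allow only some symbols or forbid three identical characters anywhere, and the post above lists the equivalent KeePass generator options. The block below is an added example of how such a policy-aware generator works; it is not KeePass code and the policy values are constructed. The one design point worth seeing in code is rejection sampling: draw uniformly from the CSPRNG and throw away candidates that break a rule, rather than "fixing up" a candidate by forcing a digit into a chosen position, which biases the output.

```python
import secrets
import string
from dataclasses import dataclass

LOOKALIKES = set("O0Il1|")


@dataclass
class SiteRules:
    """One site's password policy (constructed for the example)."""
    length: int = 20
    symbols: str = "!@#$%^&*"       # the symbols this site accepts
    require: tuple = ("lower", "upper", "digit", "symbol")
    max_run: int = 2                 # "aa" allowed, "aaa" rejected
    unique_chars: bool = False       # each character at most once
    exclude_lookalikes: bool = False

    def alphabet(self):
        chars = string.ascii_letters + string.digits + self.symbols
        if self.exclude_lookalikes:
            chars = "".join(c for c in chars if c not in LOOKALIKES)
        return chars


def satisfies(pw, rules):
    """True if pw meets every rule; used both to validate and to filter."""
    alphabet = set(rules.alphabet())
    if len(pw) != rules.length or any(c not in alphabet for c in pw):
        return False
    present = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in rules.symbols for c in pw),
    }
    if not all(present[k] for k in rules.require):
        return False
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > rules.max_run:
            return False
    if rules.unique_chars and len(set(pw)) != len(pw):
        return False
    return True


def generate(rules, max_tries=10_000):
    """Rejection sampling with the CSPRNG: every accepted password is equally
    likely within the set the policy allows. Raises if the policy is so
    restrictive that nothing passes within max_tries."""
    alphabet = rules.alphabet()
    if rules.unique_chars and rules.length > len(alphabet):
        raise ValueError("not enough distinct characters for this length")
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(rules.length))
        if satisfies(candidate, rules):
            return candidate
    raise RuntimeError("policy too restrictive for rejection sampling")
```

With the default rules roughly four in five random 20-character draws pass, so the loop rarely runs more than a few times; the entropy lost to the rules is the log2 of that acceptance rate, well under a bit. A policy that rejects most draws (say, length 6 with four required classes) costs more, and that is the measurable harm of the rules the earlier post calls asinine.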
Smarter People Don't ...
... remember random letters any better than dull people. Smart people don't know which passwords are compromised and probably don't know such a list exists. Smart is mixing letters and digits (mandatory for most log-ins), not re-using passwords and using a(n) (off-line) password manager.
The actual issue is that a college in the Philippines believes that smarter people get better grades. More diligent and better organized students get better grades, not smarter ones.
A major problem is that there is a lot of misinformation about what is a good password, and a lot of password policies based on said misinformation.
When people are prevented from using a good password, they'll often just throw in the towel and use one of the standard crappy passwords that every password policy allows.
Test for yourself. Does the password policy at your place of work / school allow "correct horse battery stable"? Does it allow "Summer2018"?
Most systems would consider the first "too weak" (its only weakness is that it's the standard example of a good password), while accepting the second one (probably the worst password ever[1]).
[1] Yes, it's worse than "batman". Because you don't know if they used "batman", "superman", "spiderman" or any of the other choices. Whereas anyone using "Summer2018" is probably doing so because the system requires changing the password every three months, so you know they'll be using either "Spring2018" or "Summer2018" depending on whether they just changed their password or they need to do it soon.
When you have good test scores; in math, in literature, sports or IQ tests you have proven you are highly motivated to score well. It is not proof of intelligence.
There is a fair amount of highly intelligent people that are demotivated and will not apply themselves in a manner that is often expected in today's society.
The real challenge for educators, parents, friends and managers that know demotivated intelligent people is to help them get that spark to apply themselves.
It is perhaps unthinkable that one could achieve so much and yet not bother; and indeed it is suggestive that such behaviour is not intelligent...yet without a reward, a satisfaction of sorts there is little motivation to act.
I hope I have captured your attention if ever so briefly and ask that if it's work, grades, personal relationships or very good computer security and so on; that you find your motivation/satisfaction to apply yourself in some way today.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Looking at the numbers, it is clear that students with higher GPA (dubiously dubbed "smarter people") do have better passwords. The difference is 7 percent points which (without having done the math) seems significant to me. It's even reflected in the title of the fucking paper: Do Smarter People Have Better Passwords? Yes, But... How do you go from "yes but" to "no"? Via pop sci journalism.
Implying that smarter people grades is kind of silly imo
Many sites require for you to register because they can. For such sites, which will contain nothing but spoofed information about me, I couldn't care less about the strength of my password.
Yes, I get your point.
- Parent poster's point is about rainbow tables (tables that point hashes back to strings that can generate the same hash).
- Your point is that a well designed (=non-borked design) hashing function should give two different hashes for two dissimilar short passwords. Thus you would need a giant rainbow table that gives a password for *every single possible 160-bit hash* (that's ~10^48 entries, i.e.: within an order or two of the number of atoms on earth). Fat chance.
BUT!
Even if the hash->password direction is *hard*.
password->hash direction is easy.
All the algorithms you mention (MD5, SHA1, SHA2 and let's throw SHA3/KECCAK in the mix too) are all extremely *fast hashing functions* (They are ultra fast, and have very low resource requirements by design).
Meaning you can take a GPU running a special compute shader/OpenCL/Cuda code that can process millions of them in a second.
So you could scan through ALL the common passwords (based on frequent leaked passwords and/or on frequent patterns, etc. and their substitutions) within a reasonable time until you find a match.
As the summary points out, we humans are bad at picking passwords, we definitely use less than 2^${whatever bits used by current popular hash} different passwords.
Even if you use salt (so your hash doesn't match any other precedent hash in any rainbow table), and even if you use the latest *hashing* function (SHA3 - well okay, it's a sponge function, but basically works the same), it's definitely within the reach of a reasonable budget to loan GPU compute time on the cloud and brute force the passwords.
So if a database containing SHA{n}-hashed (and optionally salted) passwords get leaked, you can consider that all except the most unusual passwords can be brute-forced.
So in short DO NOT USE HASHES. USE KEY DERIVATION FUNCTIONS.
Things like bcrypt, scrypt or the current competition winner argon2, are on purpose designed to be slow and resource intensive.
(By iterating multiple rounds, by require significant memory, etc.)
For you, it doesn't change much if logging in now takes a third of a second - you only log in once, after all, it won't kill you to wait for 300ms just once at the beginning of your session.
But for potential brute-forcers, not being able to quickly go through million of tests is suddenly a huge blocker.
So in short :
do NOT use SHA2 for your password database.
use bcrypt/scrypt/argon2 instead.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Should read: Smarter Philippine College Students Don't Have Better Passwords, Study Finds
Maybe all college students, regardless of country, choose bad passwords.
Silly premise. I wouldn't have made the link between "being smart" and using "better" passwords.
I would attribute this instead to 2 things:
a) The individual's perceived value of the item being password-protected
b) Whether said individual's ever had important data stolen before
> do NOT use SHA2 for your password database.
use bcrypt/scrypt/argon2 instead.
Bcrypt is indeed designed as a *password* hashing function, so it's better for passwords than sha-2 is. I think sha-2 is also acceptable.
> Thus you would need a giant rainbow table that gives a password for *every single possible 160bit hash
That's actually the difference between a rainbow table and a simple lookup table. The rainbow table can be as big or small as you want. Larger tables allow faster "unhashing". While BUILDING the rainbow table, you have to compute all* the hashes, but not save the results.
> So you could scan through ALL the common password (based on frequent leaked passwords
Definitely don't use a common password. Using "password" as your password will suck no matter what else you do. Therefore it's a mistake to say:
Doing X won't help if the passwords suck. Therefore don't do X.
Because we know weak passwords will be weak no matter what you do, it probably makes sense to try to make the system as secure as possible +for users who use good passwords+.
Answer trashed by mistyping, I'll try to rewrite my reply again.
> Bcrypt is indeed designed as a *password* hashing function, so it's better for passwords than sha-2 is. I think sha-2 is also acceptable.
Bcrypt, Scrypt, Argon2 (and the older PBKDF2, for completeness) were all designed for passwords and are designed with resistance to brute force in mind.
sha{n} family were designed for speed (and sha-3/keccak also because a sponge function is an interesting new concept) and are only acceptable if you don't mind brute forcing.
> Definitely don't use a common password. Using "password" as your password will suck no matter what else you do. Therefore it's a mistake to say:
> Doing X won't help if the passwords suck. Therefore don't do X.
The problem isn't simply people using "password" or "123456" for password. The problem is general approach to security.
We humans suck at picking strong, purely random passwords.
We /. geeks, will probably pipe a decent (more than 256) amount from /dev/random (not even the 'u' one! with several true random source mixed into the kernel entropy pool !!!) through base64, and use the output for only 1 specific site, and store it into a decent opensource password manager, that backs up on our own cloud.
We also activate two-factor authentication whenever possible (using an OTP app, not insecure channels like SMS).
That thing is pretty much secure. Even with a fast hash, it's not realistic to brute force. And in case of a database leak, an attacker wouldn't gain much; until the leak is discovered, they could only try to log into that specific site and they'll still be missing the 2FA.
Normal people don't do that. They seldom activate two-factor authentication (it's too cumbersome). /. geeks crowd using /dev/random. But almost all the others).
And when asked to pick a password, they tend to follow pattern.
Most frequently, they will put the required capital letter at the beginning, use a 5-6 letter combo, followed by 2-4 of the required digits, and put an "!" at the end for the mandatory punctuation sign.
Such a password follows the most stringent rules nearly everywhere. It will show a green light on most password strength evaluation.
But do the math : such a password, in best case (6 letter, 4 digits. The position of the capitalisation at the beginning and the "!" at the end don't bring much as they are predictable) has less than 42 bits of entropy. Collect all the other common patterns, allow for a few extra substitution, and you'd probably still be within 56bits, something that isn't considered secure at all nowadays.
Using these patterns, if a database using only salt+fast hashes is leaked, you can recover a very sizeable fraction of all the passwords within. (Not all passwords. There's bound to be two or three of
Worse, lots of people have a tendency to re-use passwords (out of convenience, it's hard to remember "good" passwords).
Once a database is leaked and passwords recovered, a sizeable amount of these password could be used to open other stuff (Access the e-mail account associated with that user's database record ? (and once logged in, try to use the "reset password" function of any website associated with this e-mail ?) Try to log into several social network website using the same e-mail and password ? etc.)
In short, it's not only people using "password" and "123456", it's everybody who is not using /dev/[u]random (the biggest fraction of your userbase)
> Because we know weak passwords will be weak no matter what you do, it probably makes sense to try to make the system as secure as possible +for users who use good passwords+.
On the other hand because we know very few users will use purely random password + a password manager, and activate two-factor authentication, it makes sense to try to make a potential database leak as resistant to brute-forcing as possible.
Especially because it only costs us a few hundred milliseconds and a little bit more RAM once at the beginning of a session, during the log-in phase.
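The exchange above (salted fast hash versus bcrypt/scrypt/argon2, and the "Capital + word + digits + !" pattern) is worth running rather than arguing, so here is an added example that belongs to neither poster. It leaks a constructed three-user table twice, once hashed with salted SHA-256 and once with the standard library's scrypt, and runs the same small pattern dictionary against both. The users, their passwords, the wordlist and the scrypt cost parameters are all assumptions made for the demo.

```python
import hashlib
import itertools
import secrets
import time


def fast_hash(password, salt):
    """Salted SHA-256: what the poster above warns against for a password store."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def slow_hash(password, salt):
    """Memory-hard KDF from the stdlib (hashlib.scrypt needs OpenSSL 1.1+).
    The cost parameters are an assumption for the example; in production tune
    n so one evaluation costs on the order of 100 ms on the login server.
    bcrypt or Argon2id would slot in here the same way."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32).hex()


def make_db(users, hash_fn):
    """Simulated credential table: per-user random salt plus hash."""
    db = {}
    for name, password in users.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, hash_fn(password, salt))
    return db


def pattern_candidates():
    """Constructed dictionary for the 'Capitalised word + digits + !' pattern
    described above; a real wordlist would be far larger."""
    words = ["summer", "winter", "batman"]
    digits = ["2018", "2017", "123", "1"]
    for word, num, punct in itertools.product(words, digits, ["!", ""]):
        yield word.capitalize() + num + punct


def crack(db, hash_fn, candidates):
    """Offline dictionary attack against a leaked table. The salt defeats
    precomputed (rainbow) tables but each user still gets the whole list
    tried. Returns (recovered passwords, guesses per second achieved)."""
    candidates = list(candidates)
    recovered = {}
    guesses = 0
    start = time.perf_counter()
    for name, (salt, digest) in db.items():
        for candidate in candidates:
            guesses += 1
            if hash_fn(candidate, salt) == digest:
                recovered[name] = candidate
                break
    elapsed = max(time.perf_counter() - start, 1e-9)
    return recovered, guesses / elapsed


# Constructed users: two follow the pattern, one uses a manager-generated password.
USERS = {"alice": "Summer2018!", "bob": "Batman123", "carol": "pU7v1Lx9kq3EwZ0r"}


def demo():
    """Same leak, same wordlist, two hash choices. Returns what each attack
    recovered and how many times faster the fast-hash attack ran."""
    fast_found, fast_rate = crack(make_db(USERS, fast_hash), fast_hash, pattern_candidates())
    slow_found, slow_rate = crack(make_db(USERS, slow_hash), slow_hash, pattern_candidates())
    return fast_found, slow_found, fast_rate / slow_rate
```

Both runs recover alice and bob and neither touches carol, which is the honest version of both posters' points: a slow hash cannot rescue a password that sits near the top of the attacker's list, but it divides the attacker's throughput by thousands, turning a full wordlist-with-rules run over a large user table from hours into years, while the user-side advice (random password, manager, 2FA) is what keeps carol safe under either hash.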
REAL scientists use sqrt(-1)