Largest-ever password study: We are all idiots

The largest-ever study on user-selected password security shows that no matter how old you are or what language you speak, your password probably sucks.

The study, conducted by Joseph Bonneau at the University of Cambridge, analyzed the password strength of about 70 million Yahoo users. While the data was protected with hashing and Bonneau was unable to see individual account info, he was still able to measure relative strength of passwords across various demographics like age, gender, and nationality.

“We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution,” Bonneau wrote.

Another funny finding in the study is that prompting users for a debit or credit card number had no effect on whether the password associated with that card was any stronger. People with cards attached to their accounts avoid extremely weak passwords like “1234,” but they don’t do much beyond that. We’re sure hackers love that data point.

Another fascinating bit is that no matter what language you speak, your password is almost always weaker than security experts suggest.

“More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to population-specific lists,” Bonneau wrote.
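To make the dictionary-switching comparison above concrete, here is an added example written for this page (not code from Bonneau’s study). It takes constructed password frequency counts for two populations (stand-ins for the hashed Yahoo data, which nobody outside the study can see), builds the globally optimal guessing dictionary and each population’s own optimal dictionary, and measures how many more guesses the global dictionary needs to crack the same fraction of a population’s accounts. That ratio is the “efficiency gain” the quote refers to; the function names and the sample counts are assumptions of this example.

```python
from collections import Counter

# Constructed sample counts (NOT the Yahoo data): password -> number of accounts.
GROUP_COUNTS = {
    "group_a": Counter({"123456": 40, "password": 30, "qwerty": 15, "letmein": 10, "abc123": 5}),
    "group_b": Counter({"123456": 35, "iloveyou": 30, "dragon": 20, "password": 10, "qwerty": 5}),
}


def optimal_dictionary(counts):
    """Guessing order that maximises success per guess: most frequent password first."""
    return [pw for pw, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def global_counts(groups):
    """Merge every population's counts: this is what the 'globally optimal' dictionary sees."""
    total = Counter()
    for counts in groups.values():
        total.update(counts)
    return total


def success_rate(counts, dictionary, budget):
    """Fraction of accounts in `counts` cracked by the first `budget` guesses of `dictionary`."""
    population = sum(counts.values())
    return sum(counts[pw] for pw in dictionary[:budget]) / population


def guesses_needed(counts, dictionary, alpha):
    """Smallest number of guesses from `dictionary` that cracks at least fraction alpha."""
    population = sum(counts.values())
    cracked = 0
    for guesses, pw in enumerate(dictionary, start=1):
        cracked += counts[pw]          # Counter returns 0 for passwords the group never used
        if cracked / population >= alpha:
            return guesses
    raise ValueError("dictionary cannot reach the requested success fraction")


def dictionary_switch_gain(group, groups, alpha):
    """How much an attacker gains by switching from the global dictionary to the
    population-specific one: guesses needed (global) / guesses needed (specific)
    to crack fraction alpha of that group's accounts. Near 1.0 means little gain."""
    specific = optimal_dictionary(groups[group])
    global_dict = optimal_dictionary(global_counts(groups))
    return guesses_needed(groups[group], global_dict, alpha) / guesses_needed(groups[group], specific, alpha)
```

For a defender, the same `guesses_needed` measurement over an organisation’s own (hashed-and-bucketed) password distribution is a way to quantify whether a stricter selection policy actually raises the guess count needed to compromise a given share of accounts.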

The study also indicates that the people with the strongest passwords tend to be the same people who change their passwords occasionally. Most people simply keep the same password on an account for years, significantly increasing the likelihood of the account being hacked.

Bonneau suggests people choose a randomly selected number at least nine digits long, because it will be easy enough to remember, like a phone number, and still provide an above-average level of security. He also says that businesses that make people create passwords should make users pick tougher passcodes. “A stricter password selection policy might produce distributions with significantly higher resistance to guessing,” Bonneau wrote.

All this talk of passwords and security is admittedly making me a bit nervous. I’m going to change some passwords today. You should too.

Photo credit: Dino O./Shutterstock