Security

The Science of Password Selection

troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
  • by Chicken_Kickers ( 1062164 ) on Monday July 18, 2011 @08:00PM (#36805920)

    You know, what is more shocking is that clueless "security experts" are still relying on passwords as their primary security measure. Passwords are bad because they are not natural. Humans are not computers, i.e. we have not evolved to memorise random strings of letters and numbers. Our brain has evolved to make the most of connecting and contextualizing information, not memorizing 1s and 0s. This is the mistake you computer people always make, whether designing GUIs or security systems.

  • Non-alphanumerics (Score:5, Insightful)

    by paleo2002 ( 1079697 ) on Monday July 18, 2011 @08:08PM (#36806008)

    To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past, so it's no wonder that they are rarely used.
  • by rolfwind ( 528248 ) on Monday July 18, 2011 @08:14PM (#36806074)

    You know what's worse? Security questions! Especially when you can't type your own.

    Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.

    With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.

    OR, it's information that's known to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.

    I hate SQs with a passion. Whoever thinks this is security is nuts.

    (Sorry, posted as anon before, dang sign-in isn't as convenient as it used to be.)

  • Re:TL; DR (Score:5, Insightful)

    by fish waffle ( 179067 ) on Monday July 18, 2011 @08:15PM (#36806086)

    > The problem with passwords is that if they are too complex..

    Partly. There are also too damned many of them. Every pissant site seems to require a login/passwd, it's best to keep them all distinct, and the difficulty of remembering all these passwords is in a continuum with their complexity.

  • by bill_mcgonigle ( 4333 ) * on Monday July 18, 2011 @10:14PM (#36807054) Homepage Journal

    > I hate SQs with a passion. Whoever thinks this is security is nuts.

    Simply put, security questions reduce your account's security to the strength of the security questions. Mostly, they're weaker than average passwords. Lord help you if you've got a Facebook profile. Mother's maiden name. Hell, that's public information today.
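
    The two points above (rolfwind's observation that "favorite color" answers cluster on a handful of labels, and bill_mcgonigle's point that a recovery question drags the account down to its own strength) can be made concrete with a few lines of arithmetic. The script below is an added example, not code from the article or from any commenter. The answer distribution for "Favorite color?" is constructed for illustration and is not survey data; the 94-symbol printable-ASCII alphabet and the 16-character length are assumptions chosen to match hldn's password. The last function shows the usual mitigation: treat the recovery answer as a second random secret kept in a password manager rather than a fact about yourself.

    ```python
    import math
    import secrets
    import string

    # Constructed (hypothetical) answer distribution for "Favorite color?".
    # It only needs to be skewed the way rolfwind describes: a few labels
    # dominate, almost nobody answers "FF1A16".
    FAVORITE_COLOR_ANSWERS = {
        "blue": 0.30, "red": 0.18, "green": 0.14, "black": 0.12,
        "purple": 0.08, "white": 0.05, "yellow": 0.04, "orange": 0.03,
        "pink": 0.03, "other": 0.03,
    }

    PRINTABLE_ASCII = 94  # assumption: letters, digits and printable symbols


    def is_distribution(dist, tol=1e-9):
        """Sanity check: probabilities are non-negative and sum to one."""
        return all(p >= 0 for p in dist.values()) and abs(sum(dist.values()) - 1.0) < tol


    def shannon_entropy_bits(dist):
        """Average number of bits of surprise in one answer drawn from dist."""
        return -sum(p * math.log2(p) for p in dist.values() if p > 0)


    def min_entropy_bits(dist):
        """Worst-case figure: how hard the single most common answer is to guess."""
        return -math.log2(max(dist.values()))


    def guess_success_probability(dist, guesses):
        """Chance of hitting the answer within `guesses` tries, most common first."""
        ranked = sorted(dist.values(), reverse=True)
        return sum(ranked[:guesses])


    def random_secret_entropy_bits(length, alphabet_size):
        """Entropy of a uniformly random string of `length` symbols."""
        return length * math.log2(alphabet_size)


    def effective_account_entropy_bits(password_bits, recovery_bits):
        """Weakest link: a reset path is an alternative login, so the account is
        only as strong as the weaker of the two."""
        return min(password_bits, recovery_bits)


    def generate_random_answer(length=20, alphabet=string.ascii_letters + string.digits):
        """Mitigation: answer the question with a random string and store it in a
        password manager, so the recovery path is no weaker than the password."""
        return "".join(secrets.choice(alphabet) for _ in range(length))


    if __name__ == "__main__":
        assert is_distribution(FAVORITE_COLOR_ANSWERS)
        color_bits = shannon_entropy_bits(FAVORITE_COLOR_ANSWERS)
        password_bits = random_secret_entropy_bits(16, PRINTABLE_ASCII)
        print(f"'Favorite color' Shannon entropy: {color_bits:.2f} bits")
        print(f"'Favorite color' min-entropy:     {min_entropy_bits(FAVORITE_COLOR_ANSWERS):.2f} bits")
        print(f"Success within 3 guesses:          {guess_success_probability(FAVORITE_COLOR_ANSWERS, 3):.0%}")
        print(f"Random 16-char password:           {password_bits:.2f} bits")
        print(f"Effective account strength:        "
              f"{effective_account_entropy_bits(password_bits, color_bits):.2f} bits")
        fixed = generate_random_answer()
        print(f"Random recovery answer ({len(fixed)} chars): "
              f"{random_secret_entropy_bits(len(fixed), 62):.2f} bits")
    ```

    Run it and the contrast is stark: under this constructed distribution the recovery question is worth under three bits against a password worth over a hundred, and the account inherits the three. Because the reset path bypasses the password entirely, raising password complexity alone changes nothing until the recovery answer is made as unguessable as the password.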

  • by hldn ( 1085833 ) on Tuesday July 19, 2011 @03:38AM (#36808764) Homepage

    learn to type.

    my regular password is 16 characters and i rarely mistype it, even if just for muscle memory.

  • by Teancum ( 67324 ) <robert_horning&netzero,net> on Tuesday July 19, 2011 @04:47AM (#36809032) Homepage Journal

    If you want to secure something like a bank account, you don't use a security measure like a password in the first place. Passwords are strictly for low security applications where you openly know that others are going to be getting into the data that you have stored behind that password.

    For something that you really want to protect from prying eyes, you use something like an SHA-512 encryption hash with a public/private pair or something else along that line. I declare it is the whole notion that a password actually does more than provides a simple roadblock for pure idiots and to "keep the honest people honest" is a mistaken notion.

    I should also note that the number of possible physical keys to most locks is shockingly low. I had a locksmith point out that for most cash registers in grocery stores (at least for a great many years) used only one of five basic keys. I even had all five of them in my possession at one time. Yes, they worked too! Again, it is to keep people from pushing the buttons when they really shouldn't be there. Even now, most cash registers are "protected" with nothing more than a 4-digit key that can be hacked through social engineering alone... if they use something other than the register keys. Some stores are getting fancy with barcodes that need to be scanned indicating some supervisor ID, but even that is not a complicated string of numbers.

    Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name. It doesn't matter how complicated you make your passwords or encryption key, the information can be "hacked" with other very simple social engineering if you really want to get into somebody else's information. Of course, I find the whole notion of "identity theft" to usually be something absurd like this, as those confirming identity are using information that really can't establish identity in the first place. Biometrics really are the only true way to establish identity, ranging from a handwritten signature to a fingerprint, a blood test, a DNA sample, and perhaps something like a retinal scan (something even twins have different). Identity establishment is intimately tied to passwords, as the point of a password is to prove that you are authorized to use a particular resource of some kind.
