Geezers Pick Stronger Passwords Than Young'uns

McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Squiddie]

Maybe, or maybe we're forgetting that it's also more likely for those geezers to forget their passwords.

Re:Use case differences...

[Anonymous Coward]

username: OldGeezr
pwd: G3t0ffMyL4wn!

Re:Use case differences...

[OldGeezr]

Dammit...

Re:

[Kangburra]

username: OldGeezr
pwd: G3t0ffMyL4wn!

I am going to start using this, oh wait! :)

Very funny though thank you :)

Re:

[Macrat]

Maybe, or maybe we're forgetting that it's also more likely for those geezers to forget their passwords.

Even when their password is 123456 they can't remember it.

No, I'm not making a joke. I know a user that has difficulty with this password and I can't convince her to use a phrase instead.

Re:Use case differences...

[ShanghaiBill]

Older users are more likely to have a Yahoo address as their primary email, etc.

Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

Re:Use case differences...

[perpenso]

Older users are more likely to have a Yahoo address as their primary email, etc.

Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client.

For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-)

(*) Substitue alpine, mutt, whatever if you prefer.

Re:

[93 Escort Wagon]

Joking aside, ssh and pine(*) work really well.

For sufficiently loose definitions of "work really well".

Re:

[dbIII]

I use pine a couple of times a month to send out attachments that ended up mistakenly being put into quarantine by email scanners (eg. two extensions, long filenames, or many of the other things virus writers used to trick Outlook Express users). To do that I check the file, rename it, attach it to an email with pine and write a short one line note in the email. For something like that pine is a very quick way to do it that does "work really well".
Of course I don't use it for my email on my desktop machi

Re:

[vigour]

Older users are more likely to have a Yahoo address as their primary email, etc.

Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client. For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-) (*) Substitue alpine, mutt, whatever if you prefer.

+1 for pine/alpine. I'm a big fan of that, especially when visiting China where I can still ssh to my old university account and use alpine from there. Plus it's much faster to load than mutt when dealing with huge IMAP inboxes.

Re:

[garaged]

Take a look at mutt, you will love it

Re:

[vigour]

Take a look at mutt, you will love it

Used to use it for years, but got fed up with how long it takes to load imap folders so I moved back to alpine.

Re:

[antdude]

Same here. I prefer text mode for a lot of things like e-mails (Mutt; used to use Pine), Tin (newsreader), etc. People call me crazy for using these text mode clients. I don't care. Fast, more secured, etc. I am old school so bite me! Oh and I still use Zmodem to download and upload through SSH! Beat that with SFTP that has no resumes! ;)

Re:

[realityimpaired]

Joking aside, ssh and pine(*) work really well.

Functional, yes, but I *really* don't like the idea of my mail users having SSH access to the system. IMAP and a decent Webmail client will give them a more intuitive UI without requiring you to open up SSH to users who have no business using it. SSH should be default deny, with a whitelist of allowed users, and that whitelist should be kept to a minimum.

Re:Use case differences...

[rubycodez]

bullshit, I"m half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

we use stronger passwords because we've been around the block enough times to know there are bad people out there

Re:Use case differences...

[AliasMarlowe]

bullshit, I"m half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

we use stronger passwords because we've been around the block enough times to know there are bad people out there

Yup. And it galls me to see some places sending a confirmation message to your email address with your chosen username and password in cleartext when you register. Maybe that's why the kids don't bother with decent passwords, but to me it's another good reason to use a unique password for every site, and to then tailor the password strength to the weakness of password protection (cleartext, the mind boggles). Luckily, sites with personal and/or financial data (Amazon, banks, etc.) are a bit better, but it's still worth keeping their passwords strong and unique per site.

BTW, I beat you in the greybeard stakes by a few years...

Re:

[__aaltlg1547]

And have more to protect. An average person of 25 has approximately zero net worth. An average person of 55 has many times that...

Re:

[fatphil]

What's funny about this? Informative/insightful, yes, funny no.

If I'm travelling, or in the pub, I SSH (not telnet) into my server to pick up the screen session that contains a mutt window in order to read my mail.

Re:

[Brett Buck]

I used to think I couldn't shoot down a German plane. But last year I proved myself wrong!

   

Re:Use case differences...

[mrclisdue]

...and the Concorde just flew an inch over yer head....

Re:

[BigSes]

That wasn't reallly that long ago. Barbados baby!

Re:Use case differences...

[Anonymous Coward]

Yeah people who create throwaway yahoo accounts are unlikely to use very strong passwords.

IIRC there was a time when you had to go through a drop down to select the birth year, and who is going to bother to scroll to geezer age for their throwaway account?

Re:Use case differences...

[b4dc0d3r]

You reminded me - I never put my real age. Someone who is tech savvy is likely to have a strong password, as well as keeping other personal info private. Resetting my password involves remembering a fake birthdate, fake mother's maiden name, fake first job, everything is fake.

If one site gets compromised, that info won't get someone into any other account.

So one of the assumptions here is that the ages are correct, which is not necessarily the case. For more tech savvy people, it is more likely the age will be incorrect. To me, this study therefore has no value without validating a statistically significant portion of the user data. And if asked, I would say i really was born 25 years earlier than I was.

Re:

[skine]

I've been to a few websites that require you to enter your age, with month, day, and year as drop down menus. Not porn sites, as most would assume, but websites with R-rated videos.

Depending on how strongly I scroll, my birthday ranges from January 1st 1930 to January 1st 1990.

I can only hope that the websites save the birth date data with the IP address data, and they are surprised that there are at least 50 people at my household who were born on January 1st.

Re:Use case differences...

[Presto Vivace]

It is just possible that geezers have learned a thing or two.

How did he analyse it?

[Hentes]

Did Yahoo give him its user password database or what?

Re:

[marcello_dl]

Hopefully they collected only the strength calculated before hashing salting and storing the result.

Hopefully.

Re:

[Hentes]

Hopefully they did hash and salt the result before storing.

Re:

[Surt]

False hope, making people feel better about reality since 6000 BC.

Re:

[Anonymous Coward]

What's really frightening is the implication that Yahoo stores passwords. There's really no justification for ever storing a password unhashed. You'd think Yahoo of all places would have the competence to know that.

TFA says they were hashed

[Fred Ferrigno]

The original paper [cam.ac.uk] includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.

Re:

[Hentes]

Interesting read, but in this case they couldn't really measure password strength, only password uniqueness which isn't exactly the same.

uniqueness as proxy of strength.

[luis_a_espinal]

Interesting read, but in this case they couldn't really measure password strength, only password uniqueness which isn't exactly the same.

True, strength and uniqueness are not the same. However, the later (in particular when considering a large population sample) can serve as a proxy to quantify the former. Think of if this way, the more unique a password is, the greater the probability that this password is long enough and with a sufficiently large character set to make it strong. That is, the more random that it will look.

The less unique the password, the greater the probability that it will share more characters (off a smaller character

Re:How did he analyse it?

[Joe Loughry]

The methodology is explained in the paper "The science of guessing: analyzing an anonymized corpus of 70 million passwords" available at http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf [cam.ac.uk] Plain text passwords were captured at login time in coöperation with Yahoo! under ethics and legal-approved rules. The experimental design contains technical measures to ensure that user IDs were not associated with passwords and further measures to protect against passwords that might be used in more than one place.

Education

[bdrees]

I tend to believe that its a difference in education between the generations. I know the vocabulary in my family is completly different in the older generations of my family. Half the time my teenagers dont understand the conversations when my grandparents are around, and there always asking "what did they mean" later on.

Re:Education

[CptNerd]

Newspeak FTW. LOL.

Not so surprising

[Narrowband]

This one seemed pretty intuitive to me. If you've lived a longer life, you probably have a bigger list of personal experiences to pick from where there are words/phrases to build passwords around that are meaningful to you.

Change passwords from time to time?

[gQuigs]

From the article: Unsurprisingly, people who change their password from time to time tend to select the strongest ones.

That actually is surprising to me... Although I guess storing passwords in Firefox (w/ Sync), and having them be very long (32 random characters+), might not be a common demographic...

Re:

[theedgeofoblivious]

They change their password from time to time because they forgot their old one and went through the password recovery process.

Fortunately for them, their security questions are "What is my favorite color?" and "How many kids do I have?" so that's not too difficult.

Geezers have more experience

[kawabago]

Geezers have more memorable life experience from which to draw good passwords. Which doesn't exactly explain why all geezer passwords are some version of DamnTeenagers!

The older you are ...

[jabberwock]

... the more likely it is that you actually have an identity worth stealing.

Re:The older you are ...

[swillden]

... the more likely it is that you actually have an identity worth stealing.

And the more likely it is that you'll have a wealth of background to draw on when coming up with obscure-but-memorable (to you) bits of information you can combine and tweak to make a good password. I definitely notice this when comparing passwords my wife chooses with passwords my kids choose. She uses bits of old but important dates, parts of names of people she knew decades ago, etc. and comes up with some pretty good ones. I can mostly recognize where she got the pieces but doubt I'd ever be able to guess her password if she didn't tell it to me.

My kids, on the other hand, tend to pick simple names of favorite entertainment characters. Even when I try to get them to pick something more complex, they just don't seem to have much else to draw on. When I pointed out not long ago that one son's choice of his favorite pokemon's name as a password wasn't very hard to guess, he proceeded to pick a another pokemon with a longer name. When I talked him through the idea of picking several and using pieces of their names, the result was still not very good.

Perhaps all of this is just a result of not caring as much, but I think there's more to it.

(BTW, some are undoubtedly wondering why I force my family to give me their passwords. I don't. In fact I harp at them all regularly about how they shouldn't ever tell me their password. They roll their eyes and just blurt it out when I ask them to type it so that I can fix something on their account. I also find out their password when they forget their old password and I have to reset it for them. I used to change it to "changeme", but then I found out that just meant that my kids, at least, always had "changeme" as their password. So they actually have better security if I make them come up with something and tell it to me so I can set it. It also gives me a chance to make them think about whether or not they can remember the new password so I don't end up having to reset it again tomorrow.)

Re:

[arose]

The way the young'uns name their kids today it stands to reason that geezers picking their grandkids name and adding their birthday makes a reasonably strong (i.e. not detected as kinda crappy by computer analysis) password. In short, I'm with you on the wealth of obscure-ish information, but I'm not sure how many would actually stand up to real analysis.

The younger you are ....

[McGruber]

....the more likely it is that you actually have nude photos (of yourself) worth stealing.

pass word rules??

[Joe_Dragon]

The older people had less carp to put up with over the years then younger ones.

Re:

[BigSes]

So, they don't catch as many fish?

How many passwords? And can they remember them?

[Faizdog]

1) Can the older folks actually remember all their passwords? Or are they writing them down?

2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).

I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like :"firsthousenum+first name first crush, no space or caps" which would be the street address (house number ) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) that it didn't work out, plus some force you to change passwords periodically, it's a mess.

On a different but kind of password related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access, I could send and read emails, but not change any account settings (like passwords, etc.) That would've been fantastic.

Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.

Re:

[93 Escort Wagon]

Not the actual password but mnemonics that are relevant to me like :"firsthousenum+first name first crush, no space or caps" which would be the street address (house number ) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

Yeah, yeah - mnemonics like "this password rhymes with cuppy"

Seriously, just use a secure password manager so you can use unique passwords everywhere, but only really need to remember one password. OS X's Keychain Access works great for this. Gnome's had a similar tool available for a while, and there are third-party Windows solutions as well. They all encrypt the information, so five years from now you won't have to worry about remembering what some obscure mnemonic actually meant. And if someone compromis

Re:

[RespekMyAthorati]

1) Can the older folks actually remember all their passwords? Or are they writing them down?

2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).

I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. .

I'm an old geezer and I use LastPass. My LastPass password is a very long sequence that I generated with a random number generator and memorized. Problem solved.

Re:

[Macrat]

1) Can the older folks actually remember all their passwords? Or are they writing them down?

Some are writing them down and even with the password sitting there in front of them, they have trouble typing it in.

Re:How many passwords? And can they remember them?

[techno-vampire]

I am by no means young, I'm 31, but am part of a more tech savvy generation.

I'm twice your age and I've been working/playing with computers for over forty years. In general, I've divided all sites that require passwords into three sets: those that store data that I care about (banks and so on), those that don't (comic strip sites, Slashdot and so on) and those that don't but require "strong" passwords.

The first set gets strong, unique passwords. For those that Firefox can't store, I have a place on-line to stash them; if you can find and access it, I've got more things to worry about than my passwords. For the second, all of them use the same password, simply to make things easy. After all, there's no way that the software running a blog (let's say) is going to know that you're using the same password for it as you are to sign on to a shopping site. And, the password's obscure enough that nobody who doesn't know me very, very well is ever going to come up with by guessing, and it's at least as safe from a dictionary attack as any random, unpronouncable word can be. For the third, I have several variations on my standard password to fit various restrictions. Thus, things I don't care about very much are safe from anything except a very determined attack, and those I do are even better protected. Frankly, I'm more concerned about the possibility of my password being picked up by a cracker stealing a password database than by having it guessed.

Re:

[swillden]

What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling.

Two-step authentication is a good option. It wouldn't do exactly what you want, because you'd need to keep using it after you got back (Internet cafe sniffers and the like would get your main password), but if you just turn it on and leave it on, it would keep you safe. On the computers you use regularly you can click the "remember verification" checkbox when you use it, so you'll only get prompted once per month for a one-time password, so in practice you don't have to do the second step very often -- ex

Re:

[fast turtle]

Guess I'm unique in being part of the studied demographic along with being on the tail end of the baby boomers. Yet I don't even know any of my passwords nowdays because of a nice password manager called KeepPass 1. Password strength is as high as possible for every site I use and none of them have been duplicated. Does this mean I'm a god among users? Hell no! It means I've gotten smart and lazy and use the computer to my advantage where it makes sense to do so.

Post it notes make for stronger passwords

[erice]

If you don't think you can remember a password, you may write it down. If it is going to be written down, then it is pretty easy to select a strong password.
Of course, this isn't helpful if someone else gets access to the post-it note. But end to end security wasn't the subject of the survey, was it?

Re:

[Todd Knarr]

And of course, how many attackers will have access to my desk? For my desk at home I can count them on my fingers and not run out, and I know where they live. For my desk at work, that's why one drawer has a lock on it and the key's on my key-ring. Sure Security or Facilities could open it, but if they're compromised they've got access to far more lucrative places in the building without needing to mess with my desk.

Re:

[arose]

Does your drawer lock take more than 30 seconds for an experienced lock picker? It's not altogether bad, but would probably be even better if you only wrote down half of it and locked it up there, together with regular (every 6 months or so) password changes it probably is quite good if you are diligent.

young != geek

[tverbeek]

....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.

In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity

Re:young != geek

[AthanasiusKircher]

....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means.

Yeah, seriously, who wrote the summary crap? Does anyone really think that most Yahoo mail users under 25 have conversations like this:

-- Reginald, I'm signing up for a new Yahoo account. I must design a new password.

-- Well, Theodore, I read in my issue of Network Security Weekly that lots of account information is compromised everywhere.

-- You know, Reginald, I never thought about thought about it that way. I am feeling rather cynical about strong passwords, given this era of large-scale user-database compromises. As an existential protest against the very concept of password protection in such an age, I think I'll just make my password "password" or maybe "123."

-- Good show, Theodore! Let's celebrate the anarchy of the internet by joining in a medley of Gilbert and Sullivan tunes from HMS Pinafore. Tally ho!

Umm, no. Actual conversations are more like:

-- Yo, Bob, I need a new email. Gonna go with Yahoo, even though it's kinda crap. Damn... I need a password.

-- Woah, Sam, who cares? Pass me a beer.

-- Yeah, you're right. Hell... I'm just gonna type "123." Pass me a beer, too.

-- Awesome, Sam. LOL. Where did that keg go?

Perhaps it's like other 'yoof' items

[Gonoff]

Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.

Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

With less experience, people do not believe things will happen to them We older codgers know it does and take precautions.

,

Re:

[TemperedAlchemist]

Pff, won't happen to me.

Re:

[swillden]

Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

But... 30-somethings are young'uns.

Re:

[jpapon]

Here in Germany the old drive just as fast as the young. Getting passed while going 160 (like you're standing still) by some grey-hairded fella in an M5 is a daily occurrence on the autobahn. Maybe old Americans are just sissies.

The current password convention is wrong

[Karmashock]

A8%l+$mr is a terrible password. The security experts like passwords like that but they're stupid. It's impossible to remember.

The convention I follow and what I think most people should follow is "JustTypingASentenceOutMinusSpaces". That is very easy to remember. You can do cool things like quote a line from a play, song, poem, or movie that you like. What's the likelihood a dictionary attack is going to crack "hastalavistababy!"...

Humans are very good at remembering sentences. It works into our neumonic m

Re:

[cashman73]

The best password ever is the one used by Rodney McKay of Stargate Atlantis: 16431879196842. The birth years of Isaac Newton, Albert Einstein, and himself, plus the number 42. ;-)

Re:

[Karmashock]

"IThinkTechnicallyThisIsAStrongerPassword."

Re:

[Hatta]

Why no spaces? Spaces and punctuation increase the search space.

Re:The current password convention is wrong

[PsychoSlashDot]

You're young aren't you?

"What's the likelihood a dictionary attack is going to crack "hastalavistababy!"..."

Pretty damn fucking HIGH I'd say.

How do you figure? While each of the constituent words will likely be in a dictionary, the concatenated string is much less likely to be. Realistically an attacker will have to try low-hanging fruit passwords (such as "password") first, then try brute-forcing short combinations (such as "123abc"), then try a dictionary attack (such as "elephantine"), move back to brute-forcing slightly longer possibilities (such as "1234password#1") and finally start combinations of dictionary words in the desperate hope they might stumble upon a passphrase (such as "pluckmypubichairwithyourteeth").

While yes, phrases consisting of dictionary words are technically a group of tokens, in practice hacking an unknown password isn't trivial. You can think a phrase using five words is equivalent to a five-letter password, but it's really not. By extending the length of the password, you force the attacker to try other combinations first, for efficiency's sake. And if you introduce a single spelling error you screw the attacker right over.

Re:

[codegen]

The problem with your augment is that you are assuming that the words are randomly chosen. They are not. While your comment about introducing a spelling error is valid, the problem is that most people will not go to that effort. Instead, they will use a sentence from common lore. The first line or title of their favourite pop song at the moment. Standard phrases from popular movies. I did a thought experiment in my operating systems class where I explained the concept of a phrase password and had all of th

Re:

[93 Escort Wagon]

You can also just change one word of a common phrase, or insert one that doesn't belong.

"WhatsthefrequencyBillBixby"

"hastalavistaclementinebaby"

I wouldn't be surprised

[Todd Knarr]

I wouldn't be surprised if that's the case. I know I use "strong" passwords mainly out of habit, and a bit of laziness (it's easier to get random sequences past password rules). I'm well aware that at best the only protection that gives me is the possibility that whoever compromised the password database will be satisfied with the results of a dictionary attack and not bother doing a brute-force attack on what's left. I'm also aware that I get more protection from a site locking my account out after repeated failures than from the password being hard to guess (the likely failure limit being a lot less than the number needed to guess even a "weak" password). And I find it amusing that a site classifies "kwo5*f(2n" as a weak password (no upper-case letters) (no, that's not one of my actual passwords) while "Jn4thon!" is considered strong (mix of upper-case, lower-case, numbers and symbols, no dictionary words present).

geezer != old?

[dwater]

IINM, the term is usually 'old geezers', implying they can be young too..

In other news....

[espiesp]

Old Geezers probably write their passwords down more often as well. Just a hunch based on casual observations of old people with stickynotes all over their monitors.

Young people ( under 26) are careless

[mauriceh]

Ask the actuaries for the car insurance companies.
It IS their job to "do the math".

And, they tell us that people under 25 get into far more accidents, and are far more careless.
People over 45 are far more careful and get into fewer accidents.

This is not opinion or conjecture.
It is statistics.

Re:

[Nimey]

And before someone younger than 26 comes in and says "I'm not careless!", the individual case is irrelevant; this is statistics, taking into account the tendencies of a large number of people.

Paying extra on your insurance if you think you're not careless sucks, but you're probably still not as careful as you will be in a few years.

PS: the worst group here is actually under-25 males.

Wait, what??

[mcavic]

How does someone obtain 70 million Yahoo passwords, and the associated demographic information?

On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password

A 3-letter password would require up to 17,576 attempts, and a 4-digit pin would require up to 10,000. So I don't know what kind of passwords these people are using.

Re:

[mcavic]

I guess it might take fewer tries than that, due to hash collisions. But that's why the hashed passwords should be unattainable.

Re:

[jpapon]

If there's so many collisions, it just means that many many people are using the same password. The statement "it would only take around 1000 attempts to try every possible password" is misleading and ridiculous. A more accurate statement is that it would only take 1000 attempts to try the 1000 most common hashes. No shit, Sherlock.

It's because they're not thinking about it

[tchdab1]

I work with many over 60 year old new computer users. It's my experience that they tend to use family names for passwords without regard to how long they are - they don't seem to consider how much longer or more annoying it would be to type in a longer name, for example. When I choose a password I want to find the shortest one that will do the most good; they don't think that way.

Terrible science reporting

[MsWhich]

As usual.

The original paper is located here. [cam.ac.uk] From the conclusion:

"The most troubling finding of our study is how little password distributions seem to vary, with all populations of users we were able to isolate producing similar skewed distributions with effective security varying by no more than a few bits."

And yet in TFA this gets transformed into "old people use strong passwords and young people use weak ones!" and everyone starts wondering what could account for this. It also makes the study sound as though it specifically focused on user age, or that user age was the most interesting result, when in fact there were several other significant (yet still small) variations in different groups in the study, e.g. Indonesian users tended to use much weaker passwords than German or Korean users. They also found that users who tend to log in from multiple locations also tend to use stronger passwords.

So why is the old people/young people thing the single takeaway that gets headlined and reported? It's not like what I just wrote would have been particularly difficult to outline or explain, even in a brief news article. I blame laziness on the part of the reporter.

Not true in my family

[Dadoo]

My 9-year-old son has a password that's at least 15 characters long, composed of several made-up words, mixed case, with numbers and an exclamation point. Personally, I don't know how he remembers it. Of course, I'm the security guy, at work, so I've had quite a few discussions with my wife about choosing secure passwords for things like bank accounts, etc., in front of the kids. I guess they've learned through osmosis, at this point.

By the standards of the article, I'm a geezer, and I've always tried to choose strong passwords, even when I was younger. It really annoys me when I go to a site, even today, and they only accept 8 characters. Do they really care about the security of their users?

Doesn't mean a thing unless...

[Cute Fuzzy Bunny]

...they test it out with the users of a web service that isn't a dinosaur that just hasn't realized that it's dead yet.

Seriously? C'mon man, I quit using Yahoo about 5 years ago. Surprisingly, they deleted my email account without any warning at all, although they did send me a note afterwards telling me that they did it.

You know what pisses me off?

[mysidia]

Probably most of the "old" people who have chosen "strong passwords" are children under 13 who are lying about their age, because Yahoo won't let you signup for an e-mail account, you can't trust the demographic data in Yahoo's DB.

"Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users.

How the hell did a researcher get access to Yahoo's password database?

Why are the passwords not hashed? How come a researcher is able

Comment removed

[account_deleted]

Comment removed based on user account deletion

Where did he get the data?

[RenderSeven]

What I'd like to know is how somebody at University of Cambridge got the plain text passwords of 70 million Yahoo users. I dont think I agreed to that in the Yahoo TOS.

Not surprising

[tsotha]

Doesn't surprise me at all. Old people have more to lose. Break into a 20 year old's bank account and you'll net yourself fifty nine dollars and seventy two cents. But a guy who's nearing retirement might have a few hundred grand in his brokerage account. And he doesn't have forty years to make it back if it's stolen.

This fits with my experience

[RobinH]

I run into a lot of "users" in my job, and certainly the younger generation feels more "at home" with technology than the older generations, but the younger ones do what young people always do, they underestimate risk. That leads young people to think it's OK to use the same password on multiple sites, post all their personal info on social media sites, and even share their passwords with other people, particularly girlfriends/boyfriends. The two most computer-illiterate people I know (both older) are bot

the geezer's, obviously

[mbkennel]

If it's at home, somebody needs to break in physically, commit a felony, risk their life, and know to obtain one single password from a monitor.

Other passwords are compromised in mass dictionary attack and hacking invisibly, in foreign jurisdictions, and never get compromised.

I have another theory about the results: older people are more responsible.

Re:

[Surt]

I have a theory that says young people have a better grasp of cost-benefit analysis.

Re:

[Rob the Bold]

I have a theory that says young people have a better grasp of cost-benefit analysis.

You might think so from just this one data point. Or you might think that the perceived costs and benefits are different for different people.

Re:the geezer's, obviously

[dgatwood]

The latter. They know that the worst that could happen would be somebody impersonating them, and given how unlikely it is for someone to bother cracking their account to do so (SMTP is completely without security, for all practical purposes), they consider their email passwords to be unimportant. Now their Facebook passwords, they will protect. After all, that's where they do most of their communication.

Re:Easy to remember?

[icebike]

Which one is *really* more secure?

The one written on the monitor obviously.

Re:

[jones_supa]

You still shouldn't store them like that.

Re:Memory?

[spire3661]

Every password I have is written down in a Red & Black notebook in my office at home. If you are clever/powerful enough to get a look at it without my permission, I have bigger problems then worrying about my passwords.

Re:Memory?

[ShanghaiBill]

They also write their passwords down on a pad of paper right next to the computer.

That is what I do. All my passwords have the same initial six characters. So I only write down what comes after those six, and make them as long and secure as each site will allow. If a burglar steals the list, it will be useless because they don't know the common prefix, nor do they even know that there is a prefix. They just see "correct horse battery staple" and have no idea that the real password is "R5u7qPcorrect horse battery staple".

Re:

[dgatwood]

They just see "correct horse battery staple" and have no idea that the real password is "R5u7qPcorrect horse battery staple".

Now they do.

Re:

[Hatta]

The real prefix is ******.

I'm Happy to Explain This

[RobotRunAmok]

Back in the Day -- as we geezers like to begin the sentences we use to talk down to you -- having that box on your desk prompt you for a password was a much more rare and curious thing than it is today. Our computer-y crap sat right there in the box by our legs, or maybe down the hall in that cold room with the raised floor with the fat bastard in it. And we would have li'l whispered conversations with the fat bastard as we passed him in the Break Room, like "I know you know my password, you fat bastard, and if I ever think for a heartbeat that you're going through my crap I will key your car and beat you like a baby seal." Our passwords were the things meant to keep our crap from the prying eyes of the sinister-but-clever sociopaths in Marketing and Accounting who would indeed rifle our desks for clues, like children's and pet names, in order to look at our computer-y crap. So selecting a password like P*/34_##FuK-U-Joey!!39* had real value. So today, when industry insists we store our computer-y crap -- which now includes bank account access, photo albums, our music collections, and christ-knows what else -- on servers spread around the world operated by even fatter bastards whom we don't see and can't effectively intimidate, it should come as no surprise the habit has stayed with us, despite being prompted for passwords every twenty minutes...

Re:

[Paracelcus]

As the "Fat Bastard" or "BOFH" of old, I would like to remind you that I and my brethren (sysadmins/sysops) have LART to wreak upon you LUSERS!

Re:

[Taco Cowboy]

As the "Fat Bastard" or "BOFH" of old, I would like to remind you that I and my brethren (sysadmins/sysops) have LARD to wreak upon you LUSERS!

TFTFY