
Geezers Pick Stronger Passwords Than Young'uns

Posted by timothy
from the as-many-characters-as-the-post-it-will-hold dept.
McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

  • by DrEldarion (114072) on Saturday June 02, 2012 @01:32PM (#40195027)

    It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords. Older users are more likely to have a Yahoo address as their primary email, etc.

    • by Squiddie (1942230)
      Maybe, or maybe we're forgetting that it's also more likely for those geezers to forget their passwords.
    • by ShanghaiBill (739463) on Saturday June 02, 2012 @01:50PM (#40195129)

      Older users are more likely to have a Yahoo address as their primary email, etc.

      Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

      • by perpenso (1613749) on Saturday June 02, 2012 @02:21PM (#40195317)

        Older users are more likely to have a Yahoo address as their primary email, etc.

        Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

        Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client.

        For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-)

        (*) Substitute alpine, mutt, whatever if you prefer.

        • Joking aside, ssh and pine(*) work really well.

          For sufficiently loose definitions of "work really well".

          • by dbIII (701233)
            I use pine a couple of times a month to send out attachments that ended up mistakenly being put into quarantine by email scanners (eg. two extensions, long filenames, or many of the other things virus writers used to trick Outlook Express users). To do that I check the file, rename it, attach it to an email with pine and write a short one line note in the email. For something like that pine is a very quick way to do it that does "work really well".
            Of course I don't use it for my email on my desktop machi
        • by vigour (846429)

          Older users are more likely to have a Yahoo address as their primary email, etc.

          Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

          Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client. For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-) (*) Substitute alpine, mutt, whatever if you prefer.

          +1 for pine/alpine. I'm a big fan of that, especially when visiting China where I can still ssh to my old university account and use alpine from there. Plus it's much faster to load than mutt when dealing with huge IMAP inboxes.

          • by garaged (579941)

            Take a look at mutt, you will love it

            • by vigour (846429)

              Take a look at mutt, you will love it

              Used to use it for years, but got fed up with how long it takes to load imap folders so I moved back to alpine.

        • by antdude (79039)

          Same here. I prefer text mode for a lot of things like e-mails (Mutt; used to use Pine), Tin (newsreader), etc. People call me crazy for using these text mode clients. I don't care. Fast, more secured, etc. I am old school so bite me! Oh and I still use Zmodem to download and upload through SSH! Beat that with SFTP that has no resumes! ;)

        • Joking aside, ssh and pine(*) work really well.

          Functional, yes, but I *really* don't like the idea of my mail users having SSH access to the system. IMAP and a decent Webmail client will give them a more intuitive UI without requiring you to open up SSH to users who have no business using it. SSH should be default deny, with a whitelist of allowed users, and that whitelist should be kept to a minimum.

      • by rubycodez (864176) on Saturday June 02, 2012 @02:29PM (#40195351)

        bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

        we use stronger passwords because we've been around the block enough times to know there are bad people out there

        • by AliasMarlowe (1042386) on Saturday June 02, 2012 @03:37PM (#40195685) Journal

          bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

          we use stronger passwords because we've been around the block enough times to know there are bad people out there

          Yup. And it galls me to see some places sending a confirmation message to your email address with your chosen username and password in cleartext when you register. Maybe that's why the kids don't bother with decent passwords, but to me it's another good reason to use a unique password for every site, and to then tailor the password strength to the weakness of password protection (cleartext, the mind boggles). Luckily, sites with personal and/or financial data (Amazon, banks, etc.) are a bit better, but it's still worth keeping their passwords strong and unique per site.

          BTW, I beat you in the greybeard stakes by a few years...

        • by Shavano (2541114)
          And have more to protect. An average person of 25 has approximately zero net worth. An average person of 55 has many times that...
      • by fatphil (181876)
        What's funny about this? Informative/insightful, yes, funny no.

        If I'm travelling, or in the pub, I SSH (not telnet) into my server to pick up the screen session that contains a mutt window in order to read my mail.
      • I used to think I couldn't shoot down a German plane. But last year I proved myself wrong!

    • by Anonymous Coward on Saturday June 02, 2012 @01:57PM (#40195181)
      Yeah people who create throwaway yahoo accounts are unlikely to use very strong passwords.

      IIRC there was a time when you had to go through a drop down to select the birth year, and who is going to bother to scroll to geezer age for their throwaway account?
      • by b4dc0d3r (1268512) on Saturday June 02, 2012 @05:16PM (#40196125)

        You reminded me - I never put my real age. Someone who is tech savvy is likely to have a strong password, as well as keeping other personal info private. Resetting my password involves remembering a fake birthdate, fake mother's maiden name, fake first job, everything is fake.

        If one site gets compromised, that info won't get someone into any other account.

        So one of the assumptions here is that the ages are correct, which is not necessarily the case. For more tech savvy people, it is more likely the age will be incorrect. To me, this study therefore has no value without validating a statistically significant portion of the user data. And if asked, I would say i really was born 25 years earlier than I was.

        • by skine (1524819)

          I've been to a few websites that require you to enter your age, with month, day, and year as drop down menus. Not porn sites, as most would assume, but websites with R-rated videos.

          Depending on how strongly I scroll, my birthday ranges from January 1st 1930 to January 1st 1990.

          I can only hope that the websites save the birth date data with the IP address data, and they are surprised that there are at least 50 people at my household who were born on January 1st.

    • by Presto Vivace (882157) <marshall@prestovivace.biz> on Saturday June 02, 2012 @03:03PM (#40195537) Homepage Journal
      It is just possible that geezers have learned a thing or two.
  • by Hentes (2461350) on Saturday June 02, 2012 @01:35PM (#40195045)

    Did Yahoo give him its user password database or what?

    • Hopefully they collected only the strength calculated before hashing salting and storing the result.

      Hopefully.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      What's really frightening is the implication that Yahoo stores passwords. There's really no justification for ever storing a password unhashed. You'd think Yahoo of all places would have the competence to know that.

    • by Fred Ferrigno (122319) on Saturday June 02, 2012 @01:55PM (#40195169)

      The original paper [cam.ac.uk] includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.

      • by Hentes (2461350)

        Interesting read, but in this case they couldn't really measure password strength, only password uniqueness which isn't exactly the same.

        • Interesting read, but in this case they couldn't really measure password strength, only password uniqueness which isn't exactly the same.

          True, strength and uniqueness are not the same. However, the latter (in particular when considering a large population sample) can serve as a proxy to quantify the former. Think of it this way: the more unique a password is, the greater the probability that this password is long enough and with a sufficiently large character set to make it strong. That is, the more random it will look.

          The less unique the password, the greater the probability that it will share more characters (off a smaller character

    • by Joe Loughry (525975) on Saturday June 02, 2012 @02:16PM (#40195305)
      The methodology is explained in the paper "The science of guessing: analyzing an anonymized corpus of 70 million passwords" available at http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf [cam.ac.uk] Plain text passwords were captured at login time in coöperation with Yahoo! under ethics and legal-approved rules. The experimental design contains technical measures to ensure that user IDs were not associated with passwords and further measures to protect against passwords that might be used in more than one place.
  • I tend to believe that it's a difference in education between the generations. I know the vocabulary in my family is completely different in the older generations of my family. Half the time my teenagers don't understand the conversations when my grandparents are around, and they're always asking "what did they mean" later on.

  • Not so surprising (Score:3, Informative)

    by Narrowband (2602733) on Saturday June 02, 2012 @01:38PM (#40195071)
    This one seemed pretty intuitive to me. If you've lived a longer life, you probably have a bigger list of personal experiences to pick from where there are words/phrases to build passwords around that are meaningful to you.
  • by gQuigs (913879) on Saturday June 02, 2012 @01:39PM (#40195075) Homepage

    From the article: Unsurprisingly, people who change their password from time to time tend to select the strongest ones.

    That actually is surprising to me... Although I guess storing passwords in Firefox (w/ Sync), and having them be very long (32 random characters+), might not be a common demographic...

    • They change their password from time to time because they forgot their old one and went through the password recovery process.

      Fortunately for them, their security questions are "What is my favorite color?" and "How many kids do I have?" so that's not too difficult.

  • Geezers have more memorable life experience from which to draw good passwords. Which doesn't exactly explain why all geezer passwords are some version of DamnTeenagers!
  • by jabberwock (10206) on Saturday June 02, 2012 @01:41PM (#40195081) Homepage
    ... the more likely it is that you actually have an identity worth stealing.
    • by swillden (191260) <shawn-ds@willden.org> on Saturday June 02, 2012 @02:37PM (#40195393) Homepage Journal

      ... the more likely it is that you actually have an identity worth stealing.

      And the more likely it is that you'll have a wealth of background to draw on when coming up with obscure-but-memorable (to you) bits of information you can combine and tweak to make a good password. I definitely notice this when comparing passwords my wife chooses with passwords my kids choose. She uses bits of old but important dates, parts of names of people she knew decades ago, etc. and comes up with some pretty good ones. I can mostly recognize where she got the pieces but doubt I'd ever be able to guess her password if she didn't tell it to me.

      My kids, on the other hand, tend to pick simple names of favorite entertainment characters. Even when I try to get them to pick something more complex, they just don't seem to have much else to draw on. When I pointed out not long ago that one son's choice of his favorite pokemon's name as a password wasn't very hard to guess, he proceeded to pick another pokemon with a longer name. When I talked him through the idea of picking several and using pieces of their names, the result was still not very good.

      Perhaps all of this is just a result of not caring as much, but I think there's more to it.

      (BTW, some are undoubtedly wondering why I force my family to give me their passwords. I don't. In fact I harp at them all regularly about how they shouldn't ever tell me their password. They roll their eyes and just blurt it out when I ask them to type it so that I can fix something on their account. I also find out their password when they forget their old password and I have to reset it for them. I used to change it to "changeme", but then I found out that just meant that my kids, at least, always had "changeme" as their password. So they actually have better security if I make them come up with something and tell it to me so I can set it. It also gives me a chance to make them think about whether or not they can remember the new password so I don't end up having to reset it again tomorrow.)

      • by arose (644256)
        The way the young'uns name their kids today it stands to reason that geezers picking their grandkids name and adding their birthday makes a reasonably strong (i.e. not detected as kinda crappy by computer analysis) password. In short, I'm with you on the wealth of obscure-ish information, but I'm not sure how many would actually stand up to real analysis.
    • ....the more likely it is that you actually have nude photos (of yourself) worth stealing.
  • The older people had less carp to put up with over the years then younger ones.

  • by Faizdog (243703) on Saturday June 02, 2012 @01:48PM (#40195117)

    1) Can the older folks actually remember all their passwords? Or are they writing them down?

    2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).

    I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like :"firsthousenum+first name first crush, no space or caps" which would be the street address (house number ) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

    And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) that it didn't work out, plus some force you to change passwords periodically, it's a mess.

    On a different but kind of password related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access, I could send and read emails, but not change any account settings (like passwords, etc.) That would've been fantastic.

    Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.

    • Not the actual password but mnemonics that are relevant to me like :"firsthousenum+first name first crush, no space or caps" which would be the street address (house number ) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

      Yeah, yeah - mnemonics like "this password rhymes with cuppy"

      Seriously, just use a secure password manager so you can use unique passwords everywhere, but only really need to remember one password. OS X's Keychain Access works great for this. Gnome's had a similar tool available for a while, and there are third-party Windows solutions as well. They all encrypt the information, so five years from now you won't have to worry about remembering what some obscure mnemonic actually meant. And if someone compromis

    • 1) Can the older folks actually remember all their passwords? Or are they writing them down?

      2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).

      I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. .

      I'm an old geezer and I use LastPass. My LastPass password is a very long sequence that I generated with a random number generator and memorized. Problem solved.

    • by Macrat (638047)

      1) Can the older folks actually remember all their passwords? Or are they writing them down?

      Some are writing them down and even with the password sitting there in front of them, they have trouble typing it in.

    • by techno-vampire (666512) on Saturday June 02, 2012 @04:55PM (#40195997) Homepage
      I am by no means young, I'm 31, but am part of a more tech savvy generation.

      I'm twice your age and I've been working/playing with computers for over forty years. In general, I've divided all sites that require passwords into three sets: those that store data that I care about (banks and so on), those that don't (comic strip sites, Slashdot and so on) and those that don't but require "strong" passwords.

      The first set gets strong, unique passwords. For those that Firefox can't store, I have a place on-line to stash them; if you can find and access it, I've got more things to worry about than my passwords. For the second, all of them use the same password, simply to make things easy. After all, there's no way that the software running a blog (let's say) is going to know that you're using the same password for it as you are to sign on to a shopping site. And, the password's obscure enough that nobody who doesn't know me very, very well is ever going to come up with it by guessing, and it's at least as safe from a dictionary attack as any random, unpronounceable word can be. For the third, I have several variations on my standard password to fit various restrictions. Thus, things I don't care about very much are safe from anything except a very determined attack, and those I do are even better protected. Frankly, I'm more concerned about the possibility of my password being picked up by a cracker stealing a password database than by having it guessed.
    • by swillden (191260)

      What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling.

      Two-step authentication is a good option. It wouldn't do exactly what you want, because you'd need to keep using it after you got back (Internet cafe sniffers and the like would get your main password), but if you just turn it on and leave it on, it would keep you safe. On the computers you use regularly you can click the "remember verification" checkbox when you use it, so you'll only get prompted once per month for a one-time password, so in practice you don't have to do the second step very often -- ex

    • Guess I'm unique in being part of the studied demographic along with being on the tail end of the baby boomers. Yet I don't even know any of my passwords nowadays because of a nice password manager called KeePass 1. Password strength is as high as possible for every site I use and none of them have been duplicated. Does this mean I'm a god among users? Hell no! It means I've gotten smart and lazy and use the computer to my advantage where it makes sense to do so.

  • If you don't think you can remember a password, you may write it down. If it is going to be written down, then it is pretty easy to select a strong password.
    Of course, this isn't helpful if someone else gets access to the post-it note. But end to end security wasn't the subject of the survey, was it?

    • by Todd Knarr (15451)

      And of course, how many attackers will have access to my desk? For my desk at home I can count them on my fingers and not run out, and I know where they live. For my desk at work, that's why one drawer has a lock on it and the key's on my key-ring. Sure Security or Facilities could open it, but if they're compromised they've got access to far more lucrative places in the building without needing to mess with my desk.

      • by arose (644256)
        Does your drawer lock take more than 30 seconds for an experienced lock picker? It's not altogether bad, but would probably be even better if you only wrote down half of it and locked it up there, together with regular (every 6 months or so) password changes it probably is quite good if you are diligent.
  • young != geek (Score:5, Insightful)

    by tverbeek (457094) on Saturday June 02, 2012 @01:52PM (#40195145) Homepage

    ....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

    I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.

    In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity.

    • Re:young != geek (Score:4, Interesting)

      by AthanasiusKircher (1333179) on Saturday June 02, 2012 @02:46PM (#40195435)

      ....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

      I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means.

      Yeah, seriously, who wrote the summary crap? Does anyone really think that most Yahoo mail users under 25 have conversations like this:

      -- Reginald, I'm signing up for a new Yahoo account. I must design a new password.

      -- Well, Theodore, I read in my issue of Network Security Weekly that lots of account information is compromised everywhere.

      -- You know, Reginald, I never thought about it that way. I am feeling rather cynical about strong passwords, given this era of large-scale user-database compromises. As an existential protest against the very concept of password protection in such an age, I think I'll just make my password "password" or maybe "123."

      -- Good show, Theodore! Let's celebrate the anarchy of the internet by joining in a medley of Gilbert and Sullivan tunes from HMS Pinafore. Tally ho!

      Umm, no. Actual conversations are more like:

      -- Yo, Bob, I need a new email. Gonna go with Yahoo, even though it's kinda crap. Damn... I need a password.

      -- Woah, Sam, who cares? Pass me a beer.

      -- Yeah, you're right. Hell... I'm just gonna type "123." Pass me a beer, too.

      -- Awesome, Sam. LOL. Where did that keg go?

  • by Gonoff (88518) on Saturday June 02, 2012 @01:54PM (#40195167)

    Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.

    Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

    With less experience, people do not believe things will happen to them. We older codgers know it does and take precautions.

    • Pff, won't happen to me.

    • by swillden (191260)

      Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

      But... 30-somethings are young'uns.

    • by jpapon (1877296)
      Here in Germany the old drive just as fast as the young. Getting passed while going 160 (like you're standing still) by some grey-haired fella in an M5 is a daily occurrence on the autobahn. Maybe old Americans are just sissies.
  • A8%l+$mr is a terrible password. The security experts like passwords like that but they're stupid. It's impossible to remember.

    The convention I follow and what I think most people should follow is "JustTypingASentenceOutMinusSpaces". That is very easy to remember. You can do cool things like quote a line from a play, song, poem, or movie that you like. What's the likelihood a dictionary attack is going to crack "hastalavistababy!"...

    Humans are very good at remembering sentences. It works into our mnemonic m

    • by cashman73 (855518)
      The best password ever is the one used by Rodney McKay of Stargate Atlantis: 16431879196842. The birth years of Isaac Newton, Albert Einstein, and himself, plus the number 42. ;-)
    • by Hatta (162192)

      Why no spaces? Spaces and punctuation increase the search space.

  • by Todd Knarr (15451) on Saturday June 02, 2012 @01:59PM (#40195201) Homepage

    I wouldn't be surprised if that's the case. I know I use "strong" passwords mainly out of habit, and a bit of laziness (it's easier to get random sequences past password rules). I'm well aware that at best the only protection that gives me is the possibility that whoever compromised the password database will be satisfied with the results of a dictionary attack and not bother doing a brute-force attack on what's left. I'm also aware that I get more protection from a site locking my account out after repeated failures than from the password being hard to guess (the likely failure limit being a lot less than the number needed to guess even a "weak" password). And I find it amusing that a site classifies "kwo5*f(2n" as a weak password (no upper-case letters) (no, that's not one of my actual passwords) while "Jn4thon!" is considered strong (mix of upper-case, lower-case, numbers and symbols, no dictionary words present).

  • IINM, the term is usually 'old geezers', implying they can be young too..

  • Old Geezers probably write their passwords down more often as well. Just a hunch based on casual observations of old people with stickynotes all over their monitors.

  • Ask the actuaries for the car insurance companies.
    It IS their job to "do the math".

    And, they tell us that people under 25 get into far more accidents, and are far more careless.
    People over 45 are far more careful and get into fewer accidents.

    This is not opinion or conjecture.
    It is statistics.

    • by Nimey (114278)

      And before someone younger than 26 comes in and says "I'm not careless!", the individual case is irrelevant; this is statistics, taking into account the tendencies of a large number of people.

      Paying extra on your insurance if you think you're not careless sucks, but you're probably still not as careful as you will be in a few years.

      PS: the worst group here is actually under-25 males.

  • How does someone obtain 70 million Yahoo passwords, and the associated demographic information?

    On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password

    A 3-letter password would require up to 17,576 attempts, and a 4-digit pin would require up to 10,000. So I don't know what kind of passwords these people are using.

    • by mcavic (2007672)
      I guess it might take fewer tries than that, due to hash collisions. But that's why the hashed passwords should be unattainable.
      • by jpapon (1877296)
        If there's so many collisions, it just means that many many people are using the same password. The statement "it would only take around 1000 attempts to try every possible password" is misleading and ridiculous. A more accurate statement is that it would only take 1000 attempts to try the 1000 most common hashes. No shit, Sherlock.
  • I work with many over 60 year old new computer users. It's my experience that they tend to use family names for passwords without regard to how long they are - they don't seem to consider how much longer or more annoying it would be to type in a longer name, for example. When I choose a password I want to find the shortest one that will do the most good; they don't think that way.

  • by MsWhich (2640815) on Saturday June 02, 2012 @03:30PM (#40195659) Homepage

    As usual.

    The original paper is located here. [cam.ac.uk] From the conclusion:

    "The most troubling finding of our study is how little password distributions seem to vary, with all populations of users we were able to isolate producing similar skewed distributions with effective security varying by no more than a few bits."

    And yet in TFA this gets transformed into "old people use strong passwords and young people use weak ones!" and everyone starts wondering what could account for this. It also makes the study sound as though it specifically focused on user age, or that user age was the most interesting result, when in fact there were several other significant (yet still small) variations in different groups in the study, e.g. Indonesian users tended to use much weaker passwords than German or Korean users. They also found that users who tend to log in from multiple locations also tend to use stronger passwords.

    So why is the old people/young people thing the single takeaway that gets headlined and reported? It's not like what I just wrote would have been particularly difficult to outline or explain, even in a brief news article. I blame laziness on the part of the reporter.

  • by Dadoo (899435) on Saturday June 02, 2012 @04:07PM (#40195821) Journal

    My 9-year-old son has a password that's at least 15 characters long, composed of several made-up words, mixed case, with numbers and an exclamation point. Personally, I don't know how he remembers it. Of course, I'm the security guy, at work, so I've had quite a few discussions with my wife about choosing secure passwords for things like bank accounts, etc., in front of the kids. I guess they've learned through osmosis, at this point.

    By the standards of the article, I'm a geezer, and I've always tried to choose strong passwords, even when I was younger. It really annoys me when I go to a site, even today, and they only accept 8 characters. Do they really care about the security of their users?

  • ...they test it out with the users of a web service that isn't a dinosaur that just hasn't realized that it's dead yet.

    Seriously? C'mon man, I quit using Yahoo about 5 years ago. Surprisingly, they deleted my email account without any warning at all, although they did send me a note afterwards telling me that they did it.

  • Probably most of the "old" people who have chosen "strong passwords" are children under 13 who are lying about their age, because Yahoo won't let you sign up for an e-mail account; you can't trust the demographic data in Yahoo's DB.

    "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users."

    How the hell did a researcher get access to Yahoo's password database?

    Why are the passwords not hashed? How come a researcher is able

  • by jmerlin (1010641) on Saturday June 02, 2012 @05:03PM (#40196053)
    After reading the PDF, the conclusion is absolutely not that "geezers pick stronger passwords," rather that in a snapshot of data, accounts with ages under 25 had significantly less strong passwords than those over 55. This doesn't take a LOT of information into account; it's just a passing observation in a paper not really pointed towards this analysis. For instance, there are a lot more young people than old people; unless you account for this, you can easily argue that there are a lot more weak passwords from "younguns" than "geezers." There's also the issue of bot vs. real person, active account vs. inactive account (which he does address, but which is not mentioned in either this summary or TFA, when he talks about password updates implying an increase in strength, which would imply "geezers" who still use Yahoo are likely to have updated their passwords more than "younguns" who haven't logged in in over 5 years and would have relatively weak passwords as a result).

    Overall, the paper is interesting, but this summary and TFA are completely wrong in their conclusions.
  • What I'd like to know is how somebody at University of Cambridge got the plain text passwords of 70 million Yahoo users. I don't think I agreed to that in the Yahoo TOS.
  • Doesn't surprise me at all. Old people have more to lose. Break into a 20 year old's bank account and you'll net yourself fifty nine dollars and seventy two cents. But a guy who's nearing retirement might have a few hundred grand in his brokerage account. And he doesn't have forty years to make it back if it's stolen.
  • I run into a lot of "users" in my job, and certainly the younger generation feels more "at home" with technology than the older generations, but the younger ones do what young people always do, they underestimate risk. That leads young people to think it's OK to use the same password on multiple sites, post all their personal info on social media sites, and even share their passwords with other people, particularly girlfriends/boyfriends. The two most computer-illiterate people I know (both older) are bot
