Why People Are So Bad At Picking Passwords 299
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
Obligatory xkcd (Score:5, Insightful)
We needed a study for this?!? (Score:5, Insightful)
Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here [xkcd.com], the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.
Sadly, it took the recent Adobe compromise, to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned, by the number of accounts I had when I got through most of the sites I access.
After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.
Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".
Who works for whom? (Score:5, Insightful)
"people are lousy at picking good passwords"
This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.
A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.
"You have to remember we are all human and we all make mistakes"
Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,
"password systems are lousy at serving people."
(as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)
Re:Pretty much the only good passwords are random (Score:2, Insightful)
A brute force attack is typically done on a stolen list of hashed passwords, not on the running system.
Re:because (Score:5, Insightful)
Given that it's widespread across huge numbers of people, presumably of all kinds and intelligence levels, I think that dismissing the problem as being because people are too lazy/stupid is...well....lazy and stupid.
Remember that people treat their computers like a social being - and a subordinate one at that. Every morning, someone will go and sit down at their office computer and find it's forgotten who he is, even though it sees him every day. He can walk away for an hour and it'll forget again. It'll fail to understand that he's him over and over again as he uses websites, servers, etc, stopping each time to refuse his instructions and demand that he perform some silly little task purely to help the computer out in functioning correctly: remember an irrelevant string of nonsense. And, very occasionally, the computer will fail and do something like send banking details to someone in Russia, or show his ex-wife his e-mails to his lawyer.....even though it's blatantly obvious to even an imbecile that these are the wrong things to do.
We all know that computers are unintelligent tools that are not capable of doing better than this - on slashdot, at least. But it still feels like talking to a forgetful, obstructive, naive, reckless, stupid and insubordinate little shit. Even the most stupid of assistants should be expected to do better most of the time.
People can certainly do better, but we have to accept that humans behave like humans and recognize that we're going to need to improve the technology as well as people's habits. In the short term that could mean things like providing ways to generate secure passphrases and asking them to write them down, using authentication devices and using UIs to promote better practices....and we need security researchers who stop looking a memory dumps for a while and look for more secure ways to interact with users.
Re:We needed a study for this?!? (Score:4, Insightful)
complete failing of organizations to have or heaven forbid enforce policies about password practices
Most of the time the problem is the opposite. Absurd policies and a delusion of the password being important to the user. And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set or around the same 10 in every site).
For like 95% of the sites I don't give a shit if my account if hacked. I use the same password for most of those sites (if they are too retarded with requirements I might add a few 0s or #s at the end). If you make me change the password even if once a year then I'm not going back to your site because I don't care much about it in the first place. So I'll forget the new password.
-Passwords on sticky notes on monitors.
-Passwords shared with co-workers, that have not been granted access.
System does not require default password to be changed.
None of these are user problems. They are system design problems which I can translate to this:
- They make me change the password every 90 days, so I have to write it down.
- Danny needs to access credit card information because it's part of his job to do refunds but they won't give him access because for some reason that also means they have to give him access to XXX (they have one permission for two things) so I have to type my password at his terminal 10 a day. I cannot be interrupted that much, or I might not be around, etc, so I just let him use my password.
- My sysadmin uses the same default password for everyone.
Re:because (Score:4, Insightful)
I like the algorithm method (and even if the algorithm would be obvious to a human with access to 3-4 passwords, it would save you from some bot getting one password and simply trying the same pair at every major service), but when you have sets of requirements like this, it is impossible to implement. A and C are mutually exclusive, B is annoying (and actually reduces brute force complexity) but avoidable, and D will break your whole algorithm the first time it changes (unless you add a counter, but then you have to remember what iteration you are on).
I keep a little list in a google doc of the rarely accessed but important sites that have weird password requirements (since it is rare they tell you the requirements on the login page)...then at least I know that I may have had to modify my algorithm because '^*()' aren't valid characters, or that the requirements were dumb enough that I just said "screw it" and used some old insecure password that has probably been unknowingly leaked 15 times while hoping for the best.
Re:936-style passwords are kinda easy to crack now (Score:5, Insightful)
That's why I don't bother making really strong passwords for most websites. It's a waste of my time - the site is more likely to get hacked then my password bruteforced over network connections. Every few months there's a web service getting pwned.
It's silly to waste time making your password much stronger than a typical website's admin password.
FWIW I've encountered at least one online bank that actually limits passwords to 8 characters for some unknown stupid reason.
Re:936-style passwords are kinda easy to crack now (Score:5, Insightful)
Every time someone sets up forum software to require an account to simply read it, they should be kicked in the nuts. Requiring an account to post is totally ok, but requiring an account to read is not.