
Why People Are So Bad At Picking Passwords

Posted by samzenpus
from the 1-2-3-4-5 dept.
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
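The summary's last point, that a small subset of the 10,000 possible four-digit PINs accounts for most choices, is easiest to reason about with a frequency table. The script below is an added example (it is not from the article or the commenters) that builds a constructed, deliberately skewed PIN distribution and measures how much of the user population the most common k PINs cover, compared with the uniform baseline of k/10000. The tier sizes, counts and the specific PINs placed in the popular tiers are synthetic placeholders chosen so the top 100 cover exactly 80%, mirroring the figure quoted in the summary; the same functions run unchanged on a real per-PIN count table. From a defender's side, `top_k_coverage(counts, 5)` is the share of accounts an attempt-limited guesser could reach before a five-try lockout, which is the number to look at when choosing a lockout threshold or a PIN blocklist.

```python
import math
from collections import Counter

PIN_SPACE = 10_000  # four decimal digits: 0000 to 9999


def constructed_pin_counts() -> Counter:
    """Return a constructed (synthetic) PIN frequency table.

    Stand-in for a real count-per-PIN dataset: 10 very popular PINs,
    90 moderately popular ones, and every other PIN observed once.
    The PIN values in the popular tiers are illustrative placeholders.
    """
    counts = Counter({f"{i:04d}": 1 for i in range(PIN_SPACE)})
    tier_a = ["1234", "1111", "0000", "1212", "7777",
              "1004", "2000", "4444", "2222", "6969"]        # 10 PINs
    tier_b = [f"{i:04d}" for i in range(1900, 1990)]         # 90 year-like PINs
    for pin in tier_a:
        counts[pin] = 1980
    for pin in tier_b:
        counts[pin] = 220
    # totals: 10*1980 + 90*220 + 9900*1 = 49500 observations
    return counts


def top_k_coverage(counts: Counter, k: int) -> float:
    """Share of all observations covered by the k most common PINs."""
    total = sum(counts.values())
    ranked = sorted(counts.values(), reverse=True)
    return sum(ranked[:k]) / total


def uniform_coverage(k: int) -> float:
    """Same quantity if PINs were chosen uniformly at random (the baseline)."""
    return min(k, PIN_SPACE) / PIN_SPACE


def guesses_for_success(counts: Counter, target: float) -> int:
    """Fewest most-common guesses whose combined share reaches `target`."""
    total = sum(counts.values())
    running = 0
    for i, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        running += c
        if running / total >= target:
            return i
    return len(counts)


def shannon_entropy_bits(counts: Counter) -> float:
    """Shannon entropy of the observed choice distribution, in bits.

    A uniform choice over 10,000 PINs would give log2(10000) = 13.29 bits;
    skewed real-world choices come out far lower.
    """
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def pin_report(counts: Counter) -> dict:
    """Summarise the distribution the way a policy reviewer would want it."""
    return {
        "top5_coverage": top_k_coverage(counts, 5),       # exposure before a 5-try lockout
        "top100_coverage": top_k_coverage(counts, 100),
        "uniform_top100": uniform_coverage(100),
        "guesses_for_50pct": guesses_for_success(counts, 0.5),
        "uniform_guesses_for_50pct": PIN_SPACE // 2,
        "entropy_bits": shannon_entropy_bits(counts),
        "uniform_entropy_bits": math.log2(PIN_SPACE),
    }


if __name__ == "__main__":
    for key, value in pin_report(constructed_pin_counts()).items():
        print(f"{key:28s} {value:.4f}" if isinstance(value, float) else f"{key:28s} {value}")
```

With this constructed table, 33 guesses reach half the population, against 5,000 for uniform choices, and the effective entropy is about 8 bits rather than 13.3. Swapping in a real count table is the only change needed to evaluate an actual deployment.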

  • Re:because (Score:5, Interesting)

    by master_kaos (1027308) on Monday December 02, 2013 @11:52AM (#45574711)
    Here is the problem: You constantly hear "don't use the same password on every site." Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure there are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all.
    Then you get ridiculous requirements on some websites, like can't use special characters, can't be longer than 10 chars. Why? You should be using a hashing algo, which means special characters or max length shouldn't matter (within reason).

    I have about 4 passwords
    My low security one where I do not give a shit if people hack my account eg slashdot/most forums
    Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
    High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
    Very High security - Used for financial institutions

    This way I always know when I go to a site which password it uses.

    However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the first 3 characters of the site's name or something (maybe not quite this obvious). This may increase the security of the password a little, as well as having the benefit of most passwords being unique... but not sure how much it increases the security by.
  • by Archangel Michael (180766) on Monday December 02, 2013 @11:55AM (#45574749) Journal

    On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.

    My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.

    And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.
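The random-words scheme in this comment, and the "base password plus a piece of the site name" variant master_kaos describes above, both come down to how many bits of guessing entropy the attacker has to burn through. The script below is an added example, not code from either commenter. It assumes the words are drawn uniformly at random from a fixed list (if a person picks words from memory, the formula no longer applies and the true entropy is lower), and it treats the per-site prefix or suffix as a scheme the attacker already knows, so it contributes zero bits even though it does give each site a distinct password. The 16-word list embedded here is constructed so the example runs offline; the 7776-word figure used for comparison is the size of a standard Diceware list, not something taken from the page.

```python
import math
import secrets

# Constructed mini wordlist so the example runs stand-alone. A real
# Diceware-style list has 7776 words; this one is far too small for real use.
WORDLIST = [
    "mongoose", "screwdriver", "automobile", "lantern", "pebble", "cactus",
    "harbor", "violin", "meadow", "tractor", "copper", "falcon",
    "walnut", "glacier", "saddle", "comet",
]
DICEWARE_SIZE = 7776      # 6^5 words, the standard Diceware list size
PRINTABLE_ASCII = 95      # characters available for a "complex" password


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Bits of entropy when n_words are chosen uniformly from wordlist_size."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a secret with `bits` of entropy."""
    return 2 ** (bits - 1)


def generate_passphrase(n_words: int = 3, wordlist=WORDLIST,
                        rng=None, separator: str = " ") -> str:
    """Pick n_words uniformly at random; uses a CSPRNG unless an rng is injected."""
    rng = rng or secrets.SystemRandom()
    return separator.join(rng.choice(wordlist) for _ in range(n_words))


def entropy_comparison() -> dict:
    """Side-by-side entropy of the schemes discussed in the thread."""
    three_words = passphrase_entropy_bits(DICEWARE_SIZE, 3)
    return {
        "3 words / 7776-word list": three_words,
        "4 words / 7776-word list": passphrase_entropy_bits(DICEWARE_SIZE, 4),
        # Adding a site-derived prefix gives uniqueness per site, not entropy,
        # once the pattern is known: +0 bits.
        "3 words / 7776-word list + known site prefix": three_words + 0,
        "8 chars / 95 printable ASCII": password_entropy_bits(PRINTABLE_ASCII, 8),
        "3 words / 16-word constructed list": passphrase_entropy_bits(len(WORDLIST), 3),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    for scheme, bits in entropy_comparison().items():
        print(f"{scheme:48s} {bits:6.2f} bits  ~{expected_guesses(bits):.3g} guesses")
```

Three Diceware words (about 38.8 bits) fall short of eight random printable characters (about 52.6 bits); a fourth word (about 51.7 bits) roughly closes the gap while staying memorable, which is the practical reason most passphrase advice starts at four or more words. The comparison also makes the master_kaos question concrete: the site-name tweak is worth having for containment, because one site's leak no longer unlocks the others outright, but it should not be counted as added strength.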

  • Re:because (Score:5, Interesting)

    by Nemyst (1383049) on Monday December 02, 2013 @01:03PM (#45575443) Homepage
    I use LastPass and the two-factor authentication adds a lot to the security. If someone can guess my password and obtain my two factor secret, I'm probably screwed regardless of what I did. I also enable two-factor on as many sites as I can (stupidly most banks don't have that).
