Security

Why People Are So Bad At Picking Passwords

Posted by samzenpus
from the 1-2-3-4-5 dept.
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
  • Huh? (Score:5, Funny)

    by hduff (570443) <hoytduff AT gmail DOT com> on Monday December 02, 2013 @11:30AM (#45574463) Homepage Journal

    These studies also reveal that when it comes to passwords, women prefer length and men diversity.

    We are still talking about passwords, right?

    • Re:Huh? (Score:5, Funny)

      by Thanshin (1188877) on Monday December 02, 2013 @11:34AM (#45574505)

      Probably not.

      Studies suggest that news about studies are only vaguely related to the studies themselves.

    • Re:Huh? (Score:5, Funny)

      by QQBoss (2527196) on Monday December 02, 2013 @12:10PM (#45574895)

      Is it too obvious to point out that it isn't so much the length of the password that is important, but how you use it? The luckiest, of course, are able to take advantage of both.

      • Here's a crutch for those with too few passwords on too many sites. Just paste it to something like safepassword.sh in /usr/local/bin or similar:

        #!/bin/bash
        # script: safepassword
        # this script depends on sha512sum
        if [ "$2" = "" ]
        then
        echo "usage: safepassword constant_key password_purpose"
        echo " where constant_key is a string of printable non-whitespace characters,"
        echo " and password_purpose is a memorable string related to the purpose of"
        echo " the password, e.g. a website address and ye

    • by KDN (3283)
      That is, ....interesting. Great way to wake everyone up monday morning :-).
    • Re:Huh? (Score:4, Funny)

      by Anonymous Coward on Monday December 02, 2013 @12:41PM (#45575227)

      This is why women never use 'penis' as their password since it's never long enough.

  • Obligatory xkcd (Score:5, Insightful)

    by DexPleiadian (634812) on Monday December 02, 2013 @11:37AM (#45574543)
  • by LongearedBat (1665481) on Monday December 02, 2013 @11:38AM (#45574561)

    So, before choosing an important password make sure you have shaved, had a haircut and dyed your hair red.

    (A sex change is asking too much though.)

  • by Dave Whiteside (2055370) on Monday December 02, 2013 @11:39AM (#45574579)
    • by oodaloop (1229816)
      Correct!
    • by gmack (197796)

      Not all of my passwords can be that long. My bank password (the one I care about the most) has a 5 char limit and I hate random passwords. I came across a good method a few years ago for generating passwords that need to be short: Take a song and choose a line, then take the first character of each word and you have an easy to remember but hard to guess password.

  • Also are the most passionate lovers.
  • by amalcolm (1838434) on Monday December 02, 2013 @11:45AM (#45574637)
    ... for RMS !
    • by Wdi (142463)

      His password is open source and everybody is entitled to read it, modify it, or to sell it as text source if he can find a buyer, as long as the copyright notice remains attached!

  • A modern day password cracker (brute force) with a reasonably large dictionary can basically break all human generated passwords these days.

    First - besides the dictionary, they also try variations - including l33t 5p34k variations, various capitalizations and putting numbers at the beginning or end of the word.

    Second, the old trick of picking a phrase and using it? Also done - the dictionaries often pick phrases out of the Bible and other texts and run with those, too. You'd think this would be difficult, bu
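The variations the comment lists (case changes, l33t substitutions, digits tacked on the ends) are cheap for a cracker to enumerate, so a registration form can apply the same normalization in reverse and refuse a candidate that collapses to a dictionary word. This is an added example, not code from the thread; the word list is a small constructed stand-in for the large dictionaries the comment describes, and the l33t map covers only the most common substitutions.

```python
"""Reject candidate passwords that are only trivial variants of a dictionary word.
Added example, not code from the thread.  DICTIONARY is a constructed stand-in;
a real deployment would load a large leaked-password corpus (assumption)."""
import re

# Constructed stand-in for a real cracking dictionary.
DICTIONARY = {"password", "dragon", "monkey", "sunshine", "letmein", "chicken"}

# Common l33t substitutions mapped back to the letters they stand for.
# "1" is taken as "l"; a fuller checker would try both "l" and "i".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Undo the cheap mutations a cracker tries: case, digits/symbols
    prepended or appended to the word, and l33t substitutions inside it."""
    core = candidate.lower()
    # strip leading and trailing non-letters first ("dragon123", "!monkey"),
    # so that appended digits are not mistaken for l33t letters
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET_MAP)


def is_dictionary_variant(candidate: str) -> bool:
    """True when the candidate is a dictionary word in light disguise."""
    return normalize(candidate) in DICTIONARY


def check_password(candidate: str, min_len: int = 12) -> list:
    """Return the reasons a candidate should be rejected (empty list = accept)."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if is_dictionary_variant(candidate):
        reasons.append("variant of a dictionary word")
    return reasons


if __name__ == "__main__":
    for pw in ["Dr4g0n!23", "p@ssw0rd", "Sunshine2013", "correct horse battery"]:
        print(f"{pw!r:28} -> {check_password(pw) or 'ok'}")
```

The order of operations matters: stripping the edge digits before undoing l33t substitutions keeps "dragon123" from being read as "dragonl2e", while "p@ssw0rd" still collapses to "password".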

    • If a system is making it possible for you to do a brute force attack for "days" then your system is the problem more than your password.

      Sorry, but brute force attacks should throw up a red flag in a way that any well designed system can automatically detect it and shut down the user account. Most already do this in more roundabout fashions such as locking the account after a number of invalid tries or by forcing the user to wait between failed attempts or a combination of both.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        A brute force attack is typically done on a stolen list of hashed passwords, not on the running system.

      • by mlts (1038732) *

        If an attacker were brute-forcing against an account, something like sshguard or a lockout mechanism [1]. However, since hashed password lists like /etc/shadow are the target, once those are snarfed, those can be cracked at the blackhat's leisure. Stuff like bcrypt helps, but there is a balance between having a number of rounds high enough to slow down an attacker, versus it interfering with legitimate uses.

        I have a dedicated appliance that is in testing stages which just stores usernames and hashes, and
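The two defences discussed in this sub-thread are different things: a lockout or throttle only helps against guessing at the live login endpoint, while a slow salted hash is what limits the damage once the hash table has been stolen. The following added example (not the commenter's appliance, and not code from the thread) shows both side by side; the scrypt parameters are an assumption chosen to cost tens of milliseconds per guess and should be tuned to the server's budget, which is the balance the comment describes.

```python
"""Online throttling plus an offline-resistant password store.
Added example, not code from the thread.  SCRYPT_PARAMS are an assumption."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional


class LoginThrottle:
    """Locks an account once `max_failures` bad attempts fall inside `window`
    seconds.  The clock is injectable so the behaviour is testable offline."""

    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}

    def is_locked(self, user: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        self._failures[user] = recent            # forget expired failures
        return len(recent) >= self.max_failures

    def record_failure(self, user: str) -> None:
        self._failures.setdefault(user, []).append(self.clock())

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


# Assumption: ~16 MiB and tens of ms per hash on commodity hardware.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password); the salt is stored with the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def attempt_login(throttle: LoginThrottle, store: Dict[str, bytes],
                  user: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'denied'.  The stored hash is never consulted
    while the account is locked, so guessing cannot continue at full speed."""
    if throttle.is_locked(user):
        return "locked"
    if user in store and verify_password(password, store[user]):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    throttle = LoginThrottle(max_failures=3, window=60)
    for guess in ["password", "123456", "qwerty", "correct horse battery staple"]:
        print(guess, "->", attempt_login(throttle, users, "alice", guess))
```

Note that a throttle keyed only on the username can itself be abused to lock legitimate users out; production systems usually combine per-account and per-source limits with progressive delays rather than a hard lock.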

      • The problem is many webapps are designed with the password hashes stored in a database that is directly accessible to the webapp. So if there is a security hole in the webapp that allows arbitrary database queries then the attacker can simply steal the password database and brute force it at their leisure.

    • by xorsyst (1279232)

      yep [wikipedia.org]

    • WTF brute force still? All password systems should enforce at least x failed attempts in y time lockouts if not requiring multiple things (time+seed based passwords are trivial with everybody having a smartphone). If they have the hashes and salts you're pretty much damned anyways.

    • by melikamp (631205)

      This. But the problem, as I see it, is not with people designing poor passwords. The password authentication itself is the problem. One basic issue is that passwords, ostensibly, authenticate a person, but in practice they do not. It is the computer that gets the direct access, not a person, so we could as well be consistent and have a procedure designed to authenticate a person+computer pair. And that leads us to a much more secure way to authenticate: using the strong encryption, either symmetric or asymm

  • by toonces33 (841696) on Monday December 02, 2013 @11:48AM (#45574661)

    What is the quality of the password then?

  • by Junta (36770) on Monday December 02, 2013 @11:50AM (#45574681)

    As a very well known xkcd points out, a great deal of the problem could be averted if people were encouraged to use long passphrases with spaces and everything rather than a pass'word'. password as a concept was good enough for the time of its popularity, to defend against people typing their way into someone else's account. When the model fell apart in a world with much more automation and network connectivity, the 'fix' was 'keep length about the same, but toss some numbers and maybe some punctuation in there'.

    The madness comes in when a great deal of the sites I visit put a 12 character *maximum* on a password for their site.

    My personal strategy: base64.b64encode(os.urandom(12)) for every site and store the values on a couple of my devices with a phrase that is about 32 characters long (but easy for me to remember and easy to type). hashing a master key with the domain to generate passwords like some chrome and firefox plugins (password hasher) can do is similarly nice without having to worry that you won't have access to the copy of the database.. Of course, the annoying thing is my 16 random numbers and letters frequently fail the 'complexity' check and I have to add some punctuation character to it.
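Both halves of the strategy above can be written in a few lines: a random per-site secret in the style of `base64.b64encode(os.urandom(12))`, and a derived per-site password that hashes a master phrase with the domain so nothing needs to be stored. The following is an added example, not the comment's own tooling nor the algorithm of any particular browser plugin; the PBKDF2 iteration count and the rule for satisfying a "must contain punctuation" check are assumptions.

```python
"""Per-site passwords: random, or derived from a master phrase plus domain.
Added example, not code from the thread.  ITERATIONS and the symbol fix-up
rule are assumptions."""
import base64
import hashlib
import os

# Assumption: high enough that a leaked site password does not make the
# master phrase cheap to guess offline.
ITERATIONS = 200_000


def random_site_password(nbytes: int = 12) -> str:
    """The comment's approach: 12 random bytes -> 16 base64 characters, to be
    stored in a password manager."""
    return base64.b64encode(os.urandom(nbytes)).decode()


def site_password(master: str, domain: str, length: int = 16,
                  require_symbol: bool = False) -> str:
    """Derive a password from the master phrase, salted with the normalized
    domain.  The same inputs always give the same output, so nothing needs
    to be stored; changing the domain changes every character."""
    salt = domain.strip().lower().encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=24)
    pw = base64.b64encode(key).decode()[:length]
    if require_symbol and not any(c in "+/" for c in pw):
        # base64 may yield only letters and digits, which fails the
        # 'complexity' check the comment mentions; swap in a fixed symbol
        # rather than re-rolling, so the result stays reproducible
        pw = pw[:-1] + "!"
    return pw


if __name__ == "__main__":
    master = "thirty-two characters of something memorable"   # constructed
    for site in ["example.com", "example.org"]:
        print(site, site_password(master, site),
              site_password(master, site, require_symbol=True))
    print("random:", random_site_password())
```

The derived scheme trades the "no database to lose" convenience the comment praises for a new risk: every site password now depends on the master phrase, so the phrase must be long and the derivation slow.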

    • by sjwt (161428)

      I was somewhere the other day that needed at least one Upper Case, one Lowercase, one Number and a symbol. Not too bad, except they also limited you to 6 chr only.

      • Not too bad, except they also limited you to 6 chr only.

        How nice of them to completely reduce the complexity space of the 6-character search!

  • by tiberus (258517) on Monday December 02, 2013 @11:50AM (#45574687)

    Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here [xkcd.com], the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.

    Sadly, it took the recent Adobe compromise to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned by the number of accounts I had when I got through most of the sites I access.

    After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.

    • Passwords on sticky notes on monitors.
    • Passwords shared with co-workers, that have not been granted access.
    • System does not require default password to be changed.
    • Default password is a known pattern.
    • Techs routinely ask users for passwords
    • Co-workers say, "Just give them your password".
    • And so on . . .

    Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".

    • by ccguy (1116865) on Monday December 02, 2013 @12:41PM (#45575223) Homepage

      complete failing of organizations to have or heaven forbid enforce policies about password practices

      Most of the time the problem is the opposite. Absurd policies and a delusion of the password being important to the user. And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set of around the same 10 in every site).

      For like 95% of the sites I don't give a shit if my account is hacked. I use the same password for most of those sites (if they are too retarded with requirements I might add a few 0s or #s at the end). If you make me change the password even if once a year then I'm not going back to your site because I don't care much about it in the first place. So I'll forget the new password.

      -Passwords on sticky notes on monitors.
      -Passwords shared with co-workers, that have not been granted access.
      System does not require default password to be changed.

      None of these are user problems. They are system design problems which I can translate to this:

      - They make me change the password every 90 days, so I have to write it down.
      - Danny needs to access credit card information because it's part of his job to do refunds but they won't give him access because for some reason that also means they have to give him access to XXX (they have one permission for two things) so I have to type my password at his terminal 10 a day. I cannot be interrupted that much, or I might not be around, etc, so I just let him use my password.
      - My sysadmin uses the same default password for everyone.

      • by pla (258480)
        And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set or around the same 10 in every site).

        You realize you don't need to answer those accurately?

        I treat security questions as the emergency sticky-note under my desk, in that I will answer them however the hell I want, then just make a note (not sticky, but yes, an actual physical offline note) as a clue to what I picked.

        I figure if someone wants to impersonate me, they already know my mother's
  • by gmuslera (3436) on Monday December 02, 2013 @11:53AM (#45574717) Homepage Journal
    If we start with the assumption that passwords must be memorized somewhat, we are better remembering things with an attached meaning than something random, and those meanings usually make bad passwords. But, we don't need to remember all passwords, there are password managers for making and storing a bunch of meaningless, secure passwords, and for the keys you must remember (the password manager one at the very least) there are some mnemonic tricks [xkcd.com] that can help to have safe enough passwords.
  • Must be an idle day at the BBC. A couple paragraphs of statistical wank about physical attributes seeming to correlate with password quality. Then a rehash of old news about bad passwords being easy to crack. My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)

    • My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)

      Okay... 62 character password? Are you compensating for not being ginger [youtube.com]?

  • by Archangel Michael (180766) on Monday December 02, 2013 @11:55AM (#45574749) Journal

    On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.

    My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.

    And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.
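The strength of the three-word suggestion above comes from the size of the list the words are drawn from, not from the words themselves, and it only holds if the words are picked at random rather than by the user. The following added example (not the commenter's method in code, and not from the thread) picks the words with a cryptographic RNG, prefixes the site name as the comment suggests, and compares the resulting search space with a short random character password; the word list is a small constructed stand-in and the 7,776-word figure used for comparison is the size of a standard diceware list.

```python
"""Random word passphrases and their entropy.  Added example, not code from
the thread.  WORDS is a constructed stand-in for a real diceware-style list."""
import math
import secrets
from typing import List, Optional

# Constructed 32-word list; a real list has thousands of words (assumption).
WORDS = [
    "mongoose", "screwdriver", "automobile", "lantern", "pebble", "walrus",
    "cactus", "trumpet", "glacier", "muffin", "harbor", "velvet", "saddle",
    "comet", "pillow", "anchor", "thistle", "badger", "copper", "meadow",
    "turnip", "falcon", "biscuit", "ladder", "quartz", "puddle", "maple",
    "otter", "tunnel", "candle", "marble", "zipper",
]


def passphrase(words: List[str], n: int = 3, site: Optional[str] = None) -> str:
    """Pick n words uniformly at random (secrets, not random); optionally
    prefix the site name so each account gets a distinct phrase."""
    chosen = [secrets.choice(words) for _ in range(n)]
    if site:
        chosen.insert(0, site)
    return " ".join(w.capitalize() for w in chosen)


def word_entropy_bits(list_size: int, n: int) -> float:
    """Bits of entropy in n words drawn with replacement from list_size words.
    The site-name prefix adds none: it is public."""
    return n * math.log2(list_size)


def char_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a random string over an alphabet of the given size."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(passphrase(WORDS, site="Amazon"))
    print(f"3 words from 7776:  {word_entropy_bits(7776, 3):.1f} bits")
    print(f"4 words from 7776:  {word_entropy_bits(7776, 4):.1f} bits")
    print(f"8 random [A-Za-z0-9]: {char_entropy_bits(62, 8):.1f} bits")
    print(f"3 words from this tiny list: {word_entropy_bits(len(WORDS), 3):.1f} bits")
```

The numbers show why list size matters: three words from a 7,776-word list carry about 39 bits, which is below eight random alphanumerics (about 48 bits), while four words (about 52 bits) overtake them; three words from the 32-word list above are only 15 bits, no better than a short PIN.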

    • I've been saying it for years: length! Thisshittasteslikechicken! Will take many, many years for any algorithm to crack. http://www.securityadminisanidiot.com/ [securityad...nidiot.com] will also assure security. Why don't management and administrators understand this?

  • I devised my best password for my luggage. I'm too tired after doing that to worry about online passwords

  • I love them.. I trawl through them laughing at the passwords on them, at least so far as mine have never shown or close variants of them.

  • by jessepdx (1207628) on Monday December 02, 2013 @12:02PM (#45574811) Homepage
    there are a lot of sites, that require setting up an account, i could care less about. i use a junk email account and a simple junk password. those accounts, if they are hacked, won't give you any useful information to get into another site's account that i do care about. i think many people do the same. those junk sites also get hacked and the stolen lists get published. then the appalling headlines stating "OMG these passwords are so easy!!!" get published... so what...
  • by mcmonkey (96054) on Monday December 02, 2013 @12:03PM (#45574821) Homepage

    "people are lousy at picking good passwords"

    This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.

    A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.

    "You have to remember we are all human and we all make mistakes"

    Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,

    "password systems are lousy at serving people."

    (as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)

  • I would hope the list of allowable PINs is shorter than that. The 10 possibilities with the same number repeated all the way through should be disallowed (and usually are), as well as 1234, 4321, and anything else with four consecutive digits. While taking those 24 possibilities out doesn't dramatically reduce the number of possible PINs (only 2.4% reduction) it is still a list of less than 10,000.
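The rule proposed above (no PIN made of one repeated digit, none made of four consecutive digits in either direction) is easy to enumerate, and enumerating it is the only reliable way to know how many of the 10,000 PINs a policy actually removes. This is an added example, not code from the thread; the optional `denylist` parameter is a placeholder for the list of most-chosen PINs the summary alludes to, which the page does not give.

```python
"""Enumerate the PINs a simple weak-PIN rule rejects.  Added example, not
code from the thread.  `denylist` is a placeholder for a list of commonly
chosen PINs, which the page does not provide."""
from typing import FrozenSet, List


def is_weak_pin(pin: str, denylist: FrozenSet[str] = frozenset()) -> bool:
    """True for 0000-style repeats, ascending or descending runs such as
    1234 / 4321, and anything on the caller's denylist."""
    if pin in denylist:
        return True
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                       # 0000, 1111, ... 9999
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}            # 0123..6789, 9876..3210


def weak_pins(denylist: FrozenSet[str] = frozenset()) -> List[str]:
    """Every four-digit PIN the rule rejects, in numeric order."""
    return [f"{i:04d}" for i in range(10_000) if is_weak_pin(f"{i:04d}", denylist)]


def reduction_percent(denylist: FrozenSet[str] = frozenset()) -> float:
    """Share of the 10,000-PIN space removed by the rule."""
    return 100 * len(weak_pins(denylist)) / 10_000


if __name__ == "__main__":
    rejected = weak_pins()
    print(len(rejected), "PINs rejected:", " ".join(rejected))
    print(f"search space reduced by {reduction_percent():.2f}%")
```

Because the rule rejects only a fixed, tiny set, it does nothing about the real skew the summary describes, where a small subset of PINs accounts for most choices; that needs a denylist built from observed frequencies, and the remaining space is still small enough that the rate limiting on the card or account is what actually protects it.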
    • by Qzukk (229616)

      The 10 possibilities with the same number repeated all the way through should be disallowed

      If it's good enough for nuclear launch code, it's good enough for my bank card!

  • I have a really really good password that I use to get into my server at home. All other passwords are for random sites (like slashdot) and I use a very simple password for them. Does this make me 'bad at picking passwords', or do I simply not care if someone hijacks my slashdot account, ruining my excellent karma?

    A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.
    • by mcmonkey (96054)

      A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.

      On that note, non-printing characters should be allowed as part of a password. E.g. "12345" is a bad password. But why shouldn't we be able to use "12356[backspace][backspace]45"?

  • by OzPeter (195038) on Monday December 02, 2013 @12:12PM (#45574905)

    I use regexes related to the site name/function. (*)

    Now the hackers have two problems when they want to break into my account!

    * Actually, I do incorporate regex like strings.

  • Why can't my home computer manage passwords? Seems like it's smart enough to generate a password, pass it to the secure site, then at log off generate another password, pass it to the site and then log off. Let the computers handle the task. Then have one master password or some other technique to log onto the computer that can only be used from the keyboard.
  • by ilsaloving (1534307) on Monday December 02, 2013 @12:36PM (#45575187)

    Every time I see articles like this, I feel compelled to bring up the solution I'm using, which is (so far) the single best solution I have been able to find.

    It's called 1Password. Runs on Mac, Windows, Linux (read only I think), iOS, Android, and has plugins for all major browsers.

    It records your login details for you, has a password generator that you can customize in various ways, and stores an AES encrypted archive on dropbox so that all your devices can sync together.

    Now I can safely create new logins everywhere with abandon, because if one service is compromised (*cough*Adobe*cough*) I'm not afraid something else is at risk.
    It can generate passwords up to 50 characters in length with your choice of number of digits and symbols. It can even make easily pronounceable passwords if you need, and avoid ambiguous characters (eg O (oh) and 0 (zero) ).

    It's a little pricey, but IMO it's worth every penny because there is no other product out there that is this easy to use, AND supports so many platforms all at once.

    • I use a similar product called Password Safe. http://passwordsafe.sourceforge.net/ It lets you store your passwords in an encrypted file with a master password. It can also generate passwords for you (in a configurable manner so you can go from "p%qLr%&Vb9" to "+R0WeeDUck" to "PiGhtEdraN" and anywhere in between - and yes, those were Password Safe generated). There are also ports for Android, iOS, Mac, Windows, Linux, etc: http://passwordsafe.sourceforge.net/relatedprojects.shtml All free and open

  • by nomadic (141991)
    I also blame sysadmins who frequently don't understand that security is contextual; you do not need the same level of password complexity for a gardening forum or slashdot that you need for your bank account. But you still see ridiculous requirements for low-security sites.
  • by Nimey (114278) on Monday December 02, 2013 @12:46PM (#45575275) Homepage Journal

    The proper way is to use a good password manager with the following features:
    1) cloud-based sync, so you can access it from any computer or mobile device
    2) multifactor authentication, such as a USB stick or a grid or biometrics
    3) a configurable password generator (i.e. you can choose length, complexity, etc.)

    I use LastPass and like it enough to have bought a year's subscription for $12, but there are other good choices out there like 1Password, or you could homebrew up something with e.g. DropBox + KeePass or Google Drive + TrueCrypt + something that can read TC volumes on iOS/Android.

    Generate a different random password for each site needing an account, as complex and as long as the site will allow for, and with LastPass at least you can attach a note to each site's entry so you could enter random line-noise answers for security questions like "What is your mother's maiden name?", thus making crackers work much harder. I've also got LP set up for multifactor authentication and with a strong master password.

  • Oh yeah.... I really love it when I go to a site and try to create a password with punctuation, and it gets kicked because the site doesn't support it.

    Really????

    I'm talking about some major sites... financial institutions too. Scary and unacceptable.

    • Agreed! One of my credit card sites used to allow only alphanumerics, so my "standard" pw wasn't allowed because of special characters. They've fixed that problem, but I'm sure there are still plenty that do that.

  • by PPH (736903)

    red-haired women tend to choose the best ...... and men with bushy beards or unkempt hair, the worst. .....women prefer length and men diversity.

    I was beginning to wonder where this summary was going after the first few sentences.

  • I used to have a beard and bushy hair and my password was "test123". After I neatened my hair and shaved, I had this overwhelming compulsion to change my password, and now it's UjuW8LxttbsWKqMbDaA4SqSJVST783ty

  • My bank card PIN is four digits. It's not the year I was born, nor is it any other year (or other four-digit number, for that matter) that you will find in my personal information.

    For computer passwords I like the "first letter of a phrase" algorithm, producing passwords like TbontbTitQ and MRwiTDtESSahtuwws. Or pick a phrase, l33t it up a bit, and come up with something like W1nd0ze1sTehSux0r3. Long passwords are good.

    The worst public web site I've encountered for silly password requirements is U.S. Cu
