Geezers Pick Stronger Passwords Than Young'uns
McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?
The older you are ... (Score:5, Insightful)
the geezer's, obviously (Score:5, Insightful)
If it's at home, somebody needs to break in physically, commit a felony, risk their life, and know to obtain one single password from a monitor.
Other passwords are compromised in mass dictionary attacks and hacking invisibly, in foreign jurisdictions, and never get compromised.
I have another theory about the results: older people are more responsible.
Re:How did he analyse it? (Score:2, Insightful)
What's really frightening is the implication that Yahoo stores passwords. There's really no justification for ever storing a password unhashed. You'd think Yahoo of all places would have the competence to know that.
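Added example, not part of the comment above and not the study's own code: a sketch of how a population-level password strength figure can be computed without keeping plaintext passwords, by counting keyed hashes and measuring the resulting frequency distribution. The sample passwords, group labels and the two metrics chosen here are constructed assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter

def blind(passwords, key):
    """Replace each password with a keyed hash so only equality survives."""
    return [hmac.new(key, p.encode("utf-8"), hashlib.sha256).hexdigest()
            for p in passwords]

def min_entropy_bits(counts):
    """-log2 of the most common password's share (success rate of one guess)."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)

def guesses_to_cover(counts, fraction):
    """Guesses per account, most common first, to crack `fraction` of accounts."""
    total = sum(counts.values())
    covered = 0
    for guesses, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered >= fraction * total:
            return guesses
    return len(counts)

def analyse(groups):
    """groups: {label: [password, ...]} -> {label: (min_entropy, guesses_50pct)}"""
    key = secrets.token_bytes(32)  # ephemeral key, discarded after the run
    report = {}
    for label, passwords in groups.items():
        counts = Counter(blind(passwords, key))
        report[label] = (min_entropy_bits(counts), guesses_to_cover(counts, 0.5))
    return report

# Constructed sample data, not taken from any real system.
SAMPLE = {
    "under_25": ["123456"] * 4 + ["password"] * 2 + ["qwerty", "k9!vTz"],
    "over_55": ["123456"] * 2 + ["garden47", "Tr0ut-lake", "mapleSyrup9",
                                  "bluebird1952", "x7#Lmq", "oldtown-88"],
}

if __name__ == "__main__":
    for label, (h_min, g50) in analyse(SAMPLE).items():
        print(f"{label}: min-entropy {h_min:.2f} bits, {g50} guesses for 50%")
```

Because the key is random per run and never stored, the hashed counts cannot be matched against a dictionary afterwards, yet the distribution statistics are unchanged.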
Re:Memory? (Score:5, Insightful)
young != geek (Score:5, Insightful)
I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.
In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity.
Perhaps it's like other 'yoof' items (Score:5, Insightful)
Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.
Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.
With less experience, people do not believe things will happen to them. We older codgers know it does and take precautions.
Re:Use case differences... (Score:4, Insightful)
IIRC there was a time when you had to go through a drop down to select the birth year, and who is going to bother to scroll to geezer age for their throwaway account?
Re:Easy to remember? (Score:4, Insightful)
Which one is *really* more secure?
The one written on the monitor obviously.
Re:Use case differences... (Score:5, Insightful)
Older users are more likely to have a Yahoo address as their primary email, etc.
Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.
Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client.
;-)
For those unfamiliar with text email clients think of them as twitter without a 140 character limit.
(*) Substitute alpine, mutt, whatever if you prefer.
Re:Use case differences... (Score:5, Insightful)
bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.
we use stronger passwords because we've been around the block enough times to know there are bad people out there
Re:Use case differences... (Score:5, Insightful)
Re:How many passwords? And can they remember them? (Score:4, Insightful)
I'm twice your age and I've been working/playing with computers for over forty years. In general, I've divided all sites that require passwords into three sets: those that store data that I care about (banks and so on), those that don't (comic strip sites, Slashdot and so on) and those that don't but require "strong" passwords.
The first set gets strong, unique passwords. For those that Firefox can't store, I have a place on-line to stash them; if you can find and access it, I've got more things to worry about than my passwords. For the second, all of them use the same password, simply to make things easy. After all, there's no way that the software running a blog (let's say) is going to know that you're using the same password for it as you are to sign on to a shopping site. And, the password's obscure enough that nobody who doesn't know me very, very well is ever going to come up with it by guessing, and it's at least as safe from a dictionary attack as any random, unpronounceable word can be. For the third, I have several variations on my standard password to fit various restrictions. Thus, things I don't care about very much are safe from anything except a very determined attack, and those I do are even better protected. Frankly, I'm more concerned about the possibility of my password being picked up by a cracker stealing a password database than by having it guessed.
Re:Use case differences... (Score:5, Insightful)
You reminded me - I never put my real age. Someone who is tech savvy is likely to have a strong password, as well as keeping other personal info private. Resetting my password involves remembering a fake birthdate, fake mother's maiden name, fake first job, everything is fake.
If one site gets compromised, that info won't get someone into any other account.
So one of the assumptions here is that the ages are correct, which is not necessarily the case. For more tech savvy people, it is more likely the age will be incorrect. To me, this study therefore has no value without validating a statistically significant portion of the user data. And if asked, I would say I really was born 25 years earlier than I was.