Largest-ever password study: We are all idiots (opens in new tab)

(venturebeat.com)

14 pointsneilkelty14y ago9 comments

9 comments

9 comments · 7 top-level

gee_totes14y ago· 1 in thread

I wonder if the researchers realize that people sometimes intentionally maintain weak password, since they are easy to remember and it's an acceptable risk for the account to get compromised.

For example, if my Gawker commenting password is 'hello1234', and it gets compromised, what's the worst that can happen? My Gawker commenting account turns into a spam feed? Oh noes my life is over!! </s>

For some applications, weak passwords are perfectly acceptable.

hello_asdf14y ago

I use layered passwords. For simple things I've used the same password for years with only slight variations on it. For things like my email account or servers, I use randomly generated passwords managed through LastPass. Although my personal favourite password system is XKCD's password algorithm: http://xkcd.com/936/

b0rsuk14y ago· 1 in thread

I try to use this method: find a password that is very abstract, but meaningful to you. For example, one of my passwords included my exact motherboard model.

stevewillows14y ago

I once had a large chunk of my user group using acronyms followed by a symbol and the three letters of the previous month.

Not the best, but better than 'qqqqq' followed by 'wwwww'.

dhx14y ago

Troy Hunt analysed the passwords of the Sony and Gawker compromises and shared the results in July 2011[1]. The analysis is worth reading and contains pretty plots that can be digested in a glance. His other blog posts at [2] relating to password security are also worth reading.

[1] http://www.troyhunt.com/2011/07/science-of-password-selectio...

[2] http://www.troyhunt.com/search/label/Passwords

alan_cx14y ago

Isn't the problem that people see passwords as "access" rather than "security"? General public see complex user-names and passwords as an impediment to access, which they are.

I rather think the people who run sites, etc see it the same since often passwords are allowed to be simple by design. Where real security is required users are given passwords like "we%W%G^&FGH344N" to use. Or there s a strictly enforced policy that the user is made to follow.

nollidge14y ago

> Bonneau suggests that people chose a randomly selected number at least nine digits long

I've been working on a program that generates passwords that are (1) English-sounding by nonsense words of a specified length, and (2) where the letters alternate hands when typed.

So (1) makes a password that's pronounceable and therefore easier to remember semantically, while (2) makes it quick-to-type and therefore easier to "remember" via muscle memory. This should make frequently changing one's passwords less painful.

Is there any reason this is a bad idea? Obviously it's not as secure compared to a purely random string of the same length, but my thought is it would encourage people to change their passwords more often since there'd be less friction involved in doing so.

EDIT: I should note that a password manager is a far better idea. But for places where that's not practical (OS login, or the password to your password database), I feel this might be useful.

EDIT ALSO: While I like the XKCD idea in theory, I think it sucks in practice. You're typing four words without the benefit of screen feedback, so typos are more likely, plus it takes a relatively long time to type them.

vph14y ago

People are not idiots. Those who say we are just don't understand how human behaves. You expect most people will remember a 8-letter random strings consisting of letters, numbers and underscore?

WalterSear14y ago

>analyzed the password strength of about 70 million Yahoo users.

Ahem.

j / k navigate · click thread line to collapse