Security sophisticates tend to be plenty cynical about “typical users” – especially when it comes to choosing strong passwords. But, according to computer security researchers at CyLab, Carnegie Mellon’s Security and Privacy Institute, ordinary users aren’t quite as dumb as advertised. And their misunderstandings fall into just four specific categories. That’s actually a pretty manageable amount of education.
CyLab’s methodology: show people pairs of passwords and ask which one is more secure. Then compare their answers with how many guesses today’s most common password-cracking approaches would actually need to recover each password. Overall, out of 75 pairs, participants averaged 59 right. That’s 79%: practically a “B.”
Granted, CyLab’s 165-user sample might be slightly more technical than your average bears: they were recruited online via Amazon’s Mechanical Turk system. And CyLab isn’t saying they do all this good stuff – just that they know they should. But still… these results aren’t terrible.
CyLab’s respondents knew passwords are more secure when you:
- Capitalize the middle of words rather than the beginning
- Place digits and symbols in the middle rather than the end
- Use random digit sequences instead of obvious ones, like years
- Choose words other than common first names
- Avoid words that are personal to you, like your child’s name
- Avoid words that are obviously related to the site or account you’re trying to protect
Of course, they still got 21% wrong. That leaves plenty of holes for crackers to climb through. So, what were their big misconceptions?
- Participants thought that adding digits makes a password more secure than using only letters. Nope: crackers know that users often stick numbers at the end, so “brooklynqy” is more secure than “brooklyn16.”
- Participants thought merely swapping in digits made passwords far more secure. Nope: Password crackers “exploit users’ tendency to make predictable substitutions,” so “punk4life” isn’t stronger than “punkforlife.”
- Participants overestimated the security of keyboard patterns. Nope again: Today’s password crackers quickly search common keyboard patterns like “qwertyuiop,” as well as other common patterns – not only words.
- Participants misjudged the popularity of particular words and phrases. According to CyLab, for example, users thought “ieatkale88” and “iloveyou88” were equally secure. Not so: password crackers need about a billion times more guesses to reach “ieatkale88,” because “iloveyou” is itself one of the most common passwords and “ilove…” one of the most common ways to start one. It’s often more secure to choose a single rare word than a phrase incorporating “iloveyou” or “ilove.” Love-infused passwords are ridiculously common… which is actually sort of sweet if you’re not responsible for site security.
What might help users overcome flawed password strategies? According to the study’s authors:
A promising direction to help users better evaluate their passwords relative to common practices is through targeted, data-driven feedback during password creation. Current password-strength meters only tell users if a password is weak or strong, not why.
Future work in this area could build on a recent study that showed users likely “autocompletions” of the partial password they had typed… [and] could build on research using motivational statements or peer pressure to ‘nudge’ users to create stronger passwords.
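As an added, runnable illustration of the patterns listed above and of the “say why, not just whether” feedback the study’s authors call for (example code written for this page, not CyLab’s model or its data): a small Python checker that flags the same predictable habits a cracker’s guessing model tries first, including the idea of blocking the most common passwords. The dictionary, name list and common-password set are constructed toy stand-ins for the full lists a real checker would load, and the scoring (a count of flagged patterns) is a simplification of the study’s guess-number estimates.

```python
import re
from typing import List, Optional

# Constructed toy data for this example. A real checker would load the 10,000
# most common passwords from a breach-derived list and a full wordlist; these
# small sets only let the example run offline.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "letmein", "monkey"}
DICTIONARY = {"i", "eat", "kale", "love", "you", "punk", "for", "life",
              "brooklyn", "password", "monkey", "summer", "michael"}
COMMON_FIRST_NAMES = {"michael", "jessica", "ashley", "daniel", "emily"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Substitutions that crackers undo: character-level "leet" and digit-for-word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
DIGIT_WORDS = {"2": "to", "4": "for", "8": "ate"}


def segments(text: str) -> Optional[List[str]]:
    """Split text into dictionary words if it consists entirely of them, else None."""
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in DICTIONARY:
                best[end] = best[start] + [text[start:end]]
                break
    return best[len(text)]


def keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len adjacent keys from one keyboard row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def weaknesses(pw: str) -> List[str]:
    """Predictable patterns a cracker's guessing model exploits; empty list means none found."""
    reasons = []
    lower = pw.lower()
    stem = re.sub(r"\d+$", "", lower)            # the password minus any trailing digits
    if lower in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        reasons.append("common password (possibly with digits appended)")
    if re.fullmatch(r"\D+\d{1,4}", pw):
        reasons.append("digits only at the end")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        reasons.append("capital letter only at the start")
    if keyboard_run(pw):
        reasons.append("keyboard pattern")
    if lower.startswith("ilove"):
        reasons.append("starts with 'ilove'")
    # Try the stem as typed, with leet undone, and with digits read as words.
    for form in (stem, stem.translate(LEET), "".join(DIGIT_WORDS.get(c, c) for c in stem)):
        words = segments(form)
        if words:
            reasons.append("dictionary words after undoing substitutions: " + "+".join(words))
            if any(w in COMMON_FIRST_NAMES for w in words):
                reasons.append("contains a common first name")
            break
    return reasons


def more_secure(a: str, b: str) -> Optional[str]:
    """The member of the pair with fewer exploitable patterns, or None if they tie."""
    wa, wb = len(weaknesses(a)), len(weaknesses(b))
    if wa == wb:
        return None
    return a if wa < wb else b


def explain(pw: str) -> str:
    """Data-driven feedback: say why a password is weak, not just that it is."""
    reasons = weaknesses(pw)
    if not reasons:
        return "no common cracking pattern detected"
    return "avoid: " + "; ".join(reasons)


if __name__ == "__main__":
    for pair in [("brooklynqy", "brooklyn16"), ("punk4life", "punkforlife"),
                 ("ieatkale88", "iloveyou88"), ("Summer2016", "SuMm3r!x")]:
        print(pair, "->", more_secure(*pair) or "tie")
        for pw in pair:
            print("   ", pw, ":", explain(pw))
```

Run it and each pair prints the side the checker prefers plus the reasons: “brooklynqy” beats “brooklyn16” because the latter is a dictionary word with digits appended, “punk4life” ties with “punkforlife” because undoing the 4-for-“for” substitution leaves the same three words, and “iloveyou88” loses to “ieatkale88” on the blocklist hit and the “ilove” prefix. A production meter would swap the pattern count for a guess-number estimate from a trained model and the toy sets for full lists, but the shape of the feedback (each reason named) is the point.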
Mark Stockley
A simpler thing that companies can do is to stop users choosing one of the 10,000 most popular passwords. This was a recommendation that came out of Microsoft Research and one they’ve since adopted on at least some of their online platforms.
Personally I’m not ready to give users a grade B. It so happens that I end up being given a lot of passwords by small businesses, and their password selections and password hygiene are generally terrible.
Apart from the small size and self-selecting nature of the audience, I’m skeptical that choosing poor passwords from a selection created by somebody else is strongly related to generating your own strong passwords (although I’m not a neurologist).
Jim
Agreed. Just because someone can RECOGNIZE a good password does not mean that s/he USES good passwords.
Andrew Ludgate
I think they get a B on “identifying which password is stronger” — but the refrain I hear again and again is “but I don’t need a strong password for this, it’s only….” People tend to use stronger passwords for online banking and for services they pay to use. Unfortunately, they often use medium-strength passwords for free sites like webmail. And they often use glaringly obvious passwords for “registration required” sites, which on the face of it seems fine, but results in potential identity/data theft nonetheless. And what happens when the service you use becomes more valuable to you?
Matt
It’s almost depressing how often I link this article. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
And even that, this whole “strong password” nonsense is, well, nonsense. They don’t exist anymore. Schneier’s article helps you avoid dictionary attacks, but who cares? A brute force attack against MD5 can test every password 6 characters or fewer in about 40 seconds. And while it’s slower for SHA-1, not slow enough.
In fact, if you pony up the dough for any number of ways to get massive parallelism, even SHA-256 and SHA-512 don’t offer a lot of protection. Point is, brute forcing hashes, especially all the ones commonly used today, is easy and salts only add to the length of the text. Which means that even if salting the hash works now, it probably won’t help in the future. Unless your password is being stored in a BCrypt, or BCrypt-like, fashion your password can look like line noise on a modem and still fall to a brute-force attack.
Mark Stockley
Strong passwords aren’t nonsense, using MD5 or SHA-* hashes to store passwords is.
Serious Security: How to store your users’ passwords safely.
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
Do we really need strong passwords?
https://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/
Faeroe Reinard
The issue isn’t password complexity, it’s password length.
A salted hash of a 16+ character password is going to be extremely difficult to brute force. Then you just need to create an easy to remember phrase that is unique and won’t show up in a dictionary.
Most likely, your password age will expire before a good cracking machine will be able to crack it.
Scott McEwan
What irritates me a lot is for those of us who WANT to use strong secure passwords there are still plenty of sites out there that don’t offer that ability… even some that use simple pin codes!
Tattooed Mummy
Being told a password is too long or can only contain letters and numbers really irritates me.
Nice tip re the ‘ILOVE’ thing though. I ‘might’ have fallen foul of that in a 30-character sentence password (off to change it now).
Andrew Ludgate
Something I’ve begun to realize is that if a site tells you your password is too long or can only contain letters and numbers, they’re not storing the password securely. Industry standards recommend storing the data as a salted strong hash. Salted strong hashes don’t care how long the input value is, and they don’t care what characters are input; you could even use non-ASCII characters and they should be OK. Thus, the restrictions are there because they’re putting cleartext passwords into a database somewhere that won’t function correctly with values outside the parameters, which means they’re also not doing proper field validation on the DB side and are leaving it up to the input interface. More bad security.
So please do what I’ve started doing, and whenever you visit a site like this, send them a nice note asking them why the restrictions are in place, and would they please improve their password storage security so you can feel comfortable using their site. Surprisingly, this polite response has resulted in improved practices on a number of sites for me.
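The thread above argues about fast hashes (MD5, SHA-*) versus salted, deliberately slow bcrypt-style storage, and about whether a salted hash cares about input length or character set. The following Python is an added example written for this page, not code from any of the commenters or from Sophos. It uses the standard library’s PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) in place of bcrypt, with the iteration count taken from OWASP’s Password Storage Cheat Sheet; the “precomputed” MD5 table is a constructed four-entry stand-in for a real dictionary or rainbow table, and the stored-string format (pbkdf2_sha256$iterations$salt$hash) is this example’s own convention.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed stand-in for a cracker's precomputed table: MD5 of a few common
# passwords. With unsalted hashes one such table cracks every user at once.
PRECOMPUTED_MD5 = {hashlib.md5(p.encode("utf-8")).hexdigest(): p
                   for p in ["123456", "password", "iloveyou", "qwerty"]}

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 (2023).
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """The weak scheme the comments criticise: one fast, unsalted hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(digest: str) -> Optional[str]:
    """A table lookup is all it takes against an unsalted fast hash."""
    return PRECOMPUTED_MD5.get(digest)


def kdf_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow storage: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(16)                        # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(hash_fn: Callable[[str], str], guesses: int = 200) -> float:
    """Rough single-core rate: how many candidate passwords hash_fn can test per second."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}")
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    digest = md5_store("iloveyou")
    print("MD5 of 'iloveyou':", digest, "-> cracked as", crack_md5(digest))
    # Same password for two users: different salts, so no shared table and no
    # tell-tale identical hashes in the database.
    print(kdf_store("iloveyou"))
    print(kdf_store("iloveyou"))
    # A 120-character passphrase with non-ASCII characters is fine: the KDF
    # hashes bytes of any length, so the site has no storage reason to cap it.
    long_pw = "correct horse battery staple " * 4 + "ñ€✓"
    assert kdf_verify(long_pw, kdf_store(long_pw))
    print("MD5 guesses/s:", round(guesses_per_second(md5_store)))
    print("PBKDF2 guesses/s:", round(guesses_per_second(kdf_store, 5), 1))
```

The per-password random salt means two users who both chose “iloveyou” get different stored strings, so a cracker cannot reuse one precomputed table across the whole user table, and the work factor makes each guess orders of magnitude slower than MD5 (run the script to see the two rates on your own machine). One caveat to the “salted hashes don’t care about length” point: bcrypt specifically truncates its input at 72 bytes, so a site that uses bcrypt must either pre-hash long passphrases or pick PBKDF2, scrypt or Argon2, none of which has that limit.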
Anonymous
Really good.