Joseph Bonneau, a computer scientist at the University of Cambridge, recently analyzed the passwords of nearly 70 million Yahoo! users. http://www.newscientist.com/article/dn21871-over55s-pick-passwords-twice-as-secure-as-teenagers.html.
And while technophiles may look down on those who use a pedestrian service like Yahoo! (“Who doesn’t use Gmail?”), the findings are still pretty interesting because Bonneau had unprecedented access to the passwords. Most other studies like this are based on leaked databases, which are most likely incomplete and/or compromised. Apparently Yahoo! applied a hashing technique (way beyond my understanding) so that Bonneau never had access to individual accounts or plaintext passwords, but he was still able to calculate password strength for different demographic groups and compare the results. Results included:
- People over the age of 55 pick passwords that are twice as strong as those picked by people under 25
- Most of us (regardless of age) don’t pick passwords that are nearly strong enough
- Most user-generated passwords have only about 10 bits of security (more on that below)
- Germans and Koreans chose the strongest passwords.
- Indonesians chose the weakest
- People who change their password regularly tend to select the strongest ones
A few other common-sense rules can help steer you away from trouble: don’t use anything that contains your user name, your real name, or your company name, and don’t use a complete dictionary word. Also, when changing a password, don’t just change one number; an attacker who learns the old password will try the old one with a different digit first, so make the new one significantly different.
Strength in Numbers
Password strength is measured in bits, and each additional bit halves an attacker’s chance of guessing right on any given try. Without getting into the math, every bit you add doubles the number of guesses needed. Imagine flipping a coin 16 times and writing down the sequence of heads and tails. Now imagine how many times you’d have to flip that same coin again to reproduce the exact same 16-flip sequence by chance: about 65,000 tries on average, since there are 2^16 = 65,536 possible sequences. That’s how long it would take to break an
As mentioned above, the study found that most user-chosen passwords offer only about 10 bits of security against online guessing. Ten bits is 2^10 = 1,024, so an attacker who can make roughly 1,000 guesses against a login form has a good chance of getting in. Against offline attacks, where an attacker holding a stolen hash database can try millions of guesses, the same passwords offered only around 20 bits, roughly a million candidates.
In contrast, a randomly chosen six-character password drawn from digits and upper and lower case letters (62 symbols) offers about 36 bits of security (log2 of 62^6 is 35.7); with only lower case letters and digits (36 symbols) it is about 31 bits. Either way, that beats a typical user-chosen password by 20 bits or more, but only because the characters are chosen at random rather than by a person. The author of the study suggests that we should all use nine-character passwords (nine random characters from those 62 symbols come to about 54 bits). We can remember phone numbers, he says, so why not passwords?
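The arithmetic behind those figures, as an added example that is not part of the original post: bits of a random password are length times log2(alphabet size), and a guess budget of N attempts is worth log2(N) bits. The guess rates below are assumptions for illustration, not numbers from the study, and the formula applies only to passwords whose characters are actually chosen at random, which is why a user-chosen password of the same length scores far lower.

```python
import math

# Guess rates are assumptions for illustration, not figures from the study:
# a throttled web login might allow on the order of 1,000 guesses per second
# across many IPs; an offline attacker with a stolen hash database and GPUs
# can manage a billion or more per second against a fast, unsalted hash.
ONLINE_RATE = 1_000
OFFLINE_RATE = 1_000_000_000


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random:
    length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def bits_for_guesses(guesses: float) -> float:
    """Security level (in bits) equivalent to a search space of `guesses`."""
    return math.log2(guesses)


def search_space(bits: float) -> float:
    """Number of candidates an attacker must be prepared to try."""
    return 2.0 ** bits


def expected_seconds(bits: float, rate: float) -> float:
    """Average time to hit the password at `rate` guesses per second.
    On average the attacker succeeds after searching half the space."""
    return search_space(bits) / 2 / rate


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Shortest random password from this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def human(seconds: float) -> str:
    """Rough, human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    cases = [
        ("typical user-chosen (online estimate)", 10.0),
        ("typical user-chosen (offline estimate)", 20.0),
        ("6 random lowercase+digits (36 symbols)", random_password_bits(36, 6)),
        ("6 random mixed-case+digits (62 symbols)", random_password_bits(62, 6)),
        ("9 random mixed-case+digits (62 symbols)", random_password_bits(62, 9)),
        ("9 random printable ASCII (95 symbols)", random_password_bits(95, 9)),
    ]
    print(f"{'password':42} {'bits':>5} {'online':>16} {'offline':>16}")
    for name, bits in cases:
        print(f"{name:42} {bits:5.1f} "
              f"{human(expected_seconds(bits, ONLINE_RATE)):>16} "
              f"{human(expected_seconds(bits, OFFLINE_RATE)):>16}")
    print("1,000 guesses is worth about", round(bits_for_guesses(1000), 2), "bits")
    print("random length needed for 50 bits from 62 symbols:", length_needed(62, 50))
```

Run it and the 10-bit row falls in well under a second even at the throttled online rate, while the nine-character random row takes months at a billion guesses per second; the gap between rows is what “adding bits” buys you.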
5 Tips for Juicing up your Passwords
- Use the whole keyboard if you can. Combine letters (capital and lower case), numbers, and symbols. A standard keyboard has about 47 character keys, each with a shifted variant, so the alphabet you are drawing from grows to roughly 95 printable characters instead of 26 or 36.
- Substitute symbols for letters or numbers. It’s a simple thing: use $ instead of an S, a 1 instead of an I, @ instead of an A. If you usually use your anniversary, then make May1294 into M@OneTwo94#. One caveat: password-cracking tools apply exactly these substitutions automatically through mangling rules, so a substituted dictionary word or date is only a little harder to guess than the original. The substitutions help, but they are no replacement for length and unpredictability.
- There is always the danger of using something someone might guess (like your anniversary), so use something you already remember that isn’t personally identifying. How about your best friend in high school’s phone number (524-7185) combined with your favorite radio station growing up (WXKS)? 5two4WxK$
- Abbreviate a song or poem: Hd$on1w = “Humpty Dumpty Sat on a Wall”, or Ni4thaDEa! = “...No info for the DEA!” (from “Mo Money Mo Problems”).
- Bullet-proof your security questions, too: “Where did you go to high school?” is a bad choice if the answer is listed on your Facebook profile. The same goes for “What’s your mother’s maiden name?” or your favorite food. Sometimes these are your only options, so answer them with something unrelated: make your high school your favorite car (“Porche911#”) or make your mother’s maiden name your favorite movie (“St@rWars1977”). Just keep track of which made-up answer goes with which question, since a wrong answer locks you out of account recovery.
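To see why the substitution tip adds less than it seems, here is an added example (not from the original post) that does what a rule-based cracker does: take a base word, apply every subset of a small substitution table, vary the case, and tack on a number. The substitution table, suffix list and sample wordlist are assumptions constructed for the example; real rule sets for Hashcat or John the Ripper are much larger, so the counts here are a lower bound.

```python
import itertools
import math

# A small substitution table, assumed for this example; real cracking rule
# sets cover far more swaps than this.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Suffixes people commonly bolt on: nothing, or a one- or two-digit number.
SUFFIXES = ("",) + tuple(str(n) for n in range(100))


def leet_variants(word: str, subs: dict = LEET) -> set:
    """Every way of applying any subset of the substitutions to `word`."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in subs]
    variants = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, mask):
            if swap:
                chars[pos] = subs[chars[pos].lower()]
        variants.add("".join(chars))
    return variants


def case_variants(word: str) -> set:
    """The three casings a cracker tries first."""
    return {word.lower(), word.upper(), word.capitalize()}


def mangled(word: str, subs: dict = LEET, suffixes=SUFFIXES) -> set:
    """All candidates a rule-based cracker derives from one base word."""
    return {v + s
            for c in case_variants(word)
            for v in leet_variants(c, subs)
            for s in suffixes}


def bits_added(word: str, subs: dict = LEET, suffixes=SUFFIXES) -> float:
    """How many bits the whole mangling step adds on top of guessing the word."""
    return math.log2(len(mangled(word, subs, suffixes)))


def base_word_of(candidate: str, wordlist, subs: dict = LEET, suffixes=SUFFIXES):
    """Return the dictionary word `candidate` was derived from, or None if
    no word in the list mangles into it."""
    for word in wordlist:
        if candidate in mangled(word, subs, suffixes):
            return word
    return None


if __name__ == "__main__":
    wordlist = ["password", "letmein", "welcome", "dragon"]  # constructed sample
    for pw in ["p@$$w0rd", "Dr@gon99", "L3tMe1n!", "5two4WxK$"]:
        print(f"{pw:12} -> {base_word_of(pw, wordlist)}")
    print("leet variants of 'password':", len(leet_variants("password")))
    print("all mangled forms of 'password':", len(mangled("password")),
          f"({bits_added('password'):.1f} bits on top of the word itself)")
```

For “password” there are four substitutable letters, so only 16 leet variants; with three casings and a numeric suffix the whole mangling step yields 4,848 candidates, about 12 bits, and a cracker walks through all of them in a fraction of a second. The two phone-number-and-call-sign style passwords from the tips above come back as None because they are not derived from a dictionary word at all, which is the property that actually matters.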
If all that fails, just do what we all do and write it on a sticky note and tape it to your desk.