Online passwords are insecure: study

Apr 03, 2012

Online passwords are so insecure that one per cent can be cracked within 10 guesses, according to the largest ever sample analysis.

The research was carried out by Gates Cambridge scholar Joseph Bonneau and will be presented at a conference held under the auspices of the Institute of Electrical and Electronics Engineers in May.

Bonneau was given access to 70 million anonymous passwords through ! – the biggest sample to date – and, using statistical guessing metrics, trawled them for information, including demographic information and site usage characteristics.

He found that for all demographic groups password security was low, even where people had to register to pay by a debit or credit card. Proactive measures to prompt people to consider more secure passwords did not make any significant difference.

There was some variation, however. Older users tended to have stronger online passwords than their younger counterparts. German and Korean speakers also had passwords which were more difficult to crack, while Indonesian-speaking users’ passwords were the least secure.

Even people who had had their accounts hacked did not opt for passwords which were significantly more secure.

The main finding, however, was that passwords in general only contain between 10 and 20 bits of security against an online or offline attack.

Bonneau, whose research was featured in The Economist, concludes that there is no evidence that people, however motivated, will choose passwords that a capable attacker cannot crack. “This may indicate an underlying problem with passwords that users aren’t willing or able to manage how difficult their are to guess,” he says.

Explore further: Fitbit to Schumer: We don't sell personal data

add to favorites email to friend print save as pdf

Related Stories

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Facebook adds 'app' passwords to site security

Oct 27, 2011

Facebook is ramping up security by giving people the option of setting passwords for games or other third-party applications added to pages at the leading online social network.

Large-scale data theft fazes Finnish police

Nov 14, 2011

Finnish police on Monday called on users of online services to change their passwords after nearly 15,000 user names and passwords were stolen and published on the Internet.

Hackers claim stealing SonyPictures.com passwords

Jun 02, 2011

Hackers claimed on Thursday to have stolen more than one million passwords, email addresses and other information from SonyPictures.com in the latest cyberattack on the Japanese electronics giant.

73,000 Finnish web users' details hacked: police

Nov 28, 2011

The login details of 73,000 users of a popular Finnish family-oriented discussion forum were stolen and posted online in the latest in a series of widespread hacking attacks, police said Monday.

Recommended for you

Fitbit to Schumer: We don't sell personal data

4 hours ago

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

9 hours ago

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

Philippines makes arrests in online extortion ring

10 hours ago

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

Google to help boost Greece's tourism industry

22 hours ago

Internet giant Google will offer management courses to 3,000 tourism businesses on the island of Crete as part of an initiative to promote the sector in Greece, industry union Sete said on Thursday.

Music site SoundCloud to start paying artists

Aug 21, 2014

SoundCloud said Thursday that it will start paying artists and record companies whose music is played on the popular streaming site, a move that will bring it in line with competitors such as YouTube and Spotify.

User comments : 8

Adjust slider to filter visible comments by rank

Display comments: newest first

Aloken
5 / 5 (6) Apr 03, 2012
'This may indicate an underlying problem with passwords that users arent willing or able to manage how difficult their passwords are to guess'

Or they simply choose passwords they can remember. Secure passwords are much harder to recall and people expect convenience out of technology, not hassle.

On a slightly offtopic note:

'German and Korean speakers also had passwords which were more difficult to crack'

Thats no surprise, example below.

password: pen

English: Pen
German: Kugelschreiber
Lurker2358
not rated yet Apr 03, 2012
Or they simply choose passwords they can remember


This.

Even people with allegedly above average memories can't normally memorize a large string of "randomized" characters and numbers, then if you have to write down your password you run into problems: losing your password, if you can't remember, may mean you're locked out of your own account, or it may mean someone else gains access without you knowing.

then, if you have multiple sites you visit all the time, you get where you have to keep a file folder or a text file on your computer or off the computer, in case the computer breaks down, to keep track of your user names and passwords.

It's happened to me a couple times even on important sites, where I just flat out forgot both my user name and password, and I supposedly have an much above average memory....

And yeah, foreign languages tend to have much longer word forms in many cases as compared to English, so that's probably all the study is picking up on.
dschlink
not rated yet Apr 03, 2012
I have six screenshots worth of logins and passwords. I broke 200 years ago. No way can I remember them all.
nanotech_republika_pl
not rated yet Apr 03, 2012
So what are those 10 guesses? What is the link to the paper?
nanotech_republika_pl
5 / 5 (2) Apr 03, 2012
Here is an article with a file listing "10,000 Most Common Passwords with Frequency"

http://xato.net/p...asswords

Luckly I don't see one my silly passwords there.
Blakut
5 / 5 (1) Apr 04, 2012
A good password doesn't have to be randomized.
Example 1: $@#REW seems like a strong password? Wrong, it's only 6 characters long, can be cracked by brute force in a matter of minutes.
Example2: IHave226bananasinmypockets. crack that.
CardacianNeverid
5 / 5 (1) Apr 04, 2012
IHave226bananasinmypockets. crack that -Blakut

Okay. Is it IHave226bananasinmypockets?
gwrede
not rated yet Apr 08, 2012
It's interesting how these password lists are all over the place. One would think that a good site would never even store the password itself, but only a hash of it.