Weak passwords are everywhere claims online security researcher

Most passwords are weak, but younger computer users pick passwords half the strength of those chosen by over-55s, says the largest-ever study of password security.

Security researchers who compared 70 million Yahoo users’ passwords to their age, nationality and online histories found that it’s very hard to make people choose strong passwords.

Registering for online payments, visual password strength warnings and even choosing a new password if you know it’s been compromised make very little difference to its strength.

The least-guessable passwords were found among users who actively changed their passwords or log in from many different locations.

Cambridge University IT security researcher Joseph Bonneau said: “Passwords have been argued to be ‘secure enough’ for the web with users rationally choosing weak passwords for accounts of little importance.

“These results may undermine this explanation as user choice does not vary greatly with changing security concerns as would be expected if weak passwords arose primarily due to user apathy.

“This may indicate an underlying problem with passwords that users aren’t willing or able to manage how difficult their passwords are to guess.

“We are yet to see compelling evidence that motivated users can choose passwords which resist guessing by a capable attacker.”

Bonneau was able to examine the Yahoo users’ passwords and users’ histories without seeing their names or Yahoo IDs.

Worldwide, the weakest passwords are chosen by Indonesian users, while the strongest are picked by Germans and Koreans.

Regular password changes are only effective if users choose to do them – forced changes lead to passwords just as weak as the ones they had before.

Password strength is rated in bits: a one-bit password has a 50 per cent chance of being guessed on the first attempt, and each additional bit doubles the number of guesses an attacker needs.

A randomly chosen six-character password mixing numbers with upper- and lower-case letters should have 32 bits of security, needing more than four billion attempts to guess it.

Bonneau’s research found the average password has less than 10 bits of security against online attacks, so it would take less than 1,000 guesses to crack – seconds of work for automated hacking software. 
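To make the bit arithmetic above concrete, here is an added example in Python (not code from the article or from Bonneau’s study): it converts a keyspace to bits and back, and, on a small constructed sample of password choices, counts how many most-popular-first guesses an attacker needs to hit a given share of accounts, which is the sense in which a weak password is "10 bits" even when it is six characters long. The sample data and function names are my own.

```python
import math
from collections import Counter


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Bits of security of a uniformly random password: log2 of its keyspace."""
    return length * math.log2(alphabet_size)


def guesses_for_bits(bits: float) -> int:
    """Guesses needed to exhaust a keyspace of the given size in bits."""
    return math.ceil(2 ** bits)


def guesses_to_compromise(passwords, fraction):
    """Guesses an attacker who tries the most common choices first needs to
    break at least `fraction` of the accounts in `passwords`; returns the
    guess count and the same figure as bits (log2 of the guess count)."""
    ranked = Counter(passwords).most_common()
    target = fraction * len(passwords)
    covered = 0
    for guesses, (_, n) in enumerate(ranked, start=1):
        covered += n
        if covered >= target:
            return guesses, math.log2(guesses)
    return len(ranked), math.log2(len(ranked))


def fraction_compromised(passwords, budget):
    """Share of accounts an attacker with a fixed guess budget (e.g. what an
    online rate limit allows) breaks by trying the `budget` most common ones."""
    ranked = Counter(passwords).most_common(budget)
    return sum(n for _, n in ranked) / len(passwords)


# Constructed sample: 1,000 accounts, a few very popular choices plus 200
# unique ones. Not real data; skewed like real leaks, but far smaller.
SAMPLE = (["123456"] * 300 + ["password"] * 200 + ["qwerty"] * 150
          + ["abc123"] * 100 + ["letmein"] * 50
          + [f"unique{i}" for i in range(200)])

if __name__ == "__main__":
    print(f"random 6-digit PIN: {random_password_bits(10, 6):.1f} bits")
    print(f"32 bits = {guesses_for_bits(32):,} guesses")
    g, b = guesses_to_compromise(SAMPLE, 0.5)
    print(f"half the sample falls within {g} guesses ({b:.1f} bits)")
    print(f"1,000 guesses break {fraction_compromised(SAMPLE, 1000):.0%}")
```

On the sample, half the accounts fall within two guesses (one bit), which is why a skewed distribution of human choices gives far fewer effective bits than the password length suggests.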

Image: Richard Parmiter / Flickr