A massive study of the passwords people choose came to a conclusion that shouldn’t surprise anyone who works in IT: Password security is not a priority for users.
In the largest ever study of password security, Joseph Bonneau of the University of Cambridge analyzed the passwords of 70 million Yahoo! users.
Age made a big difference in the strength of the passwords chosen, with younger users being more lax about password security. In fact, users over the age of 55 chose passwords that were twice as strong as those of folks under 25, according to the research.
That doesn’t necessarily mean those older users are choosing highly secure passwords — the study found that password security is much lower than it should be, regardless of users’ age.
The research also compared users across different geographic areas and languages. The conclusion: No matter what country people are from or what native tongue they speak, they’re still choosing passwords that don’t require much effort for hackers to crack.
On average, Bonneau found, users choose passwords that offer less than 10 bits of security against online attacks — meaning hackers could try all possible password combinations in 1,000 attempts. Given the technology available to cybercriminals today, that’s not very difficult to do.
Even potential financial damage doesn’t appear to be enough to convince users that password security is important — users that had credit card information stored in their Yahoo! accounts were not very much more likely to use strong passwords than those who did not.
What’s the best way to increase password security for user accounts? Bonneau suggests assigning people randomly chosen nine-digit numbers. While those aren’t as secure as passwords made up of numbers, letters and special characters, they would still be, on average, 1,000 times more secure than user-chosen passwords, which are often easily guessable strings such as “12345″ or “password.”
Also, those number sequences would be easy to memorize, Bonneau says — people can remember phone numbers, so they should be able to remember a nine-number password.
To learn more, download Bonnueau’s report here.