The password conundrum
By Alon Nir
0. Intro
Sometimes interesting opportunities emerge from unfavorable situations. The tense diplomatic atmosphere between Israel and Turkey in the past couple of months brought on a cyber-attack from the Turkish side. A major Israeli apartment-listing website was hacked, and so was Pizza Hut’s local website. The credentials of over 100,000 user accounts (roughly 2% of internet users in the country) were revealed and published on dubious Turkish forums. Naturally, it wasn’t long before these lucrative spreadsheets, containing usernames, email addresses and passwords, became so widespread that anyone with basic googling abilities could find them. One person who got his hands on these files comes from a profession no less defamed than computer hacking. You guessed it: an economist. Me.
I took a look at the spreadsheets and after some basic analysis I was left with a few interesting insights. The data reveal the extent to which people fail to think creatively and incorporate even a touch of randomness in their username and password selection.
1. Popular Passwords
My analysis focused on a spreadsheet containing 31,588 users of the above-mentioned apartment-listing website. I chose it because that website was (evidently) particularly lenient in the registration process and didn’t even restrict the choice of password. A one-digit password? Not a problem. This leniency probably isn’t the best security policy the website could adopt, but it is valuable for our analysis, since it shows what people do when they are unconstrained.
15,820 of these 31,588 registered users (slightly over 50%!) used their email address as their username. Furthermore, 675 people (over 2%) picked their phone number as a username. Neither choice is considered very secure, since phone numbers, and email addresses in particular, are easy to find out. The username is the public half of the credential pair, so the more damaging consequence is the one discussed below: an email address together with its password is exactly what is needed to try the same login at the email provider.
While these two bits of information give an indication on lack of creativity on the users’ part, the really interesting discovery is their selection of passwords.
The most common password was 123456 (584 users), with 1234 as the runner-up (569) and 12345 coming in third (388). All in all, 1,786 passwords (5.65%!) consisted of consecutive increasing numerals. This means that one person in 18 didn’t muster the cognitive capacity to generate a password more intricate than 1234 and the like.
788 people (roughly 2.5%, or one in forty people) chose a password identical to their username.
417 people (1.32%) chose a password consisting of identical digits (e.g. 1111).
Keyboard patterns were ubiquitous, horizontal ones in particular: on top of the 1,786 ‘123X’ passwords mentioned above, 123 passwords began with ‘qwe’ (including 25 instances of ‘qwerty’), 41 with ‘asd’, and 31 with ‘zxc’. It is interesting to see how the frequency of these patterns falls as we move to a lower row of the keyboard. A similar distribution appears for vertical lines on the keyboard, though the frequency is substantially lower (‘1qaz’ and ‘qaz’ make up 83 observations combined).
48 passwords began with ‘abc’ (e.g. ‘abcdef’, ‘abc123’, etc.).
And finally, 69 passwords had variants of the actual word ‘password’, with no less than 29 exact matches.
What’s more interesting is that, using this information, diligent mischief-makers broke into tens of thousands of email and Facebook accounts, which indicates that a high percentage of the people in our sample use the same (trivial) password on different websites. It also refutes the argument that people carelessly entered an easy password because they didn’t care much about their account on that particular website.
Lastly, I looked at the spreadsheet with Pizza Hut’s user credentials, hoping something would catch my eye and help me gain a better insight into password selection. I didn’t have to look for long: roughly 200 people (out of around 70K accounts, I must mention) chose ‘pizza’ or something similar as their password. This got me thinking, and I suspect that password selection might be influenced by cognitive availability. I went back to the original data and found that 89 users had the name of the website as part of their password. Other passwords (though much rarer) were nouns like ‘coffee’ and brand names like ‘samsung’, ‘acer’, ‘cocacola’, ‘nokia’ and others, all of which can be attributed to physical objects right in front of the user’s eyes or in his hand. Add this to the 2,000 or so patterned passwords I mentioned earlier (visual availability on the keyboard), and you get a plausible explanation, in my view.
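As an added example (not part of the original post, and not run over its data), here is a Python script that tallies the same weak-password categories over a constructed list of username/password pairs. The US QWERTY layout, the site name argument and the sample records are assumptions made for the demonstration. It generalizes the post’s checks slightly: any three physically adjacent keys at the start of a password count as a keyboard run, not only ‘qwe’, ‘asd’, ‘zxc’ and ‘1qaz’.

```python
"""Tally of weak-password patterns, in the categories the post reports."""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# US QWERTY layout (an assumption; the post does not say which layout the
# leaked users typed on). Pure-digit runs such as 123456 are caught by the
# digit checks before the keyboard check sees them.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
QWERTY_COLUMNS = ("1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p")
PASSWORD_WORD = re.compile(r"p[a@4]ss?w[o0]rd")   # password, p4ssword, passw0rd, ...


def is_ascending_digits(pw: str) -> bool:
    """'1234', '12345', '123456': all digits, each one more than the last."""
    return len(pw) >= 3 and pw.isdigit() and all(
        int(b) - int(a) == 1 for a, b in zip(pw, pw[1:]))


def is_repeated_digit(pw: str) -> bool:
    """'1111', '000000': one digit repeated."""
    return len(pw) >= 3 and pw.isdigit() and len(set(pw)) == 1


def keyboard_run(pw: str) -> Optional[str]:
    """'row' or 'column' when the first three characters are physically
    adjacent keys ('qwe', 'asd', 'zxc', 'qaz', '1qa', ...), else None."""
    head = pw.lower()[:3]
    if len(head) < 3:
        return None
    if any(head in row for row in QWERTY_ROWS):
        return "row"
    if any(head in col for col in QWERTY_COLUMNS):
        return "column"
    return None


def classify(username: str, password: str, site: str) -> Optional[str]:
    """First matching weak category, tested in the order the post lists them."""
    pw = password.lower()
    if is_ascending_digits(password):
        return "ascending digits"
    if is_repeated_digit(password):
        return "repeated digit"
    if pw == username.lower():
        return "same as username"
    run = keyboard_run(password)
    if run:
        return f"keyboard {run}"
    if pw.startswith("abc"):
        return "abc..."
    if PASSWORD_WORD.search(pw):
        return "'password' variant"
    if site.lower() in pw:
        return "site name"
    return None


def tally(records: Iterable[Tuple[str, str]], site: str):
    """Count each weak category over (username, password) pairs; return the
    Counter and the share of records that matched any category."""
    records = list(records)
    counts = Counter()
    for user, pw in records:
        label = classify(user, pw, site)
        if label:
            counts[label] += 1
    return counts, sum(counts.values()) / len(records)


# Constructed sample for this example; these are not rows from the leaked files.
SAMPLE = [
    ("dana@example.com", "123456"),
    ("yossi@example.com", "1234"),
    ("0501234567", "0501234567"),
    ("liat@example.com", "1111"),
    ("omer@example.com", "qwerty"),
    ("tal@example.com", "asd123"),
    ("noa@example.com", "1qaz2wsx"),
    ("guy@example.com", "abc123"),
    ("shir@example.com", "Password1"),
    ("roni@example.com", "pizzahut2010"),
    ("eli@example.com", "correct horse battery staple"),
    ("maya@example.com", "T7#kq9!vLm"),
]

if __name__ == "__main__":
    counts, share = tally(SAMPLE, site="pizzahut")
    for label, n in counts.most_common():
        print(f"{label:20s} {n:3d}  ({100 * n / len(SAMPLE):.1f}%)")
    print(f"weak overall: {100 * share:.1f}%")
```

The categories are tested first-match in the post’s order, so ‘123456’ is counted once as ascending digits and not again as a keyboard row; a birthday or a pet’s name, as the comments below note, passes every check and is reported as nothing, which is why a tally like this is a lower bound.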
2. Explaining the Findings
So what can account for this password picking behavior? A few possible explanations come to mind. Let me describe them by using John, an imaginary typical internet user, as an example.
One explanation is that when John first embarks on setting up a new account at a website, he knows he’ll get a blank profile when the registration process is done. Since his profile will contain no information, the ‘price’ (in terms of lost information, contacts, time, etc.) John will pay should an amicable hacker take over his account is close to zero. Hence, he is reluctant to strain himself making up, and remembering, a truly unique password.
The problem starts a while later, when John’s email box is already full of valuable correspondence, and his Facebook page is populated with hundreds of friends (including a few flirtatious Janes). Then a harder-to-guess password is of true value, but John irrationally sticks to the password he already has. It may be because he’s a terrible procrastinator, forgetful, or even due to the sunk-cost bias: in his mind John already “paid” the price (in terms of mental resources and time spent) for setting a password, and that’s why he refrains from going through the process again. As time passes the incentive to change the password becomes greater and greater, but try telling that to John.
3. Conclusion
When I first got my hands on the coveted files, I did not expect to find such interest in password selection, but the more I go over the data, and the more I think about it, the more I see the value of studying the way people choose passwords. As you can see from the above analysis, it’s an example of a decision-making problem where behavioral and cognitive processes, and biases, come into play. Since it’s a one-shot game and the decision is kept in strict confidentiality (until, of course, someone picks up on a security breach), the setting is rather simple and the observed behavior is of research value. In a way, we have here a form of natural experiment; it’s just unfortunate how the data were obtained.
If you have any other theories explaining password selection, please feel free to share them in the comments below. Don’t worry, no registration is required ….
Be careful when making this analysis. Sometimes the “cyber-attack” is just brute-forcing these passwords one-by-one, instead of breaking into the sites themselves and retrieving these passwords (indeed, many sites do not know the passwords, only a non-reversible hash of the password).
So, there could be a huge selection effect in that the passwords which were retrieved were in fact brute-forced, which means the password combinations this algorithm tried were the simple passwords. That is, a lot of users may have had complex passwords but they were not hacked, and only the ones with simplistic passwords were hacked.
Sunny – thanks for your comment, but I assure you that this wasn’t the case. This lack of security measures was the main complaint against those sites’ owners.
Saw your post on twitter…
In my experience as a web developer/system administrator, I’ve noticed people usually base password selection on something which could easily be remembered (i.e. birth dates, pet names, spouses). And also younger users tend to have a bit more complex password combinations compared to older users (40ish up). Although, in my opinion, I don’t think this trend could be attributed to age, but rather to their technology savvy. I think the more people learn about internet security/privacy, the more complex their passwords become.
Here are some links to some password strength estimators; as with all things online, trust at your own risk…
http://www.passwordmeter.com/
http://www.hackosis.com/brute-force-attack/
At passwordmeter.com:
“Tr0ub4dor&3” scores 100%
“correct horse battery staple” scores 40%
“Tr0ub4dor&3” has ~28 bits of entropy
“correct horse battery staple” has ~44 bits of entropy
A brute force attack on “correct horse battery staple” will take more than 65,000 times as long as an attack on “Tr0ub4dor&3”
The real problem with passwords is that we’re taught they need to be these ridiculous sets of random characters that are impossible to remember, but those are actually far less secure than simple easily remembered phrases.
*examples blatantly stolen from xkcd.com/936*
I use lastpass to manage all my passwords. But I do use different passwords depending on how important the account is to me. Email/Banks/commerce get very complex passwords. Forums, commenting, one time use type sites all get simple passwords.
Me too, Matthew D. Also, my “simple” password is the same for all the “simple” sites. Cheers Maddy.
Well, that’s true for you, me, and other readers here, but the fact of the matter is that many used the same passwords for their email and facebook accounts as well.
Same here. Simple passwords for ‘throw-away’ sites that I’ll never have personal information on. More complex, unique passwords for sites on which I’ll have any personal information.
The problem is that almost every website now requires some sort of log-in and password. If I want a recipe, I need to log in. If I want some news, I need to log in. If I want this or that, I need to log in. I think I must have up to 30 or more sites to keep track of…which is more cognitive overhead than I can deal with…whereas, I have less than 7 of those which actually have personal info. I can remember 7 unique passwords.
I think you’re over-analyzing the way people approach choosing their passwords. People who choose weak passwords probably give zero thought about how bad it would be for them if someone else broke into their accounts. If they were that conscientious about the registration process, they’d probably realize that the cost would be very high (at least in the case of email or bank accounts) compared to the cognitive cost of inventing* and remembering a strong password.
* When someone re-uses a password, there’s practically no invention cost.
My feeling is that the lazy view the password field an annoying formality that one has to jump through in order to start using whatever website they’re signing up for. In some cases, they’d be right; some sites have no reason to demand that people setup their own accounts. I think sites do this for tracking and marketing purposes. In those cases, accounts really have no value to account holders. This could lead people to give little weight to accounts that they setup in the future with other sites.
In any case, it’s really hard to get people to use strong passwords. Most sites know there are lots of lazy people out there are when it comes to passwords. That’s why reputable sites go through so much trouble to force people to set strong passwords and/or provide immediate feedback on the quality of a proposed password (to encourage people).
One thing that these sites did wrong (other than not having any kind of strong password policy) is to store unobfuscated passwords. Even if a hacker breaks in, there should be no way to read off people’s passwords. Unfortunately, many sites do not know how to properly obfuscate passwords, because this requires a little bit of extra knowledge about what best practices a site should have in place to protect people’s passwords.
As in the case of someone setting up a password, someone designing an authentication system for a website needs to put in extra effort to make it as strong as reasonably possible, and it’s just too easy to do things wrong. One of the things that makes this more challenging than coming up with a good password is that someone building an authentication system probably doesn’t realize where his system is more vulnerable than it should be. Practically speaking, it’s hard to fault someone for that.
Of course, if a site isn’t doing a good job of protecting passwords, the benefit of having a strong password is obviated. In that case, why bother using a strong password? This example illustrates my point perfectly. Even if I’d chosen a long password of random characters, it wouldn’t help me, because hackers can easily get around a weak security system where my strong password is stored. Unfortunately, security is one of those cases where the chain is only as strong as its weakest link. In this case, there seem to be several of them.
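Taking up the point in this comment about storing “unobfuscated” passwords, and Sunny’s note earlier that many sites hold only a non-reversible hash, the following Python is an added illustration, not code from either commenter or from the hacked sites. It stores each password as a salted, iterated PBKDF2 hash, verifies a login against that record, and then shows what a stolen copy of the hashed table yields when an attacker tries the post’s most common passwords. The account names and passwords are constructed; the iteration count follows OWASP’s current guidance for PBKDF2-HMAC-SHA256 and is an assumption about what the reader’s platform can afford.

```python
"""Salted, iterated password hashing, a login check against it, and what a
stolen copy of the hashed table gives an attacker with a short guess list."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# OWASP's current figure for PBKDF2-HMAC-SHA256; an adaptive hash such as
# Argon2id or bcrypt is preferable where a library for it is available.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a
    fresh random salt, so equal passwords do not produce equal records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; the record never reveals the password itself."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_table(accounts: Iterable[Tuple[str, str]],
                iterations: int = ITERATIONS) -> Dict[str, str]:
    """What a site that hashes properly keeps on disk: username -> record."""
    return {user: hash_password(pw, iterations) for user, pw in accounts}


def crack_table(table: Dict[str, str], guesses: List[str]) -> Dict[str, str]:
    """Offline guessing against a stolen hashed table. Only accounts whose
    password is on the guess list come back, and every attempt costs the
    attacker the full iteration count, which is the point of a slow hash."""
    recovered = {}
    for user, record in table.items():
        for guess in guesses:
            if verify_password(guess, record):
                recovered[user] = guess
                break
    return recovered


# The post's most common passwords, as an attacker's first guesses.
TOP_GUESSES = ["123456", "1234", "12345", "qwerty", "password", "1111"]

# Constructed accounts for this example; not rows from the leaked spreadsheets.
ACCOUNTS = [("dana", "123456"), ("omer", "qwerty"), ("maya", "T7#kq9!vLm")]

if __name__ == "__main__":
    plaintext_table = dict(ACCOUNTS)      # what the hacked sites effectively handed over
    hashed_table = build_table(ACCOUNTS)
    print("plaintext table leaks every password:", plaintext_table)
    print("hashed table, six guesses recover:", crack_table(hashed_table, TOP_GUESSES))
    print("login 'qwerty' for omer:", verify_password("qwerty", hashed_table["omer"]))
    print("login 'qwerty1' for omer:", verify_password("qwerty1", hashed_table["omer"]))
```

The hashed table protects maya’s random password outright, while dana and omer fall to six guesses regardless of how the site stored them. That is the trade both comments circle around: storage hygiene and password strength each cover the failure the other cannot, and a site that stores plaintext removes even the first line of defence for the users who did choose well.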
That’s a good analysis, and indeed the website had a very poor password policy & protection. However, that’s actually a good thing in our case, since it allows us to see what people really choose, without being forced to use a strong password.
I don’t think people take into account how secure the website is, nor does the average person know about securing websites. I believe people just assume that a large enough website would keep their data secured.
One thing that freaks me out is when I get email back from a site with my password in clear text. That tells me the site has no concern at all for security.
Judging from people’s comments to this blog post, many people do use stronger passwords for more important sites. Of course, readers of this blog probably aren’t a good cross-section of web users.
I think allyourcode has a point here.
Especially when analyzing user credentials on apartment-listing sites and Pizza Hut. I can imagine me putting very little or no effort into choosing strong username/password for such service.
Although it’s true that later this can become a problem if the site you are interacting with becomes filled with sensitive data. Changing a password is a must and that can be annoying.
Very interesting analysis nonetheless.
Thanks.
Not only did tens of thousands use the same passwords for email and Facebook, a true inconvenience can be caused if they lose control of their account on the mentioned sites. For instance, I believe the Pizza website has a person’s full name, address, phone number etc. on file. Not the info you’d like ominous strangers to have.
Very interesting article, it seems likely to me that people would choose a password based on something within in view or related to the site they were signing up to.
It might be interesting to test this by offering something attractive to passers-by in a mall, with the only condition that they create a simple account with you there and then. Taking only a username and password, it would be fun to do so next to vivid eye-catching things like a man in a banana suit or something out of place in a mall.
I’d expect that when having to come up with a password live, with all the extra pressure that adds, people’s choices might tend towards the bait item.
If this worked it would be interesting to experiment on reducing the bait to see how subtle you could get while still taking a good percentage of related passwords.
Another experiment could be done on a site with an extra vivid ad banner that pops up only when the customer visits the password field.
But I think adding a time pressure would help, it makes sense that when filling out a password field we’re often imposing our own time frame, wanting to get on the next stage we make the password part an obstacle rather than the focus.
I think an important reason people choose simplistic passwords is that they’re afraid they’re going to forget the more complex ones. That would explain why people use the same password on multiple websites.
Lucky us there’s Facebook Connect, Google Accounts, Yahoo, Twitter or MySpace – services that allow you to login to new websites using an API. Websites that support this API don’t require new users to choose a password.
Also found the link to your post on twitter – very good discussion here.
First I want to mention: I´m German and in Germany people heavily fear what we call “Phishing” (the hacking of PIN numbers). PIN and TAN numbers should make banking easy but make it dangerous. So most people I know do no online banking or similar at all. People here seem to be quite careful with such data.
Furthermore: Although we have that Pirate Party and try to fight Google Street View, there seems to be a growing feeling of “in the end you´re data-naked anyway” (see Facebook etc.).
And lastly: How much work will I have to put into this protection problem in the future, and is it worthwhile? We know that hackers often are highly qualified but poor (young) people somewhere out in Russia or China or somewhere else. As long as somebody is paid, as long as people do not act morally, as long as poverty is a problem even of the highly qualified, this whole carousel probably will go on and on.
Using the internet seems to be a thing where everyone must work out the use/damage balance for himself.
Passwords that are hard to hack are also hard to remember. Even people under 40 forget their passwords. As Darius cel Tulbure says (two comments above), people don’t want to have to remember a lot of different hard-to-remember passwords. They also may not realize that there’s any risk in having their Pizza Hut account hacked (other than that someone else will be getting their mediocre pizza).
Years ago, I read a short piece by an IT guy who had to check all the passwords at the company where he worked. I can’t remember all the findings, but men tended to choose self-aggrandizing words (sometimes aggrandizing not so much the self but part of the body). I wish I could find that “study” or a similar one.
Very amusing. I wonder if one reason for this is that, as I mentioned, people are also influenced in their password choice by objects they see near them.
Personally, I have a terrible memory, and I have many many user accounts on different websites. I found a way to still manage to keep everything secure despite my bad memory.
Thanks for your comment!
Weak passwords can’t happen with decent filters – the person must choose something harder to hack. If a site allows weak passwords it’s probably because it’s low stakes stuff. Banks etc. would never allow them. There are other protections to high stakes sites as well, for example – you only get 3 tries to get it right before the system shuts you out. So even if I could pick Marie369 as my password, the hacker has to guess it right in 3 tries. It tends to make a hacker look elsewhere for low hanging fruit.
Another concept: NOT all passwords are created equal. We don’t expect people to treat their Wall Street Journal or Facebook password with the same diligence as their network access. That’s why company password articles talk about a 3-tier strategy of categorizing one’s passwords. In fact we tell people certain kinds of passwords CAN BE written down – but not their network password. Sometimes we joke to make a point: if you’re smart enough to work here, you’re smart enough to memorize your network access password.
Another concept to keep people safe is understanding about password reset questions: don’t answer them honestly!
This article is a good discussion starter, but treats all passwords equally and they’re not.
It was mentioned very far down the list, but I think the “I forget” plus “three tries lockout” phenomena do a lot to explain bad passwords. There _is_ a high cost to choosing a complicated password, or changing your password for every site: the time it takes to get unlocked may be longer than you care to spend on the site in the first place.
All the banking websites I use have three levels of security: username, password, and “other”, where other is a location check (have you used this IP address before?), a visual key check, or a second password that requires a mouse.
Hey,
If you take a look at my site, you’ll see that I do a lot of password research myself:
http://www.skullsecurity.org/blog/?p=538
(among others)
Apparently, I suck at google because I can’t find that list. Because it’s public anyways, any chance you can send me the list?
Thanks!
Ron
My reason for using a variant of the same three passwords is because I have only so many brain cells to devote to this. My view is similar to what allyourcode states: if the password server gets hacked, my 13 digit password with at least one upper case letter, one lower case letter, one number and/or one special character is essentially useless.
Yes, but a decent website shouldn’t keep usernames and passwords in the same place.
In accordance with Nancy Edwards:
We have limited memory and if we create many “complex” passwords, it’s hard to remember which was for which site. An easy categorization is: complex passwords for important sites, simple passwords for unimportant sites. Once we are to remember a password, we can easily decide if the website is important or not and search the box in our memory for the simple password variants. That’s what I do.
Very interesting, but as a simplistic-easy-to-hack-password owner, I think you are missing a few important points:
Most things that I am asked to password, I don’t actually care if anyone hacks into. Quite the contrary, I feel rather annoyed that everything from a one-time purchase online to professional organizations are requiring me to password, thus doing nothing for me except making it difficult to get back where i need to be next time.
Looked at a certain way, simplistic passwords are VERY rational. Easy to use and who cares if someone hacks my membership to the American Association of Agricultural Engineers, for example?
Even in the work setting, I would argue that the majority of employees have nothing to protect (or nothing that THEY PERSONALLY care about protecting), and so view passwords as nothing but a burden. My personal finances are the exception. There, I agree, we need to get much more savvy about passwords. But until someone puts the brakes on all the unnecessary passwording, I think people will continue to operate this way.
If you purchase something online, and need to create an account for that – you can incur financial losses if someone gets your credentials.
Tell me Giulia, do you have one strong password to all of your important accounts (banks, etc.) or several? It’s an interesting question.
It’s weird people do it, considering how cheap and easily available more secure options are. Instead of using your current phone number, why not use the one from when you were a kid? Best friend’s date of birth. Your first car’s license plate number. There are plenty of sequences that you remember anyway and others are unlikely to guess.
Taking into account the low cost of potential loss, you can then use the same password on all unimportant websites, but if it’s your mom-in-law’s dog’s name, you’ll still be safer than with 12345, and you’ll not have to memorize anything new.
I think people just think that their case is different. They’ve heard of hackers doing bad stuff to other people, but they believe it will never happen to them. So that’s why they don’t make the effort of choosing a better password.
Every time I’ve had to fix a person’s computer or help them with a website and have been told their password, I’ve always thought “what a stupid password” to myself. Most of the time it’s just the name of a person’s favorite sports team LOL. The next game changer is when passwords won’t be necessary at all… I don’t know what the invention will be (maybe a voice identifier, fingerprint scanner) but these days a person has to remember WAY TOO MANY passwords.
Dan, at the beginning you asked why wouldn’t people incorporate a bit of randomness into their password selection. My guess – random things are hard to comprehend, there are a lot of choices involved. Let’s say we are choosing from a typical keyboard, that’s 26 letters and 10 numbers, assuming no repeats and no upper case or symbols, that’s nearly 2mil combinations of 6-character passwords (my math is very rusty and might or might not be wrong).
I would consider picking “random” characters a very hard exercise…actually there’s a way to calculate just how hard it would be in terms of cognitive load, but that’s for another time.
On the other hand, if a random set was given to us, perhaps we would be able to easily remember it; not many, but a few. I know for myself, I am still using a password that was issued to me over 10 years ago by a random generator. Why? Because the letter sequence kind of rhymes, and it was easy for me to remember, even though it was longer than 6 characters.
Furthermore, judging by how my parents and grandparents use technology, some people out there don’t have a clue what ‘password’ is for and why one should have it. Likewise, I doubt non-academic minds know just how easy it is to pick a password when it’s not a hard one.
My two cents.
Alon/Dan
A few observations on this very interesting analysis
1. It’s a Pizza Hut website. I guess these users are not too bothered about their privacy there and would have only logged in a couple of times, probably to redeem coupons or something. My guess is their Hotmail passwords won’t be “hotmail” or “12345”.
2. Maybe you should consider the possibility of developers beta testing their product with dummy usernames and passwords (I have done a similar thing once and set up tens of dummy accounts on a database, all of which had “qwerty” as passwords). A large quality assurance team might have easily set up 500 such dummies.
However, one thing is of interest here. What you could try (at the risk of being in serious trouble though) is to try logging into the users’ emails with the pizza hut passwords provided. I suspect a lot of people use the same password everywhere (I did too, till I learnt the hard way).
I once read somewhere that in websites where people are forced to enter complex alphanumeric strings as passwords, the most common choice is “”
I really like Prithwiraj’s idea of trying the same username/password combinations on sites with high value accounts such as Hotmail. Many of the comments so far have hypothesized about people using stronger passwords for more important services such as email. Extrapolating from my own behavior, it seems quite likely that people put more thought into their more important passwords. Trying the same username + password combinations on other sites would be a great way to get a sense of whether people actually do this.
It’s also possible that such a study would find that the stronger passwords on these lists are more vulnerable, because those people might be thinking, “I already know a strong password, which I use for email or banking. I’ll just use the same one, because it’s hard to guess, and I already have it memorized.” If that were the case, we might be looking at a more counter-intuitive result: people with strong passwords on these sites are worse off than people with weak passwords. In that case, we might say the weak-password people were actually smarter, because their low confidence in these sites’ ability to keep their password secret was well placed.
As much as I’d be interested to find out what such a study could tell us, it sounds really tedious, unless there was a programmatic way to automate the testing of these username + password combinations on other sites. I guess it wouldn’t be too hard for people who work for other sites to do this on themselves, but they’re not likely to release the results even if they took the time for fear of user outrage and possibly legal issues. Even if they did release their results, it wouldn’t be ideal, because we’d want to have similar results for many sites, not just a few piecemeal results sets.
Woops! I just went back and reread part of this post. Apparently some very patient people did try these username + password combination on other sites with great success. I still wonder if they found a difference in success rate between weak and strong passwords. My guess is that those hackers would have also published those results, but I can’t seem to find them, because news pages are crowding the top results.
@allyourcode – if only those Turks were inquisitive enough to run a little STATA analysis, or at the very least Excel.
Obviously, Facebook user credentials are very interesting from the researcher’s standpoint because you also get a lot of demographic data. On the other hand, FB won’t let you choose too weak a password. Do you happen to know if any FB accounts ever leaked to the web? I suspect that if I innocently search for it I might get more trojans than passwords.
I’ll mention one more thing that might be of interest. I isolated all the accounts that belonged to bankers (according to their email addresses, n=~200). The distribution of weak passwords was the same as in the general population, give or take.
Thanks for all your comments & feedback!
that would be name+birth yr+surname.
somehow the last few words in the “” did not register in my last comment
I think your sunk cost bias analysis doesn’t completely account for the costs of changing passwords. Consider that the user not only has to create a new password, but has to remember to use that one rather than the one that he has been associating with the website since he began using it. After using a password for a long time, it becomes habitual, and breaking that habit is hard.
As an example, suppose on average you log in to Facebook 25 times between adding new friends. That is, if you’ve logged into facebook 100 times, you’ve on average added 4 friends during that same period. Now each friend makes it more important to choose a secure password, since it adds valuable private information to your account. But those 100 logins have also made it more costly to change your password, since the habit of using the current insecure password has become more ingrained.
Additionally, if the user forgets the new password after changing it, the cost of loss of access (frustration at not being able to login, the hassle of password reset systems, etc) can be high.
So if the cost of breaking the habit increases faster than the value of the account, and you don’t think about your account growing in value in the future, then it’s rational to keep an insecure password.
You are correct about accommodation issues, I have a simple password for simple sites which turned out eventually being quite important to me, and yet for the sake of remembering it, I keep it the same.
I mentioned that I’m a web professional so it’s not the case of internet savvy or not.
Still, after this message, I wouldn’t bother to change it. Why? Don’t know! They don’t show up as a great risk after all I guess.
One reason why people choose the same password is that there are so many sites requiring passwords. My work computer has 38 passwords stored in the browser and my primary home browser has 67. The good news is that Firefox stores them encrypted in a database.
But, this is also the reason why someone might not change the password. First, in many cases, a site will leave a cookie when you log in, and if it is a long term cookie, or a session cookie and you leave your browser running, you won’t be prompted to log back in very often. The only sites that I regularly use that expire the cookie with any frequency are my on-line banking (15 minutes) and my frequent flier (60 minutes.) So, you might not even remember that you need a password.
When you do log back in, if you’ve saved the password in your browser, then when you are prompted to log back in, the site will show the password as a string of bullets — you don’t need to remember the password and don’t even need to remember if you’ve made it strong or not.
I don’t save passwords in my browser at work that are not related to my employment — and this is good advice for anyone. A while back, I was laid off (me, and a few million other Americans). I had saved my Gmail password on the work computer… A week later, I saw at the bottom of the Gmail screen “This account is open in 1 other location (IP-address).” The IP address was the former employer’s; they were looking at my Gmail account! Naturally, I changed the password immediately, but this was certainly a surprise.
I’d like to reverse the argument and express my surprise at how many people *do* use secure passwords; the percentages of really bad passwords you mention seem very low. Any theory as to why?
If you add up the frequency of the cases that Alon tried, you get ~10.3%. That may not be large according to some people, but imho, that figure should raise alarm bells. The other thing you have to consider is that this is an underestimate. Alon probably didn’t consider every class of weak password for this study. This means that we don’t know how many of the remaining 89.7% of accounts also had weak passwords. All we know is that *at least* 10.3% of all accounts have weak passwords. I’d bet that a little more digging would reveal a significantly larger number of weak passwords, although 10.3% seems bad enough for me.
What would you suggest?
I thought that I might be missing passwords that are patterns on the keyboard I didn’t look at, but figured that if the frequency of patterns like zxc was only in the few dozens, I’m probably not missing much here. I wish I had a script that would look for dictionary words (maybe urban-dictionary words) etc.
And yes, that is in itself an alarmingly high number.
I agree with allyourcode – that number is not at all low.
However, and in addition to what allyourcode said and my reply to him, there are instances of weak passwords I couldn’t trace. If someone uses his birthday, or his kid’s birthday, I wouldn’t pick it up and it would seem a rather random string of numerals. The same goes for using your dog’s name or any other easy – yet unique to a single person – password.
So, you can expect the % to be much higher.
Actually, now that I think about it, if I had a way to isolate those occurrences, I could better understand why people use easy passwords. You see, some people consider only the memory aspect, while others take security issues into account. So I guess a more insightful analysis would divide weak passwords into two:
1. objectively weak
2. subjectively weak
Very interesting.
I’m sure you could come up with many tiers for password strength. When I say “weak” it might not mean the same thing as what someone else means; it’s pretty subjective. It also depends on the application, e.g. banks would tend to have a much higher bar when it comes to what’s considered a “strong” password. Similarly, I consider a password that can be generated using a list of common words + a script to be pretty weak (e.g. dog123), even though some would not consider this to be weak. The reason I think of such passwords as weak is that this is what any hacker is going to try first. Even a low-level hacker would have little trouble doing this.
I work for a data security company, and I am a huge fan of Dan Ariely (so no I am not plugging my co here).
Our team recently published an article on a breach of much greater magnitude. In December 2009, a major password breach occurred that led to the release of 32 million passwords. Here is a quick synopsis of our analysis:
» About 30% of users chose passwords whose length is equal to or below six characters.
» Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
» Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.
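An audit script of my own, added here as an illustration and not part of Alon’s post or of the RockYou analysis above, that does what Alon wished for in his reply (flag dictionary words, keyboard patterns and trailing-digit variants like dog123) and also applies the two cuts the synopsis reports (length of six or fewer, and passwords drawn from a single character class, which is my reading of “a limited set of alpha-numeric characters”). The word list and the sample passwords are constructed for the example; a real audit would load a full dictionary and the actual dump.

```python
import re
import string
from collections import Counter

# Constructed mini-dictionary standing in for a real word list (assumption).
COMMON_WORDS = {"password", "pizza", "love", "luv", "dog", "cat", "travel",
                "knitting", "hello", "welcome", "admin", "football"}

# Keyboard rows plus the alphabet: a password that is a run of 3+ adjacent
# keys (forwards or backwards) counts as a "trivial" pattern.
SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase]

# Common leetspeak substitutions undone before the dictionary lookup.
LEET = str.maketrans("@$310!", "aseioi")

CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}


def is_trivial(pw):
    """Consecutive digits, alphabet runs, keyboard runs, or one repeated char."""
    p = pw.lower()
    if len(p) < 3:
        return False
    if len(set(p)) == 1:
        return True
    return any(p in s or p in s[::-1] for s in SEQUENCES)


def is_dictionary(pw):
    """Word on its own, word + up to 4 trailing digits (dog123), or leetspeak (l0ve)."""
    p = pw.lower()
    candidates = {p, re.sub(r"\d{1,4}$", "", p)}
    candidates |= {c.translate(LEET) for c in list(candidates)}
    return any(c in COMMON_WORDS for c in candidates)


def charset_classes(pw):
    return {name for name, cls in CLASSES.items() if any(c in cls for c in pw)}


def classify(pw):
    """Return the set of weakness flags that apply to one password."""
    flags = set()
    if len(pw) <= 6:
        flags.add("short")
    if len(charset_classes(pw)) <= 1:
        flags.add("limited-charset")
    if is_trivial(pw):
        flags.add("trivial")
    elif is_dictionary(pw):
        flags.add("dictionary")
    return flags


def audit(passwords):
    """Percentage of passwords carrying each flag, plus the most common password."""
    counts = Counter()
    for pw in passwords:
        for flag in classify(pw):
            counts[flag] += 1
    n = len(passwords)
    pct = {flag: round(100 * c / n, 1) for flag, c in counts.items()}
    top = Counter(passwords).most_common(1)[0][0]
    return pct, top


# Constructed sample standing in for a leaked credential list (assumption).
SAMPLE = ["123456", "123456", "pizza", "dog123", "l0ve", "qwerty",
          "aaaaaaaa", "m)jky<2=Du_p", "w$tsoaMbp?", "LOVE"]

if __name__ == "__main__":
    pct, top = audit(SAMPLE)
    print(pct, "most common:", top)
```

The percentages stack (a password can be both short and trivial), which is why a summary like the one in the synopsis understates how many accounts are weak on at least one count, the point allyourcode made about the 10.3% figure.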
Alon, I am really interested in the “why” factor. The most obvious ones are keyboard locations, anchors around subjects and topics of proximity. But I believe this is closer to what Dan discusses as our distance from the “cash”. Obviously I don’t view Pizza Hut as an equivalent to cash. But my password to a bank is a wallet where I put my money. Off the internet, I put my wallet in the purse; hide it under a seat when I am in the city – so my car won’t get broken into, etc., etc. My passwords for websites are SO MANY layers removed from cash; it’s nowhere near the WALLET I would take extra measures to protect. How do we change this irrational behavior? Feel free to write me directly.
Very interesting thought! Any chance I could have your data?
I have a few more explanations that didn’t make it to this post.
Please do contact me. It’s alonnirs on gmail.
Thanks
BTW, if anyone was interested – I have many user accounts (lots of email addresses, websites, blogs, FTPs, and the usual suspects such as FB and Twitter), for all of which I have a pretty strong password.
What’s my secret? I use the ‘remember password’ feature and back them up in a notebook that never leaves the house. If anyone gets hold of my notebook, I probably have bigger things to worry about…
If you have access to a POSIX system (UNIX and Mac both qualify) you may want to consider pwman3. It creates an encrypted database of your passwords.
http://freshmeat.net/projects/pwman3/
Even better, if you have access to UNIX, there is a program “apg” (a password generator) that will create some very strong passwords for you, based on different algorithms and sizes. Here’s the output of a purely random password of 12 characters including punctuation, 2 passwords requested:
m)jky<2=Du_p
,2G\hZj;&=K#
You can ask for "pronounceable" passwords with no special characters:
RojIgDuijEn9
vigcujbaHob8
I generally create multiple passwords and use the one that "looks" more secure.
Another way to be slightly more secure is to use an illogical answer to the challenge question. One place asked for a security question, and being a college hoops fan, I made the question, "What was the score of the 2010 NCAA Championship game?" But, I instead put as the answer the final of a cricket match in the 1980s… Since the system is only doing a database lookup, if someone hacks in to this point, they'll say "Ah! Duke 61 Butler 59" and assume that is the answer… They'd then get kicked out… Yet, when I provide the score of a certain county cricket match, the program will match the answer and let me in.
If that level of misdirection is too much, if it is one that has multiple questions, you could try switching the answers:
Where were you born? Spot
What was the name of your first pet? Memorial Hospital
Being a bit concerned about misuse of data, I naturally would give incorrect answers to these challenge questions, but answers that I know… It also means that if I am the target of a security attack, doing the background research on who I am will lead to misleading challenge answers (which might slow down a determined hacker by a second or two).
I would like to propose an explanation for those who used the password “pizza”, which comes from my personal irrational choices.
As you suggest, the lower the importance of the site you register on, the sloppier you tend to be. As such, in my case, at some point I started a pattern of using passwords that practically indicated the name or the function of the site I was logging into.
So if it would have been Pizza Hut, I would have used the password “Pizza”
For an internet travel agency I would have used “travel”
For sites dedicated to my knitting hobby I would have used “knitting”, and so on.
Like I said, this pattern was only applied for sites where my interest in protecting the password would have been low. I couldn’t care less if someone hacks my knitting account and finds the projects I am saving for the future, or the travel packages that I am saving as interesting – I do not pay for them using that account (in cases when I do pay, though, I use a stronger password).
To sum up, I suppose the ‘pizza’ password guys had the same thinking… They would not mind someone else knowing their penchant for pepperoni or prosciutto and extra funghi pizza.
The average person either has no knowledge about password management or just doesn’t want to spend the time on it. Some people have hundreds of accounts – which is difficult to manually manage. A Microsoft researcher even argues that it is a rational choice to follow poor password management practices:
http://blogs.techrepublic.com.com/security/?p=3275
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf
Nobody has yet mentioned the Sophos study in the comments – though small (586 users), it seems to be pretty relevant to this discussion, indicating that only 19% of users use a different password for each site, and 33% use the same password for EVERY site:
http://www.sophos.com/pressoffice/news/articles/2009/03/password-security.html
I think the way most organizations go about teaching password management is far too complicated, confusing, and difficult to implement for an average person, especially given that there is a simple way to secure passwords:
Use a password manager to assign unique, random 15-character passwords to all accounts, protecting them with a strong master password. Once you get into the habit of it, it’s actually faster than how most people log in to various accounts each day.
I recently posted a series on password management that highlights this simple solution to the problem, while also giving more background to those who want it (how attackers steal passwords, which password managers are best, etc.):
http://www.filterjoe.com/2010/05/14/password-management-for-the-average-joe/
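The two styles of generated password shown in the apg comment above (purely random with punctuation, and “pronounceable” with no special characters) and the unique random 15-character passwords this comment recommends can all be produced with a few lines of Python. The example below is mine, added here; it is not apg’s algorithm, not the filterjoe post’s code and not any password manager’s implementation. The alphabets, the consonant-vowel syllable scheme and the entropy bookkeeping are my choices. It uses the `secrets` module, which draws from the operating system’s CSPRNG, rather than `random`.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Pronounceable mode alternates a consonant and a vowel (my scheme, not apg's).
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def random_password(length=15):
    """Uniform choice from the full printable set, one character at a time."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def pronounceable_password(length=12):
    """Consonant-vowel syllables, one random capital letter, one trailing digit."""
    if length < 3:
        raise ValueError("length must be at least 3")
    letters = ""
    while len(letters) < length - 1:
        letters += secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
    letters = letters[: length - 1]              # drop a surplus vowel if any
    i = secrets.randbelow(len(letters))          # capitalize one letter
    letters = letters[:i] + letters[i].upper() + letters[i + 1:]
    return letters + secrets.choice(string.digits)


def entropy_bits(mode, length):
    """Bits of entropy in a password of this length for either mode."""
    if mode == "random":
        return length * math.log2(len(RANDOM_ALPHABET))
    # Pronounceable: letters alternate consonant/vowel starting with a
    # consonant, then one capital position and one digit are chosen.
    n_letters = length - 1
    n_cons = (n_letters + 1) // 2
    n_vow = n_letters // 2
    return (n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))
            + math.log2(n_letters) + math.log2(10))


if __name__ == "__main__":
    for _ in range(2):
        print(random_password(12))
    for _ in range(2):
        print(pronounceable_password(12))
    print("bits, random 15:", round(entropy_bits("random", 15), 1))
    print("bits, pronounceable 12:", round(entropy_bits("pronounceable", 12), 1))
```

The entropy figures are the caveat worth knowing before picking the password that “looks” more secure: a 12-character pronounceable password from this scheme carries about 43 bits, while 12 purely random printable characters carry about 79 and the recommended 15 about 98. Looks do not enter into it; the search space the generator drew from does.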
People tend to choose simple passwords because complex combinations of letters and digits are hard to remember and associate with anything. Most people have lots of information in their heads and the last thing they want to do is to complicate their life even further with a crazy password combination for every website they log on to. When people order pizza, they want to get food and get the process over with asap (to Dan’s point, they paid the dues for the thinking process; let’s eat now).
Real example: I have to have 6 different corporate accounts to use 6 different services (Windows logon, company website, PC Exchange account, mobile Exchange account, corporate credit card system, corporate support system, etc.). Here is the disconnect:
This is at the bottom of my priorities, trying to remember all 6 (besides my personal bank/email accounts, etc.). At the same time one of the top ten call drivers to our support is (you guessed it) forgotten passwords! I think we all realize that having a simple password is the most insecure way of managing information; however, we are ready to pay the price for simplicity (isn’t that what most people do?).
Very interesting post indeed. It explains why Facebook and Hotmail accounts get hacked a lot.
For important accounts (where the owner is a reputed company) I use a system to create a password. If someone had two of the passwords and enough time they could figure out the system.
For all other sites I use a single generic password.
Interesting though that all comments here are focusing around the anonymous cyber-hacker. It’s the jealous lover or the snoopy friend who also poses a very real danger.
Thanks for the comment Mat.
Yes, indeed – how many of us log out of our accounts at our home computer? I certainly don’t.
When I worked for a university in the 90s, one password-analysis program we ran brought the heartening result that passwords based on “love”, “luv” or “l0ve” outweighed the number based on “sex” and variants thereof.
I remember at the time wondering why people would choose such simple passwords – and that led me to look back at how Bell Telephone had taught customers to remember phone numbers by using exchanges. They had a rationally coordinated customer-education effort to teach phone customers how to remember phone numbers. They knew that without knowing how to remember that data, the network would be useless.
By contrast, without a central authority over the Internets (not that I want one!) no one had an interest in solving this problem for users – in teaching the users how to remember passwords. Thus we have an irrational system where secured access is sometimes a username, sometimes requires an email, sometimes a password is strict and often not. There are some password management techniques today that I’ve found can lead to more secure networks when the users are taught how to use them and the system enforces it.
Thanks for sharing your findings. May I ask where your sample originated from? What was the gender distribution? I have a feeling that a certain type of site would have more “sex” variant passwords than love…
One reason I sometimes go in for a less complicated password is because it is also easier to remember. In the company where I work there are very strict password guidelines and I have to regularly change about 4-5 internal passwords and remember them. Sometimes after a few weeks of vacation it’s not unusual for me to forget a password or two.
What this means is that for casual websites (NYTimes, WSJ, perhaps Pizza Hut too, and so on, where I am a registered user) I tend to make up easy passwords.
Before I retired, I had to use about a dozen different logins daily. They all had different expirations for passwords as well as different strength requirements. Moreover, there was no room to repeat info. The best it got was to take the password from system A and use it for system B, etc. Because we dealt with extremely sensitive info, it was necessary. There wasn’t even a single IT department. Everything was set up by divisions. Remembering the protocols was a nightmare. The reward was that the opportunity for hacker mischief was greatly reduced. But it still meant 15 minutes every morning just to get started . . .
So, you’re the proof our brain can handle this load.
I must confess to the humor of that. As I previously mentioned, I am retired. What I didn’t mention was that I retired due to a brain injury that played total havoc with my short term memory. Becoming dependent on sticky notes for daily functioning was not career compatible.
Now I have noticed that passwords aren’t so demanding, but the login name/username requirements vary so widely. Finding a username that is both meaningful and not previously taken can be difficult. Even something as trivial as a pizza ordering database will screen out duplicate names. By the time the password is created, there is a certain amount of data input overload, at least in proportion to the importance of the overall task. It seems that every web based merchandiser wants someone to set up an account whether or not you actually will purchase anything. It makes comparison shopping difficult, no doubt on purpose.
I am so sorry. Once again I fail socially. If I had a delete button I would have deleted that comment. My apologies.
And yes, every site wants you to register these days. Some sites are user friendly and require very little information (take Twitter for instance). Personally, I am running several web services and an iPhone app. Neither requires registration. I just believe that if the product is good enough, people will keep coming back.
Addendum: Here’s a fun, relevant comic strip
http://xkcd.com/792
perhaps less relevant, but still classic: http://xkcd.com/538/
There is a solution, that is to use Password Gorilla to manage your passwords (http://github.com/zdia/gorilla/wiki). The problem, of course, is how to get the folks who would otherwise pick simpleton passwords to start using it.
In my opinion, I think people choose passwords that they can remember easily. Different passwords for different sites can get confusing unless you maintain a spreadsheet to track which website you registered on, with username and password. With users visiting hordes of websites every day, I think people choose passwords based on their close affinity to things or stuff they are sure they will not forget.
People’s choice of credentials is not quite this bad when people believe that a corruption of their account is bad. For example, if you look at the contents of PayPal or Facebook dropboxes, you will see that there still are bad passwords — but they do not dominate, because people understand the consequences (loss of money, embarrassment) if their accounts are taken over.
The remarkable thing is that people do *not* realize that poor (=easily guessable) password reset questions lead to the same result.
The best way to generate a long, strong, easily-remembered password is to:
1. Select a humorous or memorable sentence spoken by a friend or a loved one, or even the first line of a favorite poem.
2. Extract the first letter of each word.
3. Substitute special characters for letters (3 for e, # for H, @ for a, etc.)
4. Capitalize one or two letters.
Thus, ‘Grandma, I see your underwear’ becomes GmI$urUw
‘Why shouldn’t the soul of a mortal be proud?’ becomes w$tsoaMbp?