US study: People over 55 pick safest passwords

People over 55 have been found to pick the most secure passwords, with their passwords twice as strong as those of people under 25 years old.

 

This was the finding of a study by Joseph Bonneau, a computer scientist at the University of Cambridge who studied the passwords of some 70 million Yahoo users.

 

"A comparison of different nationalities found that German and Korean speakers choose the strongest passwords, whereas Indonesians pick the weakest," the study said, according to a report on New Scientist.

 

Bonneau presented the findings at the Symposium on Security and Privacy in San Francisco, California, last May 23, New Scientist said.

 

The report said that in Bonneau's study, he calculated the password strengths for different demographic groups and compared the results.

 

He found people with a credit card stored on their account do little to increase their security other than avoiding very weak passwords such as "123456."

 

Also, the study showed people who change their password from time to time tend to select the strongest ones.

 

Bonneau said he looked at more realistic attacker scenarios.

 

"Maybe an attacker is happy to only break oneper cent of accounts they have access to, or 50 or even 90 percent. Those are all very different than 100 percent," he said.

 

Another important factor is whether attackers are trying to guess the password of a particular user by typing it onto a login screen, or attempting to crack an entire leaked database of passwords.

 

On average, Bonneau found user-chosen passwords offer less than 10 bits of security against online attacks.

 

This means it would only take around 1,000 attempts to try every possible password, and around 20 bits of security against offline attacks.

 

While even a randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security, Bonneau noted people pick much easier passwords than those theoretically allowed.

 

He suggested assigning people randomly chosen nine-digit numbers instead, which would offer 30 bits of security against every type of attack.

 

This would be a 1,000-fold increase in security on average.

 

"I think it's reasonable to expect people to have the capacity to remember that, because they do it for phone numbers," he said.

 

Lujo Bauer, who studies passwords at Carnegie Mellon University in Pittsburgh, Pennsylvania, noted this was one of the rare studies based on a large set of passwords that are actively used and have been obtained legitimately. — RSJ, GMA News