Cybersecurity Passwords contribute to online insecurity
One percent of passwords can be cracked within ten guesses; German and Korean speakers also had passwords which were more difficult to crack, while Indonesian-speaking users’ passwords were the least secure
Online passwords are so insecure that 1 percent can be cracked within ten guesses, according to the largest ever sample analysis.
The research was carried out by Gates Cambridge scholar Joseph Bonneau and will be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers in May.
A University of Cambridge release reports that Bonneau was given access to seventy million anonymous passwords through Yahoo! — the biggest sample to date — and, using statistical guessing metrics, trawled them for information, including demographic information and site usage characteristics.
He found that for all demographic groups password security was low, even where people had to register to pay by a debit or credit card. Proactive measures to prompt people to consider more secure passwords did not make any significant difference.
There was some variation, however. Older users tended to have stronger online passwords than their younger counterparts. German and Korean speakers also had passwords which were more difficult to crack, while Indonesian-speaking users’ passwords were the least secure.
Even people who had had their accounts hacked did not opt for passwords which were significantly more secure.
The release notes that the main finding, however, was that passwords in general only contain between ten and twenty bits of security against an online or offline attack.
Bonneau, whose research was featured in the Economist, concludes that there is no evidence that people, however motivated, will choose passwords that a capable attacker cannot crack. “This may indicate an underlying problem with passwords that users aren’t willing or able to manage how difficult their passwords are to guess,” he says.
