People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old. That's according to the largest ever study of password security, which also found that most of us choose passwords that are less secure than security experts recommend.
Joseph Bonneau, a computer scientist at the University of Cambridge, analysed the passwords of nearly 70 million Yahoo! users. The data had been protected using a security technique called hashing, which ensured he did not have access to the individual accounts. He calculated the password strengths for different demographic groups and compared the results.
A comparison of different nationalities found that German and Korean speakers choose the strongest passwords, whereas Indonesians pick the weakest.
People with a credit card stored on their account do little to increase their security other than avoiding very weak passwords such as "123456". Unsurprisingly, people who change their password from time to time tend to select the strongest ones.
Traditionally, security researchers look at the difficulty of breaking every password in a database, but that makes the problem seem much harder than it is, because the most secure randomly-generated passwords are almost impossible to crack. Bonneau instead looked at more realistic attacker scenarios. "Maybe an attacker is happy to only break one per cent of accounts they have access to, or 50 or even 90 per cent," he says. "Those are all very different than 100 per cent." Another important factor is whether attackers are trying to guess the password of a particular user by typing it onto a login screen, or attempting to crack an entire leaked database of passwords. These are known as online and offline attacks respectively.
Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss, and each additional bit doubles the password's strength. On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password, and around 20 bits of security against offline attacks.
That's surprising, because even a randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. Bonneau says the discrepancy is due to people picking much easier passwords than those theoretically allowed. He suggests assigning people randomly chosen nine-digit numbers instead, which would offer 30 bits of security against every type of attack – a 1000-fold increase in security on average. "I think it's reasonable to expect people to have the capacity to remember that, because they do it for phone numbers," he says.
Bonneau presented the findings at the Symposium on Security and Privacy in San Francisco, California, on 23 May.
"This is one of the rare studies based on a large set of passwords that are actively used and have been obtained legitimately," says Lujo Bauer, who studies passwords at Carnegie Mellon University in Pittsburgh, Pennsylvania. Most other studies are based on leaked databases that may be incomplete.