
Largest-ever password study: We are all idiots

The largest-ever study on user-selected password security shows that no matter how old you are or what language you speak, your password probably sucks.

The study, conducted by Joseph Bonneau at the University of Cambridge, analyzed the password strength of about 70 million Yahoo users. While the data was protected with hashing and Bonneau was unable to see individual account info, he was still able to measure relative strength of passwords across various demographics like age, gender, and nationality.

“We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution,” Bonneau wrote.

Another telling finding: whether or not a user had a debit or credit card registered to the account had almost no effect on the strength of the password protecting it. People with cards attached to their accounts avoid the most extreme choices like “1234,” but they don’t do much beyond that. We’re sure hackers love that data point.

Another fascinating bit is that no matter what language you speak, your password is almost always weaker than security experts suggest.

“More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to population-specific lists,” Bonneau wrote.
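The comparison behind that quote, as an added illustration rather than Bonneau's own code or data: for a given population, count how many guesses a globally ordered dictionary needs to break a fraction of accounts versus a dictionary ordered for that population alone, and take the ratio as the attacker's efficiency gain. The populations and counts below are constructed toy values, and the uniform-digit helper shows what the random-number advice made later in the article buys.

```python
from collections import Counter
from math import ceil

def optimal_order(dist):
    """Guessing order for an attacker who knows dist: most common password first."""
    return [pw for pw, _ in dist.most_common()]

def guesses_to_compromise(dist, order, alpha):
    """Guesses, tried in `order`, needed to break at least a fraction alpha of the
    accounts whose passwords follow `dist` (a Counter of password -> user count).
    Returns None if the dictionary is exhausted first (too small or mismatched)."""
    target = alpha * sum(dist.values())
    covered = 0
    for i, pw in enumerate(order, start=1):
        covered += dist.get(pw, 0)
        if covered >= target:
            return i
    return None

def efficiency_gain(population, global_dist, alpha):
    """How many times fewer guesses a population-specific list needs than the
    globally optimal list to compromise a fraction alpha of `population`."""
    g = guesses_to_compromise(population, optimal_order(global_dist), alpha)
    s = guesses_to_compromise(population, optimal_order(population), alpha)
    if g is None or s is None:
        return None
    return g / s

def uniform_guesses(digits, alpha):
    """Guesses needed to break a fraction alpha of users who each chose a uniformly
    random `digits`-digit number; each guess succeeds with probability 10**-digits."""
    return ceil(alpha * 10 ** digits)

# Constructed toy populations (users per password), not real Yahoo data.
ENGLISH = Counter({"123456": 40, "password": 25, "qwerty": 15, "letmein": 10, "monkey": 10})
SPANISH = Counter({"123456": 40, "contraseña": 20, "hola": 15, "password": 10, "qwerty": 10, "te amo": 5})
GLOBAL = ENGLISH + SPANISH  # the merged, "globally optimal" dictionary source

if __name__ == "__main__":
    for name, pop in (("english", ENGLISH), ("spanish", SPANISH)):
        print(name, "attacker gain at 60% coverage:", efficiency_gain(pop, GLOBAL, 0.6))
    print("uniform 9-digit numbers, 50% coverage:", uniform_guesses(9, 0.5), "guesses")
```

With these toy numbers the population-specific list gains the attacker a factor of 1.5 against the Spanish group and nothing against the English group, while a random nine-digit number pushes the same coverage into the hundreds of millions of guesses.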

The study indicates that the people who have the strongest passwords are also in the same category as folks who change their passwords occasionally. Most people simply keep the same password associated with an account for years, significantly increasing the likelihood of the account being hacked.

Bonneau suggests people choose a randomly selected number at least nine digits long, because it is about as easy to remember as a phone number and still provides an above-average level of security. He also says that businesses that make people create passwords should require users to pick tougher passcodes. “A stricter password selection policy might produce distributions with significantly higher resistance to guessing,” Bonneau wrote.

All this talk of passwords and security is admittedly making me a bit nervous. I’m going to change some passwords today. You should too.

Photo credit: Dino O./Shutterstock