Share

Related Links

  • Computer Weekly
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Top 5 Stories

News

Millions of internet users trust weak passwords, research reveals

28 March 2012

Online passwords are so insecure that 1% can be cracked within 10 guesses, according to a researcher at Cambridge University.

Gates Cambridge Trust scholar Joseph Bonneau of the university's computer laboratory was given access to 70 million anonymous passwords through internet services firm Yahoo.

Using statistical guessing metrics, he trawled them for information, including demographic information and site usage characteristics.

Bonneau found that for all demographic groups, password security was low, even where people had to register to pay by a debit or credit card.

Proactive measures to prompt people to consider more secure passwords did not make any significant difference.

Even people who had had their accounts hacked did not opt for passwords that were significantly more secure.

The analysis did find, however, that older users tended to have stronger online passwords than their younger counterparts. German and Korean speakers also had passwords that were more difficult to crack, while Indonesian-speaking users' passwords were the least secure.

The main finding of the research was that passwords in general contain only between 10 and 20 bits of security against an online or offline attack.

In his research paper, Bonneau concludes that there is no evidence that people, however motivated, will choose passwords that a capable attacker cannot crack.

"This may indicate an underlying problem with passwords that users aren't willing or able to manage how difficult their passwords are to guess," he said.

Passwords have been argued to be “secure enough” for the web with users rationally choosing weak passwords for accounts of little importance, but the research findings may undermine this explanation, said Bonneau, as user choice does not vary greatly with changing security concerns as would be expected if weak passwords arose primarily due to user apathy.

Bonneau will present his findings at a security conference to be hosted by the Institute of Electrical and Electronics Engineers in May.

This story was first published by Computer Weekly

This article is featured in:
Identity and Access Management  •  Internet and Network Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×