How Secure is Your Password? Not Enough, Says Largest Password Security Study

According to the largest-ever study conducted on user-selected password security, regardless of how old you are, where you are from or what language you speak, your password is most likely not good enough. The study was conducted by Joseph Bonneau at the University of Cambridge, and analyzed the password strength of as many as 70 million Yahoo users.

The data was protected with hashing, and Bonneau could not see individual account info. Bonneau was able, however, to measure the relative strength of passwords across various demographics such as nationality, age, and gender. "We find surprisingly little variation in guessing difficulty," wrote Bonneau. "Every identifiable group of users generated a comparably weak password distribution."

Weak Passwords, Regardless of Language

The study also points out that even when users are prompted to enter a debit or credit card number, the password associated with the card is only very marginally stronger. People with cards linked to their accounts tend to avoid extremely weak passwords such as "1234," but their efforts don't go far beyond that. The study further shows that regardless of users' language, their passwords are almost always weaker than security experts recommend.

"More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists," noted Bonneau.

Stronger Password with Age

The study also shows that people over age 55 choose passwords that are twice as secure as those created by people under age 25. "There is a general trend towards better password selection with age," wrote Bonneau. Moreover, according to the study, the people who choose the strongest passwords also tend to be those who change their passwords more frequently. Meanwhile, most people keep the same password associated with an account for several years, thus increasing the likelihood of having their account hacked. The overall conclusion of the study is that regardless of age, no one chooses passwords that are secure enough. "The most troubling finding of our study is how little password distributions seem to vary...with effective varying by no more than a few bits," wrote Bonneau.

How to Enhance Security

To increase the level of security, Bonneau recommends people choose a random number of at least nine digits - it will be as easy to remember as a phone number, while providing an above-average level of security. Bonneau added that businesses that make people create passwords should make sure users pick stronger ones. "A stricter password selection policy might produce distributions with significantly higher resistance to guessing," wrote Bonneau.
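The following added example (not from the study or from this article) generates a random nine-digit number and compares how far a fixed guessing budget gets against it versus against a skewed, user-chosen distribution. The Zipf-shaped distribution is a constructed stand-in, not the Yahoo data, and all function names are hypothetical.

```python
import math
import secrets


def random_digits(n=9):
    """Uniformly random n-digit string (leading zeros allowed) from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n))


def success_rate(probs, beta):
    """Chance that trying the beta most likely values, in order, hits the target."""
    return sum(sorted(probs, reverse=True)[:beta])


def effective_bits(rate, beta):
    """Size in bits of a uniform distribution giving the same success rate."""
    return math.log2(beta / rate)


def zipf(n_values, s=1.0):
    """Constructed skewed distribution (assumption): p_i proportional to 1 / i**s."""
    weights = [1.0 / (i ** s) for i in range(1, n_values + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def compare(beta=10, n_values=1_000_000, digits=9):
    """Compare a skewed distribution with a uniform n-digit number for beta guesses."""
    skewed = success_rate(zipf(n_values), beta)
    uniform = beta / 10 ** digits  # every value equally likely
    return {
        "skewed_rate": skewed,
        "skewed_bits": effective_bits(skewed, beta),
        "uniform_rate": uniform,
        "uniform_bits": effective_bits(uniform, beta),
    }


if __name__ == "__main__":
    print("random nine-digit secret:", random_digits(9))
    for key, value in compare().items():
        print(f"{key}: {value:.6g}")
```

With ten guesses per account, the constructed skewed distribution behaves like a secret of under six bits, while the uniform nine-digit number keeps its full strength of about 30 bits.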

Bonneau's study, the largest ever on password security, was presented at the 2012 IEEE Symposium on Security and Privacy.
