Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com)
An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study focuses on a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.
Is brute-forcing still a thing? (Score:2, Insightful)
Re: (Score:3)
Database hash dumps don't care about what online-attack rules you put in place.
Once they have the hashed-password database, it's just a matter of time before the attacker gets somebody's password. The goal is to make sure it's not yours, by using a long and totally-unique password... precisely what a password manager is good at generating and handling.
You might need to read about rainbow tables (Score:5, Informative)
> Read about rainbow tables
Good advice. You should take that advice. Maybe even try using one.
Let's look at your claim regarding the length of the password. Back in the early 1990s, MD5 was the recommended algorithm. It had a short 128-bit hash. That's roughly the same entropy as an 18-20 character password. As long as two passwords were both at least 20 characters, a longer password wasn't better because they'd both get reduced to a 128-bit hash anyway. By the late 1990s weaknesses had been found in MD5 and we started recommending SHA-1 instead. I personally distributed sample code showing how to convert your MD5 password hashes to SHA1, something that sounds impossible at first.
Then about 15 years ago MD5 was completely broken. Anyone with a clue moved to SHA1 or, later, SHA2. IF your web application is using an algorithm that has been broken for 15 years, AND your pass is at least 20 characters, longer than 20 isn't much more secure.
You might be thinking "there is a four character password with the same hash". No, there isn't, in all likelihood. There are very few 4-character passwords, and very many possible 128-bit hashes. For any given long password, there probably is no short password with the same hash.
SHA-1 is a 160-bit hash. It's even less likely that a short password of say 36 bits entropy is going to have the same 160-bit hash as a longer password. ALL possible 36-bit passwords combined only cover 1/2^124 of the outputs. In other words, the odds against getting a match, even trying ALL of the short passwords, are far less than the odds that you will win the lottery without even playing, by finding a winning ticket.
SHA-2 came out in 2001. There are no rainbow tables for SHA2, because the key space is too large. So if your application has been *properly* updated in the last 10-15 years, rainbow tables simply do not apply.
Hashes: ...and still very breakable. (Score:3)
Yes, I get your point.
- The parent poster's point is about rainbow tables (tables that map hashes back to strings that generate the same hash).
- Your point is that a well designed (=non borked design) hashing function should give two different hashes for two dissimilar short passwords. Thus you would need a giant rainbow table that gives a password for *every single possible 160bit hash* (that's ~10^48 entries, i.e.: within an order or two of the number of atoms on earth [fnal.gov]). Fat chance.
BUT!
Even if the hash->passw
Agree with your conclusion. A little more info (Score:3)
> do NOT use SHA2 for your password database.
use bcrypt/scrypt/argon2 instead.
Bcrypt is indeed designed as a *password* hashing function, so it's better for passwords than sha-2 is. I think sha-2 is also acceptable.
> Thus you would need a giant rainbow table that gives a password for *every single possible 160bit hash
That's actually the difference between a rainbow table and a simple lookup table. The rainbow table can be as big or small as you want. Larger tables allow faster "unhashing". While BUILD
/.er vs normal people (Score:2)
Answer trashed by mis-typing, I'll try to rewrite my reply again.
> Bcrypt is indeed designed as a *password* hashing function, so it's better for passwords than sha-2 is. I think sha-2 is also acceptable.
Bcrypt, Scrypt, Argon2 (and the older PBKDF2, for completeness) were all designed for passwords and are designed with resistance to bruteforce in mind.
The sha{n} family was designed for speed (and sha-3/keccak also because a sponge function is an interesting new concept) and is only acceptable if you don't mind brute forcing.
Definitely don't use a common password. Using "password" as your password will suck no matter what else you do. Therefore it's a mistake to say:
Doing X won't help if the passwords suck. Therefore don't do X.
The problem isn't simply people using "password" or "123456" as a password. The problem is the general approach to security.
We
Re: (Score:3)
>"Database hash dumps don't care about what online-attack rules you put in place. Once they have the hashed-password database"
But how did they get such a database in the first place? It seems that is a pretty big feat on most systems. But brute-forcing most certainly is a thing, apparently, since my ssh ports get hammered constantly, all day long, 24x7. However, with fail-to-ban (or similar) installed, it is a 100% useless effort by those brute-forcers, regardless of password strength.
If one already
Re: (Score:3)
But how did they get such a database in the first place?
SQL injection, malware, physical compromise, buffer overflow, side-channel attack, credential reuse, DNS hijacking, ARP spoofing, unpatched vulnerabilities... Pretty much for any attack vector you can think of, a password database is one of the potential targets.
As an example, let's consider the credentials to a web service, stored in a RDBMS. If that web service is insecure in particular ways, SQL injection can be used to dump the entirety of the database contents to an attacker's screen (which can then be
Re: (Score:2)
+1 informative. Thanks!
Re: (Score:2)
True, but if your most precious database got compromised, what are you still protecting?
If you leak password hashes, you have a problem, and you cannot blame it on the user.
Re: (Score:2)
I'm not blaming the user. I'm advocating defense in depth.
If a password database is published, clearly the person operating that database's associated services has failed somehow and the world should be aware of it... but dragging a company through a PR nightmare isn't going to make the password hashes secret again, or undo any damage done to the users.
However, while it is still the service operator's responsibility to protect that database, the security of the password itself is almost entirely controlled
Re: (Score:2)
The other problem is that if your computer is compromised the attacker can install a keylogger and get your master key.
You're conflating two different threat models. If your computer is compromised, everything you do from it is already vulnerable, because the malware can adjust what you're seeing and hijack activities as it likes. The attacker can already access your email account, reset service passwords, and do what they like without caring about your old passwords.
To protect against malware, my advice is an antivirus suite (even Windows Defender), pulling updates from the vendor as frequently as possible. Ad-blockers als
Re: (Score:2)
Backups, backups, backups.
This is one of the cases where having cloud-synced backups is absolutely wonderful. Even if someone else has access to your password manager's database, it's fully encrypted, and with a decently-strong password (the only one you should ever have to memorize), it'll be safe from brute-force attacks.
I keep my database synced with Google, and open it right from the synced folder. When I change the database, it's immediately backed up, and will sync to my other computers, as well.
Re: (Score:2)
Salting really just makes rainbow tables nearly useless, but does not impact security against brute-force attacks. A long and unique password is still exponentially more secure than a short one.
For example, let's say I have "1234" as a password. It's wonderfully simple, and shows up in every rainbow table and password list.
I go put that in a service, which adds its own salt of "ABC". Effectively, my password is now "ABC1234", and the salt is stored alongside my password hash.
If an attacker gets that databas
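The salt example above, worked through as an added example (not code from the original thread): a lookup table of unsalted hashes finds "1234" instantly, the salt "ABC" defeats that lookup, but an exhaustive search that re-hashes each candidate with the known salt still recovers the short password in a few thousand tries. The password list and the use of SHA-256 are constructed for illustration.

```python
import hashlib
import itertools
import string

# Constructed sample data: a tiny precomputed table of unsalted hashes for a
# handful of common passwords, standing in for a rainbow/lookup table.
COMMON_PASSWORDS = ["password", "123456", "1234", "qwerty", "letmein"]


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


# Unsalted hash -> password. A leaked unsalted database is attacked with this
# in one dictionary lookup per hash.
LOOKUP_TABLE = {sha256_hex(p): p for p in COMMON_PASSWORDS}


def hash_password(password: str, salt: str) -> str:
    # The comment's model: salt prepended, and stored beside the hash.
    return sha256_hex(salt + password)


def table_lookup(stored_hash: str):
    """Rainbow/lookup-table attack: returns the password, or None."""
    return LOOKUP_TABLE.get(stored_hash)


def brute_force(stored_hash: str, salt: str, alphabet: str, max_len: int):
    """Exhaustive search over every candidate up to max_len characters,
    re-hashing with the known salt. Returns (password, attempts) or
    (None, attempts) when the space is exhausted."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt) == stored_hash:
                return candidate, attempts
    return None, attempts


def demo() -> dict:
    """Run the three cases from the comment and return the outcomes."""
    unsalted = sha256_hex("1234")
    salted = hash_password("1234", "ABC")
    longer = hash_password("123456", "ABC")  # two more digits, same salt
    return {
        "unsalted_lookup": table_lookup(unsalted),
        "salted_lookup": table_lookup(salted),
        "salted_bruteforce": brute_force(salted, "ABC", string.digits, 4),
        "longer_bruteforce": brute_force(longer, "ABC", string.digits, 4),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The salt only removes the precomputation shortcut; the attacker's cost is still set by the size of the password space, which is why the comment's point about length stands.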
Re: (Score:2)
Yes! As the other poster said, account database dumps are commonly broken through brute force attempts. The tools to reverse hashes are not some "super secret cracker-only thing" either, hashcat [hashcat.net] is the best password-hash reversing brute force tool. It's free and open source and on the right hardware can have amazingly, absurdly, performant performance.
Re: (Score:1)
> Yes! As the other poster said, account database dumps are commonly broken through brute force attempts. The tools to reverse hashes are not some "super secret cracker-only thing" either, hashcat [hashcat.net] is the best password-hash reversing brute force tool. It's free and open source and on the right hardware can have amazingly, absurdly, performant performance.
Sounds like too much work, can't we just extract them from system logs? For some reason (god knows why), writing passwords into logs seems to be a trend now.
Re: (Score:3)
Why does this still work? I would think we would have adjusted things years ago so that once a wrong password is tried like, oh, I don't know, say 50 times the account is locked. Or don't allow more than one attempt per second. Something along those lines.
That's a nice account you've got there. Would be a pity if it got locked after, uh, someone tried a wrong password 50 times, wouldn't it?
Re: (Score:2)
Depends on the situation. An account shouldn't really be blocked without informing the admin. It's up to him to see what it is all about and unblock it. The login being blocked for the night while someone is trying to bruteforce it is usually not that big of a deal.
That's a nice company you've got there. Would be a pity if your admins got swamped with requests to unblock accounts when a botnet in a different country tries 50 passwords for all of your 2000 users.
I think all good solutions to this problem have been found already. When an AC on /. says "obviously, they should just try this", this says more about the AC than the problem.
Re: (Score:2)
Why does this still work? I would think we would have adjusted things years ago so that once a wrong password is tried like, oh, I don't know, say 50 times the account is locked. Or don't allow more than one attempt per second. Something along those lines.
Of course, locking the account after some number of tries is handy if you want to just cause denial of access/service attacks. Then you get perturbed users who can't log into their accounts, and have to reset passwords/keys which requires time and effort.
I prefer to just block the offending IP after about 3 attempts.
Don't look at intelligence, look at paranoia (Score:2)
I wouldn't expect intelligence to factor into strength of passwords. Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...
Or maybe it's just that no-one likes using hard passwords and even the paranoid will not bother.
SuperKendall touched my junk liberally (Score:2, Funny)
This assumes that higher GPA means smarter. While this may generally be the case, this is far from a foregone conclusion. Smartness or intelligence is a complex subject, and the measurement of intelligence is not something that is trivial and universally accepted. A different study that has access to other measures of intelligence – such as standardized aptitude tests – to combine with GPA may yield further insightful results.
Well we know liberals are all about touching junk (Score:2)
This assumes that higher GPA means smarter
That's a pretty excellent point really, the ability to get good grades is possibly an indicator of intelligence, but I don't think lack of good grades is a negative indicator for intelligence... I seem to remember reading lots of really intelligent people got bad grades, in part because they were bored or grades were not what they cared about in studying.
Re:Don't look at intelligence, look at paranoia (Score:5, Interesting)
I wouldn't expect intelligence to factor into strength of passwords.
I agree with you up to here.
Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...
While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden. That is, while some people likely use the paranoia factor to motivate them to use/remember long and complex passwords, I suspect that most people think along the lines of, "I am just not willing to burden my brain with yet another long and complex password for blah blah blah."
That is not to say that cognitive burden is the only determinant, since things like organizational policy (e.g., in a school or business) might set and enforce minimum complexity with which the user must cope. Rather, in the absence of a forced minimum, users will employ the simplest password they can comfortably get away with, where "comfortable" is different for each individual.
Re:Don't look at intelligence, look at paranoia (Score:4, Interesting)
A similar phenomenon would be "security fatigue" -- the sense that it's either all pointless, or that as security measures grow more complicated, the costs exceed the benefits for more and more situations.
Re: (Score:1)
Password cannot be less than 8 letters
Password cannot be more than 16 letters
You failed to enter the captcha
Password cannot contain a dictionary word
Your email provider is banned on this site
You failed to enter the captcha
You failed to enter the captcha
Password cannot contain a name
You failed to enter the captcha
Password cannot contain consecutive letters
Password must have a special character
You failed to enter the captcha
Password must contain uppercase letters
Password must not contain special character
You
Re: (Score:2)
Too true.
Which is why my PasswordSafe remembers all those passwords for me. With two exceptions - my computer and my PasswordSafe. So, I have to remember two (2) "long and complex" passwords while, at the same time, using as many as
Re: (Score:3)
While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden
I think this is probably a better take on it than I had. I agree that cognitive load is a large factor on what I personally end up using for password strength, after the fiftieth password you are just like "screw this, using password pattern 1".
things like organizational policy (e.g., in a school or business) might set and enforce minimum complexity
The funny thing about this to me is
Re: (Score:2)
The funny thing about this to me is that it greatly increases cognitive load of passwords, making the password a little stronger because it enforces say a special character, but across the board makes it VASTLY more likely I will choose the same password across multiple sites because otherwise I cannot remember what I chose and don't want to have to think of a new complex password.
Like many others around here, I use a password manager. So things like every website having a slightly different set of password requirements is nothing more than a minor annoyance to me. However, I can recall before I started using a password manager. It was maddeningly frustrating trying to remember the different policies. One site requires an uppercase, a lowercase, a number, a special character, and a length of 8-20. Another site requires a letter, a number, a special character (but not %, ~, =, or |),
Re: (Score:3)
Bottom line, with the way things stand today, a password manager is the only viable option for anybody that has even the slightest concern about security.
What happened to a good ol' plaintext file with logins and passwords, stored in an encrypted container?
Re: (Score:2)
I don't like password managers...
I've settled on sets of passwords with patterns based on the name of the sites, different patterns for different levels of security (so about three or so possible patterns). I then can have pretty complex passwords with special characters and mixed case, but the passwords are just different enough between sites to foil re-use of the password in a breach. This is a pretty secure setup, almost I would say more secure than a password manager since there is no master password
Re: (Score:2)
I don't like password managers...
I've settled on sets of passwords with patterns based on the name of the sites, different patterns for different levels of security (so about three or so possible patterns). I then can have pretty complex passwords with special characters and mixed case, but the passwords are just different enough between sites to foil re-use of the password in a breach.
That seems pretty good, but maybe the people who write password cracking software use the collected breach data as the starting point for their brute forcing of other websites. If so, then perhaps the patterns that you are using might not give as much protection as you might think. Even unique email addresses/logins for each website might not give much protection if the pattern for creating them is not too hard to discern.
All of this is doubly true if you are being specifically targeted.
Of course being speci
Re: (Score:3)
I advocate passphrases for their reduced burden. Increased complexity will statistically cause a variety of other behaviors. Any low entropy (patternlike) behavior can be emulated, and we spent 10-20 years teaching poorly, increasing the complexity tax for tiny entropy gains.
superman is weak. We get that.
Superman1! is just as weak. Fuck everything that has ever suggested otherwise.
$up3rm@n is almost as bad.
zxcvbnm is not strong. Neither is qrafzvwtsgxb. We see what you did there. Obviously, anything using t
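The point of this comment, that capitalisation, a trailing "1!" or leet substitutions add almost nothing to a dictionary word, is what a password-acceptance check has to model. Added example, not code from the thread: a constructed heuristic that undoes the common manglings before looking the word up, and that also catches keyboard walks such as "zxcvbnm". The dictionary, substitution map and 12-character floor are assumptions for illustration; a real deployment would use a large wordlist plus breach corpora.

```python
import re

# Constructed mini dictionary; a real check uses a large wordlist.
DICTIONARY = {"superman", "password", "letmein", "dragon", "monkey", "welcome"}

# Keyboard rows used to detect walks like "qwerty" or "zxcvbnm".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common leet substitutions, reversed so "$up3rm@n" becomes "superman".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "1": "i",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

# Bolt-on suffixes: "Superman1!", "welcome2024", "dragon_" and so on.
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*._-]+$")


def mangling_candidates(pw: str) -> set:
    """Every plausible base word hidden in pw after undoing cheap mangling."""
    low = pw.lower()
    stripped = TRAILING_JUNK.sub("", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def is_keyboard_walk(pw: str) -> bool:
    low = pw.lower()
    stripped = TRAILING_JUNK.sub("", low)
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for text in (low, stripped):
                if len(text) >= 3 and text in seq:
                    return True
    return False


def assess(pw: str) -> str:
    """Return 'weak:<reason>' or 'ok'. Constructed heuristic, not a full
    strength meter: it only encodes the manglings the comment lists."""
    if mangling_candidates(pw) & DICTIONARY:
        return "weak:dictionary-word-with-mangling"
    if is_keyboard_walk(pw):
        return "weak:keyboard-walk"
    if len(pw) < 12:
        return "weak:short"
    return "ok"


if __name__ == "__main__":
    for sample in ["superman", "Superman1!", "$up3rm@n", "zxcvbnm",
                   "correct horse battery staple"]:
        print(f"{sample!r}: {assess(sample)}")
```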
Re: (Score:2)
I wouldn't expect intelligence to factor into strength of passwords.
Especially if the strength of a password is defined by whether some random company where you used it got hacked.
Also, if you know it has been exposed, continuing to use it might be a de facto indicator that you're not a bright one.
Re: (Score:2)
You would be correct. I'm probably the smartest person any of you will ever meet, and my password for everything is "passw0rD". See, I changed the "o" to a "0" and made the "d" upper case so that it's impossible to break. Also, because the password nazis insist on my including a number and a mix of upper and lower case.
Look at password rules and if they have 5+ different (Score:2)
Look at password rules and if they have 5+ different systems to deal with.
Re: (Score:3)
Use a password manager, and you never need to remember what rules were in use where.
Re: (Score:2)
I've run into that... sometimes it means I have to change my rules, and sometimes I can only get the rules so close and have to make multiple attempts.
And sometimes I get websites that won't let me paste in my password. Because apparently it's still 2004 wherever they live.
Re: (Score:2)
I use KeePass personally, and its built-in password generator has the following options:
It also has options to only allow characters to appear once at most, forbid look-alike characters like "O" and "0", and simply prohibit certain characters.
Maybe Password Strength should be a Data Point (Score:1)
Re: (Score:3)
Password quality is an irrelevant metric (Score:2)
A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.
This confirms that password quality is an irrelevant metric when looking at folks with better grades as compared to those without.
Question though is why they used the Philippines and not the USA, where my bias assumes the USA has more avenues where folks would be exposed to the need of a password [as a percentage] of the whole population.
Re: (Score:3)
The college that conducted the study is in the Philippines. The experiments were run against the college's student email accounts... which does raise a few easily-dismissed ethical concerns, but I digress...
There's really no reason to assume the USA would be involved at all, other than the reference to NIST, which isn't too surprising. Many places refer to NIST standards, just to avoid a certain standardization problem [xkcd.com].
Re: (Score:3)
Did they run a brute force attack against their own email system, or does the college store passwords in plain text?
Re: (Score:2)
Most people in "simple countries" like Philippines simply use the "use facebook to log on" option to everything.
As soon as they lose the password they are locked out of everything.
I know dozens of people like that. New mobile phone or SIM card -> new facebook account, and dozens of new other accounts (because you can obviously not log on to the other accounts with your new FB account).
Re: BEST SCAM EVER (Score:1)
The NIST says "send all your users' new passwords to us. So we can check if they are compromised."
They didn't look at intelligence... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Life is so much better (Score:2)
smarter? (Score:2)
>"Smarter People Don't Have Better Passwords, Study Finds"
>"students with better grades use bad passwords in the same proportion as students with bad ones"
Um, students with better grades are not necessarily "smarter." Just saying...
>"because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools."
Any system that allows fast, unlimited login attempts (which is necessary for brute force) is BROKEN. Even weak passwords can't be "brute
Re: smarter? (Score:1)
Sounds like a creative DoS. Spoof different IPs and spam the login to the site with known accounts. Lock everybody out.
That's useful on poorly set up Windows domains. Is there a public pc somewhere in the building? 'Log on' as your least liked co-worker to get their account locked. IT needs something to do that is less boring than the toner in the LJ4 up on third floor east.
Re: (Score:2)
>"Sounds like a creative DoS. Spoof different IPs and spam the login to the site with known accounts. Lock everybody out."
If not carefully set up, you are correct that things like "fail to ban" can, indeed, lead to what is like a denial of service attack. Generally, accounts are not completely locked out, but the IP trying to break in is locked out... for a while, at least. An account lockout would only occur on some configurations, perhaps if it is being sensed as being attacked from many different IP
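The trade-off discussed in this sub-thread (block the source IP after a few failures, but never hard-lock the account, so that a botnet cannot deny service to real users), as an added example that is not code from the thread or from fail2ban: a login throttle with a temporary per-IP ban and a capped, growing per-account delay. The thresholds, the 900-second ban and the IP addresses (documentation ranges) are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP temporary ban plus per-account progressive delay.

    Constructed policy (an assumption, not any product's defaults):
      - an IP that fails `ip_max` times within `window` seconds is refused
        for `ban_seconds`, the "block the IP after about 3 attempts" idea;
      - an account that keeps failing gets a growing but capped delay rather
        than a lock, so spraying guesses from many IPs cannot lock users out.
    """

    def __init__(self, ip_max=3, window=60.0, ban_seconds=900.0,
                 account_max=5, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.ip_max, self.window, self.ban_seconds = ip_max, window, ban_seconds
        self.account_max, self.base_delay = account_max, base_delay
        self.max_delay, self.clock = max_delay, clock
        self.ip_failures = defaultdict(deque)      # ip -> failure timestamps
        self.ip_banned_until = {}                  # ip -> expiry time
        self.account_failures = defaultdict(int)   # account -> running count
        self.account_delay_until = defaultdict(float)

    def check(self, ip: str, account: str):
        """Call before verifying credentials. Returns (allowed, reason)."""
        now = self.clock()
        if self.ip_banned_until.get(ip, 0.0) > now:
            return False, "ip_banned"
        if self.account_delay_until[account] > now:
            return False, "account_delayed"
        return True, "ok"

    def record_failure(self, ip: str, account: str) -> None:
        now = self.clock()
        dq = self.ip_failures[ip]
        while dq and now - dq[0] > self.window:   # sliding window
            dq.popleft()
        dq.append(now)
        if len(dq) >= self.ip_max:
            self.ip_banned_until[ip] = now + self.ban_seconds
            dq.clear()
        n = self.account_failures[account] + 1
        self.account_failures[account] = n
        if n >= self.account_max:
            # exponential backoff, capped: slows guessing, never a permanent lock
            delay = min(self.base_delay * 2 ** (n - self.account_max), self.max_delay)
            self.account_delay_until[account] = now + delay

    def record_success(self, ip: str, account: str) -> None:
        self.account_failures[account] = 0
        self.account_delay_until[account] = 0.0


def scenario():
    """Deterministic walk-through with a fake clock; returns the check results."""
    t = [1000.0]
    th = LoginThrottle(clock=lambda: t[0])
    # One source hammering one account trips the IP ban, not an account lock.
    for _ in range(3):
        th.record_failure("198.51.100.7", "bob")
    same_ip = th.check("198.51.100.7", "bob")
    other_ip = th.check("203.0.113.9", "bob")
    # Distributed guessing: 20 IPs, one failure each, all against "alice".
    for i in range(20):
        th.record_failure(f"192.0.2.{i}", "alice")
    botnet_ip = th.check("192.0.2.0", "alice")          # no IP ban, but delayed
    legit_during = th.check("203.0.113.9", "alice")      # delayed, not locked
    t[0] += 301.0                                        # past the 300 s cap
    legit_after = th.check("203.0.113.9", "alice")
    return same_ip, other_ip, botnet_ip, legit_during, legit_after


if __name__ == "__main__":
    print(scenario())
```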
Verifying breach status (Score:3)
verifying if the password is also listed in previous public breaches
So does NIST recommend maintaining an offline archive of every breach ever or are they recommending you transmit the password in cleartext to a 3rd party?
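Both of the options this comment asks about, written out as an added example (not code from the thread or from NIST): an offline check against a locally stored list of breached-password hashes, and the range-query (k-anonymity) scheme that services such as Have I Been Pwned's Pwned Passwords use, where the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so neither the password nor its full hash leaves the site. The breach corpus here is a constructed five-entry list standing in for the real multi-gigabyte lists.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach corpus, standing in for the hashed lists of real
# breaches. Only hashes would normally be kept, never the plaintexts.
BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def sha1_hex_upper(password: str) -> str:
    # SHA-1 is used because that is what the Pwned Passwords corpus is keyed by.
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Option 1: keep the whole corpus locally as hashes and test membership.
BREACH_HASHES = {sha1_hex_upper(p) for p in BREACHED_PLAINTEXTS}


def is_breached_offline(password: str) -> bool:
    return sha1_hex_upper(password) in BREACH_HASHES


# Option 2: range query. The server indexes the corpus by hash prefix.
PREFIX_LEN = 5
BUCKETS = defaultdict(set)
for _h in BREACH_HASHES:
    BUCKETS[_h[:PREFIX_LEN]].add(_h[PREFIX_LEN:])


def server_range_lookup(prefix: str) -> set:
    """Server side: return every stored suffix whose hash starts with prefix.
    The server learns only a 20-bit prefix, shared by many unrelated hashes."""
    return set(BUCKETS.get(prefix.upper(), set()))


def client_check(password: str) -> tuple:
    """Client side: hash locally, send the prefix, compare the suffix locally.
    Returns (breached, prefix_sent) so a caller can see what left the site."""
    h = sha1_hex_upper(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server_range_lookup(prefix), prefix


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, is_breached_offline(pw), client_check(pw))
```

The range-query variant is what answers the "cleartext to a 3rd party" worry: the third party sees a prefix that matches hundreds of unrelated hashes, and the match decision is made on the client.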
Re: (Score:2)
9GB for every project is a bit much.
Better Grade != Smarter (Score:2)
Smart people are different (Score:3)
... than the 'other' people. Smart people tend to think for themselves, to ignore common beliefs and behaviors. Smart people are like cats who are difficult to herd. If the gospel among computer users is to have an obscure password, smart people will question that and may do so only for special accounts.
The 'other' people, OTOH, tend to do as they are told, to follow the rules, to behave themselves. If they are told to use safe passwords, and they can remember that rule, they will make some effort to do so. Those 'other' people are like dogs- they will do as told if they understand and remember the rules. We all like dogs, but not everyone likes those smartass cats.
Re: (Score:2)
Re: (Score:2)
> the guy who recently admitted that the standard password policy recommendations (expire after 3 months and all that) were something he pulled out of his ass...
paywalled article...
The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error
By Robert McMillan
Aug. 7, 2017 12:41 p.m. ET
https://www.wsj.com/articles/t... [wsj.com]
via
https://it.slashdot.org/story/... [slashdot.org]
some
Re: (Score:2)
So the NIST is compiling a list? (Score:2)
Let me get this straight. So the NIST is saying that when a new user creates an account on a site, that site should immediately shuffle a copy of that password off to another site where it can be compared to a list of passwords on that site.
That sounds a little shitty. When I sign up for an account somewhere, the password I create and give them shouldn't be passed around to other entities. It sounds like a great opportunity for somebody building a password dictionary to log a copy of everything that's bein
Re: (Score:2)
If you're bright enough to write a poem like "Jabberwocky", and include even some of your own custom-made words, you can very easily have a password far longer than 14 characters that's perfectly easy to remember.
Here's an example:
"Anonymous" and "Coward"
Words identifying fools
Known for sloping, apelike foreheads
Also noseflaps shaped like tools
But at least... (Score:2)
...it helps writing titles that actually do reflect studies.
Better grades is not the same as being "smarter".
Re: (Score:2)
Bad assumption! (Score:2)
Better grades != smarter
The only thing that correlates highly with "better grades" is *effort*, not intelligence.
Smarter people don't have better passwords (Score:2)
What's wrong with "54321EGAGGUL"?
stupid, in a specific way (Score:2)
This is completely stupid.
I once got a B+ in my advanced-stream, enriched introduction to calculus course, so I guess my standard 11–15 character passwords (seeded from the OpenBSD apg utility) count toward the B Ark's less-than-entirely-lame password rating.
But I guess I was pretty stupid after all, because just about any other course would have been less difficult to complete with a big fat A.
But then again, only because I effed myself to take the hard road did I gain a full and proper understandin
"Smart" not the same as "Wise" (Score:1)
Wisdom is knowing the right thing to do.
IQ is then figuring how to do it effectively.
Not news. Richard Feynman mentioned it. (Score:3)
He was working in the Manhattan project making the first atom bomb. The place was teeming with top physicists, absent-minded professors, and was run by the Army, which had safes allocated to all top scientists. After a long and interesting story about how he got into safe cracking, he mentioned: He was challenged to crack the safe of Niels Bohr or Oppenheimer. He did it in less than two minutes. Asked how, he replied, "Physicists always use 3141, 1414, 1783, or 2245 as the code". They are pi, sqrt(2), sqrt(3), sqrt(5).
Re: (Score:2)
I always use sqrt(1) as my password.
Better grades does NOT mean smarter (Score:2)
The headline said: Smarter People Don't Have Better Passwords, Study Finds
The summary said: students with better grades use bad passwords in the same proportion as students with bad ones.
Counterpoint: Better grades are not a measure of "smartness" or intelligence --- Grades are a course-specific measure of performance in class on typically assignments and tests which are bound to frequently have some level of instructor subjectivity embedded into the result: At the very least in advanced subjects,
Re: (Score:3)
Grades are also measures of conformance and memory which are both actually crutches that can reduce the degree of developed intelligence.
It is interesting that the only intelligence required here is the intelligence to know that memorable passwords are a security risk in general and that proper password security requires the use of a well-protected password vault and automatic password generator so that no compromised site will ever reveal the password you've used on any other site.
Amusing assumption (Score:2)
When you have good test scores; in math, in literature, sports or IQ tests you have proven you are highly motivated to score well. It is not proof of intelligence.
There is a fair amount of highly intelligent people that are demotivated and will not apply themselves in a manner that is often expected in today's society.
The real challenge for educators, parents, friends and managers that know demotivated intelligent people is to help them get that spark to apply themselves.
It is perhaps unthinkable that
Not all passwords are equal (Score:2)