Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com)

An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study is focused on a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying whether the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.


  • by Anonymous Coward
    Why does this still work? I would think we would have adjusted things years ago so that once a wrong password is tried like, oh, I don't know, say 50 times the account is locked. Or don't allow more than one attempt per second. Something along those lines.
    • Database hash dumps don't care about what online-attack rules you put in place.

      Once they have the hashed-password database, it's just a matter of time before the attacker gets somebody's password. The goal is to make sure it's not yours, by using a long and totally-unique password... precisely what a password manager is good at generating and handling.

      • >"Database hash dumps don't care about what online-attack rules you put in place. Once they have the hashed-password database"

        But how did they get such a database in the first place? It seems that is a pretty big feat on most systems. But brute-forcing most certainly is a thing, apparently, since my ssh ports get hammered constantly, all day long, 24x7. However, with fail-to-ban (or similar) installed, it is a 100% useless effort by those brute-forcers, regardless of password strength.

        If one already

        • But how did they get such a database in the first place?

          SQL injection, malware, physical compromise, buffer overflow, side-channel attack, credential reuse, DNS hijacking, ARP spoofing, unpatched vulnerabilities... Pretty much for any attack vector you can think of, a password database is one of the potential targets.

          As an example, let's consider the credentials to a web service, stored in a RDBMS. If that web service is insecure in particular ways, SQL injection can be used to dump the entirety of the database contents to an attacker's screen (which can then be

      • by thsths ( 31372 )

        True, but if your most precious database got compromised, what are you still protecting?

        If you leak password hashes, you have a problem, and you cannot blame it on the user.

        • I'm not blaming the user. I'm advocating defense in depth.

          If a password database is published, clearly the person operating that database's associated services has failed somehow and the world should be aware of it... but dragging a company through a PR nightmare isn't going to make the password hashes secret again, or undo any damage done to the users.

          However, while it is still the service operator's responsibility to protect that database, the security of the password itself is almost entirely controlled

    • Yes! As the other poster said, account database dumps are commonly broken through brute force attempts. The tools to reverse hashes are not some "super secret cracker-only thing" either; hashcat [hashcat.net] is the best password-hash reversing brute force tool. It's free and open source and on the right hardware can have amazingly, absurdly, performant performance.

      • Yes! As the other poster said, account database dumps are commonly broken through brute force attempts. The tools to reverse hashes are not some "super secret cracker-only thing" either; hashcat [hashcat.net] is the best password-hash reversing brute force tool. It's free and open source and on the right hardware can have amazingly, absurdly, performant performance.

        Sounds like too much work; can't we just extract them from system logs? For some reason (god knows why), writing passwords into logs seems to be a trend now.

    • Why does this still work? I would think we would have adjusted things years ago so that once a wrong password is tried like, oh, I don't know, say 50 times the account is locked. Or don't allow more than one attempt per second. Something along those lines.

      That's a nice account you've got there. Would be a pity if it got locked after, uh, someone tried a wrong password 50 times, wouldn't it?

    • Why does this still work? I would think we would have adjusted things years ago so that once a wrong password is tried like, oh, I don't know, say 50 times the account is locked. Or don't allow more than one attempt per second. Something along those lines.

      Of course, locking the account after some number of tries is handy if you want to just cause denial of access/service attacks. Then you get perturbed users who can't log into their accounts, and have to reset passwords/keys which requires time and effort.

      I prefer to just block the offending IP after about 3 attempts.
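The two lockout styles argued over in this thread (lock the account after N failures versus ban the offending source) fail in different ways, and the difference is easiest to see by running both against the same traffic. The following is an added example written for this page, not code from any poster or from fail2ban; the thresholds, usernames and addresses (all from the RFC 5737 documentation ranges) are assumptions chosen for illustration.

```python
"""Per-IP blocking versus per-account lockout against online password guessing.

Added example, not from the thread. Two policies are run against the same
constructed attack traffic so their failure modes are visible side by side:
  HardLockout        - lock the account after N wrong guesses, as proposed above;
                       anyone who knows a username can lock its owner out.
  IpBlockWithBackoff - block the *source* after a few failures (the fail2ban
                       idea) and, per account, impose a growing delay instead of
                       a lock, so distributed guessing is slowed but the owner is
                       never locked out by somebody else's guesses.
Thresholds, addresses and usernames are assumptions chosen for illustration.
"""
from collections import defaultdict


class HardLockout:
    def __init__(self, max_failures=50):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, ip, user, password_ok, now):
        if self.failures[user] >= self.max_failures:
            return "locked"                 # refused even when the password is right
        if password_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        return "denied"                     # a real guess was evaluated


class IpBlockWithBackoff:
    def __init__(self, ip_max_failures=3, ip_block_seconds=600.0,
                 base_delay=1.0, max_delay=60.0):
        self.ip_max_failures = ip_max_failures
        self.ip_block_seconds = ip_block_seconds
        self.base_delay, self.max_delay = base_delay, max_delay
        self.ip_failures = defaultdict(list)      # ip -> timestamps of recent failures
        self.ip_blocked_until = {}
        self.user_failures = defaultdict(int)
        self.user_next_allowed = defaultdict(float)

    def attempt(self, ip, user, password_ok, now):
        if self.ip_blocked_until.get(ip, 0.0) > now:
            return "ip_blocked"             # source is banned; password not even examined
        if self.user_next_allowed[user] > now:
            return "throttled"              # come back later; the account is NOT locked
        if password_ok:
            self.user_failures[user] = 0
            self.user_next_allowed[user] = 0.0
            return "success"
        recent = [t for t in self.ip_failures[ip] if now - t < self.ip_block_seconds] + [now]
        self.ip_failures[ip] = recent
        if len(recent) >= self.ip_max_failures:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds
        self.user_failures[user] += 1
        delay = min(self.base_delay * 2 ** (self.user_failures[user] - 1), self.max_delay)
        self.user_next_allowed[user] = now + delay   # exponential backoff, capped
        return "denied"


def distributed_attack_then_owner_login(policy):
    """60 wrong guesses for 'alice', one per second, each from a different address
    (a botnet or spoofed sources), then the real owner logs in at t=300.
    Returns (guesses actually evaluated, what the owner got)."""
    evaluated = 0
    for i in range(60):
        outcome = policy.attempt(f"203.0.113.{i}", "alice", False, float(i))
        evaluated += outcome == "denied"
    owner = policy.attempt("192.0.2.10", "alice", True, 300.0)
    return evaluated, owner


def single_source_hammering(policy):
    """One address guessing at 'bob' once per second; returns the outcomes it sees."""
    return [policy.attempt("198.51.100.7", "bob", False, 1000.0 + i) for i in range(5)]


if __name__ == "__main__":
    for policy_cls in (HardLockout, IpBlockWithBackoff):
        print(policy_cls.__name__, distributed_attack_then_owner_login(policy_cls()),
              single_source_hammering(policy_cls()))
```

Under HardLockout the distributed attacker gets 50 real guesses and then Alice is locked out of her own account; under IpBlockWithBackoff the same traffic yields only 6 evaluated guesses and Alice still logs in. Note that the per-IP ban never fires in the distributed run (one guess per source), which is exactly why a per-account delay is needed alongside fail2ban-style blocking; the delay is the part that replaces the lockout without handing the attacker a denial-of-service lever.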

  • I wouldn't expect intelligence to factor into strength of passwords. Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...

    Or maybe it's just that no-one likes using hard passwords and even the paranoid will not bother.

    • by Anonymous Coward

      This assumes that higher GPA means smarter. While this may generally be the case, this is far from a foregone conclusion. Smartness or intelligence is a complex subject, and the measurement of intelligence is not something that is trivial and universally accepted. A different study that has access to other measures of intelligence – such as standardized aptitude tests – to combine with GPA may yield further insightful results.

      • This assumes that higher GPA means smarter

        That's a pretty excellent point really, the ability to get good grades is possibly an indicator of intelligence, but I don't think lack of good grades is a negative indicator for intelligence... I seem to remember reading lots of really intelligent people got bad grades, in part because they were bored or grades were not what they cared about in studying.

    • by El Cubano ( 631386 ) on Tuesday May 15, 2018 @04:00PM (#56617128)

      I wouldn't expect intelligence to factor into strength of passwords.

      I agree with you up to here.

      Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...

      While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden. That is, while some people likely use the paranoia factor to motivate them to use/remember long and complex passwords, I suspect that most people think along the lines of, "I am just not willing to burden my brain with yet another long and complex password for blah blah blah."

      That is not to say that cognitive burden is the only determinant, since things like organizational policy (e.g., in a school or business) might set and enforce minimum complexity with which the user must cope. Rather, in the absence of a forced minimum, users will employ the simplest password they can comfortably get away with, where "comfortable" is different for each individual.

      • by Lije Baley ( 88936 ) on Tuesday May 15, 2018 @04:15PM (#56617210)

        A similar phenomenon would be "security fatigue" -- the sense that it's either all pointless, or that as security measures grow more complicated, the costs exceed the benefits for more and more situations.

        • by Anonymous Coward

          Password cannot be less than 8 letters
          Password cannot be more than 16 letters
          You failed to enter the captcha
          Password cannot contain a dictionary word
          Your email provider is banned on this site
          You failed to enter the captcha
          You failed to enter the captcha
          Password cannot contain a name
          You failed to enter the captcha
          Password cannot contain consecutive letters
          Password must have a special character
          You failed to enter the captcha
          Password must contain uppercase letters
          Password must not contain special character
          You

      • That is, while some people likely use the paranoia factor to motivate them to use/remember long and complex passwords, I suspect that most people think along the lines of, "I am just not willing to burden my brain with yet another long and complex password for blah blah blah."

        Too true.

        Which is why my PasswordSafe remembers all those passwords for me. With two exceptions - my computer and my PasswordSafe. So, I have to remember two (2) "long and complex" passwords while, at the same time, using as many as

      • While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden

        I think this is probably a better take on it than I had. I agree that cognitive load is a large factor on what I personally end up using for password strength, after the fiftieth password you are just like "screw this, using password pattern 1".

        things like organizational policy (e.g., in a school or business) might set and enforce minimum complexity

        The funny thing about this to me is

        • The funny thing about this to me is that it greatly increases cognitive load of passwords, making the password a little stronger because it enforces say a special character, but across the board makes it VASTLY more likely I will choose the same password across multiple sites because otherwise I cannot remember what I chose and don't want to have to think of a new complex password.

          Like many others around here, I use a password manager. So things like every website having a slightly different set of password requirements is nothing more than a minor annoyance to me. However, I can recall before I started using a password manager. It was maddeningly frustrating trying to remember the different policies. One site requires an uppercase, a lowercase, a number, a special character, and a length of 8-20. Another site requires a letter, a number, a special character (but not %, ~, =, or |),

          • Bottom line, with the way things stand today, a password manager is the only viable option for anybody that has even the slightest concern about security.

            What happened to a good ol' plaintext file with logins and passwords, stored in an encrypted container?

          • I don't like password managers...

            I've settled on sets of passwords with patterns based on the name of the sites, different patterns for different levels of security (so about three or so possible patterns). I then can have pretty complex passwords with special characters and mixed case, but the passwords are just different enough between sites to foil re-use of the password in a breach. This is a pretty secure setup, almost I would say more secure than a password manager since there is no master password

            • by j-beda ( 85386 )

              I don't like password managers...

              I've settled on sets of passwords with patterns based on the name of the sites, different patterns for different levels of security (so about three or so possible patterns). I then can have pretty complex passwords with special characters and mixed case, but the passwords are just different enough between sites to foil re-use of the password in a breach.

              That seems pretty good, but maybe the people who write password cracking software use the collected breach data as the starting point for their brute forcing of other websites. If so, then perhaps the patterns that you are using might not give as much protection as you might think. Even unique email addresses/logins for each website might not give much protection if the pattern for creating them is not too hard to discern.

              All of this is doubly true if you are being specifically targeted.

              Of course being speci

      • by Falos ( 2905315 )

        I advocate passphrases for their reduced burden. Increased complexity will statistically cause a variety of other behaviors. Any low entropy (patternlike) behavior can be emulated, and we spent 10-20 years teaching poorly, increasing the complexity tax for tiny entropy gains.

        superman is weak. We get that.
        Superman1! is just as weak. Fuck everything that has ever suggested otherwise.
        $up3rm@n is almost as bad.
        zxcvbnm is not strong. Neither is qrafzvwtsgxb. We see what you did there. Obviously, anything using t
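Several posters above make the same point from different angles: hashcat reverses dumped hashes in bulk, breach data seeds the wordlists, and "Superman1!" or "$up3rm@n" are just "superman" after rules every cracker already applies. The block below is an added example written for this page in plain Python (hashcat does the same job at vastly higher speed) to show those rules in action against a leaked dump, and why an unsalted fast hash is the worst case for the users in it. The usernames, passwords, wordlist and rule set are constructed for the example and are not from any real breach.

```python
"""Offline dictionary attack with mangling rules against a leaked hash dump.

Added example in plain Python (hashcat does the same thing at enormously
higher speed), illustrating the point made above: 'Superman1!' and '$up3rm@n'
fall to the same attack as 'superman', because crackers apply exactly these
transformations to a wordlist. It also shows why unsalted fast hashes are the
worst case: each candidate is hashed once and matched against every user, while
a per-user salt and a slow KDF force the work to be redone for each account.
The usernames, passwords, wordlist and rule set are constructed for this example.
"""
import hashlib
import os

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "1", "123", "!", "1!", "2018")


def mangle(word):
    """Yield common human mutations of a base word (a tiny hashcat-style rule set)."""
    seen = set()
    bases = (word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET))
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


# Constructed accounts; 'dave' used a manager-generated random password.
CREDS = {"alice": "Superman1!", "bob": "$up3rm@n", "carol": "zxcvbnm", "dave": "Vq7#pL2m!xR9"}
# In practice this list is the previous breaches themselves, plus keyboard walks.
WORDLIST = ["password", "superman", "batman", "zxcvbnm", "qwerty", "letmein"]


def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def make_unsalted_dump(creds):
    """What a site storing bare SHA-1 leaks: user -> hex digest."""
    return {user: sha1_hex(pw) for user, pw in creds.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once; every user who chose it falls at the same time."""
    users_by_hash = {}
    for user, h in dump.items():
        users_by_hash.setdefault(h, []).append(user)
    cracked, hash_ops = {}, 0
    for cand in candidates(wordlist):
        hash_ops += 1
        for user in users_by_hash.get(sha1_hex(cand), []):
            cracked[user] = cand
    return cracked, hash_ops


def kdf(pw, salt, iterations=2000):
    """Salted, iterated hash. Iterations are kept low so the example runs in about a
    second; a real deployment uses a far higher cost or a memory-hard KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_salted_dump(creds):
    """What a site storing PBKDF2 leaks: user -> (salt, digest)."""
    out = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        out[user] = (salt, kdf(pw, salt))
    return out


def crack_salted(dump, wordlist):
    """Same rules, but the work must be repeated per user because of the salt."""
    cracked, hash_ops = {}, 0
    for user, (salt, digest) in dump.items():
        for cand in candidates(wordlist):
            hash_ops += 1
            if kdf(cand, salt) == digest:
                cracked[user] = cand
                break
    return cracked, hash_ops


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(make_unsalted_dump(CREDS), WORDLIST))
    print("salted PBKDF2: ", crack_salted(make_salted_dump(CREDS), WORDLIST))
```

Alice, Bob and Carol are recovered from a six-word wordlist with a handful of rules; Dave's random password never appears as a candidate and survives both runs regardless of the hash. The salted run recovers the same three accounts, but the hash operation count is several times higher because nothing can be shared between users, and at a realistic iteration count each of those operations is thousands of times slower than a bare SHA-1. That is the whole argument for a slow, salted KDF on the server and a unique random password on the client: the first multiplies the attacker's cost, the second takes the account out of the wordlist entirely.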

    • I wouldn't expect intelligence to factor into strength of passwords.

      Especially if the strength of a password is defined by whether some random company where you used it got hacked.

      Also, if you know it has been exposed, continuing to use it might be a de facto indicator that you're not a bright one.

    • I wouldn't expect intelligence to factor into strength of passwords.

      You would be correct. I'm probably the smartest person any of you will ever meet, and my password for everything is "passw0rD". See, I changed the "o" to a "0" and made the "d" upper case so that it's impossible to break. Also, because the password nazis insist on my including a number and a mix of upper and lower case.

  • Look at password rules and if they have 5+ different systems to deal with.

    • Use a password manager, and you never need to remember what rules were in use where.

  • Judge intelligence based on password strength.
    • no, study only proved the students don't give a shit about the security of their school's email accounts. maybe smart people give even less of a shit about things that are extraneous in life than "normal people"....
  • A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.

    This confirms that password quality is an irrelevant metric when looking at folks with better grades as compared to those without.

    Question though is why they used the Philippines and not the USA, where my bias assumes the USA has more avenues where folks would be exposed to the need of a password [as a percentage] of the whole population.

    • The college that conducted the study is in the Philippines. The experiments were run against the college's student email accounts... which does raise a few easily-dismissed ethical concerns, but I digress...

      There's really no reason to assume the USA would be involved at all, other than the reference to NIST, which isn't too surprising. Many places refer to NIST standards, just to avoid a certain standardization problem [xkcd.com].

      • The experiments were run against the college's student email accounts

        Did they run a brute force attack against their own email system, or does the college store passwords in plain text?

    • Most people in "simple countries" like Philippines simply use the "use facebook to log on" option to everything.
      As soon as they lose the password they are locked out of everything.
      I know dozens of people like that. New mobile phone or SIM card -> new facebook account, and dozens of new other accounts (because you can obviously not log on to the other accounts with your new FB account).

  • by Jon.Burgin ( 1136665 ) on Tuesday May 15, 2018 @04:01PM (#56617132)
    they looked at grades, which is a dubious measurement of intelligence at best.
    • Wish I could mod this up, but I already commented basically the same thing myself...
    • Also, "smarter people don't have better passwords" isn't what was measured. "Filipino College students with higher grades don't have better passwords" is really what was measured.
  • My password predicament went away when I changed all mine to correcthorsebatterystaple !
  • >"Smarter People Don't Have Better Passwords, Study Finds"
    >"students with better grades use bad passwords in the same proportion as students with bad ones"

    Um, students with better grades are not necessarily "smarter." Just saying...

    >"because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools."

    Any system that allows fast, unlimited login attempts (which is necessary for brute force) is BROKEN. Even weak passwords can't be "brute

    • Sounds like a creative DoS. Spoof different IPs and spam the login to the site with known accounts. Lock everybody out.

      That's useful on poorly set up Windows domains. Is there a public PC somewhere in the building? 'Log on' as your least-liked co-worker to get their account locked. IT needs something to do that is less boring than the toner in the LJ4 up on third floor east.

      • >"Sounds like a creative DoS. Spoof different IPs and spam the login to the site with known accounts. Lock everybody out."

        If not carefully set up, you are correct that things like "fail to ban" can, indeed, lead to what is like a denial of service attack. Generally, accounts are not completely locked out, but the IP trying to break in is locked out... for a while, at least. An account lockout would only occur on some configurations, perhaps if it is being sensed as being attacked from many different IP

  • by omnichad ( 1198475 ) on Tuesday May 15, 2018 @04:09PM (#56617176) Homepage

    verifying if the password is also listed in previous public breaches

    So does NIST recommend maintaining an offline archive of every breach ever or are they recommending you transmit the password in cleartext to a 3rd party?

  • This study just shows that people with better grades don't necessarily use better passwords; nothing more or less.
  • by swell ( 195815 ) <jabberwock@poetic.com> on Tuesday May 15, 2018 @04:12PM (#56617196)

    ... than the 'other' people. Smart people tend to think for themselves, to ignore common beliefs and behaviors. Smart people are like cats who are difficult to herd. If the gospel among computer users is to have an obscure password, smart people will question that and may do so only for special accounts.

    The 'other' people, OTOH, tend to do as they are told, to follow the rules, to behave themselves. If they are told to use safe passwords, and they can remember that rule, they will make some effort to do so. Those 'other' people are like dogs- they will do as told if they understand and remember the rules. We all like dogs, but not everyone likes those smartass cats.

    • Smart people are also able to parse a particular field's body of knowledge and realize their own limitations, and know when and why to concede to a consensus of experts -- otherwise you get flat-Earthers.
  • Let me get this straight. So the NIST is saying that when a new user creates an account on a site, that site should immediately shuffle a copy of that password off to another site where it can be compared to a list of passwords on that site.

    That sounds a little shitty. When I sign up for an account somewhere, the password I create and give them shouldn't be passed around to other entities. It sounds like a great opportunity for somebody building a password dictionary to log a copy of everything that's bein
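Two posters above ask the right question: does the breach check mean keeping a local copy of every dump, or shipping the user's password to a third party? Neither the NIST text quoted in the summary nor the thread names a mechanism, so the following is an added example, not code from NIST or from any poster. It implements the k-anonymity range lookup that the Pwned Passwords service popularised (this code does not contact that service): the client hashes the candidate password, sends only the first five hex digits of the SHA-1, receives every breached suffix under that prefix, and does the comparison locally, so the password itself never leaves the site doing the check. The breach corpus, the server class and the acceptance rule are constructed stand-ins.

```python
"""Breach-corpus password check without sending the password anywhere.

Added example; neither the thread nor the NIST guideline prescribes this
mechanism. It answers the question raised above (must the site hand the
password to a third party?) with a k-anonymity range lookup: the client sends
only the first five hex digits of the password's SHA-1, the server returns every
breached-hash suffix under that prefix, and the match is done on the client.
The breach corpus, the server and the client below are constructed stand-ins;
the real deployment of this protocol is the Pwned Passwords range API, which
this code does not contact.
"""
import hashlib
import re

# Constructed corpus: strings of the kind that appear in public breach dumps.
BREACHED = ["123456", "password", "qwerty", "Superman1!", "passw0rD", "letmein"]

HEX5 = re.compile(r"^[0-9A-F]{5}$")


def sha1_hex(password: str) -> str:
    # SHA-1 is only a lookup key here, not a password store; the corpus is public anyway.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Third-party side: breached SHA-1 hashes bucketed by their 5-hex-digit prefix."""

    def __init__(self, corpus):
        self.buckets = {}
        for pw in corpus:
            h = sha1_hex(pw)
            self.buckets.setdefault(h[:5], set()).add(h[5:])
        self.request_log = []   # everything the server (or a network observer) learns

    def range(self, prefix: str) -> list:
        if not HEX5.match(prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex digits")
        self.request_log.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def is_breached(password: str, server: RangeServer) -> bool:
    """Site side: only the prefix leaves this function; the suffix is compared locally."""
    h = sha1_hex(password)
    return h[5:] in server.range(h[:5])


def accept_new_password(password: str, server: RangeServer, min_length: int = 8):
    """A NIST-style acceptance rule: a minimum length plus the breach-corpus check,
    and no composition rules. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, server):
        return False, "found in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    srv = RangeServer(BREACHED)
    for pw in ["passw0rD", "correct horse battery staple"]:
        print(repr(pw), accept_new_password(pw, srv))
    print("server saw only:", srv.request_log)
```

The caveat a practitioner should keep in mind: the anonymity comes from bucket size. With hundreds of millions of entries spread over 2^20 prefixes a real range response carries several hundred suffixes, so the prefix alone narrows the password down to that set; with a toy corpus like the one above most buckets hold a single entry and the prefix is as good as the hash. The other option the thread mentions, hosting the whole corpus locally, is the same code with RangeServer running on the site's own infrastructure, and it is the right choice when even a five-character prefix is too much to send out.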

  • ...it helps writing titles that actually do reflect studies.
    Better grades is not the same as being "smarter".

  • Better grades != smarter

    The only thing that correlates highly with "better grades" is *effort*, not intelligence.

  • What's wrong with "54321EGAGGUL"?

  • This is completely stupid.

    I once got a B+ in my advanced-stream, enriched introduction to calculus course, so I guess my standard 11–15 character passwords (seeded from the OpenBSD apg utility) count toward the B Ark's less-than-entirely-lame password rating.

    But I guess I was pretty stupid after all, because just about any other course would have been less difficult to complete with a big fat A.

    But then again, only because I effed myself to take the hard road did I gain a full and proper understandin

  • Wisdom is knowing the right thing to do.

    IQ is then figuring how to do it effectively.

  • Richard Feynman, in his book "Surely You're Joking, Mr. Feynman!", mentioned how he cracked the safe of a famous scientist.

    He was working in the Manhattan Project making the first atom bomb. The place was teeming with top physicists and absent-minded professors, and was run by the Army, which had safes allocated to all top scientists. After a long and interesting story about how he got into safe cracking, he mentioned: he was challenged to crack the safe of Niels Bohr or Oppenheimer. He did it in less than two minutes. Asked how, he replied, "Physicists always use 3141, 1414, 1783, or 2245 as the code". They are PI, sqrt(2), sqrt(3), sqrt(5)

  • The headline said: Smarter People Don't Have Better Passwords, Study Finds

    The summary said: students with better grades use bad passwords in the same proportion as students with bad ones.

    Counterpoint: Better grades are not a measure of "smartness" or intelligence --- Grades are a course-specific measure of performance in class on typically assignments and tests which are bound to frequently have some level of instructor subjectivity embedded into the result: At the very least in advanced subjects,

    • Grades are also measures of conformance and memory which are both actually crutches that can reduce the degree of developed intelligence.

      It is interesting that the only intelligence required here is the intelligence to know that memorable passwords are a security risk in general and that proper password security requires the use of a well-protected password vault and automatic password generator so that no compromised site will ever reveal the password you've used on any other site.


  • When you have good test scores in math, literature, sports or IQ tests, you have proven you are highly motivated to score well. It is not proof of intelligence.

    There are a fair number of highly intelligent people who are demotivated and will not apply themselves in a manner that is often expected in today's society.

    The real challenge for educators, parents, friends and managers that know demotivated intelligent people is to help them get that spark to apply themselves.

    It is perhaps unthinkable that
  • Many sites require for you to register because they can. For such sites, which will contain nothing but spoofed information about me, I couldn't care less about the strength of my password.
