Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com)
2018-05-15
An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study is focused on a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.
Re: (Score:3)
Database hash dumps don't care about what online-attack rules you put in place.
Once they have the hashed-password database, it's just a matter of time before the attacker gets somebody's password. The goal is to make sure it's not yours, by using a long and totally-unique password... precisely what a password manager is good at generating and handling.
Re: (Score:2)
Yes! As the other poster said, account database dumps are commonly broken through brute force attempts. The tools to reverse hashes are not some "super secret cracker-only thing" either; hashcat [hashcat.net] is the best password-hash reversing brute force tool. It's free and open source and on the right hardware can have amazingly, absurdly, performant performance.
Don't look at intelligence, look at paranoia (Score:2)
I wouldn't expect intelligence to factor into strength of passwords. Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...
Or maybe it's just that no-one likes using hard passwords and even the paranoid will not bother.
SuperKendall touched my junk liberally (Score:1)
This assumes that higher GPA means smarter. While this may generally be the case, this is far from a foregone conclusion. Smartness or intelligence is a complex subject, and the measurement of intelligence is not something that is trivial and universally accepted. A different study that has access to other measures of intelligence – such as standardized aptitude tests – to combine with GPA may yield further insightful results.
Well we know liberals are all about touching junk (Score:2)
This assumes that higher GPA means smarter
That's a pretty excellent point really, the ability to get good grades is possibly an indicator of intelligence, but I don't think lack of good grades is a negative indicator for intelligence... I seem to remember reading lots of really intelligent people got bad grades, in part because they were bored or grades were not what they cared about in studying.
Re: (Score:2)
I wouldn't expect intelligence to factor into strength of passwords.
I agree with you up to here.
Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...
While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden. That is, while some people likely use the paranoia factor to motivate them to use/remember long and complex passwords, I suspect that most people think along the lines of, "I am just not willing to burden my brain with yet another long and complex password for blah blah blah."
That is not to say that cognitive burden is the only determinant, s
Re: (Score:2)
A similar phenomenon would be "security fatigue" -- the sense that it's either all pointless, or that as security measures grow more complicated, the costs exceed the benefits for more and more situations.
Re: (Score:2)
Too true.
Which is why my PasswordSafe remembers all those passwords for me. With two exceptions - my computer and my PasswordSafe. So, I have to remember two (2) "long and complex" passwords while, at the same time, using as many as
Re: (Score:2)
While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden
I think this is probably a better take on it than I had. I agree that cognitive load is a large factor on what I personally end up using for password strength, after the fiftieth password you are just like "screw this, using password pattern 1".
things like organizational policy (e.g., in a school or business) might set and enforce minimum complexity
The funny thing about this to me is
Re: (Score:2)
I wouldn't expect intelligence to factor into strength of passwords.
Especially if the strength of a password is defined by whether some random company where you used it got hacked.
Also, if you know it has been exposed, continuing to use it might be a de facto indicator that you're not a bright one.
Look at password rules and if they have 5+ different (Score:2)
Look at password rules and if they have 5+ different systems to deal with.
Re: (Score:2)
Use a password manager, and you never need to remember what rules were in use where.
Maybe Password Strength should be a Data Point (Score:1)
Re: (Score:2)
Password quality is an irrelevant metric (Score:2)
A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.
This confirms that password quality is an irrelevant metric when looking at folks with better grades as compared to those without.
Question though is why they used the Philippines and not the USA, where my bias assumes the USA has more avenues where folks would be exposed to the need of a password [as a percentage] of the whole population.
Re: (Score:3)
The college that conducted the study is in the Philippines. The experiments were run against the college's student email accounts... which does raise a few easily-dismissed ethical concerns, but I digress...
There's really no reason to assume the USA would be involved at all, other than the reference to NIST, which isn't too surprising. Many places refer to NIST standards, just to avoid a certain standardization problem [xkcd.com].
Re: (Score:2)
Most people in "simple countries" like the Philippines simply use the "use facebook to log on" option to everything.
As soon as they lose the password they are locked out of everything.
I know dozens of people like that. New mobile phone or SIM card -> new facebook account, and dozens of new other accounts (because you can obviously not log on to the other accounts with your new FB account).
They didn't look at intelligence... (Score:3)
Life is so much better (Score:2)
smarter? (Score:2)
>"Smarter People Don't Have Better Passwords, Study Finds"
>"students with better grades use bad passwords in the same proportion as students with bad ones"
Um, students with better grades are not necessarily "smarter." Just saying...
>"because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools."
Any system that allows fast, unlimited login attempts (which is necessary for brute force) is BROKEN. Even weak passwords can't be "brute
Verifying breach status (Score:2)
verifying if the password is also listed in previous public breaches
So does NIST recommend maintaining an offline archive of every breach ever or are they recommending you transmit the password in cleartext to a 3rd party?
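The question above has a standard answer that is neither a full offline archive nor a cleartext upload: a k-anonymity range query, the design the Pwned Passwords API uses. The client hashes the password, sends only the first five hex characters of the SHA-1, gets back every breached-hash suffix in that range, and finishes the comparison locally. The following is an added example (not code from the article, NIST, or any breach service); the breach list and both "sides" are constructed and run in one process to show what crosses the wire.

```python
import hashlib

# Constructed stand-in for the 3rd party's breach database (not real breach data).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

PREFIX_LEN = 5  # hex chars sent to the service; 20^... the remaining 35 stay local


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the format range APIs key on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map each 5-char hash prefix to the list of 35-char suffixes."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix: str):
    """Server side: return every stored suffix sharing the prefix.
    The service never learns the password, nor even its full hash."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return RANGE_INDEX.get(prefix.upper(), [])


def client_prefix(password: str) -> str:
    """Client side: the only value that leaves the client."""
    return sha1_hex(password)[:PREFIX_LEN]


def is_breached(password: str, lookup=range_lookup) -> bool:
    """Client side: query by prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in lookup(prefix)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "-> sent:", client_prefix(candidate),
              "breached:", is_breached(candidate))
```

A real deployment swaps `range_lookup` for an HTTPS call to the service; the prefix-only contract stays the same, and the site should still rate-limit and hash server-side regardless of the result.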
Better Grade != Smarter (Score:2)
Smart people are different (Score:2)
... than the 'other' people. Smart people tend to think for themselves, to ignore common beliefs and behaviors. Smart people are like cats who are difficult to herd. If the gospel among computer users is to have an obscure password, smart people will question that and may do so only for special accounts.
The 'other' people, OTOH, tend to do as they are told, to follow the rules, to behave themselves. If they are told to use safe passwords, and they can remember that rule, they will make some effort to do so.