
123456, password and qwerty: Why are our passwords embarrassingly bad?

123456 is the most frequently breached password: 23.2 million accounts used it, according to the UK’s National Cyber Security Centre.

Remembering dozens of passwords for our social media, email, online banking and online shopping accounts is a burden for most of us (including me). Many people use passwords that are easy to guess or reuse the same password for different accounts, even though we know better. Since I can’t explain this irrational behavior to myself, I checked what academia has to say about it.

Edward Snowden on Passwords

First, I want to present the findings of a qualitative study with the awesome title “I Added ‘!’ at the End to Make It Secure”.

In a lab environment, 49 participants created passwords while thinking aloud. Afterwards, the scientists conducted interviews that shed even more light on the thoughts (and misconceptions) of the participants.

The researchers conclude that most of their participants aimed for strong passwords; they just did not know how to create one. Moreover, participants often wrongly believed they had created a strong password.

Here is my personal highlight list of misconceptions (please, don’t do it):

  • One study participant thought it would be a good idea to build her password around her dog’s name. The fact that her dog’s name is not on Facebook made her feel confident that her password wouldn’t be easy to hack. Guess what? Her dog’s name is “Goldie”, a super common pet name and therefore easy for attackers to guess.
  • Another study participant claimed that he aims for a secure password for online banking. Therefore, he decided on the keyboard pattern “1qayxsw2”. Please, don’t follow this advice. I promise that keyboard patterns are on every attacker’s word list.
  • Only 3 study participants (7%!!!) stated that they would never reuse a password. The vast majority reuse passwords (most of them with mixed feelings). More shockingly, some study participants thought that reusing passwords is totally okay as long as the chosen password is strong. (Not so) funny side note: most of the participants with this misconception created passwords that were guessed by the scientists’ software tool.
  • One participant used a band’s name as a password since “this band name is hard to spell”. Sounds clever? Unfortunately, attackers use word lists. That’s why they really don’t care how difficult a word is to spell.
  • Following a similar line of thought, a study participant (working as an English teacher) decided to build her password around long words such as “deliberation” and “likelihood”. The researchers conclude that “likelihood and deliberation are in attackers’ dictionaries, even if not in students’ lexicons”.

What I liked most about the paper is that the authors recognize that it is also a failure of security experts and system administrators to assist users in creating secure passwords. Shaming users for building easy-to-guess passwords is not enough.

The scientists also found that people are often sufficiently motivated to create secure passwords; they just don’t know how to do it and rely on folk models and misconceptions about secure password behavior. A prominent example is the password-strength meter embedded in many sign-up forms, which jumps up sharply when digits or symbols are added. This led to the common misconception that adding a “!” or a 1 at the end of a password will make it unpredictable.

That’s why they suggest implementing more data-driven approaches that show users how long attackers would take to guess their intended password. Next, data sets of leaked passwords could be used for educational purposes to explain to users which patterns are predictable.

We have to keep in mind that this study was conducted in a research lab, and study participants had to justify their password since they were thinking aloud while creating it. Therefore, it’s very likely that “passwords in the wild” are even worse. That’s why I searched for another study with more ecological validity, taking place in a real-world setting.

Scientist Lorrie Faith Cranor, co-author of both studies presented below

Researchers from Carnegie Mellon University, UC Berkeley and Google conducted an in situ study of 154 participants over more than 20 weeks to get authentic insights into password management. They instrumented the computers of study participants to record password characteristics and use. Moreover, they recorded other computing behaviors such as the use of privacy web browser extensions.

“We found that most participants reused the majority of their passwords on multiple accounts”

– Retrieved from the study by Pearman et al. (2017)

Their research revealed that 79% of participants reuse their passwords either exactly or partially. Next, they found that the number of page visits is a significant predictor of password reuse. In other words, the more sites you visit, the more likely you are to reuse your passwords. This is especially alarming when we consider that internet use probably won’t decrease; instead, heavy users and page visits are on the rise. Considering that the study participants needed passwords for 26.3 web domains, it isn’t too surprising that humans fall short in creating and memorizing different passwords for all their accounts.

One of hundreds of memes on password management

The researchers note that modern password guidelines exceed human memory capacity. It’s unrealistic that people are able to create secure passwords containing at least eight characters and multiple character types. Moreover, guidelines point out that passwords shouldn’t contain common words and should instead be random and distinct for every account.

Another funny meme on the long list of modern password guidelines

Besides the common coping strategy of reusing passwords, some users rely on password managers. But the field research suggests that password managers in their current form are not a silver bullet. Oftentimes, participants used password manager software only to store passwords they created themselves (which are therefore easier to guess than randomly generated ones). With those insights, it seems like a long way to go until humankind can rely on secure passwords.
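The last two paragraphs describe what the guidelines ask for (random, distinct per account) and what participants actually did (store self-made passwords in a manager). The following added example (my own code, not from the study or any password manager) shows the “random and distinct” half in practice using Python’s `secrets` module, and puts a number on the difference: the work needed to exhaust a truly random 8-character password versus a “dictionary word plus a digit/symbol suffix” password. The word-list size (100,000) and number of suffix variants (100) are constructed, round assumptions for the comparison, not figures from the papers.

```python
import math
import secrets
import string
from typing import Dict, List

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Uniformly random password drawn from ALPHABET via the OS CSPRNG.

    secrets.choice is used instead of random.choice: the latter is a
    Mersenne Twister whose output is predictable and unsuitable for secrets.
    """
    if length < 8:
        raise ValueError("guidelines ask for at least eight characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passwords_for(accounts: List[str], length: int = 16) -> Dict[str, str]:
    """One independent random password per account.

    Because each value is generated separately, a breach at one site reveals
    nothing about the password used at any other site (no reuse, exact or partial).
    """
    return {account: generate_password(length) for account in accounts}


def keyspace_bits(choices_per_position: int, positions: int) -> float:
    """Bits of work to try every password of this shape: log2(choices ** positions)."""
    return positions * math.log2(choices_per_position)


def pattern_bits(wordlist_size: int, suffix_variants: int) -> float:
    """Bits of work for 'word from a list + short suffix' passwords.

    An attacker who knows the pattern only enumerates wordlist_size * suffix_variants
    candidates, however long or hard to spell the chosen word is.
    """
    return math.log2(wordlist_size * suffix_variants)


if __name__ == "__main__":
    # Constructed list of accounts for the demonstration.
    vault = passwords_for(["bank.example", "mail.example", "shop.example"])
    for site, pw in vault.items():
        print(f"{site:14} {pw}")

    # 8 random printable characters vs. a 100,000-word list with 100 suffixes ("1", "!", "1!", ...).
    print(f"random 8 chars : {keyspace_bits(len(ALPHABET), 8):.1f} bits")
    print(f"word + suffix  : {pattern_bits(100_000, 100):.1f} bits")
```

Run as-is, the comparison comes out at roughly 52 bits for the random 8-character password against about 23 bits for the word-plus-suffix pattern, a gap of almost thirty doublings. That is the arithmetic behind the quote that “likelihood and deliberation are in attackers’ dictionaries”: the length of the word does not enter the calculation at all, only the size of the list it came from.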

Sources:
Pearman, S., Thomas, J., Naeini, P. E., Habib, H., Bauer, L., Christin, N., … & Forget, A. (2017, October). Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 295-310). ACM.

Ur, B., Noma, F., Bees, J., Segreti, S. M., Shay, R., Bauer, L., … & Cranor, L. F. (2015). “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015) (pp. 123-140).