Largest-ever password study: We are all idiots - neilkelty
http://venturebeat.com/2012/06/01/when-it-comes-to-passwords-we-are-idiots/

======
gee_totes
I wonder if the researchers realize that people sometimes intentionally
maintain weak passwords, since they are easy to remember and it's an
acceptable risk for the account to get compromised.

For example, if my Gawker commenting password is 'hello1234', and it gets
compromised, what's the worst that can happen? My Gawker commenting account
turns into a spam feed? Oh noes my life is over!! </s>

For some applications, weak passwords are perfectly acceptable.

~~~
hello_asdf
I use layered passwords. For simple things I've used the same password for
years with only slight variations on it. For things like my email account or
servers, I use randomly generated passwords managed through LastPass. Although
my personal favourite password system is XKCD's password algorithm:
<http://xkcd.com/936/>

------
dhx
Troy Hunt analysed the passwords of the Sony and Gawker compromises and shared
the results in July 2011[1]. The analysis is worth reading and contains pretty
plots that can be digested in a glance. His other blog posts at [2] relating
to password security are also worth reading.

[1] <http://www.troyhunt.com/2011/07/science-of-password-selection.html>

[2] <http://www.troyhunt.com/search/label/Passwords>

------
alan_cx
Isn't the problem that people see passwords as "access" rather than
"security"? The general public sees complex user-names and passwords as an
impediment to access, which they are.

I rather think the people who run sites, etc. see it the same way, since
passwords are often allowed to be simple by design. Where real security is
required, users are given passwords like "we%W%G^&FGH344N" to use. Or there is
a strictly enforced policy that the user is made to follow.

------
nollidge
> Bonneau suggests that people chose a randomly selected number at least nine
> digits long

I've been working on a program that generates passwords that are (1) English-
sounding but nonsense words of a specified length, and (2) where the letters
alternate hands when typed.

So (1) makes a password that's pronounceable and therefore easier to remember
semantically, while (2) makes it quick-to-type and therefore easier to
"remember" via muscle memory. This should make frequently changing one's
passwords less painful.

Is there any reason this is a bad idea? Obviously it's not as secure compared
to a purely random string of the same length, but my thought is it would
encourage people to change their passwords more often since there'd be less
friction involved in doing so.

EDIT: I should note that a password manager is a far better idea. But for
places where that's not practical (OS login, or the password to your password
database), I feel this might be useful.

EDIT ALSO: While I like the XKCD idea in theory, I think it sucks in practice.
You're typing four words without the benefit of screen feedback, so typos are
more likely, plus it takes a relatively long time to type them.
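
An added example (mine, not nollidge's program or anything else posted in the thread): a generator of the kind nollidge describes, plus an exact count of how many passwords the scheme can produce, so its strength can be put next to the two alternatives raised above, Bonneau's random nine-digit number and the four-word XKCD passphrase from hello_asdf's comment. Two things are assumptions of mine, not stated by nollidge: "English-sounding" is approximated by strict consonant/vowel alternation, and the keyboard is a US QWERTY layout with the left/right hand split given in the code.

```python
# Added example, not code from the thread. Pronounceability is approximated
# here by strict consonant/vowel alternation (nollidge's actual word model is
# not given), and the hand split below is an assumed US QWERTY layout.
import math
import secrets
from typing import Optional

LEFT_HAND = set("qwertasdfgzxcvb")   # assumed US QWERTY left-hand letters
RIGHT_HAND = set("yuiophjklnm")      # assumed US QWERTY right-hand letters
VOWELS = set("aeiou")
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")


def _pool(position: int, hand: set) -> set:
    """Letters allowed at `position` (consonant at even index, vowel at odd)
    that are typed with `hand`."""
    kind = VOWELS if position % 2 else CONSONANTS
    return kind & hand


def candidates(position: int, prev: Optional[str]) -> list:
    """Letters allowed next: the right sound class, typed with the other
    hand from the previous letter (any hand for the first letter)."""
    if prev is None:
        return sorted(_pool(position, LEFT_HAND | RIGHT_HAND))
    other = RIGHT_HAND if prev in LEFT_HAND else LEFT_HAND
    return sorted(_pool(position, other))


def generate(length: int) -> str:
    """Draw one password, choosing uniformly among each step's candidates.

    Per-step uniform choice is not uniform over all valid passwords (the
    branches differ in width), but count_passwords() still bounds the
    keyspace an attacker who knows the scheme has to search."""
    pw = ""
    for i in range(length):
        pw += secrets.choice(candidates(i, pw[-1] if pw else None))
    return pw


def is_valid(pw: str) -> bool:
    """True if every letter obeys consonant/vowel and hand alternation."""
    for i, ch in enumerate(pw):
        if ch not in candidates(i, pw[i - 1] if i else None):
            return False
    return bool(pw)


def count_passwords(length: int) -> int:
    """Exact number of distinct passwords the scheme can produce, by dynamic
    programming over which hand typed the last letter."""
    ending = {"L": 0, "R": 0}
    for i in range(length):
        new = {}
        for hand, letters in (("L", LEFT_HAND), ("R", RIGHT_HAND)):
            width = len(_pool(i, letters))
            prev = 1 if i == 0 else ending["R" if hand == "L" else "L"]
            new[hand] = prev * width
        ending = new
    return ending["L"] + ending["R"]


def bits(count: int) -> float:
    """Entropy in bits when the attacker must search `count` possibilities."""
    return math.log2(count)


def min_length_for_bits(target: float) -> int:
    """Shortest password under this scheme reaching at least `target` bits."""
    n = 1
    while bits(count_passwords(n)) < target:
        n += 1
    return n


if __name__ == "__main__":
    pw = generate(8)
    print(pw, is_valid(pw))
    print(f"this scheme, 8 letters:   {bits(count_passwords(8)):5.1f} bits")
    print(f"random lowercase, 8:      {bits(26 ** 8):5.1f} bits")
    print(f"9 random digits (Bonneau):{bits(10 ** 9):5.1f} bits")
    print(f"4 words from 2048 (XKCD): {bits(2048 ** 4):5.1f} bits")
    print("letters needed to match 9 digits:",
          min_length_for_bits(bits(10 ** 9)))
```

Under these assumptions an eight-letter password from the scheme has about 21 bits of keyspace, against roughly 30 bits for Bonneau's nine random digits, 38 bits for eight random lowercase letters and 44 bits for a four-word XKCD passphrase; each hand switch roughly halves the alphabet available for the next letter, so eleven letters are needed before the scheme matches nine digits. The trade nollidge describes is real, but it is paid for in length, and an attacker who knows the rules only has to search the valid strings, not all of them.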

------
vph
People are not idiots. Those who say we are just don't understand how humans
behave. You expect most people will remember an 8-letter random string
consisting of letters, numbers and underscores?

------
b0rsuk
I try to use this method: find a password that is very abstract, but
meaningful to you. For example, one of my passwords included my exact
motherboard model.

~~~
stevewillows
I once had a large chunk of my user group using acronyms followed by a symbol
and the three letters of the previous month.

Not the best, but better than 'qqqqq' followed by 'wwwww'.

------
WalterSear
>analyzed the password strength of about 70 million _Yahoo_ users.

Ahem.

