Largest-ever password study: We are all idiots (venturebeat.com)
14 points by neilkelty on June 1, 2012 | hide | past | favorite | 9 comments



I wonder if the researchers realize that people sometimes intentionally maintain weak passwords, since they are easy to remember and it's an acceptable risk for the account to get compromised.

For example, if my Gawker commenting password is 'hello1234', and it gets compromised, what's the worst that can happen? My Gawker commenting account turns into a spam feed? Oh noes my life is over!! </s>

For some applications, weak passwords are perfectly acceptable.


I use layered passwords. For simple things I've used the same password for years with only slight variations on it. For things like my email account or servers, I use randomly generated passwords managed through LastPass. Although my personal favourite password system is XKCD's password algorithm: http://xkcd.com/936/


Troy Hunt analysed the passwords of the Sony and Gawker compromises and shared the results in July 2011[1]. The analysis is worth reading and contains pretty plots that can be digested in a glance. His other blog posts at [2] relating to password security are also worth reading.

[1] http://www.troyhunt.com/2011/07/science-of-password-selectio...

[2] http://www.troyhunt.com/search/label/Passwords


Isn't the problem that people see passwords as "access" rather than "security"? The general public sees complex user-names and passwords as an impediment to access, which they are.

I rather think the people who run sites, etc. see it the same, since often passwords are allowed to be simple by design. Where real security is required, users are given passwords like "we%W%G^&FGH344N" to use. Or there's a strictly enforced policy that the user is made to follow.


> Bonneau suggests that people chose a randomly selected number at least nine digits long

I've been working on a program that generates passwords that are (1) English-sounding but nonsense words of a specified length, and (2) where the letters alternate hands when typed.

So (1) makes a password that's pronounceable and therefore easier to remember semantically, while (2) makes it quick-to-type and therefore easier to "remember" via muscle memory. This should make frequently changing one's passwords less painful.

Is there any reason this is a bad idea? Obviously it's not as secure compared to a purely random string of the same length, but my thought is it would encourage people to change their passwords more often since there'd be less friction involved in doing so.

EDIT: I should note that a password manager is a far better idea. But for places where that's not practical (OS login, or the password to your password database), I feel this might be useful.

EDIT ALSO: While I like the XKCD idea in theory, I think it sucks in practice. You're typing four words without the benefit of screen feedback, so typos are more likely, plus it takes a relatively long time to type them.


People are not idiots. Those who say we are just don't understand how humans behave. You expect most people will remember an 8-letter random string consisting of letters, numbers and underscores?


I try to use this method: find a password that is very abstract, but meaningful to you. For example, one of my passwords included my exact motherboard model.


I once had a large chunk of my user group using acronyms followed by a symbol and the three letters of the previous month.

Not the best, but better than 'qqqqq' followed by 'wwwww'.


>analyzed the password strength of about 70 million Yahoo users.

Ahem.



