Many sites already show a password “strength” meter so that users understand when they are choosing an unsafe password. Even so, most users fail to choose passwords that are strong enough.
Joseph Bonneau, a computer scientist and researcher at Cambridge University, has shared his findings from an analysis of the passwords of about 70 million Yahoo! users. The results were presented at the 2012 IEEE Symposium on Security and Privacy. Here are some facts from it:
- People aged 55 or older choose passwords almost twice as strong as those chosen by people under 25.
- Native language affects the strength of the passwords users choose. Koreans and Germans are the best at making strong passwords, while Indonesians are the worst.
- Users don’t learn after their account gets compromised: they choose replacement passwords of the same strength.
- Users who change their passwords often are the ones who choose the stronger combinations, but only when the change is voluntary. If a user is forced to change the password, the new one will usually be related to the old one.
- Most credit card owners avoid the weakest passwords; however, the ones they choose still aren’t hard to crack.
Most experiments aimed at encouraging users to choose stronger passwords have failed. Bonneau and his team found that a password providing about 10 bits of security is enough to withstand an on-the-spot (online) guessing attack against your account, and about 20 bits is enough to withstand an offline dictionary attack. Both methods are used by attackers.
According to New Scientist, the proposed 9-digit passwords would be a big step toward making passwords harder to crack. Users should also be able to remember them, since they are able to remember their phone numbers.
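To make the “bits of security” figures above concrete, here is an added example (not code from the article or from Bonneau’s study). It converts bits to guess counts, computes the bits a uniformly random 9-digit password provides, and estimates the bits of a skewed password distribution the way a guessing attacker experiences it. The sample password list is constructed, the metric is assumed to be Bonneau’s α-work-factor (the number of most-common guesses needed to break a fraction α of accounts) with the assumed bits conversion log2(μ_α / α), and the 10-bit and 20-bit thresholds are the ones quoted in the text.

```python
import math
from collections import Counter

# Constructed sample of 100 observed passwords (illustrative only, not data
# from the Yahoo! study). Counts are skewed the way real distributions are.
SAMPLE_PASSWORDS = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15 + ["abc123"] * 10
    + ["letmein"] * 5 + ["dragon"] * 3 + ["m0nkey!"] * 1 + ["Tr0ub4dor&3"] * 1
)

# Thresholds quoted in the text: ~10 bits resists an online (on-the-spot)
# guessing attack, ~20 bits resists an offline dictionary attack.
ONLINE_BITS = 10
OFFLINE_BITS = 20


def bits_for_uniform_random(alphabet_size: int, length: int) -> float:
    """Bits of security of a password chosen uniformly at random from
    alphabet_size ** length possibilities, e.g. a random 9-digit number."""
    return length * math.log2(alphabet_size)


def guesses_for_bits(bits: float) -> int:
    """How many guesses an attacker must make to exhaust `bits` bits of security."""
    return round(2 ** bits)


def alpha_work_factor(passwords, alpha: float) -> int:
    """Minimum number of guesses, trying the most common passwords first,
    needed to break a fraction `alpha` of the accounts in `passwords`.
    (Assumed formulation: Bonneau's alpha-work-factor, mu_alpha.)"""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    counts = Counter(passwords)
    total = len(passwords)
    covered = 0
    for guesses, (_, count) in enumerate(counts.most_common(), start=1):
        covered += count
        if covered >= alpha * total:  # integer counts avoid float-sum drift
            return guesses
    return len(counts)


def alpha_work_factor_bits(passwords, alpha: float) -> float:
    """alpha-work-factor converted to bits, normalised by alpha so that a
    uniform distribution over N passwords scores log2(N) for every alpha
    (assumed conversion: log2(mu_alpha / alpha))."""
    return math.log2(alpha_work_factor(passwords, alpha) / alpha)


def attack_resisted(bits: float) -> str:
    """Map a bits-of-security figure onto the two thresholds quoted in the text."""
    if bits >= OFFLINE_BITS:
        return "offline dictionary attack"
    if bits >= ONLINE_BITS:
        return "online guessing attack only"
    return "neither"


if __name__ == "__main__":
    nine_digit = bits_for_uniform_random(10, 9)
    print(f"random 9-digit password: {nine_digit:.1f} bits "
          f"({guesses_for_bits(nine_digit):,} guesses); "
          f"resists {attack_resisted(nine_digit)}")
    for alpha in (0.25, 0.5, 1.0):
        bits = alpha_work_factor_bits(SAMPLE_PASSWORDS, alpha)
        print(f"sample, alpha={alpha}: "
              f"{alpha_work_factor(SAMPLE_PASSWORDS, alpha)} guesses "
              f"-> {bits:.1f} bits; resists {attack_resisted(bits)}")
```

The point of the α-work-factor is that user-chosen passwords are measured by how the attacker actually guesses (most popular first), not by their character-set size: the constructed sample falls to a handful of guesses, far below the online threshold, while a random 9-digit password sits near 30 bits, above the offline threshold. The normalisation by α keeps the score comparable across different fractions of accounts an attacker is content to break.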