Every now and then, we hear in the news that yet another website was hacked after thousands, or even millions, of their user’s account details are published online. Despite the fact that services continue to store their accounts with weakly-hashed passwords, or worse, stored in plaintext, it gives us an insight as to the state of just how bad things really are with the user’s passwords themselves. Here are some highlights from an analysis done on the exposed Sony passwords after they were hacked multiple times in 2011:
- 93% of the passwords were between 6 and 10 characters long.
- 9 out of 10 passwords consisted entirely of lowercase letters.
- About two thirds of people reused their passwords between different companies
Why should you care if your own users don’t seem to care about their own password strength and uniqueness? Here’s why:
Every time someone else’s website with weak password security gets compromised, it opens the door a bit wider for hackers to compromise your own service.
Case in point: On May 27, 2014, users of Apple’s Find My iPhone service were being locked out of their phones with a ransom message appearing on the screen. Apple determined that their services weren’t directly hacked per se, but the hacker was using the same login credentials to access their accounts as were leaked from other sites. This led to a lot of people questioning Apple’s software security.
This is 2014...shouldn’t we have figured out how to make good passwords by now? Here’s my list of reasons why people are doing it wrong:
1. Many services still don’t require strong passwords
The passwords leaked from Sony’s databases told us they didn’t enforce a minimum level of password complexity or length, as some users had passwords less than 5 characters. According to the study of leaked Sony accounts, most users created passwords between 6 and 8 characters in length, with not as many using 7 character passwords. I suspect that this stems from the trend that users tend to reuse their passwords between sites, and of the ones that do have minimum password length requirements, they ask for minimum password lengths in quantities of even numbers, such as 6, 8, or 10.
2. Users aren’t being reminded how to create strong passwords
According to a study on password strength meters published by Carnegie Mellon, passwords generated on sites that provided password strength meters or other password strength hints led to significantly longer passwords than sites that do not provide similar tools. Typical password strength meters offer a score to assess password strength, based on the number of uppercase letters, lowercase letters, numbers, special characters, and length of a password. More comprehensive ones also compare them against databases of known passwords and common dictionary words to test for uniqueness against other commonly-used passwords, or also check for the presence of two or more non-consecutive numbers or symbols. According to the study, while the presence of meters alone didn’t make a very significant difference in the passwords being cracked within 5 trillion guesses, they did change the user’s behavior by causing them to erase their first password to create another while typing, which may decrease password reuse.
3. People prefer to reuse their passwords than make new ones
It is believed that sites that handle financial data, such as banking sites, should be associated with passwords that are more closely guarded than sites that do not. However, according to a 2010 study by Trusteer that examined password reuse, about 73% of users use their banking account password with at least one other nonfinancial website, and 47% of users share both their username and their password with at least one other nonfinancial website. A study done by Carnegie Mellon on effects of password policies also found that imposing strict guidelines on users when creating passwords only increased their frustration with the process. They found the best tradeoff between usability and security was to enforce only a minimum length requirement.
4. Users aren’t as concerned about some sites getting hacked as others
Have you ever been to a news website or a blog and wanted to leave a comment on an article but had to create an account to leave a post? Many people have. It’s all too easy to create a fake account just to leave a comment. In these cases, people don’t feel like they want a permanent association to a site, but they just want to do what it takes to leave a comment about something they’re passionate about. Chances are they’ll use the first password off the top of their head just to gain access. On the other hand, people tend to trust larger brand sites like yahoo, google, or twitter, even though there’s a better chance they’ll be associated with other points of personal information such as email addresses, mailing addresses, or phone numbers.
5. People can’t keep track of all the sites they signed up for
The Trusteer study mentioned above concluded that users should at a minimum have 3 sets of passwords: one for financial websites, a second for nonfinancial websites that hold sensitive information, and a third for inconsequential websites that don’t store personal data. This improves the situation, but the reality is that an estimated 30,000 sites are being hacked every day. This means that it only takes one slip-up for a hacker to have what they want for identity theft.
6. Passwords can be hard to remember
Most users don’t like the idea of juggling multiple passwords, which is why password managers were invented. They greatly simplify the login process from a user’s perspective by keeping track of all the sites they’ve visited, or by being able to regenerate the same otherwise unique password over and over for the same inputs. With a password manager such as LastPass, Dashlane, or other alternatives, they can now have a simple way to have a different password for each site they use. The best part is that they don’t need to memorize more than one password again.
7. Credit card companies offer identity theft insurance
I know some people that don’t put a lot of thought into protecting their online accounts. They typically pay their bills through an unsecured iPad, and don’t put a lot of thought into using different passwords. The reason, they told me, was because credit card companies such as Discover have “awesome insurance policies” regarding identity theft. As it turns out, they were called that morning by Discover regarding a large purchase on their account that they didn’t make, and that the purchase was denied. They said it happens to them quite often. This also doesn’t protect them from hackers gaining enough other confidential information to set up a different line of credit under their name without them knowing it.
8. Big-name sites will probably be hacked anyway, so why bother?
Chances are that at least one website you have an account with was already hacked in 2014 alone. Companies that have large lists of users are highly targeted, especially ones that have credit card information as those records can be sold online at a higher price.
9. They don’t know how easy it is to “recover” a password in most cases
Most passwords people create follow one of the same common patterns, whether their owners know it or not. They might use a dictionary word followed by a number, or a pattern of digits or letters in the same order they’re presented on a keyboard. In fact, if a password is under ten characters long, chances are other people use it too.
10. People don’t really care about it until it affects them personally
Identity theft is an expensive wake-up call. It is likely to affect everyone you know at least sometime in their lives. According to some recent statistics on identity theft published this year, identity theft costs victims an average of $4,930, and approximately 330 hours of time repairing the damage. 61% of cyber attack victims are never able to fully recover. It is extremely aggravating and expensive ordeal to go through.
In conclusion, most people will stick to their ways of reusing passwords between sites or even using extremely simple passwords without guidance. At an absolute minimum, websites should enforce that passwords are at least 8 characters long, though I recommend requirements of 10-16 characters at this time to avoid accidentally creating passwords that are most commonly used, and because length requirements were found to be the best tradeoff between usability and password entropy, a measure of password strength. Websites designed for the general public should also provide a password strength meter along with a list of suggestions to help guide the user to make stronger passwords, but they should balance enforcing additional complexity requirements for passwords to minimize user frustration. And finally, most of the password dictionaries used in the research here came from leaked passwords stored in plaintext or with very weak hashes.