Study: Password Security Improves with Age

Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:32:07


Baby Boomers may not be perceived to be as tech savvy as Millennials, but they apparently are better at protecting their digital assets. A new British study believed to be the largest of its kind shows those 55 and older tend to pick passwords with twice the strength of those under 25. It also indicates those who prefer to use German and Korean languages chose the strongest passwords; Indonesian speakers, the weakest.

But that’s still not saying much, since weak passwords were prevalent across every demographic in a data set that included 70 million anonymized Yahoo accounts analyzed with the Internet giant’s permission.

“We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution,” wrote computer science researcher Joseph Bonneau of the University of Cambridge in an abstract.

Many research projects measure password security by the sophistication of dictionary attacks involved in data breaches. Bonneau’s study involved mathematical analytics on active accounts. Because the Yahoo passwords were hashed, Bonneau could not access individual accounts but did cull useful demographic data.

How weak were these passwords? The average secret code offered less than 10 bits of security against an online attack and 20 bits for an offline attack. The recommendation for those with a password policy is 32 bits. Even those with credit or debit cards tied to their account did little to up the ante on crackability — even when prompted. This calls into question the theory that users pick harder-to-crack passwords for important accounts, such as those linked to their financial data.
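The article does not say how the study arrived at its "bits" figures. As an added example (not code from the study or from Threatpost), the sketch below assumes a common partial-guessing formulation: measure the attacker's success rate on a password frequency distribution, then report the key length of a uniform distribution that would resist equally well. The password counts are constructed, and the function names and the `beta` and `alpha` parameters are chosen here.

```python
import math
from collections import Counter

# Constructed sample (not real data): password -> number of accounts using it.
SAMPLE_COUNTS = Counter({"123456": 400, "password": 200,
                         "qwerty": 100, "iloveyou": 100})
SAMPLE_COUNTS.update({f"unique-{i}": 1 for i in range(200)})  # long tail


def _sorted_counts(counts):
    """Account counts per password, most common first (attacker's guess order)."""
    return sorted(counts.values(), reverse=True)


def online_bits(counts, beta):
    """Bits of security against an attacker limited to `beta` guesses per account.

    Assumed metric: success = share of accounts covered by the `beta` most
    common passwords; a uniform distribution over N values gives beta / N,
    so the equivalent key length is log2(beta / success).
    """
    ordered = _sorted_counts(counts)
    success = sum(ordered[:beta]) / sum(ordered)
    return math.log2(beta / success)


def offline_bits(counts, alpha):
    """Bits of security against an attacker who guesses until a fraction
    `alpha` of all accounts is cracked (assumed metric, same conversion)."""
    ordered = _sorted_counts(counts)
    total, covered = sum(ordered), 0
    for guesses, n in enumerate(ordered, start=1):
        covered += n
        if covered >= alpha * total:
            return math.log2(guesses / (covered / total))
    raise ValueError("alpha must be in (0, 1]")


if __name__ == "__main__":
    print(f"online  (10 guesses): {online_bits(SAMPLE_COUNTS, 10):.2f} bits")
    print(f"offline (50% cracked): {offline_bits(SAMPLE_COUNTS, 0.5):.2f} bits")
    print(f"uniform over the same {len(SAMPLE_COUNTS)} passwords: "
          f"{math.log2(len(SAMPLE_COUNTS)):.2f} bits")
```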

“Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality,” Bonneau said. “Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference.”

Gender did not play much of a role, though the study notes that men’s passwords were slightly more vulnerable to offline attacks. Age was more of a differentiator.

“There is a general trend towards better password selection with users’ age, particularly against online attacks, where password strength increases smoothly across different age groups by about a bit between the youngest users and the oldest users,” according to the researcher.

Bonneau noted that the Yahoo passwords were set with minimal requirements, and that had there been a stricter password policy in place, the average combination likely would have been harder to guess. “Still, these numbers represent a minimal benchmark which any serious password replacement scheme should aim to decisively clear.”