[olug] [OT] Password study.

Christopher Cashell topher-olug at zyp.org
Sun Dec 17 05:29:10 UTC 2006

At Thu, 14 Dec 06, Unidentified Flying Banana Daniel Linder, said:
> Here is an interesting writeup about some research done with some real
> MySpace passwords.
> http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

It's a very interesting read, but I actually think it gives people too
much credit and misses the fact that much of the password complexity
found was because of forced password restrictions.

> It's interesting that the younger population seems to have a slight
> advantage in the "complexity" of passwords, but if you know anything about
> pop-culture there's a good chance you can guess their passwords.

Again, I think the only real advantage that they have is that there's a
higher chance that they are forced to use a higher password complexity.
More application, system, and website designers are understanding that
if you don't force people to pick good passwords, they won't.  Luckily,
many of them are acting on that, and requiring better passwords.

For example, MySpace, along with being one of the most blindingly ugly
web sites I've ever seen in my life, has the following password

  Passwords must be at least 6 characters long. They must contain at
  least one letter and at least one number or punctuation character (! $
  % & * + etc.).

This is why passwords were 6+ characters and why so many of them ended
in a '1'.  People are still taking the simplest and least secure avenue
(on average), they're just having to go a little bit further.  As he
mentions, it used to be that lots of people used 'password', now they
use 'password1'.  It's not because they're trying to be more secure, but
because they're forced to tack that 1 on there to get the password form
to accept it.

Honestly, much as it pains me to say it, I think the "average user"
thinks little more about computer and password security than they did in
years past.  We still have a *long* way to go before it becomes
ingrained into people that security is important, and not just an

> Dan

| Christopher
| Here I stand.  I can do no other.              |
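
An added example, not part of the original post: a sketch of the composition rule quoted above, showing that it accepts 'password1', next to a check that rejects common words padded with digits or punctuation. The word list, function names, and sample passwords are constructed for illustration.

```python
import string

# Composition rule as quoted in the post: at least 6 characters, at least one
# letter, and at least one number or punctuation character.
def meets_quoted_policy(pw: str) -> bool:
    has_letter = any(c.isalpha() for c in pw)
    has_other = any(c.isdigit() or c in string.punctuation for c in pw)
    return len(pw) >= 6 and has_letter and has_other

# Constructed sample denylist (assumption); a real deployment would load a
# large list of known-common passwords instead.
COMMON_BASE_WORDS = {"password", "letmein", "qwerty", "monkey", "myspace"}

def is_padded_common_word(pw: str) -> bool:
    """True when the password is a common word with only digits or
    punctuation added to its start or end."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in COMMON_BASE_WORDS

def accept(pw: str) -> bool:
    """Quoted composition rule plus the added denylist check."""
    return meets_quoted_policy(pw) and not is_padded_common_word(pw)

# Constructed sample inputs.
SAMPLES = ["password", "password1", "monkey!", "qwerty123", "tr4il-Mix&oboe"]

def evaluate(samples):
    """Return (password, passes quoted rule, passes rule plus denylist)."""
    return [(pw, meets_quoted_policy(pw), accept(pw)) for pw in samples]

if __name__ == "__main__":
    for pw, policy_ok, final_ok in evaluate(SAMPLES):
        print(f"{pw!r:18} policy={policy_ok!s:5} with_denylist={final_ok}")
```

The composition rule alone passes every padded word in the sample set; only the denylist step separates them from the last entry.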
