Geezers Pick Stronger Passwords Than Young'uns

timothy posted more than 2 years ago | from the as-many-characters-as-the-post-it-will-hold dept.

Security 189

McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

189 comments

as a geezer (-1)

Anonymous Coward | more than 2 years ago | (#40195019)

Let's be honest, the younglings have it right.

I'm Happy to Explain This (5, Funny)

RobotRunAmok (595286) | more than 2 years ago | (#40195467)

Back in the Day -- as we geezers like to begin the sentences we use to talk down to you -- having that box on your desk prompt you for a password was a much more rare and curious thing than it is today. Our computer-y crap sat right there in the box by our legs, or maybe down the hall in that cold room with the raised floor with the fat bastard in it. And we would have li'l whispered conversations with the fat bastard as we passed him in the Break Room, like "I know you know my password, you fat bastard, and if I ever think for a heartbeat that you're going through my crap I will key your car and beat you like a baby seal." Our passwords were the things meant to keep our crap from the prying eyes of the sinister-but-clever sociopaths in Marketing and Accounting who would indeed rifle our desks for clues, like children's and pet names, in order to look at our computer-y crap. So selecting a password like P*/34_##FuK-U-Joey!!39* had real value. So today, when industry insists we store our computer-y crap -- which now includes bank account access, photo albums, our music collections, and christ-knows what else -- on servers spread around the world operated by even fatter bastards whom we don't see and can't effectively intimidate, it should come as no surprise the habit has stayed with us, despite being prompted for passwords every twenty minutes...

Use case differences... (4, Interesting)

DrEldarion (114072) | more than 2 years ago | (#40195027)

It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords. Older users are more likely to have a Yahoo address as their primary email, etc.

Re:Use case differences... (2)

Squiddie (1942230) | more than 2 years ago | (#40195111)

Maybe, or maybe we're forgetting that it's also more likely for those geezers to forget their passwords.

Re:Use case differences... (5, Funny)

Anonymous Coward | more than 2 years ago | (#40195173)

username: OldGeezr
pwd: G3t0ffMyL4wn!

Re:Use case differences... (0)

Anonymous Coward | more than 2 years ago | (#40195577)

Aww dammit...

Re:Use case differences... (4, Funny)

OldGeezr (2653529) | more than 2 years ago | (#40195589)

Dammit...

Re:Use case differences... (1)

Macrat (638047) | more than 2 years ago | (#40195713)

Maybe, or maybe we're forgetting that it's also more likely for those geezers to forget their passwords.

Even when their password is 123456 they can't remember it.

No, I'm not making a joke. I know a user that has difficulty with this password and I can't convince her to use a phrase instead.

Re:Use case differences... (5, Funny)

ShanghaiBill (739463) | more than 2 years ago | (#40195129)

Older users are more likely to have a Yahoo address as their primary email, etc.

Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

Re:Use case differences... (0, Informative)

Anonymous Coward | more than 2 years ago | (#40195269)

Ya 'cause TELNET is so secure.

Re:Use case differences... (4, Funny)

mrclisdue (1321513) | more than 2 years ago | (#40195363)

...and the Concorde just flew an inch over yer head....

Re:Use case differences... (5, Insightful)

perpenso (1613749) | more than 2 years ago | (#40195317)

Older users are more likely to have a Yahoo address as their primary email, etc.

Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client.

For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-)

(*) Substitute alpine, mutt, whatever if you prefer.

Re:Use case differences... (2)

93 Escort Wagon (326346) | more than 2 years ago | (#40195581)

Joking aside, ssh and pine(*) work really well.

For sufficiently loose definitions of "work really well".

Re:Use case differences... (1)

vigour (846429) | more than 2 years ago | (#40195721)

Older users are more likely to have a Yahoo address as their primary email, etc.

Real geezers telnet into the server and read their email using MH. If the command line was good enough in 1982, then it is good enough today.

Joking aside, ssh and pine(*) work really well. If the content of the email is heavily using some sort of markup language and graphics it is probably not an email I need or want. On some days I think ssh/pine would be more efficient than a modern GUI-based client. For those unfamiliar with text email clients think of them as twitter without a 140 character limit. ;-) (*) Substitute alpine, mutt, whatever if you prefer.

+1 for pine/alpine. I'm a big fan of that, especially when visiting China where I can still ssh to my old university account and use alpine from there. Plus it's much faster to load than mutt when dealing with huge IMAP inboxes.

Re:Use case differences... (4, Insightful)

rubycodez (864176) | more than 2 years ago | (#40195351)

bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

we use stronger passwords because we've been around the block enough times to know there are bad people out there

Re:Use case differences... (4, Interesting)

AliasMarlowe (1042386) | more than 2 years ago | (#40195685)

bullshit, I'm half a century old and I ssh or use https in browser with ShellInABox to read my mail with mutt.

we use stronger passwords because we've been around the block enough times to know there are bad people out there

Yup. And it galls me to see some places sending a confirmation message to your email address with your chosen username and password in cleartext when you register. Maybe that's why the kids don't bother with decent passwords, but to me it's another good reason to use a unique password for every site, and to then tailor the password strength to the weakness of password protection (cleartext, the mind boggles). Luckily, sites with personal and/or financial data (Amazon, banks, etc.) are a bit better, but it's still worth keeping their passwords strong and unique per site.

BTW, I beat you in the greybeard stakes by a few years...

Re:Use case differences... (4, Insightful)

Anonymous Coward | more than 2 years ago | (#40195181)

Yeah people who create throwaway yahoo accounts are unlikely to use very strong passwords.

IIRC there was a time when you had to go through a drop down to select the birth year, and who is going to bother to scroll to geezer age for their throwaway account?

Re:Use case differences... (0)

Anonymous Coward | more than 2 years ago | (#40195191)

It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords.

And you really expect that those users have a strong password for other, more important sites? It is more likely that they have their one password, which is weak, and is used on every site they frequent.

Re:Use case differences... (0)

Anonymous Coward | more than 2 years ago | (#40195325)

It's probably more likely that younger users don't use Yahoo for anything important

First, as a Yahoo! user, let me say FUCK YOU YAHOO for analyzing my password without my permission. Second, it is laughable that anyone takes seriously any age information that I gave on-line. I'm 18 on one service and 118 on another. I don't remember what I gave to Yahoo, but it is anything but correct.

Re:Use case differences... (1)

ark1 (873448) | more than 2 years ago | (#40195369)

Young people take more risks -> select weaker passwords.

Re:Use case differences... (4, Insightful)

Presto Vivace (882157) | more than 2 years ago | (#40195537)

It is just possible that geezers have learned a thing or two.

How did he analyse it? (4, Interesting)

Hentes (2461350) | more than 2 years ago | (#40195045)

Did Yahoo give him its user password database or what?

Re:How did he analyse it? (2)

marcello_dl (667940) | more than 2 years ago | (#40195105)

Hopefully they collected only the strength calculated before hashing salting and storing the result.

Hopefully.

Re:How did he analyse it? (1)

Hentes (2461350) | more than 2 years ago | (#40195141)

Hopefully they did hash and salt the result before storing.

Re:How did he analyse it? (2)

Surt (22457) | more than 2 years ago | (#40195179)

False hope, making people feel better about reality since 6000 BC.

Re:How did he analyse it? (1)

thatotherguy007 (1021257) | more than 2 years ago | (#40195257)

Hey! Now I'm craving some salty corned beef hash.

Re:How did he analyse it? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40195107)

What's really frightening is the implication that Yahoo stores passwords. There's really no justification for ever storing a password unhashed. You'd think Yahoo of all places would have the competence to know that.

TFA says they were hashed (4, Informative)

Fred Ferrigno (122319) | more than 2 years ago | (#40195169)

The original paper [cam.ac.uk] includes even more details. Yahoo set up a server in the middle of its login process to record login attempts which hashed passwords with a salt, then produced a histogram of the hashes for demographic subgroups. The researcher did his analysis on the histograms, not the hashes themselves.

Re:TFA says they were hashed (1)

Hentes (2461350) | more than 2 years ago | (#40195389)

Interesting read, but in this case they couldn't really measure password strength, only password uniqueness which isn't exactly the same.
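An added example, not part of the thread or of the paper: a sketch of the collection scheme described in the two comments above, where each login is reduced to a keyed hash, the hashes to per-group counts, and guessing statistics are computed from the counts alone. HMAC-SHA256 under a throwaway key stands in for the salted hash, the sample logins are constructed, and the choice of statistics (share of accounts covered by the β most common values, its conversion to bits, and the guesses needed to cover a fraction α) is an assumption about what such an analysis would compute.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter, defaultdict

# Constructed sample: (demographic group, password) pairs as seen at login time.
SAMPLE_LOGINS = (
    [("under25", p) for p in
     ["123456"] * 4 + ["password"] * 2 +
     ["pikachu", "charizard", "qwerty1", "letmein"]]
    + [("over55", p) for p in
       ["123456"] * 2 +
       ["correct horse battery staple", "G3t0ffMyL4wn!", "dragon1987",
        "Aunt-Mabel-1953", "xK9#qLm2vR", "sunshine55",
        "MH-telnet-1982", "blue heron lake"]]
)


def collect_histograms(logins, key):
    """Reduce logins to per-group lists of counts, most common first.

    Each password is replaced by HMAC-SHA256(key, password), so equal
    passwords collide and can be counted. Only the counts are returned;
    the tags are dropped, and the key is meant to be discarded after
    collection (assumption of this sketch).
    """
    per_group = defaultdict(Counter)
    for group, password in logins:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        per_group[group][tag] += 1
    return {g: sorted(c.values(), reverse=True) for g, c in per_group.items()}


def success_rate(counts, beta):
    """Share of accounts that fall to the beta most common passwords."""
    return sum(counts[:beta]) / sum(counts)


def effective_bits(counts, beta):
    """Bits of a uniform distribution that would resist beta guesses equally."""
    return math.log2(beta / success_rate(counts, beta))


def work_factor(counts, alpha):
    """Fewest guesses per account needed to cover a fraction alpha of accounts."""
    target = alpha * sum(counts)
    covered = 0
    for guesses, count in enumerate(counts, start=1):
        covered += count
        if covered >= target:
            return guesses
    return len(counts)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # throwaway collection key
    for group, counts in collect_histograms(SAMPLE_LOGINS, key).items():
        print(group, counts,
              "top-1 share: %.2f" % success_rate(counts, 1),
              "bits: %.2f" % effective_bits(counts, 1),
              "guesses for 50%%: %d" % work_factor(counts, 0.5))
```

Swapping one unique password for any other unique string leaves every count unchanged, which is the limitation raised in the reply: the histogram records how common a choice is, not how it is built.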

Re:How did he analyse it? (5, Informative)

Joe Loughry (525975) | more than 2 years ago | (#40195305)

The methodology is explained in the paper "The science of guessing: analyzing an anonymized corpus of 70 million passwords" available at http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf [cam.ac.uk] Plain text passwords were captured at login time in coöperation with Yahoo! under ethics and legal-approved rules. The experimental design contains technical measures to ensure that user IDs were not associated with passwords and further measures to protect against passwords that might be used in more than one place.

Re:How did he analyse it? (0)

icebike (68054) | more than 2 years ago | (#40195521)

Plain text passwords were captured at login time in coöperation with Yahoo! under ethics and legal-approved rules.

I'm sorry, but that just hurts my brain. The internal contradiction is epic.

Sadly, it doesn't surprise me that Yahoo would be party to this.

Easy to remember? (1)

Anonymous Coward | more than 2 years ago | (#40195063)

There's a good chance that the "younguns" passwords are easy to remember while the older folks have very secure passwords that also happen to be written down on post-its stuck on a monitor. Which one is *really* more secure?

the geezer's, obviously (4, Insightful)

mbkennel (97636) | more than 2 years ago | (#40195089)

If it's at home, somebody needs to break in physically, commit a felony, risk their life, and know to obtain one single password from a monitor.

Other passwords are compromised in mass dictionary attack and hacking invisibly, in foreign jurisdictions, and never get compromised.

I have another theory about the results: older people are more responsible.

Re:the geezer's, obviously (2)

Surt (22457) | more than 2 years ago | (#40195205)

I have a theory that says young people have a better grasp of cost-benefit analysis.

Re:the geezer's, obviously (0)

Anonymous Coward | more than 2 years ago | (#40195287)

My theory says that either younger people are just stupid (er, less experienced), or they just have less to protect - ie nothing in their bank account yet, etc.

Re:the geezer's, obviously (4, Interesting)

dgatwood (11270) | more than 2 years ago | (#40195353)

The latter. They know that the worst that could happen would be somebody impersonating them, and given how unlikely it is for someone to bother cracking their account to do so (SMTP is completely without security, for all practical purposes), they consider their email passwords to be unimportant. Now their Facebook passwords, they will protect. After all, that's where they do most of their communication.

Re:the geezer's, obviously (0)

Anonymous Coward | more than 2 years ago | (#40195373)

I have a theory that says young people have a better grasp of cost-benefit analysis.

Well, yes, in that they are generally not doing anything worthwhile and their address book is full of e-friends they don't really know. So compromise or loss is of little consequence. :-)

Re:the geezer's, obviously (1)

Rob the Bold (788862) | more than 2 years ago | (#40195409)

I have a theory that says young people have a better grasp of cost-benefit analysis.

You might think so from just this one data point. Or you might think that the perceived costs and benefits are different for different people.

Re:Easy to remember? (3, Insightful)

icebike (68054) | more than 2 years ago | (#40195221)

Which one is *really* more secure?

The one written on the monitor obviously.

Education (2)

bdrees (1015815) | more than 2 years ago | (#40195067)

I tend to believe that it's a difference in education between the generations. I know the vocabulary in my family is completely different in the older generations of my family. Half the time my teenagers don't understand the conversations when my grandparents are around, and they're always asking "what did they mean" later on.

Re:Education (4, Funny)

CptNerd (455084) | more than 2 years ago | (#40195139)

Newspeak FTW. LOL.

Not so surprising (3, Informative)

Narrowband (2602733) | more than 2 years ago | (#40195071)

This one seemed pretty intuitive to me. If you've lived a longer life, you probably have a bigger list of personal experiences to pick from where there are words/phrases to build passwords around that are meaningful to you.

Change passwords from time to time? (2)

gQuigs (913879) | more than 2 years ago | (#40195075)

From the article: Unsurprisingly, people who change their password from time to time tend to select the strongest ones.

That actually is surprising to me... Although I guess storing passwords in Firefox (w/ Sync), and having them be very long (32 random characters+), might not be a common demographic...

Geezers have more experience (1)

kawabago (551139) | more than 2 years ago | (#40195077)

Geezers have more memorable life experience from which to draw good passwords. Which doesn't exactly explain why all geezer passwords are some version of DamnTeenagers!

The older you are ... (5, Insightful)

jabberwock (10206) | more than 2 years ago | (#40195081)

... the more likely it is that you actually have an identity worth stealing.

Re:The older you are ... (3, Interesting)

swillden (191260) | more than 2 years ago | (#40195393)

... the more likely it is that you actually have an identity worth stealing.

And the more likely it is that you'll have a wealth of background to draw on when coming up with obscure-but-memorable (to you) bits of information you can combine and tweak to make a good password. I definitely notice this when comparing passwords my wife chooses with passwords my kids choose. She uses bits of old but important dates, parts of names of people she knew decades ago, etc. and comes up with some pretty good ones. I can mostly recognize where she got the pieces but doubt I'd ever be able to guess her password if she didn't tell it to me.

My kids, on the other hand, tend to pick simple names of favorite entertainment characters. Even when I try to get them to pick something more complex, they just don't seem to have much else to draw on. When I pointed out not long ago that one son's choice of his favorite pokemon's name as a password wasn't very hard to guess, he proceeded to pick another pokemon with a longer name. When I talked him through the idea of picking several and using pieces of their names, the result was still not very good.

Perhaps all of this is just a result of not caring as much, but I think there's more to it.

(BTW, some are undoubtedly wondering why I force my family to give me their passwords. I don't. In fact I harp at them all regularly about how they shouldn't ever tell me their password. They roll their eyes and just blurt it out when I ask them to type it so that I can fix something on their account. I also find out their password when they forget their old password and I have to reset it for them. I used to change it to "changeme", but then I found out that just meant that my kids, at least, always had "changeme" as their password. So they actually have better security if I make them come up with something and tell it to me so I can set it. It also gives me a chance to make them think about whether or not they can remember the new password so I don't end up having to reset it again tomorrow.)

Re:The older you are ... (1)

arose (644256) | more than 2 years ago | (#40195601)

The way the young'uns name their kids today it stands to reason that geezers picking their grandkid's name and adding their birthday makes a reasonably strong (i.e. not detected as kinda crappy by computer analysis) password. In short, I'm with you on the wealth of obscure-ish information, but I'm not sure how many would actually stand up to real analysis.

The younger you are .... (1)

McGruber (1417641) | more than 2 years ago | (#40195607)

....the more likely it is that you actually have nude photos (of yourself) worth stealing.

pass word rules?? (1)

Joe_Dragon (2206452) | more than 2 years ago | (#40195085)

The older people had less carp to put up with over the years than younger ones.

Memory? (0)

Anonymous Coward | more than 2 years ago | (#40195093)

They also write their passwords down on a pad of paper right next to the computer. Just you try to remember that super secure password, bluehair.

Re:Memory? (4, Insightful)

spire3661 (1038968) | more than 2 years ago | (#40195137)

Every password I have is written down in a Red & Black notebook in my office at home. If you are clever/powerful enough to get a look at it without my permission, I have bigger problems than worrying about my passwords.

Re:Memory? (3, Interesting)

ShanghaiBill (739463) | more than 2 years ago | (#40195217)

They also write their passwords down on a pad of paper right next to the computer.

That is what I do. All my passwords have the same initial six characters. So I only write down what comes after those six, and make them as long and secure as each site will allow. If a burglar steals the list, it will be useless because they don't know the common prefix, nor do they even know that there is a prefix. They just see "correct horse battery staple" and have no idea that the real password is "R5u7qPcorrect horse battery staple".

Re:Memory? (0)

Anonymous Coward | more than 2 years ago | (#40195329)

I have the same password on my luggage

Re:Memory? (1)

dgatwood (11270) | more than 2 years ago | (#40195365)

They just see "correct horse battery staple" and have no idea that the real password is "R5u7qPcorrect horse battery staple".

Now they do.

How many passwords? And can they remember them? (4, Interesting)

Faizdog (243703) | more than 2 years ago | (#40195117)

1) Can the older folks actually remember all their passwords? Or are they writing them down?

2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2, 3, etc, etc, etc).

I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like: "firsthousenum+first name first crush, no space or caps" which would be the street address (house number) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) that it didn't work out, plus some force you to change passwords periodically, it's a mess.

On a different but kind of password related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access, I could send and read emails, but not change any account settings (like passwords, etc.) That would've been fantastic.

Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.

Re:How many passwords? And can they remember them? (1)

Anonymous Coward | more than 2 years ago | (#40195343)

Older people are less tech savvy, blacks are lazy, jews are greedy, muslims are terrorists- Blah, blah, blah. Generalizations suck.

I'm a 51 year-old "geezer" and work with other geezers as technically competent as myself, you insensitive clod(s). While we're admittedly statistical outliers, we do just as well if not better in many technical endeavors as our younger counterparts, while managing to avoid denigrating those younger guys and girls as "young idiots" if they're lacking in a particular skillset. We work together with them, enjoying better results by capitalizing on the strengths of each group.

If you keep learning and stay out of safe, comfortable ruts encouraged by age and society, you're just fine.

It -is- sort of distressing that I honestly don't like people walking on my lawn, however.

Re:How many passwords? And can they remember them? (1)

93 Escort Wagon (326346) | more than 2 years ago | (#40195633)

Not the actual password but mnemonics that are relevant to me like: "firsthousenum+first name first crush, no space or caps" which would be the street address (house number) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

Yeah, yeah - mnemonics like "this password rhymes with cuppy"

Seriously, just use a secure password manager so you can use unique passwords everywhere, but only really need to remember one password. OS X's Keychain Access works great for this. Gnome's had a similar tool available for a while, and there are third-party Windows solutions as well. They all encrypt the information, so five years from now you won't have to worry about remembering what some obscure mnemonic actually meant. And if someone compromises one of your accounts... they've only got one of your accounts.

Re:How many passwords? And can they remember them? (1)

RespekMyAthorati (798091) | more than 2 years ago | (#40195663)

1) Can the older folks actually remember all their passwords? Or are they writing them down?

2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2, 3, etc, etc, etc).

I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything.

I'm an old geezer and I use LastPass. My LastPass password is a very long sequence that I generated with a random number generator and memorized. Problem solved.

Re:How many passwords? And can they remember them? (1)

Macrat (638047) | more than 2 years ago | (#40195723)

1) Can the older folks actually remember all their passwords? Or are they writing them down?

Some are writing them down and even with the password sitting there in front of them, they have trouble typing it in.

Older people take the time to read (1)

Anonymous Coward | more than 2 years ago | (#40195121)

Maybe it's because older people are more likely to take the time to read the instructions on choosing your password.

Post it notes make for stronger passwords (1)

erice (13380) | more than 2 years ago | (#40195131)

If you don't think you can remember a password, you may write it down. If it is going to be written down, then it is pretty easy to select a strong password.
Of course, this isn't helpful if someone else gets access to the post-it note. But end to end security wasn't the subject of the survey, was it?

Re:Post it notes make for stronger passwords (2)

Todd Knarr (15451) | more than 2 years ago | (#40195245)

And of course, how many attackers will have access to my desk? For my desk at home I can count them on my fingers and not run out, and I know where they live. For my desk at work, that's why one drawer has a lock on it and the key's on my key-ring. Sure Security or Facilities could open it, but if they're compromised they've got access to far more lucrative places in the building without needing to mess with my desk.

Re:Post it notes make for stronger passwords (1)

arose (644256) | more than 2 years ago | (#40195627)

Does your drawer lock take more than 30 seconds for an experienced lock picker? It's not altogether bad, but would probably be even better if you only wrote down half of it and locked it up there, together with regular (every 6 months or so) password changes it probably is quite good if you are diligent.

young != geek (5, Insightful)

tverbeek (457094) | more than 2 years ago | (#40195145)

....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means. Young people appear to be more tech-savvy mostly because they have grown up around it and are not intimidated by it; it isn't because they have an innately better understanding of computer science and follow tech news more closely.

In fact, that lack of intimidation is also a better explanation of why they choose weaker passwords: they don't take it as seriously as older people, who both have had more (bad) experiences in life to make them more cautious, and are less comfortable with computers out of unfamiliarity.

Re:young != geek (0)

Anonymous Coward | more than 2 years ago | (#40195185)

I wish I could rate something deeply insightful.

Re:young != geek (3, Interesting)

AthanasiusKircher (1333179) | more than 2 years ago | (#40195435)

....or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?

I seriously doubt that most young people (i.e. the ones who aren't tech majors) even understand what this means.

Yeah, seriously, who wrote the summary crap? Does anyone really think that most Yahoo mail users under 25 have conversations like this:

-- Reginald, I'm signing up for a new Yahoo account. I must design a new password.

-- Well, Theodore, I read in my issue of Network Security Weekly that lots of account information is compromised everywhere.

-- You know, Reginald, I never thought about it that way. I am feeling rather cynical about strong passwords, given this era of large-scale user-database compromises. As an existential protest against the very concept of password protection in such an age, I think I'll just make my password "password" or maybe "123."

-- Good show, Theodore! Let's celebrate the anarchy of the internet by joining in a medley of Gilbert and Sullivan tunes from HMS Pinafore. Tally ho!

Umm, no. Actual conversations are more like:

-- Yo, Bob, I need a new email. Gonna go with Yahoo, even though it's kinda crap. Damn... I need a password.

-- Woah, Sam, who cares? Pass me a beer.

-- Yeah, you're right. Hell... I'm just gonna type "123." Pass me a beer, too.

-- Awesome, Sam. LOL. Where did that keg go?

Excuse me. (-1)

Anonymous Coward | more than 2 years ago | (#40195151)

But why would Yahoo (or anyone else) be sharing passwords *and* demographic information for their customers with any outside entity? And the guy publishes a paper about this? Seriously?

The old saying goes "The stronger the password... (-1)

Anonymous Coward | more than 2 years ago | (#40195153)

...the weaker the knees and prostate.

Hacksy prof (-1)

Anonymous Coward | more than 2 years ago | (#40195159)

Why did he get access to 70 million passwords?

Perhaps it's like other 'yoof' items (4, Insightful)

Gonoff (88518) | more than 2 years ago | (#40195167)

Younger people are known (by insurers and police anyway) to be prone to driving faster. They seem to work on the principle that nothing bad happens to them.

Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

With less experience, people do not believe things will happen to them. We older codgers know it does and take precautions.

Re:Perhaps it's like other 'yoof' items (1)

TemperedAlchemist (2045966) | more than 2 years ago | (#40195301)

Pff, won't happen to me.

Re:Perhaps it's like other 'yoof' items (1)

swillden (191260) | more than 2 years ago | (#40195401)

Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

But... 30-somethings are young'uns.

Re:Perhaps it's like other 'yoof' items (0)

Anonymous Coward | more than 2 years ago | (#40195461)

Stories of wartime included the 30somethings diving into cover at every event. People 10-15 years younger mocked them.

But... 30-somethings are young'uns.

Not in a warzone. Young'uns are straight out of high school. 30-somethings tend to have 10+ years experience. In the old days, 30+ in the army meant you knew what was happening around you.

Re:Perhaps it's like other 'yoof' items (0)

Anonymous Coward | more than 2 years ago | (#40195629)

Maybe it's because when you're younger, you realize... shit happens... and you realize you shouldn't give a shit so much. Then when you get older you start getting paranoid as your mind goes. Age doesn't really matter, life has its own ideas. Shit will happen to you whether you want it to or not, regardless of how much you try to prevent it and how much of a senior citizen discount you get. I'm not saying having a password of password is a good idea.

Re:Perhaps it's like other 'yoof' items (1)

jpapon (1877296) | more than 2 years ago | (#40195689)

Here in Germany the old drive just as fast as the young. Getting passed while going 160 (like you're standing still) by some grey-haired fella in an M5 is a daily occurrence on the autobahn. Maybe old Americans are just sissies.

The current password convention is wrong (1)

Karmashock (2415832) | more than 2 years ago | (#40195175)

A8%l+$mr is a terrible password. The security experts like passwords like that but they're stupid. It's impossible to remember.

The convention I follow and what I think most people should follow is "JustTypingASentenceOutMinusSpaces". That is very easy to remember. You can do cool things like quote a line from a play, song, poem, or movie that you like. What's the likelihood a dictionary attack is going to crack "hastalavistababy!"...

Humans are very good at remembering sentences. It works into our mnemonic memory. Many people that coach study habits encourage students to turn complex study concepts into such phrases. And why? Because we don't forget them.

Stupid lines like "I before e but not after c."... regardless of whether that's grammatically correct, I'll never forget that stupid little rhyme. It's in my head... forever.

That is how people should make passwords. Not their children's birthdays plus the name of their dog with a pound sign at the end. "ToBeOrNotToBeThatIsTheQuestion" is a great password. It's long but you'll never forget it.

I know what some people are saying. What about those *** that block out what you're typing making it so you have to retype everything if you make a mistake? Well, how often are those even required? They're pretty stupid. 99 percent of the time I'm typing in a password no one is there to see it. And even if there were someone just ask him to stare at his feet for two seconds.

Using this system we could all have dozens of uncrackable passwords that we never had to write down.

Re:The current password convention is wrong (0)

Anonymous Coward | more than 2 years ago | (#40195285)

You're young aren't you?

"What's the likelihood a dictionary attack is going to crack "hastalavistababy!"..."

Pretty damn fucking HIGH I'd say.

Re:The current password convention is wrong (3, Informative)

PsychoSlashDot (207849) | more than 2 years ago | (#40195613)

You're young aren't you?

"What's the likelihood a dictionary attack is going to crack "hastalavistababy!"..."

Pretty damn fucking HIGH I'd say.

How do you figure? While each of the constituent words will likely be in a dictionary, the concatenated string is much less likely to be. Realistically an attacker will have to try low-hanging fruit passwords (such as "password") first, then try brute-forcing short combinations (such as "123abc"), then try a dictionary attack (such as "elephantine"), move back to brute-forcing slightly longer possibilities (such as "1234password#1") and finally start combinations of dictionary words in the desperate hope they might stumble upon a passphrase (such as "pluckmypubichairwithyourteeth").

While yes, phrases consisting of dictionary words are technically a group of tokens, in practice hacking an unknown password isn't trivial. You can think a phrase using five words is equivalent to a five-letter password, but it's really not. By extending the length of the password, you force the attacker to try other combinations first, for efficiency's sake. And if you introduce a single spelling error you screw the attacker right over.

Re:The current password convention is wrong (1)

Anonymous Coward | more than 2 years ago | (#40195303)

While I agree with your argument, the examples you listed are terrible passwords. If you think "hastalavistababy" and "tobeornottobe" in various permutations are not part of a normal, run-of-the-mill dictionary attack you'd better think again.

Sentences are easy to remember, but please use something that isn't part of 90% of the population's common culture.

"MyAuntyClementineSureDoesSmellWeird" is a great password. "WhatsTheFrequencyKenneth", not so much.

Re:The current password convention is wrong (1)

93 Escort Wagon (326346) | more than 2 years ago | (#40195649)

You can also just change one word of a common phrase, or insert one that doesn't belong.

"WhatsthefrequencyBillBixby"

"hastalavistaclementinebaby"

Re:The current password convention is wrong (1)

cashman73 (855518) | more than 2 years ago | (#40195345)

The best password ever is the one used by Rodney McKay of Stargate Atlantis: 16431879196842. The birth years of Isaac Newton, Albert Einstein, and himself, plus the number 42. ;-)

Re:The current password convention is wrong (0)

Anonymous Coward | more than 2 years ago | (#40195555)

16431879196842 ?

That's the combination on my luggage !

Re:The current password convention is wrong (0)

Anonymous Coward | more than 2 years ago | (#40195385)

1. Pick a memorable date, say 2012-06-02
2. Pick two memorable, not too short words, say "Slashdot" and "story".
3. Replace the dashes in the date by the words: 2012Slashdot06story02; you now have a 21-character password that will be easy to remember.
4. Do a simple Caesar shift to reduce dictionary attack vulnerability.

A great deal better than just a simple sentence.

Geezers Pick Stronger Passwords Than Young'uns (0)

Anonymous Coward | more than 2 years ago | (#40195177)

Since the study was done at U of Cambridge geezers and young'uns would be the same group. Hence old geezers in popular usage to refer to those of advanced years if not experience.

I wouldn't be surprised (2)

Todd Knarr (15451) | more than 2 years ago | (#40195201)

I wouldn't be surprised if that's the case. I know I use "strong" passwords mainly out of habit, and a bit of laziness (it's easier to get random sequences past password rules). I'm well aware that at best the only protection that gives me is the possibility that whoever compromised the password database will be satisfied with the results of a dictionary attack and not bother doing a brute-force attack on what's left. I'm also aware that I get more protection from a site locking my account out after repeated failures than from the password being hard to guess (the likely failure limit being a lot less than the number needed to guess even a "weak" password). And I find it amusing that a site classifies "kwo5*f(2n" as a weak password (no upper-case letters) (no, that's not one of my actual passwords) while "Jn4thon!" is considered strong (mix of upper-case, lower-case, numbers and symbols, no dictionary words present).

It's because.. (0)

Anonymous Coward | more than 2 years ago | (#40195223)

Older folks have accounts that have already been compromised.

Obligatory xkcd (-1)

Exitar (809068) | more than 2 years ago | (#40195247)

I bet it's because... (0)

Anonymous Coward | more than 2 years ago | (#40195297)

... of reasons like these:

* More years of being forced to remember hard passwords forced on them.
* More years spent inventing a better password.

And the big one...

* Older users can only remember a small number of passwords, so they make them very strong and then use them everywhere. Crack their Yahoo password, and you'll likely have cracked their bank, ebay, paypal, billing, and porn password.

geezer != old? (1)

dwater (72834) | more than 2 years ago | (#40195311)

IINM, the term is usually 'old geezers', implying they can be young too..

Re:geezer != old? (0)

Anonymous Coward | more than 2 years ago | (#40195377)

I'm a young 50-something geezer with a DOB of 18 Feb 1992.

What amazes me is that people enter their correct date of birth for email accounts allowing these types of analysis to be correct. Oh wait ...

Password Smassword (0)

Anonymous Coward | more than 2 years ago | (#40195349)

I've always had a casual attitude toward locks, alarms and passwords. All they do is keep honest people honest, if someone is truly determined to get at some aspect of my life in that way, surely they will not be stopped. For the record I'm 23 and CAPABLE of coming up with a strong password, I CHOOSE not to.

In other news.... (1)

espiesp (1251084) | more than 2 years ago | (#40195413)

Old Geezers probably write their passwords down more often as well. Just a hunch based on casual observations of old people with stickynotes all over their monitors.

Young people (under 26) are careless (2)

mauriceh (3721) | more than 2 years ago | (#40195425)

Ask the actuaries for the car insurance companies.
It IS their job to "do the math".

And, they tell us that people under 25 get into far more accidents, and are far more careless.
People over 45 are far more careful and get into fewer accidents.

This is not opinion or conjecture.
It is statistics.

Looking for a good password? (1)

man2525 (600111) | more than 2 years ago | (#40195439)

Search the pastebins. Plenty of good passwords. Doesn't really matter when a website is storing it as an unencrypted hash in a database with the default admin password still enabled. Maybe this is why the young'uns are cynical...

Wait, what?? (1)

mcavic (2007672) | more than 2 years ago | (#40195459)

How does someone obtain 70 million Yahoo passwords, and the associated demographic information?

On average, Bonneau found that user-chosen passwords offer less than 10 bits of security against online attacks, meaning it would only take around 1000 attempts to try every possible password

A 3-letter password would require up to 17,576 attempts, and a 4-digit pin would require up to 10,000. So I don't know what kind of passwords these people are using.

Re:Wait, what?? (1)

mcavic (2007672) | more than 2 years ago | (#40195479)

I guess it might take fewer tries than that, due to hash collisions. But that's why the hashed passwords should be unattainable.

Re:Wait, what?? (1)

jpapon (1877296) | more than 2 years ago | (#40195717)

If there's so many collisions, it just means that many many people are using the same password. The statement "it would only take around 1000 attempts to try every possible password" is misleading and ridiculous. A more accurate statement is that it would only take 1000 attempts to try the 1000 most common hashes. No shit, Sherlock.
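The "bits" figure discussed in this sub-thread depends on whether guesses are counted against a uniform keyspace or against the passwords people actually choose. The following added example (not code from the thread or from the paper) computes the share of accounts that fall to the β most common passwords and converts it to equivalent bits as lg(β / success rate); that conversion and all function names are assumptions of this example, and the password population is constructed, not Yahoo data.

```python
import math
from collections import Counter

def success_rate(counts, beta):
    """Share of accounts that fall to the `beta` most common passwords."""
    top = sorted(counts.values(), reverse=True)[:beta]
    return sum(top) / sum(counts.values())

def effective_bits(counts, beta):
    """Bits of a uniform keyspace that would fall at the same rate: lg(beta / rate)."""
    return math.log2(beta / success_rate(counts, beta))

def shannon_bits(counts):
    """Shannon entropy of the distribution, shown for contrast."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def work_factor(counts, alpha):
    """Guesses per account, most common first, needed to break a share `alpha`."""
    total, cracked = sum(counts.values()), 0
    for guesses, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        cracked += c
        if cracked / total >= alpha:
            return guesses
    return len(counts)

def constructed_population():
    """Constructed sample, not Yahoo data: 65,536 accounts, 8 popular passwords
    used by 512 accounts each, every remaining account with a unique password."""
    counts = Counter({f"popular{i}": 512 for i in range(8)})
    counts.update({f"unique{i}": 1 for i in range(65536 - 8 * 512)})
    return counts

def uniform_three_letters():
    """Every 3-letter lowercase password used once: 26**3 = 17,576 candidates."""
    return Counter({i: 1 for i in range(26 ** 3)})

if __name__ == "__main__":
    skewed, uniform = constructed_population(), uniform_three_letters()
    print(f"uniform, 8 guesses : {effective_bits(uniform, 8):.2f} bits")
    print(f"skewed, 8 guesses  : {effective_bits(skewed, 8):.2f} bits")
    print(f"skewed, Shannon    : {shannon_bits(skewed):.4f} bits")
    print(f"guesses for 5%     : {work_factor(skewed, 0.05)}")
    print(f"guesses for 50%    : {work_factor(skewed, 0.5)}")
```

In the constructed population, eight guesses per account break 1 in 16 accounts, which is 7 bits against a rate-limited online attacker, even though the Shannon entropy of the same distribution is above 15 bits.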

Younger people just don't write them down (0)

Anonymous Coward | more than 2 years ago | (#40195493)

Younger people just pick passwords that are easier to remember as opposed to picking strong passwords that old people write down on a note that they put right next to their computers.

It's because they're not thinking about it (1)

tchdab1 (164848) | more than 2 years ago | (#40195561)

I work with many over 60 year old new computer users. It's my experience that they tend to use family names for passwords without regard to how long they are - they don't seem to consider how much longer or more annoying it would be to type in a longer name, for example. When I choose a password I want to find the shortest one that will do the most good; they don't think that way.

Terrible science reporting (3, Informative)

MsWhich (2640815) | more than 2 years ago | (#40195659)

As usual.

The original paper is located here. [cam.ac.uk] From the conclusion:

"The most troubling finding of our study is how little password distributions seem to vary, with all populations of users we were able to isolate producing similar skewed distributions with effective security varying by no more than a few bits."

And yet in TFA this gets transformed into "old people use strong passwords and young people use weak ones!" and everyone starts wondering what could account for this. It also makes the study sound as though it specifically focused on user age, or that user age was the most interesting result, when in fact there were several other significant (yet still small) variations in different groups in the study, e.g. Indonesian users tended to use much weaker passwords than German or Korean users. They also found that users who tend to log in from multiple locations also tend to use stronger passwords.

So why is the old people/young people thing the single takeaway that gets headlined and reported? It's not like what I just wrote would have been particularly difficult to outline or explain, even in a brief news article. I blame laziness on the part of the reporter.
