Lorrie Faith Cranor: What's wrong with your pa$$w0rd?

Lorrie Faith Cranor is a professor of computer science and engineering, and she gave a very interesting TED talk. The topic of the talk: "What's wrong with your pa$$w0rd?"

Watch the TED video. The translation was made by Chryssa Rapessi and edited by Nikolao Benia.


I am a professor of computer science and engineering here at Carnegie Mellon, and my research focuses on usable privacy and security, and so I like my friends to give me examples of their frustrations with computing systems, particularly frustrations that have to do with unusable privacy and security.


So, I hear a lot about passwords. People get frustrated about passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else can guess. But what do you do when you have accounts on hundreds of different systems and you're supposed to have a unique password for each of those systems? It's tough. At Carnegie Mellon, they used to make it easy for us to remember our passwords.

Until 2009 the password requirement was simply that you had to have a password with at least one character. Pretty easy. But then things changed, and at the end of 2009 they announced that they would have a new policy, and this new policy required passwords of at least eight characters, with an upper-case letter, a lower-case letter, a digit and a symbol; the same character could not appear more than three times, and the password could not be in a dictionary. Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and said, "Wow, now that's really unusable. Why are they doing this to us, and why didn't you stop them?" And I said, "You know what? They didn't ask me." But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy. They said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements.

These requirements were that our passwords had to have a lot of entropy. Now, entropy is a complicated concept, but basically it measures the strength of passwords. But the thing is, there isn't actually a standard measure of entropy. The National Institute of Standards and Technology has published a set of guidelines which have some rules of thumb for measuring entropy, but they don't have anything too specific, and the reason they only have rules of thumb is that it turns out they don't actually have any good data on passwords. In fact, their report states, "Unfortunately, we do not have much data on the passwords users choose under particular rules.

NIST would like to obtain more data on the passwords users actually select, but system administrators are understandably reluctant to reveal password data to others." So this is a problem, but our research group looked at it as an opportunity. We said, "Well, there's a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here." So the first thing we did was get a bag of candy bars and walk around campus, where we talked to students, faculty and staff and asked them for information about their passwords. Now, we didn't say, "Give us your password." No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week? So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13 percent of them did, but disturbingly, 80 percent of people said they were reusing their password. Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don't reuse them.

We also found out some interesting things about the symbols people use in their passwords. So the university allows 32 possible symbols, but as you can see, there's only a small number that most people are using, so we're not actually getting very much strength from the symbols in our passwords. So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that's really not very much password data. So we looked around to see where we could find additional password data. It turns out there are a lot of people going around stealing passwords, and they often post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it's not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find a better data source. We decided that one thing we could do is run a study and have people actually create passwords for our study. We used a service called Amazon Mechanical Turk, where you can post a small job online that takes a minute, a few minutes, an hour, and pay people a penny, ten cents, a few dollars to do a task for you, and then you pay them through Amazon.com. So we paid people about 50 cents to create a password following our rules and answer a survey, and then we paid them again to come back two days later and log in using their password and answer another survey. So we did this, and we collected 5,000 passwords, and we gave people a bunch of different policies to create passwords with. So some people had a pretty easy policy, we call it Basic8, and here the only rule was that your password had to have at least eight characters.

Then some people had a much harder policy, and this was very similar to the CMU policy, in that it had to have eight characters including uppercase, lowercase, digits and symbols, and pass a dictionary check. And one of the other policies we tried, and there were a whole bunch more, but one of the ones we tried was called Basic16, and the only requirement here was that your password had to have at least 16 characters. All right, so now we had 5,000 passwords, and we had much more detailed information. Again we see that there's only a small number of symbols that people are actually using in their passwords. We also wanted to get an idea of how strong the passwords were that people were creating, but as you may recall, there isn't a good measure of password strength. So what we decided to do was to see how long it would take to crack these passwords using the best cracking tools that the bad guys are using, or that we could find information about in the research literature.

So to give you an idea of how bad guys go about cracking passwords, they will steal a password file that has all of the passwords in a scrambled form, called a hash, and so what they'll do is make a guess as to what a password is, run it through a hashing function, and see whether it matches the passwords they have on their stolen password list. So a dumb attacker will try every password in order. They'll start with AAAAA and move on to AAAAB, and this is going to take a really long time before they get any passwords that people are actually likely to have. A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and guess those first. So they're going to start by guessing "password," and then they'll guess "iloveyou" and "monkey" and so on, because these are the passwords that people are most likely to have. In fact, some of you probably have these passwords.

So what we found when we ran all of these 5,000 passwords we collected through these tests to see how strong they were, we found that the long passwords were actually pretty strong, and the complex passwords were pretty strong too. However, when we looked at the survey data, we saw that people were really frustrated by the very complex passwords, and the long passwords were a lot more usable, and in some cases they were actually even stronger than the complex passwords. So this suggests that instead of telling people that they need to put all these symbols and numbers and crazy things into their passwords, we might be better off just telling people to have long passwords. Now here's the problem, though: some people had long passwords that actually weren't very strong. You can make long passwords that are still the sort of thing that an attacker could easily guess. So we need to do more than just ask for long passwords. There have to be some additional requirements, and some of our ongoing research is looking at what additional requirements we should add to make for stronger passwords that are also going to be easy for people to remember and type. Another approach to getting people to have stronger passwords is to use a password meter.

Here are some examples. You may have seen these on the Internet when you were creating passwords. We decided to do a study to find out whether these password meters actually work. Do they actually help people have stronger passwords, and if so, which ones are better? So we tested password meters of different sizes, shapes and colors, with different words next to them, and we even tested one that was a dancing bunny. As you typed a stronger password, the bunny danced faster and faster. So this was pretty fun. What we found was that password meters do work. (Laughter) Most of the password meters were actually effective, and the dancing bunny was very effective too, but the password meters that were the most effective were the ones that made you work harder before they gave you the OK and told you that you'd done a good job, and in fact we found that most of the password meters on the Internet today are too soft.

They tell you that you're doing a good job too early, and if they would just wait a little bit before giving you that positive feedback, you would probably have better passwords. Now, another approach to better passwords, perhaps, is to use passphrases instead of passwords. So this was an xkcd cartoon from a few years ago, and the cartoonist suggests that we should all use passphrases, and if you look at the second row of this cartoon, you can see the cartoonist is suggesting that the passphrase "correct horse battery staple" would be a very strong passphrase and something really easy to remember. He says, in fact, you've already remembered it. And so we decided to do a research study to find out whether this was true.

Everyone I talk to, when I mention that I'm doing password research, brings up this cartoon. "Oh, have you seen it? That xkcd. Correct horse battery staple." So we did the research study to see what would actually happen. So in our study, we used Mechanical Turk again, and we had the computer pick the random words in the passphrase. We did this because humans are not very good at picking random words. If we asked a human to do it, they would pick things that were not very random. So we tried a few different conditions. In one condition, the computer picked from a dictionary of the very common words in the English language, and so you'd get passphrases like "try there three come." And we looked at that, and we said, "Well, that doesn't really seem very memorable." So then we tried picking words that came from specific parts of speech, so how about noun-verb-adjective-noun. That comes up with something that's sort of sentence-like. So you can get a passphrase like "plan builds sure power" or "end determines red drug." And these seemed a little bit more memorable, and maybe people would like those a little bit better. We wanted to compare them with passwords, and so we had the computer pick random passwords, and these were nice and short, but as you can see, they don't really look very memorable. And then we decided to try something called a pronounceable password. So here the computer picks random syllables and puts them together so you have something sort of pronounceable, like "tufrivi" and "vandasambi." Those kind of roll off your tongue.

So those were random passwords that were generated by our computer. What we found in this study was that, surprisingly, passphrases were not actually all that good. People were not really better at remembering the passphrases than these random passwords, and because the passphrases are longer, they took longer to type and people made more errors while typing them in. So it's not really a clear win for passphrases. Sorry, all of you xkcd fans. On the other hand, we did find that pronounceable passwords worked surprisingly well, and so we are actually doing some more research to see if we can make that approach work even better. So one of the problems with some of the studies that we've done is that because they're all done using Mechanical Turk, these are not people's real passwords. They're passwords that they created, or that the computer created for them, for our study. And we wanted to know whether people would actually behave the same way with their real passwords. So we talked to the information security office at Carnegie Mellon and asked them if we could have everybody's real passwords. Not surprisingly, they were a little bit reluctant to share them with us, but we were actually able to work out a system with them where they put all of the real passwords for 25,000 CMU students, faculty and staff into a locked computer in a locked room, not connected to the Internet, and they ran code on it that we wrote to analyze those passwords. They audited our code. They ran the code. And so we never actually saw anybody's password. We got some interesting results, and those of you Tepper students in the back will be very interested in this. We found that the passwords created by people affiliated with the school of computer science were actually 1.8 times stronger than those affiliated with the business school. We have lots of other really interesting demographic information as well.
The other interesting thing that we found is that when we compared the Carnegie Mellon passwords to the Mechanical Turk-generated passwords, there were actually a lot of similarities, and so this helped validate our research method and show that collecting passwords using these Mechanical Turk studies is actually a valid way to study passwords. So that was good news. Okay, I want to close by talking about some insights I gained while on sabbatical last year in the Carnegie Mellon art school.

One of the things that I did is I made a number of quilts, and I made this quilt here. It's called "Security Blanket." (Laughter) And this quilt has the 1,000 most frequent passwords stolen from the RockYou website. And the size of the passwords is proportional to how frequently they appeared in the stolen dataset. And what I did is I created this word cloud, and I went through all 1,000 words, and I categorized them into loose thematic categories. And in some cases it was kind of difficult to figure out what category they should be in, and then I color-coded them. So here are some examples of the difficulty. So "justin." Is that the name of the user, their boyfriend, their son? Maybe they're a Justin Bieber fan. Or "princess." Is that a nickname? Are they Disney princess fans? Or maybe that's the name of their cat. "iloveyou" appears many times in many different languages. There's a lot of love in these passwords. If you look carefully, you'll see there's also some profanity, but it was really interesting to me to see that there's a lot more love than hate in these passwords. And there are animals, a lot of animals, and "monkey" is the most common animal and the 14th most popular password overall. And this was really curious to me, and I wondered, "Why are monkeys so popular?" And so in our last password study, any time we detected somebody creating a password with the word "monkey" in it, we asked them why they had a monkey in their password. And what we found out (we've found 17 people so far, I think, with the word "monkey") was that about a third of them said they have a pet named "monkey" or a friend whose nickname is "monkey," and about a third of them said that they just like monkeys and monkeys are really cute. And this one is really cute. So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password or the account that we've created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy.
And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password.
I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else. Thank you. (Applause)
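The guessing attack the talk describes (steal the hash file, hash each guess, compare it with every stored hash, and order guesses by popularity rather than alphabetically) together with the policies it names (Basic8, Basic16 and the CMU-style comprehensive policy), as an added Python example; this is not code from the talk or from the CMU research group. The popular-password list, the dictionary, the four-account "stolen" hash file and the 20,000-guess budget are all constructed for the example, and unsalted SHA-256 stands in for whatever fast hash a real leak used.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed stand-in for the popularity-ordered lists attackers build from
# leaked password sets (real lists run to millions of entries, most popular first).
COMMON_PASSWORDS = [
    "123456", "password", "iloveyou", "monkey", "princess",
    "qwerty", "P@ssw0rd", "Password1!", "letmein", "abc123",
]

# Constructed dictionary for the policy's "must not be a dictionary word" rule.
DICTIONARY = {"password", "monkey", "princess", "letmein",
              "correct", "horse", "battery", "staple"}

SYMBOLS = set(string.punctuation)


def meets_comprehensive8(pw: str, dictionary=DICTIONARY) -> bool:
    """The CMU-style policy from the talk: at least eight characters, an
    upper-case letter, a lower-case letter, a digit and a symbol, no single
    character more than three times, and not a dictionary word."""
    if len(pw) < 8:
        return False
    has_classes = (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )
    if not has_classes:
        return False
    if max(pw.count(c) for c in set(pw)) > 3:
        return False
    return pw.lower() not in dictionary


def meets_basic(pw: str, minimum: int) -> bool:
    """Basic8 and Basic16: the only rule is a minimum length."""
    return len(pw) >= minimum


def hash_password(pw: str) -> str:
    # Unsalted SHA-256 stands in for the fast hash of a leaked file. A real
    # system should use a slow, salted KDF; that is what makes each guess cost.
    return hashlib.sha256(pw.encode()).hexdigest()


def dumb_guesses(alphabet: str = string.ascii_lowercase) -> Iterator[str]:
    """Exhaustive enumeration: a, b, ..., z, aa, ab, ... (AAAAA, AAAAB in the talk)."""
    for length in itertools.count(1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def smart_guesses(alphabet: str = string.ascii_lowercase) -> Iterator[str]:
    """Popular passwords first, exhaustive enumeration only afterwards."""
    yield from COMMON_PASSWORDS
    yield from dumb_guesses(alphabet)


def crack(stolen: Dict[str, str], guesses: Iterator[str], budget: int) -> Dict[str, Tuple[str, int]]:
    """Offline attack on a stolen hash file: hash each guess once and look it up
    against every stored hash at once. Returns user -> (password, guess number)."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in stolen.items():
        by_hash.setdefault(digest, []).append(user)
    cracked: Dict[str, Tuple[str, int]] = {}
    for n, guess in enumerate(guesses, start=1):
        if n > budget or not by_hash:
            break
        for user in by_hash.pop(hash_password(guess), []):
            cracked[user] = (guess, n)
    return cracked


def guess_number(pw: str, guesses: Iterator[str], budget: int) -> Optional[int]:
    """Strength the way the study measured it: guesses needed until the password
    falls, or None if the attacker gives up within the budget."""
    found = crack({"target": hash_password(pw)}, guesses, budget)
    return found["target"][1] if "target" in found else None


# Constructed "stolen password file": four accounts, unsalted SHA-256.
STOLEN = {
    "alice": hash_password("monkey"),                    # fails every policy, on the list
    "bob": hash_password("P@ssw0rd"),                    # passes Comprehensive8, on the list
    "carol": hash_password("abc"),                       # fails every policy, not on the list
    "dave": hash_password("correcthorsebatterystaple"),  # passes Basic16 only
}

if __name__ == "__main__":
    BUDGET = 20_000
    for pw in ("monkey", "P@ssw0rd", "abc", "correcthorsebatterystaple"):
        print(f"{pw:28} basic8={meets_basic(pw, 8)!s:5} basic16={meets_basic(pw, 16)!s:5} "
              f"comprehensive8={meets_comprehensive8(pw)!s:5} "
              f"smart={guess_number(pw, smart_guesses(), BUDGET)} "
              f"dumb={guess_number(pw, dumb_guesses(), BUDGET)}")
    print("smart attacker cracked:", crack(STOLEN, smart_guesses(), BUDGET))
    print("dumb attacker cracked: ", crack(STOLEN, dumb_guesses(), BUDGET))
```

Running it puts the talk's point into numbers: "P@ssw0rd" satisfies every rule of the comprehensive policy and still falls at guess 7 for an attacker who tries popular passwords first, "monkey" falls at guess 4, and the dumb attacker enumerating lowercase strings only reaches the three-letter "abc" within the budget. Guess number, not rule compliance, is the strength measure the study used. The hashing side matters too: with an unsalted fast hash, each guess is hashed once and checked against every account for free, which is why a slow, salted KDF is the server-side defence against exactly this attack.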
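The four generator conditions from the passphrase study (random common words, noun-verb-adjective-noun, random characters, pronounceable syllables), each next to the entropy of its generator, as an added Python example that is not the study's own code. The word lists, the consonant and vowel sets and the consonant-vowel syllable shape are constructed for the example and deliberately tiny; entropy here is log2 of the number of equally likely choices per position, summed, so it describes only the generator (which is why the computer, not the user, must do the picking) and says nothing about memorability or typing errors, which is what the study actually measured.

```python
import math
import secrets
import string
from typing import Dict, Sequence, Tuple

# Constructed word lists, tiny stand-ins for the study's dictionaries; real
# lists need thousands of entries, since entropy grows only with log2(size).
COMMON_WORDS = ["try", "there", "three", "come", "correct", "horse", "battery", "staple",
                "plan", "build", "sure", "power", "end", "red", "drug", "run"]
NOUNS = ["plan", "power", "end", "drug", "horse", "battery", "staple", "staff"]
VERBS = ["builds", "determines", "takes", "moves", "holds", "runs", "sees", "makes"]
ADJECTIVES = ["sure", "red", "three", "quiet", "green", "late", "small", "loud"]

CONSONANTS = "bcdfgklmnprstvz"   # 15 choices per consonant slot (constructed set)
VOWELS = "aeiou"                 # 5 choices per vowel slot
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII


def entropy_bits(choices: Sequence[int]) -> float:
    """Entropy of a secret whose i-th position is drawn uniformly from
    choices[i] options: the sum of log2(choices[i])."""
    return sum(math.log2(c) for c in choices)


def random_passphrase(words: Sequence[str], count: int = 4, rng=secrets) -> str:
    """Common-words condition: `count` words drawn uniformly from one list
    ("try there three come")."""
    return " ".join(rng.choice(words) for _ in range(count))


def structured_passphrase(rng=secrets) -> str:
    """Parts-of-speech condition: noun-verb-adjective-noun, sentence-like
    ("plan builds sure power")."""
    return " ".join([rng.choice(NOUNS), rng.choice(VERBS), rng.choice(ADJECTIVES), rng.choice(NOUNS)])


def random_password(length: int = 8, rng=secrets) -> str:
    """Random-password condition: uniform printable characters, short but not memorable."""
    return "".join(rng.choice(PASSWORD_ALPHABET) for _ in range(length))


def pronounceable_password(syllables: int = 4, rng=secrets) -> str:
    """Pronounceable condition: consonant-vowel syllables glued together ("tufrivi"-style)."""
    return "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS) for _ in range(syllables))


def compare(rng=secrets) -> Dict[str, Tuple[str, float]]:
    """One sample of each kind next to the entropy of its generator, in bits."""
    return {
        "passphrase": (random_passphrase(COMMON_WORDS, 4, rng),
                       entropy_bits([len(COMMON_WORDS)] * 4)),
        "structured": (structured_passphrase(rng),
                       entropy_bits([len(NOUNS), len(VERBS), len(ADJECTIVES), len(NOUNS)])),
        "random8": (random_password(8, rng),
                    entropy_bits([len(PASSWORD_ALPHABET)] * 8)),
        "pronounceable": (pronounceable_password(4, rng),
                          entropy_bits([len(CONSONANTS), len(VOWELS)] * 4)),
    }


if __name__ == "__main__":
    for kind, (sample, bits) in compare().items():
        print(f"{kind:14} {bits:5.1f} bits  {sample}")
```

With 16 common words, a four-word passphrase carries only 16 bits, and the sentence-like form, drawing from four lists of eight, only 12; an 8-character random password over 94 printable characters carries about 52 bits, and four consonant-vowel syllables about 25. A real word list needs thousands of entries before a four-word passphrase catches up, and the generator must be fed from a CSPRNG (the `secrets` module here) rather than a person's idea of "random words", for the reason the talk gives.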

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
