What’s wrong with your pa$$w0rd?
-
0:01 - 0:04I am a computer science and engineering professor here at Carnegie Mellon,
-
0:04 - 0:08and my research focuses on usable privacy and security,
-
0:08 - 0:11and so my friends like to give me examples
-
0:11 - 0:13of their frustrations with computing systems,
-
0:13 - 0:17especially frustrations related to
-
0:17 - 0:21unusable privacy and security.
-
0:21 - 0:23So passwords are something that I hear a lot about.
-
0:23 - 0:26A lot of people are frustrated with passwords,
-
0:26 - 0:28and it's bad enough
-
0:28 - 0:31when you have to have one really good password
-
0:31 - 0:32that you can remember
-
0:32 - 0:35but nobody else is going to be able to guess.
-
0:35 - 0:37But what do you do when you have accounts
-
0:37 - 0:39on a hundred different systems
-
0:39 - 0:41and you're supposed to have a unique password
-
0:41 - 0:44for each of these systems?
-
0:44 - 0:46It's tough.
-
0:46 - 0:48At Carnegie Mellon, they used to make it
-
0:48 - 0:49actually pretty easy for us
-
0:49 - 0:51to remember our passwords.
-
0:51 - 0:53The password requirement up through 2009
-
0:53 - 0:56was just that you had to have a password
-
0:56 - 0:58with at least one character.
-
0:58 - 1:01Pretty easy. But then they changed things,
-
1:01 - 1:04and at the end of 2009, they announced
-
1:04 - 1:06that we were going to have a new policy,
-
1:06 - 1:08and this new policy required
-
1:08 - 1:11passwords that were at least eight characters long,
-
1:11 - 1:12with an uppercase letter, lowercase letter,
-
1:12 - 1:14a digit, a symbol,
-
1:14 - 1:16you couldn't use the same character more than three times,
-
1:16 - 1:19and it wasn't allowed to be in a dictionary.
-
1:19 - 1:21Now, when they implemented this new policy,
-
1:21 - 1:23a lot of people, my colleagues and friends,
-
1:23 - 1:25came up to me and they said, "Wow,
-
1:25 - 1:27now that's really unusable.
-
1:27 - 1:28Why are they doing this to us,
-
1:28 - 1:29and why didn't you stop them?"
-
1:29 - 1:31And I said, "Well, you know what?
-
1:31 - 1:32They didn't ask me."
-
1:32 - 1:36But I got curious, and I decided to go talk
-
1:36 - 1:38to the people in charge of our computer systems
-
1:38 - 1:41and find out what led them to introduce
-
1:41 - 1:42this new policy,
-
1:42 - 1:44and they said that the university
-
1:44 - 1:46had joined a consortium of universities,
-
1:46 - 1:49and one of the requirements of membership
-
1:49 - 1:51was that we had to have stronger passwords
-
1:51 - 1:53that complied with some new requirements,
-
1:53 - 1:56and these requirements were that our passwords
-
1:56 - 1:57had to have a lot of entropy.
-
1:57 - 1:59Now entropy is a complicated term,
-
1:59 - 2:02but basically it measures the strength of passwords.
-
2:02 - 2:04But the thing is, there isn't actually
-
2:04 - 2:06a standard measure of entropy.
-
2:06 - 2:09Now, the National Institute of Standards and Technology
-
2:09 - 2:10has a set of guidelines
-
2:10 - 2:13which have some rules of thumb
-
2:13 - 2:14for measuring entropy,
-
2:14 - 2:17but they don't have anything too specific,
-
2:17 - 2:19and the reason they only have rules of thumb
-
2:19 - 2:23is it turns out they don't actually have any good data
-
2:23 - 2:24on passwords.
-
2:24 - 2:26In fact, their report states,
-
2:26 - 2:29"Unfortunately, we do not have much data
-
2:29 - 2:32on the passwords users choose under particular rules.
-
2:32 - 2:34NIST would like to obtain more data
-
2:34 - 2:36on the passwords users actually choose,
-
2:36 - 2:39but system administrators are understandably reluctant
-
2:39 - 2:42to reveal password data to others."
-
2:42 - 2:45So this is a problem, but our research group
-
2:45 - 2:47looked at it as an opportunity.
-
2:47 - 2:50We said, "Well, there's a need for good password data.
-
2:50 - 2:52Maybe we can collect some good password data
-
2:52 - 2:55and actually advance the state of the art here."
-
2:55 - 2:57So the first thing we did is,
-
2:57 - 2:58we got a bag of candy bars
-
2:58 - 2:59and we walked around campus
-
2:59 - 3:02and talked to students, faculty and staff,
-
3:02 - 3:04and asked them for information
-
3:04 - 3:05about their passwords.
-
3:05 - 3:08Now we didn't say, "Give us your password."
-
3:08 - 3:11No, we just asked them about their password.
-
3:11 - 3:12How long is it? Does it have a digit?
-
3:12 - 3:13Does it have a symbol?
-
3:13 - 3:15And were you annoyed at having to create
-
3:15 - 3:18a new one last week?
-
3:18 - 3:21So we got results from 470 students,
-
3:21 - 3:22faculty and staff,
-
3:22 - 3:25and indeed we confirmed that the new policy
-
3:25 - 3:26was very annoying,
-
3:26 - 3:28but we also found that people said
-
3:28 - 3:31they felt more secure with these new passwords.
-
3:31 - 3:33We found that most people knew
-
3:33 - 3:36they were not supposed to write their password down,
-
3:36 - 3:38and only 13 percent of them did,
-
3:38 - 3:40but disturbingly, 80 percent of people
-
3:40 - 3:43said they were reusing their password.
-
3:43 - 3:44Now, this is actually more dangerous
-
3:44 - 3:46than writing your password down,
-
3:46 - 3:50because it makes you much more susceptible to attackers.
-
3:50 - 3:53So if you have to, write your passwords down,
-
3:53 - 3:55but don't reuse them.
-
3:55 - 3:57We also found some interesting things
-
3:57 - 4:00about the symbols people use in passwords.
-
4:00 - 4:02So CMU allows 32 possible symbols,
-
4:02 - 4:05but as you can see, there's only a small number
-
4:05 - 4:07that most people are using,
-
4:07 - 4:10so we're not actually getting very much strength
-
4:10 - 4:12from the symbols in our passwords.
-
4:12 - 4:15So this was a really interesting study,
-
4:15 - 4:17and now we had data from 470 people,
-
4:17 - 4:18but in the scheme of things,
-
4:18 - 4:21that's really not very much password data,
-
4:21 - 4:22and so we looked around to see
-
4:22 - 4:25where could we find additional password data?
-
4:25 - 4:27So it turns out there are a lot of people
-
4:27 - 4:29going around stealing passwords,
-
4:29 - 4:32and they often go and post these passwords
-
4:32 - 4:33on the Internet.
-
4:33 - 4:35So we were able to get access
-
4:35 - 4:39to some of these stolen password sets.
-
4:39 - 4:41This is still not really ideal for research, though,
-
4:41 - 4:43because it's not entirely clear
-
4:43 - 4:45where all of these passwords came from,
-
4:45 - 4:48or exactly what policies were in effect
-
4:48 - 4:50when people created these passwords.
-
4:50 - 4:53So we wanted to find some better source of data.
-
4:53 - 4:55So we decided that one thing we could do
-
4:55 - 4:57is we could do a study and have people
-
4:57 - 5:00actually create passwords for our study.
-
5:00 - 5:03So we used a service called Amazon Mechanical Turk,
-
5:03 - 5:05and this is a service where you can post
-
5:05 - 5:08a small job online that takes a minute,
-
5:08 - 5:09a few minutes, an hour,
-
5:09 - 5:12and pay people, a penny, ten cents, a few dollars,
-
5:12 - 5:13to do a task for you,
-
5:13 - 5:15and then you pay them through Amazon.com.
-
5:15 - 5:18So we paid people about 50 cents
-
5:18 - 5:20to create a password following our rules
-
5:20 - 5:22and answering a survey,
-
5:22 - 5:24and then we paid them again to come back
-
5:24 - 5:26two days later and log in
-
5:26 - 5:29using their password and answering another survey.
-
5:29 - 5:33So we did this, and we collected 5,000 passwords,
-
5:33 - 5:36and we gave people a bunch of different policies
-
5:36 - 5:37to create passwords with.
-
5:37 - 5:39So some people had a pretty easy policy,
-
5:39 - 5:41we call it Basic8,
-
5:41 - 5:43and here the only rule was that your password
-
5:43 - 5:47had to have at least eight characters.
-
5:47 - 5:49Then some people had a much harder policy,
-
5:49 - 5:51and this was very similar to the CMU policy,
-
5:51 - 5:53that it had to have eight characters
-
5:53 - 5:56including uppercase, lowercase, digit, symbol,
-
5:56 - 5:58and pass a dictionary check.
-
5:58 - 5:59And one of the other policies we tried,
-
5:59 - 6:01and there were a whole bunch more,
-
6:01 - 6:03but one of the ones we tried was called Basic16,
-
6:03 - 6:05and the only requirement here
-
6:05 - 6:09was that your password had to have at least 16 characters.
-
6:09 - 6:11All right, so now we had 5,000 passwords,
-
6:11 - 6:15and so we had much more detailed information.
-
6:15 - 6:17Again we see that there's only a small number
-
6:17 - 6:19of symbols that people are actually using
-
6:19 - 6:21in their passwords.
-
6:21 - 6:24We also wanted to get an idea of how strong
-
6:24 - 6:26the passwords were that people were creating,
-
6:26 - 6:29but as you may recall, there isn't a good measure
-
6:29 - 6:31of password strength.
-
6:31 - 6:33So what we decided to do was to see
-
6:33 - 6:35how long it would take to crack these passwords
-
6:35 - 6:37using the best cracking tools
-
6:37 - 6:39that the bad guys are using,
-
6:39 - 6:41or that we could find information about
-
6:41 - 6:42in the research literature.
-
6:42 - 6:45So to give you an idea of how bad guys
-
6:45 - 6:47go about cracking passwords,
-
6:47 - 6:49they will steal a password file
-
6:49 - 6:51that will have all of the passwords
-
6:51 - 6:54in kind of a scrambled form, called a hash,
-
6:54 - 6:57and so what they'll do is they'll make a guess
-
6:57 - 6:58as to what a password is,
-
6:58 - 7:00run it through a hashing function,
-
7:00 - 7:02and see whether it matches
-
7:02 - 7:06the passwords they have on their stolen password list.
-
7:06 - 7:09So a dumb attacker will try every password in order.
-
7:09 - 7:13They'll start with AAAAA and move on to AAAAB,
-
7:13 - 7:15and this is going to take a really long time
-
7:15 - 7:17before they get any passwords
-
7:17 - 7:19that people are really likely to actually have.
-
7:19 - 7:22A smart attacker, on the other hand,
-
7:22 - 7:23does something much more clever.
-
7:23 - 7:25They look at the passwords
-
7:25 - 7:27that are known to be popular
-
7:27 - 7:28from these stolen password sets,
-
7:28 - 7:29and they guess those first.
-
7:29 - 7:32So they're going to start by guessing "password,"
-
7:32 - 7:34and then they'll guess "I love you," and "monkey,"
-
7:34 - 7:37and "12345678,"
-
7:37 - 7:38because these are the passwords
-
7:38 - 7:40that are most likely for people to have.
-
7:40 - 7:43In fact, some of you probably have these passwords.
-
7:45 - 7:46So what we found
-
7:46 - 7:50by running all of these 5,000 passwords we collected
-
7:50 - 7:54through these tests to see how strong they were,
-
7:54 - 7:57we found that the long passwords
-
7:57 - 7:58were actually pretty strong,
-
7:58 - 8:01and the complex passwords were pretty strong too.
-
8:01 - 8:04However, when we looked at the survey data,
-
8:04 - 8:07we saw that people were really frustrated
-
8:07 - 8:09by the very complex passwords,
-
8:09 - 8:12and the long passwords were a lot more usable,
-
8:12 - 8:13and in some cases, they were actually
-
8:13 - 8:16even stronger than the complex passwords.
-
8:16 - 8:17So this suggests that,
-
8:17 - 8:19instead of telling people that they need
-
8:19 - 8:20to put all these symbols and numbers
-
8:20 - 8:23and crazy things into their passwords,
-
8:23 - 8:25we might be better off just telling people
-
8:25 - 8:28to have long passwords.
-
8:28 - 8:30Now here's the problem, though:
-
8:30 - 8:32Some people had long passwords
-
8:32 - 8:33that actually weren't very strong.
-
8:33 - 8:35You can make long passwords
-
8:35 - 8:37that are still the sort of thing
-
8:37 - 8:39that an attacker could easily guess.
-
8:39 - 8:42So we need to do more than just say long passwords.
-
8:42 - 8:44There has to be some additional requirements,
-
8:44 - 8:47and some of our ongoing research is looking at
-
8:47 - 8:49what additional requirements we should add
-
8:49 - 8:52to make for stronger passwords
-
8:52 - 8:54that also are going to be easy for people
-
8:54 - 8:57to remember and type.
-
8:57 - 8:59Another approach to getting people to have
-
8:59 - 9:01stronger passwords is to use a password meter.
-
9:01 - 9:02Here are some examples.
-
9:02 - 9:04You may have seen these on the Internet
-
9:04 - 9:07when you were creating passwords.
-
9:07 - 9:09We decided to do a study to find out
-
9:09 - 9:12whether these password meters actually work.
-
9:12 - 9:13Do they actually help people
-
9:13 - 9:15have stronger passwords,
-
9:15 - 9:17and if so, which ones are better?
-
9:17 - 9:19So we tested password meters that were
-
9:19 - 9:22different sizes, shapes, colors,
-
9:22 - 9:23different words next to them,
-
9:23 - 9:26and we even tested one that was a dancing bunny.
-
9:26 - 9:28As you type a better password,
-
9:28 - 9:30the bunny dances faster and faster.
-
9:30 - 9:33So this was pretty fun.
-
9:33 - 9:34What we found
-
9:34 - 9:38was that password meters do work.
-
9:38 - 9:40(Laughter)
-
9:40 - 9:43Most of the password meters were actually effective,
-
9:43 - 9:46and the dancing bunny was very effective too,
-
9:46 - 9:49but the password meters that were the most effective
-
9:49 - 9:51were the ones that made you work harder
-
9:51 - 9:53before they gave you that thumbs up and said
-
9:53 - 9:54you were doing a good job,
-
9:54 - 9:56and in fact we found that most
-
9:56 - 9:58of the password meters on the Internet today
-
9:58 - 9:59are too soft.
-
9:59 - 10:01They tell you you're doing a good job too early,
-
10:01 - 10:03and if they would just wait a little bit
-
10:03 - 10:05before giving you that positive feedback,
-
10:05 - 10:08you probably would have better passwords.
-
10:08 - 10:12Now another approach to better passwords, perhaps,
-
10:12 - 10:15is to use pass phrases instead of passwords.
-
10:15 - 10:18So this was an xkcd cartoon from a couple of years ago,
-
10:18 - 10:20and the cartoonist suggests
-
10:20 - 10:22that we should all use pass phrases,
-
10:22 - 10:26and if you look at the second row of this cartoon,
-
10:26 - 10:27you can see the cartoonist is suggesting
-
10:27 - 10:31that the pass phrase "correct horse battery staple"
-
10:31 - 10:33would be a very strong pass phrase
-
10:33 - 10:35and something really easy to remember.
-
10:35 - 10:38He says, in fact, you've already remembered it.
-
10:38 - 10:40And so we decided to do a research study
-
10:40 - 10:43to find out whether this was true or not.
-
10:43 - 10:45In fact, everybody who I talk to,
-
10:45 - 10:47who I mention I'm doing password research,
-
10:47 - 10:48they point out this cartoon.
-
10:48 - 10:50"Oh, have you seen it? That xkcd.
-
10:50 - 10:51Correct horse battery staple."
-
10:51 - 10:53So we did the research study to see
-
10:53 - 10:55what would actually happen.
-
10:55 - 10:58So in our study, we used Mechanical Turk again,
-
10:58 - 11:03and we had the computer pick the random words
-
11:03 - 11:04in the pass phrase.
-
11:04 - 11:05Now the reason we did this
-
11:05 - 11:06is that humans are not very good
-
11:06 - 11:08at picking random words.
-
11:08 - 11:09If we asked a human to do it,
-
11:09 - 11:12they would pick things that were not very random.
-
11:12 - 11:14So we tried a few different conditions.
-
11:14 - 11:16In one condition, the computer picked
-
11:16 - 11:18from a dictionary of the very common words
-
11:18 - 11:20in the English language,
-
11:20 - 11:21and so you'd get pass phrases like
-
11:21 - 11:23"try there three come."
-
11:23 - 11:25And we looked at that, and we said,
-
11:25 - 11:28"Well, that doesn't really seem very memorable."
-
11:28 - 11:30So then we tried picking words
-
11:30 - 11:33that came from specific parts of speech,
-
11:33 - 11:35so how about noun-verb-adjective-noun.
-
11:35 - 11:38That comes up with something that's sort of sentence-like.
-
11:38 - 11:40So you can get a pass phrase like
-
11:40 - 11:41"plan builds sure power"
-
11:41 - 11:44or "end determines red drug."
-
11:44 - 11:47And these seemed a little bit more memorable,
-
11:47 - 11:49and maybe people would like those a little bit better.
-
11:49 - 11:52We wanted to compare them with passwords,
-
11:52 - 11:55and so we had the computer pick random passwords,
-
11:55 - 11:57and these were nice and short, but as you can see,
-
11:57 - 12:00they don't really look very memorable.
-
12:00 - 12:01And then we decided to try something called
-
12:01 - 12:03a pronounceable password.
-
12:03 - 12:05So here the computer picks random syllables
-
12:05 - 12:06and puts them together
-
12:06 - 12:09so you have something sort of pronounceable,
-
12:09 - 12:11like "tufritvi" and "vadasabi."
-
12:11 - 12:14That one kind of rolls off your tongue.
-
12:14 - 12:16So these were random passwords that were
-
12:16 - 12:19generated by our computer.
-
12:19 - 12:22So what we found in this study was that, surprisingly,
-
12:22 - 12:25pass phrases were not actually all that good.
-
12:25 - 12:28People were not really better at remembering
-
12:28 - 12:31the pass phrases than these random passwords,
-
12:31 - 12:34and because the pass phrases are longer,
-
12:34 - 12:35they took longer to type
-
12:35 - 12:38and people made more errors while typing them in.
-
12:38 - 12:41So it's not really a clear win for pass phrases.
-
12:41 - 12:45Sorry, all of you xkcd fans.
-
12:45 - 12:46On the other hand, we did find
-
12:46 - 12:48that pronounceable passwords
-
12:48 - 12:50worked surprisingly well,
-
12:50 - 12:52and so we actually are doing some more research
-
12:52 - 12:55to see if we can make that approach work even better.
-
12:55 - 12:57So one of the problems
-
12:57 - 12:59with some of the studies that we've done
-
12:59 - 13:01is that because they're all done
-
13:01 - 13:02using Mechanical Turk,
-
13:02 - 13:04these are not people's real passwords.
-
13:04 - 13:06They're the passwords that they created
-
13:06 - 13:09or the computer created for them for our study.
-
13:09 - 13:10And we wanted to know whether people
-
13:10 - 13:12would actually behave the same way
-
13:12 - 13:15with their real passwords.
-
13:15 - 13:18So we talked to the information security office at Carnegie Mellon
-
13:18 - 13:22and asked them if we could have everybody's real passwords.
-
13:22 - 13:24Not surprisingly, they were a little bit reluctant
-
13:24 - 13:25to share them with us,
-
13:25 - 13:27but we were actually able to work out
-
13:27 - 13:28a system with them
-
13:28 - 13:30where they put all of the real passwords
-
13:30 - 13:33for 25,000 CMU students, faculty and staff,
-
13:33 - 13:36into a locked computer in a locked room,
-
13:36 - 13:37not connected to the Internet,
-
13:37 - 13:39and they ran code on it that we wrote
-
13:39 - 13:41to analyze these passwords.
-
13:41 - 13:43They audited our code.
-
13:43 - 13:44They ran the code.
-
13:44 - 13:46And so we never actually saw
-
13:46 - 13:48anybody's password.
-
13:48 - 13:50We got some interesting results,
-
13:50 - 13:52and those of you Tepper students in the back
-
13:52 - 13:55will be very interested in this.
-
13:55 - 13:58So we found that the passwords created
-
13:58 - 14:00by people affiliated with the school of computer science
-
14:00 - 14:03were actually 1.8 times stronger
-
14:03 - 14:07than those affiliated with the business school.
-
14:07 - 14:09We have lots of other really interesting
-
14:09 - 14:11demographic information as well.
-
14:11 - 14:13The other interesting thing that we found
-
14:13 - 14:15is that when we compared the Carnegie Mellon passwords
-
14:15 - 14:17to the Mechanical Turk-generated passwords,
-
14:17 - 14:20there was actually a lot of similarities,
-
14:20 - 14:22and so this helped validate our research method
-
14:22 - 14:24and show that actually, collecting passwords
-
14:24 - 14:26using these Mechanical Turk studies
-
14:26 - 14:29is actually a valid way to study passwords.
-
14:29 - 14:31So that was good news.
-
14:31 - 14:34Okay, I want to close by talking about
-
14:34 - 14:36some insights I gained while on sabbatical
-
14:36 - 14:39last year in the Carnegie Mellon art school.
-
14:39 - 14:40One of the things that I did
-
14:40 - 14:42is I made a number of quilts,
-
14:42 - 14:43and I made this quilt here.
-
14:43 - 14:45It's called "Security Blanket."
-
14:45 - 14:48(Laughter)
-
14:48 - 14:51And this quilt has the 1,000
-
14:51 - 14:53most frequent passwords stolen
-
14:53 - 14:56from the RockYou website.
-
14:56 - 14:58And the size of the passwords is proportional
-
14:58 - 15:00to how frequently they appeared
-
15:00 - 15:02in the stolen dataset.
-
15:02 - 15:05And what I did is I created this word cloud,
-
15:05 - 15:07and I went through all 1,000 words,
-
15:07 - 15:08and I categorized them into
-
15:08 - 15:11loose thematic categories.
-
15:11 - 15:13And it was, in some cases,
-
15:13 - 15:15it was kind of difficult to figure out
-
15:15 - 15:17what category they should be in,
-
15:17 - 15:18and then I color-coded them.
-
15:18 - 15:21So here are some examples of the difficulty.
-
15:21 - 15:22So "justin."
-
15:22 - 15:24Is that the name of the user,
-
15:24 - 15:25their boyfriend, their son?
-
15:25 - 15:28Maybe they're a Justin Bieber fan.
-
15:28 - 15:30Or "princess."
-
15:30 - 15:32Is that a nickname?
-
15:32 - 15:34Are they Disney princess fans?
-
15:34 - 15:37Or maybe that's the name of their cat.
-
15:37 - 15:39"Iloveyou" appears many times
-
15:39 - 15:41in many different languages.
-
15:41 - 15:44There's a lot of love in these passwords.
-
15:44 - 15:46If you look carefully, you'll see there's also
-
15:46 - 15:48some profanity,
-
15:48 - 15:50but it was really interesting to me to see
-
15:50 - 15:53that there's a lot more love than hate
-
15:53 - 15:55in these passwords.
-
15:55 - 15:56And there are animals,
-
15:56 - 15:58a lot of animals,
-
15:58 - 16:00and "monkey" is the most common animal
-
16:00 - 16:04and the 14th most popular password overall.
-
16:04 - 16:06And this was really curious to me,
-
16:06 - 16:08and I wondered, "Why are monkeys so popular?"
-
16:08 - 16:12And so in our last password study,
-
16:12 - 16:13any time we detected somebody
-
16:13 - 16:16creating a password with the word "monkey" in it,
-
16:16 - 16:19we asked them why they had a monkey in their password.
-
16:19 - 16:21And what we found out --
-
16:21 - 16:23we found 17 people so far, I think,
-
16:23 - 16:24who have the word "monkey" --
-
16:24 - 16:26We found out about a third of them said
-
16:26 - 16:28they have a pet named "monkey"
-
16:28 - 16:30or a friend whose nickname is "monkey,"
-
16:30 - 16:32and about a third of them said
-
16:32 - 16:33that they just like monkeys
-
16:33 - 16:35and monkeys are really cute.
-
16:35 - 16:39And that guy is really cute.
-
16:39 - 16:42So it seems that at the end of the day,
-
16:42 - 16:44when we make passwords,
-
16:44 - 16:46we either make something that's really easy
-
16:46 - 16:49to type, a common pattern,
-
16:49 - 16:51or things that remind us of the word password
-
16:51 - 16:55or the account that we've created the password for,
-
16:55 - 16:57or whatever.
-
16:57 - 17:00Or we think about things that make us happy,
-
17:00 - 17:01and we create our password
-
17:01 - 17:04based on things that make us happy.
-
17:04 - 17:06And while this makes typing
-
17:06 - 17:09and remembering your password more fun,
-
17:09 - 17:11it also makes it a lot easier
-
17:11 - 17:13to guess your password.
-
17:13 - 17:14So I know a lot of these TED Talks
-
17:14 - 17:16are inspirational
-
17:16 - 17:18and they make you think about nice, happy things,
-
17:18 - 17:20but when you're creating your password,
-
17:20 - 17:22try to think about something else.
-
17:22 - 17:23Thank you.
-
17:23 - 17:24(Applause)
- Title: What’s wrong with your pa$$w0rd?
- Speaker: Lorrie Faith Cranor
- Description: Lorrie Faith Cranor studied thousands of real passwords to figure out the surprising, very common mistakes that users — and secured sites — make to compromise security. And how, you may ask, did she study thousands of real passwords without compromising the security of any users? That's a story in itself. It's secret data worth knowing, especially if your password is 123456 ...
- Video Language: English
- Team: closed TED
- Project: TEDTalks
- Duration: 17:41
Morton Bast edited English subtitles for What’s wrong with your pa$$w0rd?
Morton Bast approved English subtitles for What’s wrong with your pa$$w0rd?
Madeleine Aronson accepted English subtitles for What’s wrong with your pa$$w0rd?
Madeleine Aronson edited English subtitles for What’s wrong with your pa$$w0rd?