What’s wrong with your pa$$w0rd?

  • 0:01 - 0:04
    I am a computer science and engineering
    professor here at Carnegie Mellon,
  • 0:04 - 0:08
    and my research focuses on
    usable privacy and security,
  • 0:08 - 0:11
    and so my friends like to give me examples
  • 0:11 - 0:13
    of their frustrations with computing systems,
  • 0:13 - 0:17
    especially frustrations related to
  • 0:17 - 0:21
    unusable privacy and security.
  • 0:21 - 0:23
    So passwords are something that I hear a lot about.
  • 0:23 - 0:26
    A lot of people are frustrated with passwords,
  • 0:26 - 0:28
    and it's bad enough
  • 0:28 - 0:31
    when you have to have one really good password
  • 0:31 - 0:32
    that you can remember
  • 0:32 - 0:35
    but nobody else is going to be able to guess.
  • 0:35 - 0:37
    But what do you do when you have accounts
  • 0:37 - 0:39
    on a hundred different systems
  • 0:39 - 0:41
    and you're supposed to have a unique password
  • 0:41 - 0:44
    for each of these systems?
  • 0:44 - 0:46
    It's tough.
  • 0:46 - 0:48
    At Carnegie Mellon, they used to make it
  • 0:48 - 0:49
    actually pretty easy for us
  • 0:49 - 0:51
    to remember our passwords.
  • 0:51 - 0:53
    The password requirement up through 2009
  • 0:53 - 0:56
    was just that you had to have a password
  • 0:56 - 0:58
    with at least one character.
  • 0:58 - 1:01
    Pretty easy. But then they changed things,
  • 1:01 - 1:04
    and at the end of 2009, they announced
  • 1:04 - 1:06
    that we were going to have a new policy,
  • 1:06 - 1:08
    and this new policy required
  • 1:08 - 1:11
    passwords that were at least eight characters long,
  • 1:11 - 1:12
    with an uppercase letter, lowercase letter,
  • 1:12 - 1:14
    a digit, a symbol,
  • 1:14 - 1:16
    you couldn't use the same
    character more than three times,
  • 1:16 - 1:19
    and it wasn't allowed to be in a dictionary.
  • 1:19 - 1:21
    Now, when they implemented this new policy,
  • 1:21 - 1:23
    a lot of people, my colleagues and friends,
  • 1:23 - 1:25
    came up to me and they said, "Wow,
  • 1:25 - 1:27
    now that's really unusable.
  • 1:27 - 1:28
    Why are they doing this to us,
  • 1:28 - 1:29
    and why didn't you stop them?"
  • 1:29 - 1:31
    And I said, "Well, you know what?
  • 1:31 - 1:32
    They didn't ask me."
  • 1:32 - 1:36
    But I got curious, and I decided to go talk
  • 1:36 - 1:38
    to the people in charge of our computer systems
  • 1:38 - 1:41
    and find out what led them to introduce
  • 1:41 - 1:42
    this new policy,
  • 1:42 - 1:44
    and they said that the university
  • 1:44 - 1:46
    had joined a consortium of universities,
  • 1:46 - 1:49
    and one of the requirements of membership
  • 1:49 - 1:51
    was that we had to have stronger passwords
  • 1:51 - 1:53
    that complied with some new requirements,
  • 1:53 - 1:56
    and these requirements were that our passwords
  • 1:56 - 1:57
    had to have a lot of entropy.
  • 1:57 - 1:59
    Now entropy is a complicated term,
  • 1:59 - 2:02
    but basically it measures the strength of passwords.
  • 2:02 - 2:04
    But the thing is, there isn't actually
  • 2:04 - 2:06
    a standard measure of entropy.
  • 2:06 - 2:09
    Now, the National Institute
    of Standards and Technology
  • 2:09 - 2:10
    has a set of guidelines
  • 2:10 - 2:13
    which have some rules of thumb
  • 2:13 - 2:14
    for measuring entropy,
  • 2:14 - 2:17
    but they don't have anything too specific,
  • 2:17 - 2:19
    and the reason they only have rules of thumb
  • 2:19 - 2:23
    is it turns out they don't actually have any good data
  • 2:23 - 2:24
    on passwords.
  • 2:24 - 2:26
    In fact, their report states,
  • 2:26 - 2:29
    "Unfortunately, we do not have much data
  • 2:29 - 2:32
    on the passwords users
    choose under particular rules.
  • 2:32 - 2:34
    NIST would like to obtain more data
  • 2:34 - 2:36
    on the passwords users actually choose,
  • 2:36 - 2:39
    but system administrators
    are understandably reluctant
  • 2:39 - 2:42
    to reveal password data to others."
  • 2:42 - 2:45
    So this is a problem, but our research group
  • 2:45 - 2:47
    looked at it as an opportunity.
  • 2:47 - 2:50
    We said, "Well, there's a need
    for good password data.
  • 2:50 - 2:52
    Maybe we can collect some good password data
  • 2:52 - 2:55
    and actually advance the state of the art here."
  • 2:55 - 2:57
    So the first thing we did is,
  • 2:57 - 2:58
    we got a bag of candy bars
  • 2:58 - 2:59
    and we walked around campus
  • 2:59 - 3:02
    and talked to students, faculty and staff,
  • 3:02 - 3:04
    and asked them for information
  • 3:04 - 3:05
    about their passwords.
  • 3:05 - 3:08
    Now we didn't say, "Give us your password."
  • 3:08 - 3:11
    No, we just asked them about their password.
  • 3:11 - 3:12
    How long is it? Does it have a digit?
  • 3:12 - 3:13
    Does it have a symbol?
  • 3:13 - 3:15
    And were you annoyed at having to create
  • 3:15 - 3:18
    a new one last week?
  • 3:18 - 3:21
    So we got results from 470 students,
  • 3:21 - 3:22
    faculty and staff,
  • 3:22 - 3:25
    and indeed we confirmed that the new policy
  • 3:25 - 3:26
    was very annoying,
  • 3:26 - 3:28
    but we also found that people said
  • 3:28 - 3:31
    they felt more secure with these new passwords.
  • 3:31 - 3:33
    We found that most people knew
  • 3:33 - 3:36
    they were not supposed to
    write their password down,
  • 3:36 - 3:38
    and only 13 percent of them did,
  • 3:38 - 3:40
    but disturbingly, 80 percent of people
  • 3:40 - 3:43
    said they were reusing their password.
  • 3:43 - 3:44
    Now, this is actually more dangerous
  • 3:44 - 3:46
    than writing your password down,
  • 3:46 - 3:50
    because it makes you much
    more susceptible to attackers.
  • 3:50 - 3:53
    So if you have to, write your passwords down,
  • 3:53 - 3:55
    but don't reuse them.
  • 3:55 - 3:57
    We also found some interesting things
  • 3:57 - 4:00
    about the symbols people use in passwords.
  • 4:00 - 4:02
    So CMU allows 32 possible symbols,
  • 4:02 - 4:05
    but as you can see, there's only a small number
  • 4:05 - 4:07
    that most people are using,
  • 4:07 - 4:10
    so we're not actually getting very much strength
  • 4:10 - 4:12
    from the symbols in our passwords.
  • 4:12 - 4:15
    So this was a really interesting study,
  • 4:15 - 4:17
    and now we had data from 470 people,
  • 4:17 - 4:18
    but in the scheme of things,
  • 4:18 - 4:21
    that's really not very much password data,
  • 4:21 - 4:22
    and so we looked around to see
  • 4:22 - 4:25
    where could we find additional password data?
  • 4:25 - 4:27
    So it turns out there are a lot of people
  • 4:27 - 4:29
    going around stealing passwords,
  • 4:29 - 4:32
    and they often go and post these passwords
  • 4:32 - 4:33
    on the Internet.
  • 4:33 - 4:35
    So we were able to get access
  • 4:35 - 4:39
    to some of these stolen password sets.
  • 4:39 - 4:41
    This is still not really ideal for research, though,
  • 4:41 - 4:43
    because it's not entirely clear
  • 4:43 - 4:45
    where all of these passwords came from,
  • 4:45 - 4:48
    or exactly what policies were in effect
  • 4:48 - 4:50
    when people created these passwords.
  • 4:50 - 4:53
    So we wanted to find some better source of data.
  • 4:53 - 4:55
    So we decided that one thing we could do
  • 4:55 - 4:57
    is we could do a study and have people
  • 4:57 - 5:00
    actually create passwords for our study.
  • 5:00 - 5:03
    So we used a service called
    Amazon Mechanical Turk,
  • 5:03 - 5:05
    and this is a service where you can post
  • 5:05 - 5:08
    a small job online that takes a minute,
  • 5:08 - 5:09
    a few minutes, an hour,
  • 5:09 - 5:12
    and pay people, a penny, ten cents, a few dollars,
  • 5:12 - 5:13
    to do a task for you,
  • 5:13 - 5:15
    and then you pay them through Amazon.com.
  • 5:15 - 5:18
    So we paid people about 50 cents
  • 5:18 - 5:20
    to create a password following our rules
  • 5:20 - 5:22
    and answering a survey,
  • 5:22 - 5:24
    and then we paid them again to come back
  • 5:24 - 5:26
    two days later and log in
  • 5:26 - 5:29
    using their password and answering another survey.
  • 5:29 - 5:33
    So we did this, and we collected 5,000 passwords,
  • 5:33 - 5:36
    and we gave people a bunch of different policies
  • 5:36 - 5:37
    to create passwords with.
  • 5:37 - 5:39
    So some people had a pretty easy policy,
  • 5:39 - 5:41
    we call it Basic8,
  • 5:41 - 5:43
    and here the only rule was that your password
  • 5:43 - 5:47
    had to have at least eight characters.
  • 5:47 - 5:49
    Then some people had a much harder policy,
  • 5:49 - 5:51
    and this was very similar to the CMU policy,
  • 5:51 - 5:53
    that it had to have eight characters
  • 5:53 - 5:56
    including uppercase, lowercase, digit, symbol,
  • 5:56 - 5:58
    and pass a dictionary check.
  • 5:58 - 5:59
    And one of the other policies we tried,
  • 5:59 - 6:01
    and there were a whole bunch more,
  • 6:01 - 6:03
    but one of the ones we tried was called Basic16,
  • 6:03 - 6:05
    and the only requirement here
  • 6:05 - 6:09
    was that your password had
    to have at least 16 characters.
  • 6:09 - 6:11
    All right, so now we had 5,000 passwords,
  • 6:11 - 6:15
    and so we had much more detailed information.
  • 6:15 - 6:17
    Again we see that there's only a small number
  • 6:17 - 6:19
    of symbols that people are actually using
  • 6:19 - 6:21
    in their passwords.
  • 6:21 - 6:24
    We also wanted to get an idea of how strong
  • 6:24 - 6:26
    the passwords were that people were creating,
  • 6:26 - 6:29
    but as you may recall, there isn't a good measure
  • 6:29 - 6:31
    of password strength.
  • 6:31 - 6:33
    So what we decided to do was to see
  • 6:33 - 6:35
    how long it would take to crack these passwords
  • 6:35 - 6:37
    using the best cracking tools
  • 6:37 - 6:39
    that the bad guys are using,
  • 6:39 - 6:41
    or that we could find information about
  • 6:41 - 6:42
    in the research literature.
  • 6:42 - 6:45
    So to give you an idea of how bad guys
  • 6:45 - 6:47
    go about cracking passwords,
  • 6:47 - 6:49
    they will steal a password file
  • 6:49 - 6:51
    that will have all of the passwords
  • 6:51 - 6:54
    in kind of a scrambled form, called a hash,
  • 6:54 - 6:57
    and so what they'll do is they'll make a guess
  • 6:57 - 6:58
    as to what a password is,
  • 6:58 - 7:00
    run it through a hashing function,
  • 7:00 - 7:02
    and see whether it matches
  • 7:02 - 7:06
    the passwords they have on
    their stolen password list.
  • 7:06 - 7:09
    So a dumb attacker will try every password in order.
  • 7:09 - 7:13
    They'll start with AAAAA and move on to AAAAB,
  • 7:13 - 7:15
    and this is going to take a really long time
  • 7:15 - 7:17
    before they get any passwords
  • 7:17 - 7:19
    that people are really likely to actually have.
  • 7:19 - 7:22
    A smart attacker, on the other hand,
  • 7:22 - 7:23
    does something much more clever.
  • 7:23 - 7:25
    They look at the passwords
  • 7:25 - 7:27
    that are known to be popular
  • 7:27 - 7:28
    from these stolen password sets,
  • 7:28 - 7:29
    and they guess those first.
  • 7:29 - 7:32
    So they're going to start by guessing "password,"
  • 7:32 - 7:34
    and then they'll guess "I love you," and "monkey,"
  • 7:34 - 7:37
    and "12345678,"
  • 7:37 - 7:38
    because these are the passwords
  • 7:38 - 7:40
    that are most likely for people to have.
  • 7:40 - 7:43
    In fact, some of you probably have these passwords.
  • 7:45 - 7:46
    So what we found
  • 7:46 - 7:50
    by running all of these 5,000 passwords we collected
  • 7:50 - 7:54
    through these tests to see how strong they were,
  • 7:54 - 7:57
    we found that the long passwords
  • 7:57 - 7:58
    were actually pretty strong,
  • 7:58 - 8:01
    and the complex passwords were pretty strong too.
  • 8:01 - 8:04
    However, when we looked at the survey data,
  • 8:04 - 8:07
    we saw that people were really frustrated
  • 8:07 - 8:09
    by the very complex passwords,
  • 8:09 - 8:12
    and the long passwords were a lot more usable,
  • 8:12 - 8:13
    and in some cases, they were actually
  • 8:13 - 8:16
    even stronger than the complex passwords.
  • 8:16 - 8:17
    So this suggests that,
  • 8:17 - 8:19
    instead of telling people that they need
  • 8:19 - 8:20
    to put all these symbols and numbers
  • 8:20 - 8:23
    and crazy things into their passwords,
  • 8:23 - 8:25
    we might be better off just telling people
  • 8:25 - 8:28
    to have long passwords.
  • 8:28 - 8:30
    Now here's the problem, though:
  • 8:30 - 8:32
    Some people had long passwords
  • 8:32 - 8:33
    that actually weren't very strong.
  • 8:33 - 8:35
    You can make long passwords
  • 8:35 - 8:37
    that are still the sort of thing
  • 8:37 - 8:39
    that an attacker could easily guess.
  • 8:39 - 8:42
    So we need to do more than
    just say long passwords.
  • 8:42 - 8:44
    There has to be some additional requirements,
  • 8:44 - 8:47
    and some of our ongoing research is looking at
  • 8:47 - 8:49
    what additional requirements we should add
  • 8:49 - 8:52
    to make for stronger passwords
  • 8:52 - 8:54
    that also are going to be easy for people
  • 8:54 - 8:57
    to remember and type.
  • 8:57 - 8:59
    Another approach to getting people to have
  • 8:59 - 9:01
    stronger passwords is to use a password meter.
  • 9:01 - 9:02
    Here are some examples.
  • 9:02 - 9:04
    You may have seen these on the Internet
  • 9:04 - 9:07
    when you were creating passwords.
  • 9:07 - 9:09
    We decided to do a study to find out
  • 9:09 - 9:12
    whether these password meters actually work.
  • 9:12 - 9:13
    Do they actually help people
  • 9:13 - 9:15
    have stronger passwords,
  • 9:15 - 9:17
    and if so, which ones are better?
  • 9:17 - 9:19
    So we tested password meters that were
  • 9:19 - 9:22
    different sizes, shapes, colors,
  • 9:22 - 9:23
    different words next to them,
  • 9:23 - 9:26
    and we even tested one that was a dancing bunny.
  • 9:26 - 9:28
    As you type a better password,
  • 9:28 - 9:30
    the bunny dances faster and faster.
  • 9:30 - 9:33
    So this was pretty fun.
  • 9:33 - 9:34
    What we found
  • 9:34 - 9:38
    was that password meters do work.
  • 9:38 - 9:40
    (Laughter)
  • 9:40 - 9:43
    Most of the password meters were actually effective,
  • 9:43 - 9:46
    and the dancing bunny was very effective too,
  • 9:46 - 9:49
    but the password meters that were the most effective
  • 9:49 - 9:51
    were the ones that made you work harder
  • 9:51 - 9:53
    before they gave you that thumbs up and said
  • 9:53 - 9:54
    you were doing a good job,
  • 9:54 - 9:56
    and in fact we found that most
  • 9:56 - 9:58
    of the password meters on the Internet today
  • 9:58 - 9:59
    are too soft.
  • 9:59 - 10:01
    They tell you you're doing a good job too early,
  • 10:01 - 10:03
    and if they would just wait a little bit
  • 10:03 - 10:05
    before giving you that positive feedback,
  • 10:05 - 10:08
    you probably would have better passwords.
  • 10:08 - 10:12
    Now another approach to better passwords, perhaps,
  • 10:12 - 10:15
    is to use pass phrases instead of passwords.
  • 10:15 - 10:18
    So this was an xkcd cartoon
    from a couple of years ago,
  • 10:18 - 10:20
    and the cartoonist suggests
  • 10:20 - 10:22
    that we should all use pass phrases,
  • 10:22 - 10:26
    and if you look at the second row of this cartoon,
  • 10:26 - 10:27
    you can see the cartoonist is suggesting
  • 10:27 - 10:31
    that the pass phrase "correct horse battery staple"
  • 10:31 - 10:33
    would be a very strong pass phrase
  • 10:33 - 10:35
    and something really easy to remember.
  • 10:35 - 10:38
    He says, in fact, you've already remembered it.
  • 10:38 - 10:40
    And so we decided to do a research study
  • 10:40 - 10:43
    to find out whether this was true or not.
  • 10:43 - 10:45
    In fact, everybody who I talk to,
  • 10:45 - 10:47
    who I mention I'm doing password research,
  • 10:47 - 10:48
    they point out this cartoon.
  • 10:48 - 10:50
    "Oh, have you seen it? That xkcd.
  • 10:50 - 10:51
    Correct horse battery staple."
  • 10:51 - 10:53
    So we did the research study to see
  • 10:53 - 10:55
    what would actually happen.
  • 10:55 - 10:58
    So in our study, we used Mechanical Turk again,
  • 10:58 - 11:03
    and we had the computer pick the random words
  • 11:03 - 11:04
    in the pass phrase.
  • 11:04 - 11:05
    Now the reason we did this
  • 11:05 - 11:06
    is that humans are not very good
  • 11:06 - 11:08
    at picking random words.
  • 11:08 - 11:09
    If we asked a human to do it,
  • 11:09 - 11:12
    they would pick things that were not very random.
  • 11:12 - 11:14
    So we tried a few different conditions.
  • 11:14 - 11:16
    In one condition, the computer picked
  • 11:16 - 11:18
    from a dictionary of the very common words
  • 11:18 - 11:20
    in the English language,
  • 11:20 - 11:21
    and so you'd get pass phrases like
  • 11:21 - 11:23
    "try there three come."
  • 11:23 - 11:25
    And we looked at that, and we said,
  • 11:25 - 11:28
    "Well, that doesn't really seem very memorable."
  • 11:28 - 11:30
    So then we tried picking words
  • 11:30 - 11:33
    that came from specific parts of speech,
  • 11:33 - 11:35
    so how about noun-verb-adjective-noun.
  • 11:35 - 11:38
    That comes up with something
    that's sort of sentence-like.
  • 11:38 - 11:40
    So you can get a pass phrase like
  • 11:40 - 11:41
    "plan builds sure power"
  • 11:41 - 11:44
    or "end determines red drug."
  • 11:44 - 11:47
    And these seemed a little bit more memorable,
  • 11:47 - 11:49
    and maybe people would like those a little bit better.
  • 11:49 - 11:52
    We wanted to compare them with passwords,
  • 11:52 - 11:55
    and so we had the computer
    pick random passwords,
  • 11:55 - 11:57
    and these were nice and short, but as you can see,
  • 11:57 - 12:00
    they don't really look very memorable.
  • 12:00 - 12:01
    And then we decided to try something called
  • 12:01 - 12:03
    a pronounceable password.
  • 12:03 - 12:05
    So here the computer picks random syllables
  • 12:05 - 12:06
    and puts them together
  • 12:06 - 12:09
    so you have something sort of pronounceable,
  • 12:09 - 12:11
    like "tufritvi" and "vadasabi."
  • 12:11 - 12:14
    That one kind of rolls off your tongue.
  • 12:14 - 12:16
    So these were random passwords that were
  • 12:16 - 12:19
    generated by our computer.
  • 12:19 - 12:22
    So what we found in this study was that, surprisingly,
  • 12:22 - 12:25
    pass phrases were not actually all that good.
  • 12:25 - 12:28
    People were not really better at remembering
  • 12:28 - 12:31
    the pass phrases than these random passwords,
  • 12:31 - 12:34
    and because the pass phrases are longer,
  • 12:34 - 12:35
    they took longer to type
  • 12:35 - 12:38
    and people made more errors while typing them in.
  • 12:38 - 12:41
    So it's not really a clear win for pass phrases.
  • 12:41 - 12:45
    Sorry, all of you xkcd fans.
  • 12:45 - 12:46
    On the other hand, we did find
  • 12:46 - 12:48
    that pronounceable passwords
  • 12:48 - 12:50
    worked surprisingly well,
  • 12:50 - 12:52
    and so we actually are doing some more research
  • 12:52 - 12:55
    to see if we can make that
    approach work even better.
  • 12:55 - 12:57
    So one of the problems
  • 12:57 - 12:59
    with some of the studies that we've done
  • 12:59 - 13:01
    is that because they're all done
  • 13:01 - 13:02
    using Mechanical Turk,
  • 13:02 - 13:04
    these are not people's real passwords.
  • 13:04 - 13:06
    They're the passwords that they created
  • 13:06 - 13:09
    or the computer created for them for our study.
  • 13:09 - 13:10
    And we wanted to know whether people
  • 13:10 - 13:12
    would actually behave the same way
  • 13:12 - 13:15
    with their real passwords.
  • 13:15 - 13:18
    So we talked to the information
    security office at Carnegie Mellon
  • 13:18 - 13:22
    and asked them if we could
    have everybody's real passwords.
  • 13:22 - 13:24
    Not surprisingly, they were a little bit reluctant
  • 13:24 - 13:25
    to share them with us,
  • 13:25 - 13:27
    but we were actually able to work out
  • 13:27 - 13:28
    a system with them
  • 13:28 - 13:30
    where they put all of the real passwords
  • 13:30 - 13:33
    for 25,000 CMU students, faculty and staff,
  • 13:33 - 13:36
    into a locked computer in a locked room,
  • 13:36 - 13:37
    not connected to the Internet,
  • 13:37 - 13:39
    and they ran code on it that we wrote
  • 13:39 - 13:41
    to analyze these passwords.
  • 13:41 - 13:43
    They audited our code.
  • 13:43 - 13:44
    They ran the code.
  • 13:44 - 13:46
    And so we never actually saw
  • 13:46 - 13:48
    anybody's password.
  • 13:48 - 13:50
    We got some interesting results,
  • 13:50 - 13:52
    and those of you Tepper students in the back
  • 13:52 - 13:55
    will be very interested in this.
  • 13:55 - 13:58
    So we found that the passwords created
  • 13:58 - 14:00
    by people affiliated with the
    school of computer science
  • 14:00 - 14:03
    were actually 1.8 times stronger
  • 14:03 - 14:07
    than those affiliated with the business school.
  • 14:07 - 14:09
    We have lots of other really interesting
  • 14:09 - 14:11
    demographic information as well.
  • 14:11 - 14:13
    The other interesting thing that we found
  • 14:13 - 14:15
    is that when we compared
    the Carnegie Mellon passwords
  • 14:15 - 14:17
    to the Mechanical Turk-generated passwords,
  • 14:17 - 14:20
    there was actually a lot of similarities,
  • 14:20 - 14:22
    and so this helped validate our research method
  • 14:22 - 14:24
    and show that actually, collecting passwords
  • 14:24 - 14:26
    using these Mechanical Turk studies
  • 14:26 - 14:29
    is actually a valid way to study passwords.
  • 14:29 - 14:31
    So that was good news.
  • 14:31 - 14:34
    Okay, I want to close by talking about
  • 14:34 - 14:36
    some insights I gained while on sabbatical
  • 14:36 - 14:39
    last year in the Carnegie Mellon art school.
  • 14:39 - 14:40
    One of the things that I did
  • 14:40 - 14:42
    is I made a number of quilts,
  • 14:42 - 14:43
    and I made this quilt here.
  • 14:43 - 14:45
    It's called "Security Blanket."
  • 14:45 - 14:48
    (Laughter)
  • 14:48 - 14:51
    And this quilt has the 1,000
  • 14:51 - 14:53
    most frequent passwords stolen
  • 14:53 - 14:56
    from the RockYou website.
  • 14:56 - 14:58
    And the size of the passwords is proportional
  • 14:58 - 15:00
    to how frequently they appeared
  • 15:00 - 15:02
    in the stolen dataset.
  • 15:02 - 15:05
    And what I did is I created this word cloud,
  • 15:05 - 15:07
    and I went through all 1,000 words,
  • 15:07 - 15:08
    and I categorized them into
  • 15:08 - 15:11
    loose thematic categories.
  • 15:11 - 15:13
    And it was, in some cases,
  • 15:13 - 15:15
    it was kind of difficult to figure out
  • 15:15 - 15:17
    what category they should be in,
  • 15:17 - 15:18
    and then I color-coded them.
  • 15:18 - 15:21
    So here are some examples of the difficulty.
  • 15:21 - 15:22
    So "justin."
  • 15:22 - 15:24
    Is that the name of the user,
  • 15:24 - 15:25
    their boyfriend, their son?
  • 15:25 - 15:28
    Maybe they're a Justin Bieber fan.
  • 15:28 - 15:30
    Or "princess."
  • 15:30 - 15:32
    Is that a nickname?
  • 15:32 - 15:34
    Are they Disney princess fans?
  • 15:34 - 15:37
    Or maybe that's the name of their cat.
  • 15:37 - 15:39
    "Iloveyou" appears many times
  • 15:39 - 15:41
    in many different languages.
  • 15:41 - 15:44
    There's a lot of love in these passwords.
  • 15:44 - 15:46
    If you look carefully, you'll see there's also
  • 15:46 - 15:48
    some profanity,
  • 15:48 - 15:50
    but it was really interesting to me to see
  • 15:50 - 15:53
    that there's a lot more love than hate
  • 15:53 - 15:55
    in these passwords.
  • 15:55 - 15:56
    And there are animals,
  • 15:56 - 15:58
    a lot of animals,
  • 15:58 - 16:00
    and "monkey" is the most common animal
  • 16:00 - 16:04
    and the 14th most popular password overall.
  • 16:04 - 16:06
    And this was really curious to me,
  • 16:06 - 16:08
    and I wondered, "Why are monkeys so popular?"
  • 16:08 - 16:12
    And so in our last password study,
  • 16:12 - 16:13
    any time we detected somebody
  • 16:13 - 16:16
    creating a password with the word "monkey" in it,
  • 16:16 - 16:19
    we asked them why they had
    a monkey in their password.
  • 16:19 - 16:21
    And what we found out --
  • 16:21 - 16:23
    we found 17 people so far, I think,
  • 16:23 - 16:24
    who have the word "monkey" --
  • 16:24 - 16:26
    We found out about a third of them said
  • 16:26 - 16:28
    they have a pet named "monkey"
  • 16:28 - 16:30
    or a friend whose nickname is "monkey,"
  • 16:30 - 16:32
    and about a third of them said
  • 16:32 - 16:33
    that they just like monkeys
  • 16:33 - 16:35
    and monkeys are really cute.
  • 16:35 - 16:39
    And that guy is really cute.
  • 16:39 - 16:42
    So it seems that at the end of the day,
  • 16:42 - 16:44
    when we make passwords,
  • 16:44 - 16:46
    we either make something that's really easy
  • 16:46 - 16:49
    to type, a common pattern,
  • 16:49 - 16:51
    or things that remind us of the word password
  • 16:51 - 16:55
    or the account that we've created the password for,
  • 16:55 - 16:57
    or whatever.
  • 16:57 - 17:00
    Or we think about things that make us happy,
  • 17:00 - 17:01
    and we create our password
  • 17:01 - 17:04
    based on things that make us happy.
  • 17:04 - 17:06
    And while this makes typing
  • 17:06 - 17:09
    and remembering your password more fun,
  • 17:09 - 17:11
    it also makes it a lot easier
  • 17:11 - 17:13
    to guess your password.
  • 17:13 - 17:14
    So I know a lot of these TED Talks
  • 17:14 - 17:16
    are inspirational
  • 17:16 - 17:18
    and they make you think about nice, happy things,
  • 17:18 - 17:20
    but when you're creating your password,
  • 17:20 - 17:22
    try to think about something else.
  • 17:22 - 17:23
    Thank you.
  • 17:23 - 17:24
    (Applause)
Title:
What’s wrong with your pa$$w0rd?
Speaker:
Lorrie Faith Cranor
Description:

Lorrie Faith Cranor studied thousands of real passwords to figure out the surprising, very common mistakes that users — and secured sites — make to compromise security. And how, you may ask, did she study thousands of real passwords without compromising the security of any users? That's a story in itself. It's secret data worth knowing, especially if your password is 123456 ...
Video Language:
English
Team:
closed TED
Project:
TEDTalks
Duration:
17:41

English subtitles