Computer users over the age of 55 employ passwords that are twice as secure as passwords used by those under 25 years old. A recent study conducted by Joseph Bonneau, a computer scientist at the University of Cambridge, analyzed almost 70 million passwords belonging to Yahoo users around the world. The data had been protected using a security technique called hashing, which ensured he did not have access to the individual accounts. He calculated the password strengths for different demographic groups and compared the results. Beyond the relationship between age and security, the researcher found that German and Korea speakers generally use the strongest passwords, and the presence of credit card data on a user’s account seemingly does not prompt that user to avoid weak passwords such as “123456.” Bonneau’s study was the largest of its kind, and he unveiled his findings at the Symposium on Security and Privacy in San Francisco, California earlier this month.
Traditionally, security researchers look at the difficulty of breaking every password in a database, but that makes the problem seem much harder than it is, because the most secure randomly-generated passwords are almost impossible to crack. Bonneau instead looked at more realistic attacker scenarios. “Maybe an attacker is happy to only break one per cent of accounts they have access to, or 50 or even 90 per cent,” he says. “Those are all very different than 100 per cent.” Another important factor is whether attackers are trying to guess the password of a particular user by typing it onto a login screen, or attempting to crack an entire leaked database of passwords. These are known as online and offline attacks respectively.
