Some of the biggest company names have been affected by security breaches, meaning that vast numbers of users’ login names and passwords have been stolen. This has led to researchers studying how people pick passwords.
The result? Well, if you are a redhead then you are likely to pick the best type of password, but unfortunately if you have a bushy beard or unkempt hair then you are likely to have rubbish passwords. The same study showed that, when it comes to passwords, women prefer length and men prefer diversity.
But the overall discovery by the researchers was that people in general are rubbish at picking passwords.
Security researcher Per Thorsheim says: “You have to remember we are all human and we all make mistakes.”
He adds that the best passwords use a combination of characters or a phrase that has little or no connection to the user. But in practice, what often happens is that people use words or numbers that are linked to them intimately, like birthdays or the names of children or pets.
This becomes especially apparent when it comes to selecting a four-digit PIN. The study showed that in some cases, up to 80 percent of choices come from just 100 different numbers.
Password security used to depend on computer power never getting to the point where billions of those sequential combinations could be tried in a reasonable amount of time. The mathematics (time multiplied by tries) defeated the crackers.
“But”, says security researcher Yiannis Chrysanthou from KPMG, “it’s not about mathematics any more because it’s people that select the passwords.”
Hackers will often scour social media in order to find words, names and dates that are important to targeted victims. Once they have this information, it helps them unpick a password far more quickly and easily.
Another fact that criminals bank on is that, according to one study, 70 percent of passwords associated with an email address on one site will be used to log in on other online services too. In other words, they know people get lazy when it comes to passwords.
Security researcher Bruce Marshall says: “If a criminal is cracking passwords then most likely they gathered them from a specific site and are trying to gain access to additional accounts.”
“If an attacker can’t gain access to the targeted site’s password database then they may resort to an online password guessing attack where they try common usernames, email addresses and password combinations,” he says.
So what can we all learn from this? If you want a strong password that will not be unpicked by an unsavoury character, then do not use simple word and number combinations. Instead pick words that are barely connected to you. When it comes to online banking, make sure the password you use is not used for any other online services.