MISCELLANEOUS

Experiment 3: How strong is your password?

12% of the respondents proved willing to disclose their log in credentials to the surveyor, a total stranger

 

 

Premises

Most people familiar with the hacking side of computer security know how easy it is to break a password if it’s only a few characters long or if it’s based on a word in the dictionary. That’s why choosing the right (i.e. strong) password is very difficult not only for them, but also for any regular Internet user.

In addition to that, there are so many things that require passwords these days that remembering all of them can be a real problem. Consequently, a lot of people choose their passwords very badly. Not only do they set weak passwords, therefore quite easy to guess, but also they use identical passwords on different sites.

A simple search on the Internet reveals huge repositories of hackers’ “acquisitions” in this respect: lists of users who set the same password on different sites that require a login process. For example, one regular user who set weak passwords like: “brazil”, “football” or “12345”- on different sites: from e-mail to a social network account and gaming sites. 

And this is just an example. A half an hour search on the Internet revealed that hundreds of users resort to the same method when choosing their passwords. 

The Experiment

I was curious about how people choose their passwords and I wanted to find out if they think that they have picked the best ones, so I created a questionnaire that would help me find these answers. The questionnaire was taken by a sample of 1,000 persons randomly chosen to participate in this experiment. The sex ratio was ~1:1, mean age = 29.5 years, nationality: 16 countries.

The questionnaire

The questionnaire was built in such a manner as to cover 2 different aspects: how many accounts on different sites people have and whether they consider their passwords to these accounts to be “strong/secure“.

15 questions – distributed in 3 sections were formulated: Section 1 was about the number of accounts  people have, Section 2 was related to their passwords (i.e: Does your password contain special characters? Or How many characters does your password have? ), and Section 3 covered demographic details (age, sex, nationality).

The method used to apply the questionnaire was the interview and all questions were discussed individually, with each participant.

Results

The first idea was to find out how many accounts the investigated users have on different sites. The majority (67%) recognized that they have more than 5 accounts that require a password for access. The results are presented in Figure 1.

Figure 1: Number of accounts/user

Figure 1: Number of accounts/user

When asked if they use the same password for almost all their accounts, 73% of the respondents gave a positive answer. Based on these findings, it is therefore possible to assume  that someone who finds out or guesses one single password, can access all of the respective person’s accounts.

As for the complexity of their passwords, 25% of interviewed users recognized they use a simple 6-characters password. Only 1% of the total number of respondents uses a password longer than 15 characters.

Figure 2: Number of characters/password

Figure 2: Number of characters/password

However, passwords’ complexity is not determined only based on their length, but also on the type of characters they contain. The experiment showed that more than 60% of the respondents use only upper or only lower case letters in their passwords, while 21% use a combination of the two. Only 5% of the respondents use complex passwords formed of letters (upper and lower case), numbers and of special characters.

Figure 3: Type of characters used in passwords

Figure 3: Type of characters used in passwords

 

Unexpected results

As usual, unexpected results are the most interesting part of an experiment. I have to admit it: I was curious  to see what they would be this time. To my surprise, even though the interview was not very long and it took just 5 minutes to complete, when getting to  questions 7-8 –related to the password’s complexity- more than 12% of the respondents said: “ok, this is my password: $%^*(*I, it is ok, is it strong enough?”.

My advice? Use different passwords for different sites and try to choose complex passwords, containing letters (upper and lower case), numbers and special characters.

And remember: always keep your passwords to yourself!

No private information or other content arising or deriving from this inquiry has been collected. No data or confidential information pertaining to individuals or companies was or will be disclosed, used for any other purposes or against the persons who revealed it.

About the author

Sabina DATCU

Sabina Datcu, PhD has background training in Applied Informatics and Statistics, Biology and Foreign Languages and Literatures. In 2003 she obtained a master degree in Systems Ecology and in 2009 a PhD degree in Applied Informatics and Statistics.
Since 2001, she was involved in University of Bucharest's FP 5 and FP6 European projects, as researcher in Information and Knowledge Management field.

In 2009, she joined the E-Threat Analysis and Communication Team at BitDefender as technology writer and researcher, and started to write a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.