Computer passwords Speak, friend, and enter

PASSWORDS are ubiquitous in computer security.

All too often, they are also ineffective.

A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter.

A good password has to be both easy to remember and hard to guess, but in practice people seem to plump for the former over the latter.

Some take simplicity to extremes: one former deputy editor of The Economist used “z” for many years.

And when hackers stole 32m passwords from a social-gaming website called RockYou, it emerged that 1.1% of the site’s users—365,000 people—had opted either for “123456” or for “12345”.

That predictability lets security researchers (and hackers) create dictionaries which list common passwords, a boon to those seeking to break in.

That predictability lets security researchers (and hackers) create dictionaries which list common passwords, a boon to those seeking to break in.

Hacked websites such as RockYou have provided longer lists, but there are ethical problems with using hacked information, and its availability is unpredictable.

However, a paper to be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers, a New York-based professional body, in May, sheds some light.

With the co-operation of Yahoo!, a large internet company, Joseph Bonneau of Cambridge University obtained the biggest sample to date—70m passwords that, though anonymised, came with useful demographic data about their owners.

Mr Bonneau found some intriguing variations.

For, despite their differences, the 70m users were still predictable enough that a generic password dictionary was effective against both the entire sample and any demographically organised slice of it.

Mr Bonneau is blunt: “An attacker who can manage ten guesses per account…will compromise around 1% of accounts.”

Mr Bonneau is blunt: “An attacker who can manage ten guesses per account…will compromise around 1% of accounts.”

And that, from the hacker’s point of view, is a worthwhile outcome.

How this state of affairs arose is obscure.

But password laxity imposes costs even on sites with good security, since people often use the same password for several different places.

One suggestion is that lax password security is a cultural remnant of the internet’s innocent youth—an academic research network has few reasons to worry about hackers.

Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change.

Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change.

So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus (a 100m-word sample of English maintained by Oxford University Press), and from the Google NGram Corpus (harvested from the internet by that firm’s web-crawlers).

So they compared their collection of passphrases with two-word phrases extracted at random from the British National Corpus (a 100m-word sample of English maintained by Oxford University Press), and from the Google NGram Corpus (harvested from the internet by that firm’s web-crawlers).

One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password.

One way round that is to combine the ideas of a password and a passphrase into a so-called mnemonic password.

This is a string of apparent gibberish which is not actually too hard to remember.

It can be formed, for example, by using the first letter of each word in a phrase, varying upper and lower case, and substituting some symbols for others—“8” for “B”, for instance. (“itaMc0Ttit8” is thus a mnemonic contraction of the text in these brackets.)

Even mnemonic passwords, however, are not invulnerable.

A study published in 2006 cracked 4% of the mnemonics in a sample using a dictionary based on song lyrics, film titles and the like.

The upshot is that there is probably no right answer.

All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.

While that tension persists, the hacker will always get through.