Research: Weird Works When It Comes to Passwords

Researchers at Microsoft and Harvard University warn that popular passwords pose a bigger risk to online security than weak ones and suggest that many tools to enforce strong passwords actually steer users to choices that are easy to guess.

Forcing users to choose passwords that are rare and “unpopular,” rather than “strong,” as it has traditionally been defined, provides a better defense against one type of attack, known as “statistical guessing,” according to a paper by researchers Cormac Herley and Stuart Schechter of Microsoft Research and Michael Mitzenmacher, a professor of Computer Science at Harvard University. The researchers will present their paper, “Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks” at the USENIX HotSec ’10 Workshop in Washington, D.C. on August 10.

The dispiriting lack of originality that many online users display in choosing passwords has been on display in recent months. In January, researchers at Web security firm Imperva announced the results of an analysis of a trove of 32 million passwords belonging to customers of RockYou, a developer of social networking software, that had been hacked. The most popular password, they found, was “123456” – the choice of almost 300,000 RockYou users. The second most popular password was “12345.” “Password” was the fourth most popular choice.

Twitter, also, has blocked 370 “obvious” passwords from being used to secure its users’ accounts, while others have studied and written about the illusory security of the all-too-common challenge questions used by many financial and e-commerce Web sites. 

Herley and his colleagues found that such easy-to-guess passwords are vulnerable to statistical guessing attacks, in which dictionaries of common or popular passwords are used in automated attempts to break into an account. Limiting the number of login attempts users are granted is the easiest way to block such attacks, but getting users to pick unusual passwords is also part of the solution.

But ensuring that users actually choose secure passwords is harder than it sounds, the researchers wrote in their paper, which is available on Microsoft Research’s Web site. Features that are common on many Web sites to enforce password security may be having the opposite effect, the researchers argue. For example, features that measure password strength or enforce strong password policies (such as length of password, use of non-standard characters) are indirect means to produce secure passwords that often merely force users into a different set of predictable choices that can also be easily guessed. 

The rules around password length and composition (upper/lower case, special chars, etc.) are an attempt to get users to choose passwords that withstand brute-forcing and guessing. But users appear to hate them, and we don’t have good ways of measuring whether and by how much they help withstand attack. By making sure that no passwords become too popular we ensure that no short list of candidate passwords can allow an attacker to break an appreciable fraction of accounts.
As to password rules making things less secure: forcing users to choose special characters can push them in the direction of making simple substitutions, e.g. P@$$w0rd and so on; those can look like they conform to strong policies, but the effect of the special characters isn’t accomplishing much.

“The rules around password length and composition are an attempt to get users to choose passwords that withstand brute-forcing and guessing. But users appear to hate them, and we don’t have good ways of measuring whether and by how much they help withstand attack,” Herley wrote in an e-mail response to questions from ThreatPost about the paper. “The less direct approach almost certainly forbids users from things that might be perfectly good password choices, just because they don’t conform to a certain policy. For example, ‘fkwgshqum’ is probably a far better password than ‘P@ssw0rd’ even though many policies would reject it while allowing the latter,” he wrote.

Herley, Schechter and Mitzenmacher recommend replacing password creation rules with policies that are attuned to the popularity of different passwords and keep any set of passwords from becoming too common. Their paper proposes creating an “oracle” that would weigh the uniqueness of new password submissions.

Such an approach would raise the stakes for attackers using dictionary-style attacks by reducing the number of accounts that can be compromised in any single attack. It would also free users to pick passwords of any length or makeup, so long as they aren’t used by too many other people, Herley wrote.

But limiting passwords by popularity isn’t without its shortcomings. The password oracle, itself, could become a target of attack, as hackers look to crack the list of the most popular passwords. Herley and his colleagues propose seeding the oracle with non-popular password choices that will (falsely) be reported as popular to throw off such attacks. 
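The article describes the oracle only in outline, so the following is an added example (not the researchers’ code) of how such an oracle can answer “is this password too popular?” without keeping a list of passwords, and how a decoy is seeded so that it is reported as popular. It assumes, as its own design choice, that counts live in a count-min sketch of keyed-hash counters under a secret server key; a rejection threshold of 3 is used only to keep the demonstration small.

```python
import hashlib
import hmac
import secrets


class PopularityOracle:
    """Answers "is this password already too popular?" without storing passwords.

    Assumption (not from the article): popularity is kept in a count-min sketch,
    `depth` rows of `width` counters indexed by a keyed hash. The oracle holds only
    counters, may over-estimate a count, but never under-estimates one.
    """

    def __init__(self, threshold, width=1 << 16, depth=4, key=None):
        self.threshold = threshold  # max accounts allowed to share one password
        self.width, self.depth = width, depth
        self.key = key or secrets.token_bytes(32)  # secret; never shipped with the counters
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One keyed hash per row; each row indexes an independent counter.
        for row in range(self.depth):
            mac = hmac.new(self.key, bytes([row]) + password.encode(), hashlib.sha256)
            yield row, int.from_bytes(mac.digest()[:8], "big") % self.width

    def estimate(self, password):
        # Count-min rule: the true count is at most the smallest counter across rows.
        return min(self.table[r][c] for r, c in self._cells(password))

    def too_popular(self, password):
        return self.estimate(password) >= self.threshold

    def register(self, password):
        """Called when an account adopts the password; refused once the cap is reached."""
        if self.too_popular(password):
            return False
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return True

    def seed_decoy(self, password):
        # Mark a rare password as already popular, so anyone probing the oracle
        # to recover the real top list also receives chaff.
        for r, c in self._cells(password):
            self.table[r][c] = max(self.table[r][c], self.threshold)
```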

Finally, the researchers admit that their popularity system, while promising in theory, may end up being deeply annoying to users in practice. 

“To be clear, we need to perform a user study to determine if users find our oracle better than the existing system of length and composition requirements. Our reason for being hopeful is that ours is a very direct way of accomplishing the design goal (make sure that no passwords become too common) while length and composition policies are a very indirect way,” Herley wrote.


  • Philip Lieberman on

    Hi Paul,

    Consider that the root and administrator accounts in many organizations have these types of weak passwords.  Even worse, sometimes they are changed and put into a spreadsheet that is on a common share that anyone in the company can access (ahh, what a convenience).  Finally, many companies never change these privileged accounts, so employees that have left years ago still have full administrator access.

    We make solutions to solve this problem, but many companies prefer to get hacked, receive fines, or be embarrassed due to a complete lack of IT controls rather than change organizational behavior.  Go figure: organizational inertia is a heavy weight to move for some, and the insanity of repeated bad security seems better than a formal password management program.

    Philip Lieberman
    Lieberman Software Corporation

  • Anonymous on

    > The password oracle, itself, could become a target of attack, as hackers look to crack the list of the most popular passwords.

    Don't store the passwords themselves in the oracle--store hashes.

  • Adhimas Setianegara on

    I suggest that to make a strange password that is easy to remember for the user but harder to guess by others, the user can create one from an abbreviation of a long sentence or slogan that he/she is familiar with. For example, he/she can create it from consonant-only or vowel-only (or other combinations of) characters from the sentence. That will be harder to guess.


    Adhimas Setianegara

    IT Consultant at Hermis Consulting

  • Anonymous on

    Continuing from Adhimas Setianegara's suggestion, you can also replace characters with numbers either where their sound is appropriate or where they would be appropriate in "l33t sp34k."

    So "The quick brown fox jumped over the lazy dog" becomes "tqbfjotld" which might then become "tqbfj0t1d" (or "7qbfj071d" or "7q8fj071d" or any other variation)

    Maybe even capitalize nouns: From the first example, "tqbFj0t1D"

    Get creative, but make sure it's something you can easily remember.

  • Alex Burke on

    > users appear to hate them

    Big disconnect between our ideas of security and the users'. Do they view technology as an intrusion into their peasant folkways, or access controls as meaningless barriers? We need more surveys (targeted by population) to learn more about what is motivating or demotivating to a good user security mindset. Maybe if there were a prize for best password of the month (ho ho) people would put their minds to it.

  • Tbird on

    What about the use of "password" managers that purport to generate strong passwords, keep them stored safely, and free you from memorizing all but the "master" password?  Would love to see more "solutions" here, not just all the problems, issues, and hacking trends.

  • Senrats on

    "7q8fj071d" ?

    I thought you said "Easy" to remember.  :)

  • Ralph Dratman on

    I suggest using two different words with a punctuation character between them. That's the system some 1980s online services suggested.

    Using that method, it is even reasonably safe to use previously-forbidden choices such as names or birthdays. For example, a password like "Suzy-10/7/94" is not as bad as you might think.

    Better yet, replace the single punctuation character with something just a little bit longer. "Peanut#%Brittle" would not be likely to show up in anybody's dictionary.

    Finally, if you really can't remember anything beyond "12345", just make up a really difficult random password such as "cM49lpr" then write it down and carry it around in your purse or wallet. Even keeping your password on paper is better than using, effectively, no "Password" at all.

  • Anonymous on

    My personal opinion is that most users don't find passwords easy to remember in the first place. As a community administrator, I've given countless tips on how to make stronger passwords, and a couple of weeks later I'm finding myself resetting users' passwords because they forget the complicated thing they created.

    It's hard to remember so many passwords. Most people use over a dozen different accounts and to be more secure they're expected to use a different password for every one, and even worse, change it every couple of months. Hence, people tend to drop the most common security tips, which are to make it 'easy to remember,' 'change it frequently,' and 'don't reuse old ones,' opting for longer-lasting 'hard to guess' passwords. And this just gives hackers more time to crack them.

  • Anonymous on

    It takes time to read all of the security literature and study software attacks.  This is time that the average user does not take.  Many people are uneducated concerning the number of threats that exist on the internet or the impact to them personally.  Identity theft is common.  Password hacking is common.  As has been pointed out above, strong passwords are not necessarily "easy to remember" for those of us with 10 - 14 accounts.  That fact does lead to spreadsheets of passwords, which are most often stored on the user's computer, even if that user is a system administrator and knows better.  'Tis the nature of the beast:  take the easy way out.  I do this, but store the spreadsheet on a flash drive and remove it from my system until I need it.

    I have tried many of the suggestions of the previous writers, but struggle to keep from reusing a password or remembering to change the password frequently.  It seems to be a maintenance nightmare, until you have a system zapped by a take over or virus.  The loss of four systems has been an expensive lesson for me.

    As I read all of the warnings, speeches, and literature, I share concerns with my wife - a full-time power user.  She laughs, but acknowledges she should do better.  At the same time, I am the one that fixes her problems and she laughs even more at the complexity of the security software and the downtime it takes to scan the computer and change passwords on her systems.

    I, too, would like to see more emphasis on software solutions that would aid users.  Most will not buy an expensive solution from a vendor, but there is a need for some software system to either generate these strong passwords (that are most frequently not memory bound words) and store them or impose a mandatory change with restrictions on the words (passwords) that could be used.  Again, I feel there would be a rebellion from the user community if such did occur.

    Some sites that I use do mandate the use of strong passwords and reject many that are strong based on their beliefs.  Some passwords are considered strong when they are really weak.  Just slipping random numbers between two nouns normally defeats the controls, but could easily be overcome by a dictionary attack approach (rain9785water, rAin528waTeR).  Perhaps these are better than the 12345678 passwords, but better can be done.

    It is an interesting problem.  Society's quest and desire for freedom of choice complicates the situation.
