Baby Boomers may not be perceived as being as tech savvy as Millennials, but they apparently are better at protecting their digital assets. A new British study, believed to be the largest of its kind, shows that those 55 and older tend to pick passwords with twice the strength of those under 25. It also indicates that those who prefer to use German and Korean chose the strongest passwords; Indonesian speakers, the weakest.

But that’s still not saying much, since weak passwords were prevalent across every demographic in a data set that included 70 million anonymized Yahoo accounts, analyzed with the Internet giant’s permission.

“We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution,” wrote computer science researcher Joseph Bonneau of the University of Cambridge in an abstract.

Many research projects measure password security by the sophistication of dictionary attacks run against passwords leaked in data breaches. Bonneau’s study instead applied mathematical analysis to active accounts. Because the Yahoo passwords were hashed, Bonneau could not access individual accounts, but he could still cull useful demographic data.

How weak were these passwords? The average secret code offered less than 10 bits of security against an online attack and 20 bits for an offline attack. The recommendation for those with a password policy is 32 bits. Even those with credit or debit cards tied to their account did little to up the ante on crackability — even when prompted. This calls into question the theory that users pick harder-to-crack passwords for important accounts, such as those linked to their financial data.
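The "bits of security" figures above come from the partial-guessing metrics Bonneau defines in the study: the β-success-rate (an attacker limited to β guesses per account, the online case) and the α-guesswork (an attacker who keeps guessing until a fraction α of accounts is recovered, the offline case). The following Python is an added example, not code from the article or the study, and the password counts are constructed rather than Yahoo data; the formula forms are my rendering of the paper's definitions, so treat them as assumptions. Both metrics are expressed as the size (in bits) of a uniform distribution that would resist the same attacker equally well.

```python
from math import log2

# Constructed password frequency table (not real data): password -> number of accounts.
SAMPLE_COUNTS = {
    "123456": 40, "password": 20, "qwerty": 10, "letmein": 10,
    "dragon": 5, "monkey": 5, "abc123": 2, "111111": 2, "iloveyou": 2,
    "welcome": 2, "t5!Rk9@z": 1, "fsa72!Sya": 1,
}


def sorted_probs(counts):
    """Probabilities of each distinct password, most common first."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def beta_success_rate(probs, beta):
    """Fraction of accounts an optimal attacker cracks with beta guesses per account."""
    return sum(probs[:beta])


def beta_success_bits(probs, beta):
    """Uniform-equivalent bits: a uniform set of 2**bits passwords gives the same success rate."""
    return log2(beta / beta_success_rate(probs, beta))


def alpha_work_factor(probs, alpha):
    """Smallest number of guesses mu whose cumulative probability reaches alpha, plus that probability."""
    cum = 0.0
    for j, p in enumerate(probs, start=1):
        cum += p
        if cum >= alpha:
            return j, cum
    raise ValueError("alpha exceeds total probability mass")


def alpha_guesswork(probs, alpha):
    """Expected guesses per account for an attacker who stops after the top mu passwords."""
    mu, lam = alpha_work_factor(probs, alpha)
    hit_cost = sum(i * p for i, p in enumerate(probs[:mu], start=1))
    return (1 - lam) * mu + hit_cost  # unsuccessful accounts still cost all mu guesses


def alpha_guesswork_bits(probs, alpha):
    """Uniform-equivalent bits for the offline case (uniform N at alpha=1 yields log2 N)."""
    mu, lam = alpha_work_factor(probs, alpha)
    g = alpha_guesswork(probs, alpha)
    return log2(2 * g / lam - 1) + log2(1 / (2 - lam))


if __name__ == "__main__":
    probs = sorted_probs(SAMPLE_COUNTS)
    print(f"online  (3 guesses/account): {beta_success_bits(probs, 3):.2f} bits")
    print(f"offline (crack half of users): {alpha_guesswork_bits(probs, 0.5):.2f} bits")
```

Run over a real hashed corpus, the counts would be the number of accounts sharing each hash; the distribution never needs to be reversed to compute either metric.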

“Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality,” Bonneau said. “Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference.”

Gender did not play much of a role, though the study notes that men’s passwords were slightly more vulnerable to offline attacks. Age was more of a differentiator.

“There is a general trend towards better password selection with users’ age, particularly against online attacks, where password strength increases smoothly across different age groups by about a bit between the youngest users and the oldest users,” according to the researcher.

Bonneau noted that the Yahoo passwords were set with minimal requirements, and that had there been a stricter password policy in place, the average combination likely would have been harder to guess. “Still, these numbers represent a minimal benchmark which any serious password replacement scheme should aim to decisively clear.”

Categories: Web Security

Comments (2)

  1. mrpete

    Never use anything that looks like a “word” for a password!

    An excellent way to create a computer password is to use a “pass phrase.” Here’s how to do it …

    Your password (PW) length should be at least 8 characters.

    Pick a “pass phrase” and use the first letters of the words to form the PW. For example, use this phrase: “four score and seven years ago.” Use the first letters of the “phrase words” to form the PW. See below …

    Initial effort PW = fsasya

    Throw in a number and a special character (or two) in a place that seems natural for you.

    Second effort PW = fsa72!sya

    Then put one or more (not all) of the characters in CAPS.

    Final effort PW = fsa72!Sya

    That’s a VERY strong password and it’s not very difficult to remember. But don’t use a phrase as well known as “four score and seven years ago.” This is just an example.

  2. secure_surfer

    I find it mildly amusing when someone thinks a strong, complicated password, or in this case a passphrase, is all one may need, when, like it or not, the truth is that usernames and passwords are not secure anymore. It has been proven true time and time again. To be best protected with online accounts, people need to look for websites and organizations that offer two-factor authentication technology and activate it where they can telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. For me, this gives me the confidence that my account won’t get hacked and my personal information isn’t up for grabs.
