People have a very poor grasp of what makes one password stronger than another, according to research conducted at Carnegie Mellon University (CMU) and published by the Association of Computing Machinery.
The old rule that a password should contain letters, numbers and symbols means respondents to CMU's CyLab study think ieatkale88 and iloveyou88 are about the same strength.
The same people believe L0vemetal is harder to crack than Lovemetal, even though there's no real difference to an automated attacker.
The boffins modelled cracking the two passwords, and while both are weakened by including dictionary words, the string “I love you” is so much more common than the string “I eat kale”, the latter would need “four billion times more guesses”, according to the CyLab blurb.
Delving into the study (published earlier this month by the ACM in this PDF), the CyLab researchers tested their hypothesis simply enough: they asked 165 participants in an online study to “rate the comparative security of carefully juxtaposed pairs of passwords, as well as the security and memorability of both existing passwords and common password-creation strategies”.
Because it's well-studied (see, breaches can be good for the world!), they made sure at least one password in each pair shown to users came from the 2009 RockYou breach.
Oddly enough, the researchers note, “participants’ perceptions of what characteristics make a password more secure matched the performance of today’s password-cracking tools,” but when crafting their own passwords, participants didn't follow what they apparently knew.
The ordinary person-in-the-street also, and unsurprisingly, has no idea how many guesses an attacker will need to recover a password. Hence 34 per cent of people thought a password is secure if it can survive 50 guesses or fewer, and 67 per cent figured a 50,000-guess-strong password was good enough.
The IT crowd was bound to make it into a random sample: four per cent believe a password has to be good for 10^14 guesses before it's strong enough.
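As an added illustration of why guess count, not character mix, is the strength metric (this is not code from the study or the article): a toy model of an attacker's guess ordering, using a constructed six-word frequency list, assumed mangling rules and two-digit suffixes, shows that a l33t-mangled common word costs the attacker one extra guess, while a string the list does not contain pushes them to exhaustive search. The thresholds checked are the 50, 50,000 and 10^14 figures from the survey.

```python
import string

# Constructed, tiny frequency-ranked list standing in for a real leaked-password
# corpus (most common first). Illustrative only, not data from the CMU study.
RANKED_WORDS = ["password", "iloveyou", "love", "metal", "lovemetal", "kale"]
SUFFIXES = [f"{n:02d}" for n in range(100)]   # "00" .. "99", tried after each word
LEET = str.maketrans("o", "0")                  # assumed single mangling rule

def variants(word):
    """Case and l33t variants a cracking tool would try for one base word,
    in the order it would try them, with duplicates removed."""
    seen = []
    for base in (word, word.capitalize(), word.upper()):
        for v in (base, base.translate(LEET)):
            if v not in seen:
                seen.append(v)
    return seen

def guess_number(password):
    """Position of `password` in the model's guess order (1 = first guess).
    Phase 1: every word variant. Phase 2: every variant + two-digit suffix.
    Anything the model never generates is charged the full [a-z0-9] keyspace."""
    n = 0
    for word in RANKED_WORDS:
        for v in variants(word):
            n += 1
            if v == password:
                return n
    for word in RANKED_WORDS:
        for v in variants(word):
            for s in SUFFIXES:
                n += 1
                if v + s == password:
                    return n
    alphabet = len(string.ascii_lowercase + string.digits)
    return n + alphabet ** len(password)

def survives(password, guess_budget):
    """True if the attacker exhausts `guess_budget` before reaching the password."""
    return guess_number(password) > guess_budget

if __name__ == "__main__":
    for pw in ("Lovemetal", "L0vemetal", "iloveyou88", "ieatkale88"):
        print(f"{pw:12} guess #{guess_number(pw):,}  "
              f"50:{survives(pw, 50)} 50k:{survives(pw, 50_000)} 1e14:{survives(pw, 10**14)}")
```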
This is as good a time as any for The Register to suggest that the best thing to do is get a password wallet, and use a strong password generator rather than your own brain. ®