TEDxCMU

Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?

March 31, 2014

Lorrie Faith Cranor studied thousands of real passwords to figure out the surprising, very common mistakes that users -- and secured sites -- make to compromise security. And how, you may ask, did she study thousands of real passwords without compromising the security of any users? That's a story in itself. It's secret data worth knowing, especially if your password is 123456 ...

Lorrie Faith Cranor - Security researcher
At Carnegie Mellon University, Lorrie Faith Cranor studies online privacy, usable security, phishing, spam and other research around keeping us safe online.

I am a computer science and engineering
professor here at Carnegie Mellon,
00:12
and my research focuses on
usable privacy and security,
00:15
and so my friends like to give me examples
00:20
of their frustrations with computing systems,
00:22
especially frustrations related to
00:25
unusable privacy and security.
00:28
So passwords are something that I hear a lot about.
00:32
A lot of people are frustrated with passwords,
00:35
and it's bad enough
00:38
when you have to have one really good password
00:39
that you can remember
00:42
but nobody else is going to be able to guess.
00:44
But what do you do when you have accounts
00:47
on a hundred different systems
00:48
and you're supposed to have a unique password
00:50
for each of these systems?
00:52
It's tough.
00:55
At Carnegie Mellon, they used to make it
00:58
actually pretty easy for us
00:59
to remember our passwords.
01:01
The password requirement up through 2009
01:02
was just that you had to have a password
01:05
with at least one character.
01:07
Pretty easy. But then they changed things,
01:09
and at the end of 2009, they announced
01:12
that we were going to have a new policy,
01:15
and this new policy required
01:17
passwords that were at least eight characters long,
01:19
with an uppercase letter, lowercase letter,
01:22
a digit, a symbol,
01:24
you couldn't use the same
character more than three times,
01:25
and it wasn't allowed to be in a dictionary.
01:28
Now, when they implemented this new policy,
01:30
a lot of people, my colleagues and friends,
01:32
came up to me and they said, "Wow,
01:34
now that's really unusable.
01:36
Why are they doing this to us,
01:38
and why didn't you stop them?"
01:39
And I said, "Well, you know what?
01:41
They didn't ask me."
01:42
But I got curious, and I decided to go talk
01:44
to the people in charge of our computer systems
01:47
and find out what led them to introduce
01:49
this new policy,
01:52
and they said that the university
01:54
had joined a consortium of universities,
01:55
and one of the requirements of membership
01:58
was that we had to have stronger passwords
02:00
that complied with some new requirements,
02:03
and these requirements were that our passwords
02:05
had to have a lot of entropy.
02:07
Now entropy is a complicated term,
02:08
but basically it measures the strength of passwords.
02:11
But the thing is, there isn't actually
02:14
a standard measure of entropy.
02:16
Now, the National Institute
of Standards and Technology
02:17
has a set of guidelines
02:20
which have some rules of thumb
02:21
for measuring entropy,
02:24
but they don't have anything too specific,
02:25
and the reason they only have rules of thumb
02:28
is it turns out they don't actually have any good data
02:31
on passwords.
02:34
In fact, their report states,
02:35
"Unfortunately, we do not have much data
02:38
on the passwords users
choose under particular rules.
02:40
NIST would like to obtain more data
02:43
on the passwords users actually choose,
02:45
but system administrators
are understandably reluctant
02:48
to reveal password data to others."
02:50
So this is a problem, but our research group
02:53
looked at it as an opportunity.
02:56
We said, "Well, there's a need
for good password data.
02:58
Maybe we can collect some good password data
03:01
and actually advance the state of the art here."
03:04
So the first thing we did is,
03:06
we got a bag of candy bars
03:08
and we walked around campus
03:09
and talked to students, faculty and staff,
03:11
and asked them for information
03:13
about their passwords.
03:15
Now we didn't say, "Give us your password."
03:16
No, we just asked them about their password.
03:19
How long is it? Does it have a digit?
03:22
Does it have a symbol?
03:24
And were you annoyed at having to create
03:25
a new one last week?
03:27
So we got results from 470 students,
03:29
faculty and staff,
03:33
and indeed we confirmed that the new policy
03:34
was very annoying,
03:36
but we also found that people said
03:38
they felt more secure with these new passwords.
03:39
We found that most people knew
03:42
they were not supposed to
write their password down,
03:45
and only 13 percent of them did,
03:47
but disturbingly, 80 percent of people
03:49
said they were reusing their password.
03:52
Now, this is actually more dangerous
03:54
than writing your password down,
03:56
because it makes you much
more susceptible to attackers.
03:58
So if you have to, write your passwords down,
04:01
but don't reuse them.
04:04
We also found some interesting things
04:06
about the symbols people use in passwords.
04:08
So CMU allows 32 possible symbols,
04:11
but as you can see, there's only a small number
04:14
that most people are using,
04:16
so we're not actually getting very much strength
04:18
from the symbols in our passwords.
04:21
So this was a really interesting study,
04:23
and now we had data from 470 people,
04:26
but in the scheme of things,
04:28
that's really not very much password data,
04:30
and so we looked around to see
04:32
where could we find additional password data?
04:34
So it turns out there are a lot of people
04:36
going around stealing passwords,
04:39
and they often go and post these passwords
04:41
on the Internet.
04:43
So we were able to get access
04:45
to some of these stolen password sets.
04:46
This is still not really ideal for research, though,
04:50
because it's not entirely clear
04:53
where all of these passwords came from,
04:55
or exactly what policies were in effect
04:57
when people created these passwords.
04:59
So we wanted to find some better source of data.
05:01
So we decided that one thing we could do
05:05
is we could do a study and have people
05:06
actually create passwords for our study.
05:08
So we used a service called
Amazon Mechanical Turk,
05:12
and this is a service where you can post
05:14
a small job online that takes a minute,
05:17
a few minutes, an hour,
05:19
and pay people, a penny, ten cents, a few dollars,
05:21
to do a task for you,
05:23
and then you pay them through Amazon.com.
05:25
So we paid people about 50 cents
05:27
to create a password following our rules
05:29
and answering a survey,
05:32
and then we paid them again to come back
05:33
two days later and log in
05:36
using their password and answering another survey.
05:38
So we did this, and we collected 5,000 passwords,
05:40
and we gave people a bunch of different policies
05:45
to create passwords with.
05:47
So some people had a pretty easy policy,
05:49
we call it Basic8,
05:51
and here the only rule was that your password
05:52
had to have at least eight characters.
05:54
Then some people had a much harder policy,
05:58
and this was very similar to the CMU policy,
06:00
that it had to have eight characters
06:03
including uppercase, lowercase, digit, symbol,
06:05
and pass a dictionary check.
06:07
And one of the other policies we tried,
06:09
and there were a whole bunch more,
06:11
but one of the ones we tried was called Basic16,
06:12
and the only requirement here
06:14
was that your password had
to have at least 16 characters.
06:17
All right, so now we had 5,000 passwords,
06:20
and so we had much more detailed information.
06:22
Again we see that there's only a small number
06:26
of symbols that people are actually using
06:29
in their passwords.
06:30
We also wanted to get an idea of how strong
06:32
the passwords were that people were creating,
06:35
but as you may recall, there isn't a good measure
06:38
of password strength.
06:40
So what we decided to do was to see
06:42
how long it would take to crack these passwords
06:44
using the best cracking tools
06:47
that the bad guys are using,
06:48
or that we could find information about
06:50
in the research literature.
06:52
So to give you an idea of how bad guys
06:54
go about cracking passwords,
06:56
they will steal a password file
06:58
that will have all of the passwords
07:00
in kind of a scrambled form, called a hash,
07:03
and so what they'll do is they'll make a guess
07:05
as to what a password is,
07:08
run it through a hashing function,
07:10
and see whether it matches
07:12
the passwords they have on
their stolen password list.
07:13
So a dumb attacker will try every password in order.
07:17
They'll start with AAAAA and move on to AAAAB,
07:20
and this is going to take a really long time
07:24
before they get any passwords
07:26
that people are really likely to actually have.
07:28
A smart attacker, on the other hand,
07:31
does something much more clever.
07:33
They look at the passwords
07:34
that are known to be popular
07:36
from these stolen password sets,
07:38
and they guess those first.
07:40
So they're going to start by guessing "password,"
07:41
and then they'll guess "I love you," and "monkey,"
07:43
and "12345678,"
07:46
because these are the passwords
07:48
that are most likely for people to have.
07:50
In fact, some of you probably have these passwords.
07:51
So what we found
07:57
by running all of these 5,000 passwords we collected
07:58
through these tests to see how strong they were,
08:01
we found that the long passwords
08:05
were actually pretty strong,
08:08
and the complex passwords were pretty strong too.
08:09
However, when we looked at the survey data,
08:13
we saw that people were really frustrated
08:15
by the very complex passwords,
08:18
and the long passwords were a lot more usable,
08:20
and in some cases, they were actually
08:23
even stronger than the complex passwords.
08:24
So this suggests that,
08:27
instead of telling people that they need
08:28
to put all these symbols and numbers
08:30
and crazy things into their passwords,
08:32
we might be better off just telling people
08:35
to have long passwords.
08:37
Now here's the problem, though:
08:39
Some people had long passwords
08:41
that actually weren't very strong.
08:43
You can make long passwords
08:45
that are still the sort of thing
08:47
that an attacker could easily guess.
08:48
So we need to do more than
just say long passwords.
08:50
There has to be some additional requirements,
08:53
and some of our ongoing research is looking at
08:55
what additional requirements we should add
08:58
to make for stronger passwords
09:01
that also are going to be easy for people
09:03
to remember and type.
09:05
Another approach to getting people to have
09:08
stronger passwords is to use a password meter.
09:10
Here are some examples.
09:12
You may have seen these on the Internet
09:14
when you were creating passwords.
09:15
We decided to do a study to find out
09:18
whether these password meters actually work.
09:20
Do they actually help people
09:23
have stronger passwords,
09:25
and if so, which ones are better?
09:26
So we tested password meters that were
09:28
different sizes, shapes, colors,
09:31
different words next to them,
09:33
and we even tested one that was a dancing bunny.
09:34
As you type a better password,
09:38
the bunny dances faster and faster.
09:39
So this was pretty fun.
09:42
What we found
09:44
was that password meters do work.
09:46
(Laughter)
09:49
Most of the password meters were actually effective,
09:51
and the dancing bunny was very effective too,
09:54
but the password meters that were the most effective
09:57
were the ones that made you work harder
10:00
before they gave you that thumbs up and said
10:02
you were doing a good job,
10:04
and in fact we found that most
10:06
of the password meters on the Internet today
10:07
are too soft.
10:09
They tell you you're doing a good job too early,
10:10
and if they would just wait a little bit
10:13
before giving you that positive feedback,
10:14
you probably would have better passwords.
10:16
Now another approach to better passwords, perhaps,
10:20
is to use pass phrases instead of passwords.
10:24
So this was an xkcd cartoon
from a couple of years ago,
10:26
and the cartoonist suggests
10:30
that we should all use pass phrases,
10:31
and if you look at the second row of this cartoon,
10:34
you can see the cartoonist is suggesting
10:37
that the pass phrase "correct horse battery staple"
10:39
would be a very strong pass phrase
10:42
and something really easy to remember.
10:45
He says, in fact, you've already remembered it.
10:47
And so we decided to do a research study
10:49
to find out whether this was true or not.
10:51
In fact, everybody who I talk to,
10:54
who I mention I'm doing password research,
10:56
they point out this cartoon.
10:58
"Oh, have you seen it? That xkcd.
10:59
Correct horse battery staple."
11:01
So we did the research study to see
11:02
what would actually happen.
11:04
So in our study, we used Mechanical Turk again,
11:07
and we had the computer pick the random words
11:10
in the pass phrase.
11:14
Now the reason we did this
11:15
is that humans are not very good
11:16
at picking random words.
11:18
If we asked a human to do it,
11:19
they would pick things that were not very random.
11:20
So we tried a few different conditions.
11:23
In one condition, the computer picked
11:25
from a dictionary of the very common words
11:27
in the English language,
11:30
and so you'd get pass phrases like
11:31
"try there three come."
11:33
And we looked at that, and we said,
11:35
"Well, that doesn't really seem very memorable."
11:36
So then we tried picking words
11:40
that came from specific parts of speech,
11:42
so how about noun-verb-adjective-noun.
11:44
That comes up with something
that's sort of sentence-like.
11:46
So you can get a pass phrase like
11:49
"plan builds sure power"
11:51
or "end determines red drug."
11:52
And these seemed a little bit more memorable,
11:55
and maybe people would like those a little bit better.
11:58
We wanted to compare them with passwords,
12:01
and so we had the computer
pick random passwords,
12:03
and these were nice and short, but as you can see,
12:06
they don't really look very memorable.
12:08
And then we decided to try something called
12:11
a pronounceable password.
12:13
So here the computer picks random syllables
12:14
and puts them together
12:17
so you have something sort of pronounceable,
12:18
like "tufritvi" and "vadasabi."
12:20
That one kind of rolls off your tongue.
12:23
So these were random passwords that were
12:25
generated by our computer.
12:27
So what we found in this study was that, surprisingly,
12:30
pass phrases were not actually all that good.
12:33
People were not really better at remembering
12:37
the pass phrases than these random passwords,
12:39
and because the pass phrases are longer,
12:42
they took longer to type
12:45
and people made more errors while typing them in.
12:46
So it's not really a clear win for pass phrases.
12:49
Sorry, all of you xkcd fans.
12:53
On the other hand, we did find
12:56
that pronounceable passwords
12:58
worked surprisingly well,
13:00
and so we actually are doing some more research
13:01
to see if we can make that
approach work even better.
13:04
So one of the problems
13:07
with some of the studies that we've done
13:09
is that because they're all done
13:10
using Mechanical Turk,
13:12
these are not people's real passwords.
13:13
They're the passwords that they created
13:15
or the computer created for them for our study.
13:17
And we wanted to know whether people
13:20
would actually behave the same way
13:21
with their real passwords.
13:24
So we talked to the information
security office at Carnegie Mellon
13:26
and asked them if we could
have everybody's real passwords.
13:30
Not surprisingly, they were a little bit reluctant
13:33
to share them with us,
13:35
but we were actually able to work out
13:37
a system with them
13:39
where they put all of the real passwords
13:40
for 25,000 CMU students, faculty and staff,
13:42
into a locked computer in a locked room,
13:45
not connected to the Internet,
13:47
and they ran code on it that we wrote
13:49
to analyze these passwords.
13:50
They audited our code.
13:53
They ran the code.
13:54
And so we never actually saw
13:55
anybody's password.
13:57
We got some interesting results,
14:00
and those of you Tepper students in the back
14:01
will be very interested in this.
14:03
So we found that the passwords created
14:06
by people affiliated with the
school of computer science
14:10
were actually 1.8 times stronger
14:12
than those affiliated with the business school.
14:14
We have lots of other really interesting
14:18
demographic information as well.
14:20
The other interesting thing that we found
14:22
is that when we compared
the Carnegie Mellon passwords
14:24
to the Mechanical Turk-generated passwords,
14:26
there were actually a lot of similarities,
14:29
and so this helped validate our research method
14:31
and show that actually, collecting passwords
14:33
using these Mechanical Turk studies
14:36
is actually a valid way to study passwords.
14:38
So that was good news.
14:40
Okay, I want to close by talking about
14:43
some insights I gained while on sabbatical
14:45
last year in the Carnegie Mellon art school.
14:47
One of the things that I did
14:50
is I made a number of quilts,
14:52
and I made this quilt here.
14:53
It's called "Security Blanket."
14:55
(Laughter)
14:57
And this quilt has the 1,000
14:59
most frequent passwords stolen
15:02
from the RockYou website.
15:04
And the size of the passwords is proportional
15:07
to how frequently they appeared
15:09
in the stolen dataset.
15:11
And what I did is I created this word cloud,
15:13
and I went through all 1,000 words,
15:16
and I categorized them into
15:18
loose thematic categories.
15:20
And it was, in some cases,
15:22
it was kind of difficult to figure out
15:24
what category they should be in,
15:26
and then I color-coded them.
15:28
So here are some examples of the difficulty.
15:30
So "justin."
15:32
Is that the name of the user,
15:34
their boyfriend, their son?
15:35
Maybe they're a Justin Bieber fan.
15:37
Or "princess."
15:40
Is that a nickname?
15:42
Are they Disney princess fans?
15:43
Or maybe that's the name of their cat.
15:45
"Iloveyou" appears many times
15:49
in many different languages.
15:50
There's a lot of love in these passwords.
15:52
If you look carefully, you'll see there's also
15:56
some profanity,
15:57
but it was really interesting to me to see
16:00
that there's a lot more love than hate
16:02
in these passwords.
16:04
And there are animals,
16:06
a lot of animals,
16:08
and "monkey" is the most common animal
16:09
and the 14th most popular password overall.
16:11
And this was really curious to me,
16:15
and I wondered, "Why are monkeys so popular?"
16:17
And so in our last password study,
16:20
any time we detected somebody
16:23
creating a password with the word "monkey" in it,
16:25
we asked them why they had
a monkey in their password.
16:27
And what we found out --
16:30
we found 17 people so far, I think,
16:32
who have the word "monkey" --
16:34
We found out about a third of them said
16:36
they have a pet named "monkey"
16:38
or a friend whose nickname is "monkey,"
16:39
and about a third of them said
16:42
that they just like monkeys
16:43
and monkeys are really cute.
16:45
And that guy is really cute.
16:46
So it seems that at the end of the day,
16:50
when we make passwords,
16:53
we either make something that's really easy
16:55
to type, a common pattern,
16:57
or things that remind us of the word password
17:00
or the account that we've created the password for,
17:03
or whatever.
17:06
Or we think about things that make us happy,
17:09
and we create our password
17:11
based on things that make us happy.
17:13
And while this makes typing
17:15
and remembering your password more fun,
17:18
it also makes it a lot easier
17:21
to guess your password.
17:22
So I know a lot of these TED Talks
17:24
are inspirational
17:26
and they make you think about nice, happy things,
17:27
but when you're creating your password,
17:30
try to think about something else.
17:32
Thank you.
17:34
(Applause)
17:35
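As an added illustration (not part of the talk or of the CMU research group's code), the policies and the attacker model described above can be written down directly: the 2009 CMU composition policy with its three-repeats and dictionary rules, the Basic8 and Basic16 policies from the Mechanical Turk study, the symbol-usage count, and the hash-and-compare loop a popular-first guesser runs. The word lists are constructed stand-ins; `string.punctuation` is assumed to be the 32-symbol set, and the dictionary check on the letters-only, lowercased password is an assumed implementation, since the talk does not detail it.

```python
import hashlib
import re
import string
from collections import Counter

# Constructed stand-ins: a real deployment would load a full dictionary and a
# large frequency-ordered list taken from known password leaks.
DICTIONARY = {"password", "monkey", "princess", "justin", "iloveyou", "sunshine"}
POPULAR_FIRST = ["password", "iloveyou", "monkey", "12345678", "princess", "justin"]
SYMBOLS = set(string.punctuation)  # assumed to match the 32 symbols CMU allows


def meets_basic8(pw):
    """Basic8 from the study: at least eight characters, nothing else."""
    return len(pw) >= 8


def meets_basic16(pw):
    """Basic16 from the study: at least sixteen characters, nothing else."""
    return len(pw) >= 16


def cmu_2009_violations(pw):
    """Return the rules the password breaks under the 2009 CMU policy as described."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if any(n > 3 for n in Counter(pw).values()):
        problems.append("a character used more than three times")
    # Assumed dictionary check: strip digits/symbols and lowercase, so that a
    # dressed-up dictionary word such as "Monkey#2014" is still rejected.
    if re.sub(r"[^a-z]", "", pw.lower()) in DICTIONARY:
        problems.append("dictionary word")
    return problems


def symbol_usage(passwords):
    """Count which of the allowed symbols actually appear across a password set."""
    return Counter(c for pw in passwords for c in pw if c in SYMBOLS)


def sha256_hex(text):
    """Stand-in for the 'scrambled form' (hash) stored in a stolen password file."""
    return hashlib.sha256(text.encode()).hexdigest()


def guess_rank(stolen_hash, ordered_guesses):
    """How many guesses a popular-first guesser needs before its hash matches the
    stolen hash, or None if the password is not on the list at all."""
    for rank, guess in enumerate(ordered_guesses, start=1):
        if sha256_hex(guess) == stolen_hash:
            return rank
    return None


if __name__ == "__main__":
    for pw in ["Monkey#2014", "Blue!sky7", "aaaaB1!x"]:
        print(pw, cmu_2009_violations(pw) or "passes CMU 2009 policy")
    print("Basic16 accepts 'passwordpassword':", meets_basic16("passwordpassword"))
    print("guesses to reach 'monkey':", guess_rank(sha256_hex("monkey"), POPULAR_FIRST))
    print("symbols seen:", symbol_usage(["p@ss!", "a!b", "c#"]))
```

Note that "passwordpassword" satisfies Basic16 while being exactly the kind of long password the talk warns is still easy to guess, which is why a length rule alone is not enough.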


Why you should listen

Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics.

Cranor plays a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P. She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review.


Data provided by TED.
