
posted by cmn32480 on Thursday May 17 2018, @04:12PM   Printer-friendly
from the check-the-code-on-my-luggage dept.

Submitted via IRC for Fnord666

A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.

The study focused on a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords in its 2017 edition.

The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches.

If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.

What researchers from the Asia Pacific College (APC) have done was to take their students' email addresses associated with school accounts and check and see if the students' passwords had been leaked in previous breaches, correlating the final results with their GPA (grade point average).

All data such as names and passwords were hashed to protect students' privacy and personal information. Researchers checked students' passwords against a massive list of over 320 million passwords exposed in previous breaches and collected by Australian security researcher Troy Hunt, maintainer of the Have I Been Pwned service.

The results showed similar percentages of students across the GPA spectrum using previously exposed passwords, which NIST considers weak and a big no-no.

Percentages varied from 12.82% to 19.83%, a spread too narrow to show a clear differentiation between the password practices of "smarter" kids and the rest.
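The breach check the summary describes, as an added example that is not part of the story or the APC study: a password is hashed locally, only a short hash prefix leaves the client (the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service uses), the matching suffixes come back, and the study's tally of exposed passwords per GPA band is computed the same way. The breach corpus and roster are constructed stand-ins, not HIBP data.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (NOT Have I Been Pwned data):
# plaintext -> number of breach records it appeared in.
CONSTRUCTED_BREACHED = {
    "password": 3,
    "123456": 7,
    "correct horse battery staple": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index the corpus the way a k-anonymity range endpoint serves it:
    5-hex-char prefix -> {35-hex-char suffix: breach count}."""
    index = defaultdict(dict)
    for plaintext, count in breached.items():
        digest = sha1_hex(plaintext)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> dict:
    """Stand-in for the remote range query: the service only ever sees the
    5-character prefix and answers with every suffix in that bucket."""
    return RANGE_INDEX.get(prefix.upper(), {})


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    return lookup(digest[:5]).get(digest[5:], 0)


def check_new_password(password: str, min_len: int = 8):
    """Screen a user-chosen password: length floor, then the breach check.
    Returns (accepted, reason)."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"seen in {seen} breach record(s)"
    return True, "ok"


def exposure_by_group(roster) -> dict:
    """The study's tally: fraction of each GPA band whose password is in
    the corpus. roster is an iterable of (gpa_band, password) pairs."""
    totals, exposed = defaultdict(int), defaultdict(int)
    for band, password in roster:
        totals[band] += 1
        if breach_count(password):
            exposed[band] += 1
    return {band: exposed[band] / totals[band] for band in totals}
```

Swapping `range_lookup` for a function that queries the real range endpoint keeps the rest unchanged, and the student passwords themselves never need to be stored for the tally.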

Source: https://www.bleepingcomputer.com/news/security/smarter-people-don-t-have-better-passwords-study-finds/


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 4, Interesting) by nobu_the_bard on Thursday May 17 2018, @04:22PM (9 children)

    by nobu_the_bard (6373) on Thursday May 17 2018, @04:22PM (#680762)

    First: I don't agree that a higher GPA necessarily means the students are smarter. It could mean they are harder working, better funded, or just happier in general. That's maybe nitpicking a bit though.

    Second: The article contains this

    > Study shows inconclusive results

    Third:

    "Researchers checked students' passwords against a massive list of over 320 million passwords exposed in previous breaches"

    Which suggests to me they only checked the subset of passwords that managed to get leaked, which means this is actually a subset of users that may not be representative of the group they are attempting to research.

    • (Score: 4, Informative) by requerdanos on Thursday May 17 2018, @04:36PM (3 children)

      by requerdanos (5997) Subscriber Badge on Thursday May 17 2018, @04:36PM (#680766) Journal

      > That's maybe nitpicking a bit though.

      I don't think so in this case. Their work seems to be based on some assumptions:
      1. We assume that students who are smarter have higher GPAs.
      2. We assume that passwords not on the pwned list are 'better' passwords.
      3. We assume that the smarter people from #1 will choose better passwords according to #2.

      Then, they tested (only) assumption 3.

      Should assumptions 1 and 2 (not tested) be false, then the data are not only inconclusive, but meaningless.

      • (Score: 5, Insightful) by NewNic on Thursday May 17 2018, @05:38PM

        by NewNic (6420) on Thursday May 17 2018, @05:38PM (#680783) Journal

        > 2. We assume that passwords not on the pwned list are 'better' passwords

        Since the "pwned" passwords are those stolen from websites, I see no reason to believe that the passwords on this list are generally worse quality than the non-pwned passwords. The passwords were generally not pwned because they are bad quality, but because the websites had poor security.

        --
        lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
      • (Score: 3, Insightful) by DannyB on Thursday May 17 2018, @05:43PM

        by DannyB (5839) Subscriber Badge on Thursday May 17 2018, @05:43PM (#680790) Journal

        Conforming --> Higher GPAs

        Questioning --> not as high GPAs, displeasure of instructor

        --
        What doesn't kill me makes me weaker for next time.
      • (Score: 2) by FakeBeldin on Thursday May 17 2018, @08:08PM

        by FakeBeldin (3360) on Thursday May 17 2018, @08:08PM (#680866) Journal

        Just to pick another nit:

        > 1. We assume that students who are smarter have higher GPAs.

        Strike that. Reverse it. [youtube.com]

        1. We assume that students who have higher GPAs are smarter.

    • (Score: 3, Insightful) by bob_super on Thursday May 17 2018, @04:54PM (1 child)

      by bob_super (1357) on Thursday May 17 2018, @04:54PM (#680772)

      > they only checked the subset of passwords that managed to get leaked

      Many websites have spilled all the passwords of anyone on them, regardless of IQ. The only discriminant here is whether smart or dumb people avoided certain websites later found to have breaches. That would take its own study.

      • (Score: 3, Interesting) by nobu_the_bard on Thursday May 17 2018, @05:29PM

        by nobu_the_bard (6373) on Thursday May 17 2018, @05:29PM (#680781)

        Some example sets of students that may be effectively excluded, because of the subset of leaked passwords that are being compared, just off the top of my head:
        * Older students less likely to make use of the websites that leaked passwords. They may not have leaked credentials because they simply only use one mail account.
        * Students whose leaked credentials don't actually match their student registration (i.e. the accounts were with fake names or throwaway addresses instead of their real information) so there's no easy way to map their leaked credentials to their GPA. I would assume this would include students more technically or politically savvy.
        * Foreign students, or students from countries or with primary languages under-represented in Troy Hunt's corpus, which (mostly) is English-oriented.

    • (Score: 3, Interesting) by frojack on Thursday May 17 2018, @05:39PM (1 child)

      by frojack (1554) on Thursday May 17 2018, @05:39PM (#680784) Journal

      We also haven't seen any analysis of WHICH passwords these smart-idiots were using.

      Was it "password"? Or was it some rather good complex password that was still found in the previous breaches?
      Being unaware of a breach that was never widely publicized is hardly a sign of poor password practices.

      Also as smarter people rely on two-factor authentication, even a compromised password is not the end of the world.

      With 2FA, I suspect many people are falling back to something they can remember like "correct horse battery staple" which is sufficient to confuse the person watching over your shoulder, even if it falls to dictionary attacks, and is in every breach list in the world.

      > The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches.

      This recommendation seems quickly self-defeating. That someone else had the same password stolen is not really germane to a new enrollment using that same password. With breaches numbering in the billions of compromised accounts, preventing reuse of a password merely forces all the fish into an even smaller barrel.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by frojack on Thursday May 17 2018, @05:40PM

        by frojack (1554) on Thursday May 17 2018, @05:40PM (#680786) Journal

        And I fucked up the quote again.... You'll figure it out.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @09:59PM

      by Anonymous Coward on Thursday May 17 2018, @09:59PM (#680910)

      Do not confuse 'smarts' with 'knowledge'

      I always use the same example for the ones who understand it.

      If someone can guess your password on one site they will have all of the sites you log into. The look of dread on their faces is enough to get them to put a modicum of thought into it.

  • (Score: 2) by martyb on Thursday May 17 2018, @04:36PM (3 children)

    by martyb (76) Subscriber Badge on Thursday May 17 2018, @04:36PM (#680767) Journal

    Obligatory comment [knowyourmeme.com]. =)

    --
    Wit is intellect, dancing.
    • (Score: 1, Troll) by MichaelDavidCrawford on Thursday May 17 2018, @06:20PM (2 children)

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday May 17 2018, @06:20PM (#680814) Homepage Journal

      Obligatory comparison of you to Hitler

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 3, Touché) by Bot on Thursday May 17 2018, @06:58PM (1 child)

        by Bot (3902) on Thursday May 17 2018, @06:58PM (#680833) Journal

        Obligatory "Hitler did nothing wrong" factoid AI-derived from the net.

        --
        Account abandoned.
        • (Score: 0) by Anonymous Coward on Friday May 18 2018, @12:01PM

          by Anonymous Coward on Friday May 18 2018, @12:01PM (#681118)

          See? Hitler was so bad, he didn't even manage to do nothing without doing it wrong!

  • (Score: 1, Insightful) by Anonymous Coward on Thursday May 17 2018, @05:09PM (2 children)

    by Anonymous Coward on Thursday May 17 2018, @05:09PM (#680775)

    Given that the NIST recommendations don't correlate with GPA, maybe it is the recommendation that isn't so smart, just like earlier NIST advice on using upper case, lower case, digits, and special characters. The students probably know that anything where security matters should use two-factor authentication, and strong passwords are a lost cause.

    • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @05:18PM (1 child)

      by Anonymous Coward on Thursday May 17 2018, @05:18PM (#680779)

      realDonaldTrump Please tell your people to stop giving lame tech advice. It's an open secret that government IT is pitiful, and it's a joke that government IT people are publishing advice for others.

      • (Score: 2) by realDonaldTrump on Thursday May 17 2018, @07:06PM

        by realDonaldTrump (6614) on Thursday May 17 2018, @07:06PM (#680840) Homepage Journal

        Rod Rosenstein is a very smart cookie. He says we need RESPONSIBLE ENCRYPTION. So we never have another San Bernardino situation. 14 killed & 22 injured because of horribly one-sided cyber!!

  • (Score: 5, Informative) by MichaelDavidCrawford on Thursday May 17 2018, @06:15PM (3 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday May 17 2018, @06:15PM (#680811) Homepage Journal

    I used to have strong passwords but I forgot them all when I was in the slammer

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 4, Funny) by Bot on Thursday May 17 2018, @06:59PM

      by Bot (3902) on Thursday May 17 2018, @06:59PM (#680835) Journal

      Then they are even stronger now.

      --
      Account abandoned.
    • (Score: 3, Funny) by frojack on Thursday May 17 2018, @07:12PM

      by frojack (1554) on Thursday May 17 2018, @07:12PM (#680843) Journal

      Sound advice. Thanks.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Friday May 18 2018, @12:07PM

      by Anonymous Coward on Friday May 18 2018, @12:07PM (#681120)

      From your sig:

      "MICHAEL DAVID CRAWFORD IS A LYING MOTHERFUCKER."
      -- Anonymous Coward

      Fun fact:

      If you have an elder sibling, your father is a motherfucker.

  • (Score: 2) by Snotnose on Thursday May 17 2018, @07:05PM (3 children)

    by Snotnose (1623) on Thursday May 17 2018, @07:05PM (#680839)

    When I was a sysadmin (15-20 people on a Linux network some 15 years ago) I ran a password cracker overnight. When a password popped out I sent them an email telling them the password and asking them to change it (under penalty of me changing it for them). There were 2-3 people whose names always popped out, even after I told them I was running this cracker every night.

    Did I inform management? Yeah. Did anything get done? Nope. Why? Because my immediate manager was one of those 2-3 people.

    Ended up biting them in the ass too. Time came to do a demo for who was to be our biggest customer, they refused to let our box on their network because the default root password was "password", and the marketing droids didn't know how to change it. No network, no demo. Marketing made us change the root password to our company name (not kidding, they were clueless), ignored my advice to have a better password, or at least cApiTaliZe it differently for different customers. No go.

    Company went bankrupt before they could get a second chip spin (too bad, it was good tech) and the biggest potential customer bought all the IP out of bankruptcy.

    Note 1) The cracker took about a week to complete, I only let it run nights and weekends and automatically restarted when it was done.
    Note 2) One of the offenders was a hoot. His passwords were various ways to swear at the world at large, and me in particular. He was a great guy and I hated to see him move away.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 2) by frojack on Thursday May 17 2018, @07:19PM (2 children)

      by frojack (1554) on Thursday May 17 2018, @07:19PM (#680846) Journal

      Actually, you are lucky you remained employed there long enough to run the cracker a second time.
      What you did was probably a crime, even back then. It would have been a crime in the State I was located in at that time.

      That a cracker can crack a password does not necessarily make it a bad password, it just means you have too much time at your disposal.
      Firing offense at the least.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Snotnose on Thursday May 17 2018, @08:25PM (1 child)

        by Snotnose (1623) on Thursday May 17 2018, @08:25PM (#680870)

        First off, I was the sysadmin with responsibility to keep the network running and safe. Second, management knew I was running it.

        --
        When the dust settled America realized it was saved by a porn star.
        • (Score: 0) by Anonymous Coward on Friday May 18 2018, @12:02AM

          by Anonymous Coward on Friday May 18 2018, @12:02AM (#680937)

          And third, it's only illegal if you gain unauthorized access. Simply cracking a password isn't illegal. Using it without permission is.

  • (Score: 2) by bzipitidoo on Thursday May 17 2018, @08:32PM (4 children)

    by bzipitidoo (4388) on Thursday May 17 2018, @08:32PM (#680873) Journal

    Using a strong password on a system in which it can be found is just a waste of a strong password. A decent system should use a strong one-way hash and salt on the password so it is impractical to recover through attacking the stored info, even if a cracker can guess it because it's too weak.

    That's been SOP for a couple of decades now, but who knows, maybe the organization is running an extremely antiquated system. Or, maybe they're keeping copies of everyone's passwords in plaintext. Have had at least one bank in which a person was able to tell me what my password was when I called their support number with the old "I forgot my password" line. I hadn't actually forgotten my password; I was testing them. Thus assured that they could learn my password anytime they wanted and at least one call center monkey had seen it, I closed my accounts with them that day.

    It can also be some unimportant account you're only going to use for a few months or less, like for a class.

    If their system isn't taking security seriously, why should anyone else?

    • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @08:45PM

      by Anonymous Coward on Thursday May 17 2018, @08:45PM (#680877)

      You can't do that if you have to sync passwords between heterogeneous systems, but if you have to do so you have to use encryption and proper key management and derivation.

    • (Score: 2) by Immerman on Thursday May 17 2018, @11:07PM (2 children)

      by Immerman (3985) on Thursday May 17 2018, @11:07PM (#680926)

      >A decent system should...
      Certainly - but given the practically monthly announcement of passwords stolen from some site or other, there's obviously a lot of non-decent systems out there - even some pretty high-profile ones who should REALLY know better.

      Meanwhile, there's no need for the school to be using a crappy system - they could simply try to brute-force the students' accounts using a list of exposed passwords. Or just ask students for their passwords for the purpose of the study - assuming they have official sanction it's not like anything sensitive is being lost - IT almost certainly has full access to their accounts without needing the password.

      • (Score: 2) by bzipitidoo on Friday May 18 2018, @03:04AM (1 child)

        by bzipitidoo (4388) on Friday May 18 2018, @03:04AM (#680986) Journal

        > IT almost certainly has full access to their accounts without needing the password

        Of course, but they should not have access to the passwords, only the salted hashes of the passwords. Mainly that's to prevent accidental exposure. If the password file escapes, perhaps via a backup being misplaced, it will be harder for crackers to do much with it. Obviously system admins could break security to pieces in any number of ways, for instance by modifying the login program to stealthily record the actual passwords elsewhere.

        • (Score: 2) by Immerman on Friday May 18 2018, @03:17PM

          by Immerman (3985) on Friday May 18 2018, @03:17PM (#681184)

          Which was my point - nothing in the article implies they DO have such access - there's any number of ways an officially sanctioned research group could figure out how many students were using exposed passwords without them being stored anywhere IT has access. Heck, even your stealthy password logger running for a while, checking passwords against the exposed list and tallying "exposed" ones could do the job, without ever storing the student passwords anywhere.

  • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @09:26PM (4 children)

    by Anonymous Coward on Thursday May 17 2018, @09:26PM (#680894)

    My password has always been the number three. In 35 years, I don't recall it ever having been used.

    • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @10:18PM (3 children)

      by Anonymous Coward on Thursday May 17 2018, @10:18PM (#680912)

      How strange, I could do with a bank that does things their own way. Which bank was this again??

      • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @10:26PM (2 children)

        by Anonymous Coward on Thursday May 17 2018, @10:26PM (#680918)

        I use a real pw for my money. Nothing else online has any value. Oooh noes, somebody broke into my reddit account.

        • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @11:35PM

          by Anonymous Coward on Thursday May 17 2018, @11:35PM (#680931)

          But how else are you to manage those points!

        • (Score: 2) by Wootery on Friday May 18 2018, @10:58AM

          by Wootery (2341) on Friday May 18 2018, @10:58AM (#681104)

          Posting as AC, huh? What's wrong with your account?

  • (Score: 0) by Anonymous Coward on Friday May 18 2018, @07:33AM

    by Anonymous Coward on Friday May 18 2018, @07:33AM (#681059)

    When smart people have the same crappy passwords as less smart people, the reason is often that they have the same crappy password policy.

    For things that require me to remember my password (e.g. logging in, where I don't have access to a password manager), I have three passwords.

    The strong, random generated password that changes rarely because learning a new one would take months.
    The short one for things I don't care much about.
    And the really shitty one that complies with the password policy.
