
posted by cmn32480 on Thursday May 17 2018, @04:12PM
from the check-the-code-on-my-luggage dept.

Submitted via IRC for Fnord666

A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.

The study focuses on a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords in its 2017 edition.

The NIST recommendation was that websites check whether a user's supplied password has been compromised before, by verifying whether the password also appears in previous public breaches.

If the password is included in previous breaches, the website is to consider the password insecure, because all of these exposed passwords have most likely been added to even the most basic password-guessing and brute-forcing tools.
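The check the story describes can be done without the website ever receiving the candidate password or its full hash. The example below is added here and is not code from the study or from the Have I Been Pwned service; it mirrors the Pwned Passwords "range" layout (SHA-1 hashes grouped by a 5-character hex prefix) against a constructed, labelled sample corpus, so it runs offline. The client hashes locally, sends only the prefix, and matches the suffix on its own side; the server side sees nothing that identifies the password. The function and corpus names are assumptions for this example.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for a real breach list. These are
# NOT real breach data; the example hashes them itself so no hash values
# need to be trusted from anywhere.
SAMPLE_EXPOSED_PASSWORDS = ["password", "123456", "qwerty", "correcthorsebatterystaple"]


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the format used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(exposed_passwords):
    """Build the server-side index: 5-char hex prefix -> {35-char suffix: count}.
    Real corpora carry an occurrence count per hash; this one counts duplicates."""
    index = defaultdict(dict)
    for pw in exposed_passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_lookup(index, prefix):
    """Server side of the k-anonymity exchange: given only a prefix, return
    every (suffix, count) pair under it. The full hash is never transmitted,
    so a lookup reveals at most that the client's hash starts with `prefix`."""
    return dict(index.get(prefix.upper(), {}))


def is_compromised(password, index):
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns the occurrence count (0 means the password was not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_lookup(index, prefix)
    return candidates.get(suffix, 0)


def evaluate_password(password, index, min_length=8):
    """Registration-time check following the NIST SP 800-63B rules the story
    describes: a minimum length and rejection of values seen in prior breaches.
    Returns a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = is_compromised(password, index)
    if count:
        problems.append(f"appears in breach corpus ({count} occurrence(s))")
    return problems


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_EXPOSED_PASSWORDS)
    for candidate in ["password", "qwerty", "a-long-unique-passphrase-2018"]:
        print(candidate, "->", evaluate_password(candidate, idx) or "ok")
```

Note that the prefix exchange is what makes this safe to run against a third-party list: the operator of the list learns only a 5-character prefix, which in a corpus of hundreds of millions of hashes corresponds to hundreds of candidates, none of which is singled out by the query.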

What researchers from the Asia Pacific College (APC) did was take the email addresses associated with their students' school accounts, check whether the students' passwords had been leaked in previous breaches, and correlate the results with each student's GPA (grade point average).

All data such as names and passwords were hashed to protect students' privacy and personal information. Researchers checked students' passwords against a massive list of over 320 million passwords exposed in previous breaches and collected by Australian security researcher Troy Hunt, maintainer of the Have I Been Pwned service.

The results showed similar percentages of students across the GPA spectrum using previously exposed passwords, which NIST considers weak passwords and a big no-no.

Percentages varied from 12.82% to 19.83%, an inconclusive result that does not show a clear difference between the password practices of "smarter" kids and the rest.

Source: https://www.bleepingcomputer.com/news/security/smarter-people-don-t-have-better-passwords-study-finds/



  • (Score: 3, Interesting) by frojack (1554) on Thursday May 17 2018, @05:39PM (#680784)

    We also haven't seen any analysis of WHICH passwords these smart-idiots were using.

    Was it "password"? Or was it some rather good complex password that was still found in the previous breaches?
    Being unaware of a breach that was never widely publicized is hardly a sign of poor password practices.

    Also as smarter people rely on two-factor authentication, even a compromised password is not the end of the world.

    With 2FA, I suspect many people are falling back to something they can remember like "correct horse battery staple" which is sufficient to confuse the person watching over your shoulder, even if it falls to dictionary attacks, and is in every breach list in the world.

    The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches.

    This recommendation seems quickly self-defeating. That someone else had the same password stolen is not really germane to a new enrollment using that same password. With breaches numbering in the billions of compromised accounts, preventing reuse of a password merely forces all the fish into an even smaller barrel.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by frojack (1554) on Thursday May 17 2018, @05:40PM (#680786)

    And I fucked up the quote again.... You'll figure it out.

    --
    No, you are mistaken. I've always had this sig.