date 2017-05-18
from the check-the-code-on-my-luggage dept.
A study carried out at a college in the Philippines found that students with higher grades use previously breached passwords in roughly the same proportion as students with lower grades.
The study is built around a rule added in the 2017 edition of the National Institute of Standards and Technology (NIST) guideline for choosing passwords (SP 800-63B, Digital Identity Guidelines).
NIST recommends that when a user sets a password, the service check it against the passwords exposed in previous public breaches and reject it if it appears there.
The reasoning is that every exposed password has long since been added to the wordlists that even the most basic password-guessing tools use, so such a password is effectively guessable no matter how complex it looks.
Researchers from Asia Pacific College (APC) took the email addresses tied to students' school accounts, checked whether the corresponding passwords had appeared in previous breaches, and correlated the results with each student's GPA (grade point average).
Names and passwords were hashed to protect students' privacy and personal information. The passwords were checked against a list of more than 320 million passwords exposed in previous breaches, compiled by Australian security researcher Troy Hunt, who maintains the Have I Been Pwned service.
Students across the GPA spectrum used previously exposed passwords at similar rates; NIST considers such passwords weak and says they should be rejected outright.
The share varied only from 12.82% to 19.83% between groups, too little to show any clear difference between the password habits of "smarter" students and the rest.
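To make the NIST blocklist check and the Have I Been Pwned comparison in the summary concrete, here is an added example; it is not code from the study, from NIST or from Have I Been Pwned. It reproduces the shape of the Pwned Passwords range lookup offline: the client reveals only the first five hex characters of the password's SHA-1, the server answers with every suffix in that bucket and its occurrence count, and the client does the final match locally, so the server never learns the password or even its full hash. The breach corpus, the occurrence counts, the student records and the 4.0 GPA scale are all constructed for the example and stand in for the study's real data.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for this example. These are not HIBP records:
# the passwords are ones found in practically every public wordlist, and the
# occurrence counts are made up.
BREACHED = {
    "password": 3_500_000,
    "123456": 23_000_000,
    "qwerty": 3_900_000,
    "letmein": 240_000,
    "iloveyou": 1_600_000,
}

PREFIX_LEN = 5  # the client reveals only the first 5 hex chars of the SHA-1


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus):
    """Server side: bucket every breached hash by its 5-char prefix."""
    ranges = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return ranges


def range_query(ranges, prefix):
    """Server side: answer a prefix with every 'SUFFIX:COUNT' line in that bucket.

    The server sees only the prefix, which covers a whole range of hashes,
    so it cannot tell which password (if any) the client is checking.
    """
    return [f"{suffix}:{count}" for suffix, count in ranges.get(prefix, [])]


def breach_count(password, ranges):
    """Client side: how many times the password appeared in breaches (0 = never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_query(ranges, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password, ranges):
    """The SP 800-63B rule: reject any password seen in a breach, whatever it looks like."""
    return breach_count(password, ranges) == 0


# Constructed student records as (gpa, password). A 4.0 scale is assumed
# here; the article does not say which scale APC uses.
STUDENTS = [
    (3.9, "correct horse battery staple"),
    (3.7, "password"),
    (3.6, "GP4-w1nner!"),
    (3.5, "Kx9#mLq2pZ"),
    (3.4, "123456"),
    (3.2, "Tr0ub4dor&3"),
    (3.1, "letmein"),
    (3.0, "pizza time 1999"),
    (2.9, "qwerty"),
    (2.4, "summer2017"),
    (2.0, "iloveyou"),
    (1.7, "hunter2"),
]

# Band label and inclusive lower bound, highest band first.
GPA_BANDS = [("3.5-4.0", 3.5), ("3.0-3.49", 3.0), ("<3.0", 0.0)]


def breached_share_by_gpa(students, ranges, bands):
    """Percentage of students per GPA band whose password is on the breach list."""
    hits = defaultdict(int)
    totals = defaultdict(int)
    for gpa, password in students:
        label = next(lbl for lbl, low in bands if gpa >= low)
        totals[label] += 1
        if not is_acceptable(password, ranges):
            hits[label] += 1
    return {lbl: round(100.0 * hits[lbl] / totals[lbl], 2)
            for lbl, _ in bands if totals[lbl]}


if __name__ == "__main__":
    ranges = build_ranges(BREACHED)
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, ranges)} times")
    print(breached_share_by_gpa(STUDENTS, ranges, GPA_BANDS))
```

Note that `is_acceptable` rejects "password" and "iloveyou" but accepts "Tr0ub4dor&3" only because that string is not in this tiny constructed corpus; against the real 320-million-entry list a check like this is what tells a site that a password which satisfies every composition rule is still a bad choice.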
(Score: 2) by nobu_the_bard on Thursday May 17, @04:22PM (2 children)
First: I don't agree that a higher GPA necessarily means the students are smarter. It could mean they are harder working, better funded, or just happier in general. That's maybe nitpicking a bit though.
Which suggests to me they only checked the subset of passwords that managed to get leaked, which means this is actually a subset of users that may not be representative of the group they are attempting to research.
(Score: 2) by requerdanos on Thursday May 17, @04:36PM
I don't think so in this case. Their work seems to be based on some assumptions:
1. We assume that students who are smarter have higher GPAs.
2. We assume that passwords not on the pwned list are 'better' passwords
3. We assume that the smarter people from #1 will choose better passwords according to #2.
Then, they tested (only) assumption 3.
Should assumptions 1 and 2 (not tested) be false, then the data are not only inconclusive, but meaningless.
(Score: 2) by bob_super on Thursday May 17, @04:54PM
> they only checked the subset of passwords that managed to get leaked
Many websites have spilled all the passwords of anyone on them, regardless of IQ. The only discriminant here is whether smart or dumb people avoided certain websites later found to have breaches. That would take its own study.
(Score: 2) by martyb on Thursday May 17, @04:36PM
Obligatory comment [knowyourmeme.com]. =)
Wit is intellect, dancing.
(Score: 0) by Anonymous Coward on Thursday May 17, @05:09PM
Given that the NIST recommendations don't correlate with GPA, maybe it is the recommendation that isn't so smart, just like earlier NIST advice on using upper case, lower case, digits, and special characters. The students probably know that anything where security matters should use two-factor authentication, and strong passwords are a lost cause.