Packnet Blog

Recent research has shown that online passwords are still too easy to crack, despite repeated warnings from internet providers and individual companies over recent years.

The study, which analysed the largest ever sample of data, was carried out by a university scholar based in Cambridge. The most alarming finding suggested that as many as one per cent of all passwords could be cracked with 10 guesses or fewer.

The study examined anonymous data on 70 million passwords provided by Yahoo.

Further details of the study will be announced by the researcher, Joseph Bonneau, at an Institute of Electrical and Electronics Engineers security conference in May 2012.

The study found that, despite proactive measures compelling users to devise passwords with greater levels of security, password creation remained basic. This was the case even for sites where payment cards were registered and for corporate accounts such as business phone systems.

Analysing the demographics of the collated information did, however, bring up key differences.

One of the most marked differences, which is surprising in many ways, was that older users tended to create more secure passwords than younger users. Rather than being a sign of internet savviness, though, it is likely to be just the opposite, with the older generation far less trusting of the internet.

There were clear differences between native speakers of certain languages too. German users, for example, were likely to have passwords that were more difficult to guess, whilst Indonesian speakers were likely to have the most crackable.

What was most clear was that most passwords, online and offline, were only made up of between 10 and 20 bits of security, leading Bonneau to conclude that password creation could well be beyond most users. He confirmed that his findings might indicate that users are unable or unwilling to imagine how easy their passwords are to guess.

Callum Byrnes