It’s official: Computer scientists pick stronger passwords

The research paper, titled Measuring Password Guessability for an Entire University (PDF) is significant because it’s among the few that have studied a statistically significant sample of passwords used for high-value accounts. By comparison, the findings of many previous studies have been less reliable because they analyzed smaller numbers of passwords, passwords taken from real-world database breaches, or passwords created for one-off accounts set up for research purposes.

The paper, which was presented in Berlin at this week’s 20th ACM Conference on Computer and Communications Security, is also important because its findings may one day help people who secure computer networks and websites provide better password guidance and policies. As Ars has reported in a series of articles over the past 18 months, advances in hardware, software, and experience are increasingly giving password crackers the upper hand. This advantage often carries over even when users resort to long passphrases.

“This kind of experiment can’t tell us anything about why this effect is going on, just that it is,” Michelle L. Mazurek, one of the researchers who wrote the paper, told Ars. (Disclosure: Mazurek is married to Ars Senior Gaming Editor Kyle Orland.) She continued:

So it could mean that business school users don’t know how to make stronger passwords (that is, they are trying but aren’t as good at it), or it could mean they are making less effort or care less about protecting their accounts, or something else entirely. I think in practice it means that some extra education may be needed either to help those users learn to make stronger passwords or to give them more motivation to make stronger passwords. In general I think if you are a sysadmin trying to bring up the strength of passwords across the organization, it gives you some sense of where to focus your efforts (at least in populations that somewhat resemble the CMU population).

Perhaps not surprisingly, the researchers also found that length and other password characteristics are strongly correlated with strength. With each additional lowercase letter or digit, for instance, a password becomes 70 percent as likely to be guessed as it was before. Each added special symbol or uppercase letter made passwords even stronger, reducing the likelihood of guessing to 56 percent and 46 percent of the previous value, respectively. The researchers go into additional detail:
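To see what those per-character multipliers imply when they compound, here is an added illustration (not code from the Ars article or the CMU paper). It treats the quoted factors (0.70 per lowercase letter or digit, 0.56 per symbol, 0.46 per uppercase letter) as independent multiplicative effects on the probability of a password being guessed; that independence is a simplifying assumption of this example, not a claim about the paper's regression, and the function names and sample passwords are my own.

```python
import math

# Per-character multiplier on "likelihood of being guessed", as quoted in the
# article. Treating them as independent and multiplicative is an assumption
# made for this illustration only.
FACTORS = {"lower": 0.70, "digit": 0.70, "symbol": 0.56, "upper": 0.46}


def char_class(ch):
    """Map one character onto the four classes the article distinguishes.
    Anything that is not a letter or digit (space included) counts as a symbol."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def relative_guessability(password):
    """Product of the per-character factors. Smaller means harder to guess.
    The scale is relative: 1.0 is the (arbitrary) baseline of an empty string,
    so only ratios between two passwords are meaningful."""
    g = 1.0
    for ch in password:
        g *= FACTORS[char_class(ch)]
    return g


def times_more_guessable(a, b):
    """How many times more likely `a` is to be guessed than `b` under this model."""
    return relative_guessability(a) / relative_guessability(b)


def equivalent_lowercase(cls):
    """How many added lowercase letters give the same reduction as one added
    character of class `cls` (solve 0.70**n == FACTORS[cls] for n)."""
    return math.log(FACTORS[cls]) / math.log(FACTORS["lower"])


if __name__ == "__main__":
    # Constructed sample passwords, not from the study.
    short_mixed = "Ab#1"        # 4 chars, all four classes
    long_lower = "abcdefgh"     # 8 lowercase chars
    print(f"{short_mixed!r} is {times_more_guessable(short_mixed, long_lower):.2f}x "
          f"more guessable than {long_lower!r}")
    for cls in ("symbol", "upper"):
        print(f"one {cls} ~= {equivalent_lowercase(cls):.2f} lowercase letters")
```

Under these factors an uppercase letter is worth a little over two lowercase letters and a symbol about one and two-thirds, so an eight-character all-lowercase password comes out harder to guess than a four-character one drawing on every class. That is consistent with the article's point that length is a strong driver of strength, but the model says nothing about dictionary words or keyboard patterns, which real crackers exploit.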