World’s largest password study offers new insight

A new study into computer passwords finds results that might be surprising but might also be totally expected.

Do you have a weak password? Probably. Even if you think your password can’t be hacked, there is a good chance that a lot of other people thought the exact same thing and chose a very similar password.

These are the results from Joseph Bonneau at the University of Cambridge, who analyzed passwords from more users than any other password-related study.

Specifically, he looked into data from 70 million Yahoo users. Most password studies are limited because neither companies nor individual users give out that kind of data.

But Bonneau was able to access lightly encrypted versions of the passwords, which gave him enough information to at least see patterns and trends among the tens of millions of users.

“We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution,” he summarized.

He also noted that for accounts that require credit card data to be stored, passwords are only very marginally more secure. And another interesting point:

“More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to population-specific lists,” said Bonneau.