Lorrie Faith Cranor: What's wrong with your pa$$w0rd?

TL;DR

In this content, the computer science and engineering professor at Carnegie Mellon explores frustrations with passwords, conducts research on password strength, and suggests alternative approaches like passphrases and password meters.

Transcript

I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security. So passwords are something that I hear a lot about. A lot of peo... Read More

Key Insights

• 😡 Password frustration: Many people are frustrated with passwords, especially when they have to remember unique passwords for multiple systems.
• 🔑 Entropy requirement: The new password policy at Carnegie Mellon was implemented due to requirements by a consortium of universities for stronger passwords with higher entropy.
• 📊 Lack of password data: The National Institute of Standards and Technology does not have enough data on passwords, making it difficult to measure password strength accurately.
• 🖊️ Collecting password data: Researchers collected password data from 470 people by asking about their passwords without actually requesting the passwords themselves.
• 🔐 Password reuse: 80% of the participants admitted to reusing their passwords, which is more dangerous than writing passwords down.
• 💡 Long passwords: Longer passwords were found to be more secure and usable compared to complex passwords, suggesting that length is more important than complexity.
• 😅 Ineffectiveness of password meters: Most password meters on the internet provide positive feedback too early, leading to weaker passwords. Password meters that make users work harder are more effective.
• ️ Passphrases vs. passwords: Passphrases were not found to be more memorable or easier to type, but pronounceable passwords were surprisingly effective. Further research is needed in this area.
• 🌐 Similarities in password data: Passwords collected from Carnegie Mellon students and those generated by Mechanical Turk participants had many similarities, validating the use of Mechanical Turk for password studies.

Questions & Answers

Q: What frustrations do people often have related to passwords?

People often feel frustrated when they have to remember a unique password for each of the numerous systems they have accounts on.

Q: Why did Carnegie Mellon change their password policy in 2009?

The university changed their password policy in 2009 because they had joined a consortium of universities that required stronger passwords with more entropy.

Q: What did the research group at Carnegie Mellon find when they analyzed password data from students, faculty, and staff?

The research group found that the new password policy was annoying, but people felt more secure with the new passwords. They also discovered that a majority of people were reusing their passwords, which is a dangerous practice.

Q: What type of passwords were found to be stronger and more usable?

The research found that long passwords were more usable and often stronger than complex passwords. It suggested that using long passwords instead of including numerous symbols and numbers could be more effective.

Q: What did the study on password meters reveal?

The study showed that most password meters were effective in helping users create stronger passwords. However, the ones that delayed positive feedback were found to be the most effective in encouraging the creation of strong passwords.

Summary & Key Takeaways

• The speaker's research focuses on usable privacy and security, particularly in relation to passwords.

• There is a frustration among users with the complexity and number of passwords required for different systems.

• The researcher conducted studies to analyze password strength, usability, and the effectiveness of password meters, and found that long passwords are generally stronger and more usable than complex passwords.