This Week in Cybercrime: Are Strong Passwords Only for Your Important Accounts?
Strong Passwords: Only For Your “Important” Accounts?
How strong are your computer passwords? What influences whether you “secure” an account with a password such as “123456” or never bother to change it from a default such as “Welcome1” after you’ve registered at a website? A team of researchers from the University of California at Berkeley, the University of British Columbia, and Microsoft wanted to know whether the password strength meters now common on registration pages make a difference in what alphanumeric combinations registrants decide to use. In a paper (pdf) released this week, the researchers report the results of experiments designed to reveal the circumstances under which strong or weak passwords are chosen. The team wrote that, “meters result in stronger passwords when users are forced to change existing passwords on important accounts and that individual meter design decisions likely have a marginal impact.”

The flip side of that coin, unfortunately, is that on sites users view as unimportant (where there is no sensitive information, such as a bank balance, to protect), they tend not to make the effort. In those cases, the researchers say, users all too frequently reuse passwords from other accounts. What they overlook is that a password’s relative strength does not matter if it is used across several sites: all of a user’s accounts are at risk the moment a hacker breaks into one site’s poorly guarded password database and recovers the plaintext from it.

The problems with passwords are mostly attributable to “poor policies and…the frequencies we see of databases getting disclosed,” Serge Egelman, a UC Berkeley researcher who was a member of the research team, told Kaspersky Lab’s Threatpost. “If more work was done to secure stored encrypted passwords, less effort would need to be done on the users’ end.” In practice that means storing passwords not as plaintext or as a fast, unsalted hash, but through a per-user salt and a deliberately slow key-derivation function, so that a disclosed database is expensive to crack and identical passwords on different sites do not produce identical stored values.
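The two storage choices that decide how much damage a disclosed database does, as an added example (not code from the article or from the researchers’ paper): a fast unsalted hash, where the same reused password yields the same digest on every site that stores it that way, beside a salted PBKDF2-HMAC-SHA256 record with a constant-time check. The site names, user names, iteration count and the leaked tables are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration; tune the iteration count to your
# own hardware budget rather than copying this value.
KDF_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_unsalted(password: str) -> str:
    """What a poorly guarded database often stores: one fast, unsalted hash.

    Equal passwords give equal digests, on this site and on every other site
    that does the same, so a digest cracked (or simply matched) once is a key
    to every account that reused the password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> dict:
    """Salted, slow KDF record for one account.

    A fresh random salt per user means the same password stored twice yields
    two different records, and the iteration count makes every guess cost.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS
    )
    return {
        "algo": "pbkdf2_sha256",
        "iterations": KDF_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def reuse_exposure(leaked_tables: dict, cracked_digest: str) -> list:
    """List every (site, user) in leaked unsalted tables {site: {user: digest}}
    whose stored digest equals one already cracked elsewhere: that is the
    cross-site reuse problem the article describes, made mechanical."""
    hits = []
    for site, table in leaked_tables.items():
        for user, digest in table.items():
            if digest == cracked_digest:
                hits.append((site, user))
    return hits


if __name__ == "__main__":
    # Constructed sample: the same weak default reused on two unrelated sites.
    leaked = {
        "forum.example": {
            "alice": fast_unsalted("Welcome1"),
            "bob": fast_unsalted("hunter2"),
        },
        "shop.example": {"alice": fast_unsalted("Welcome1")},
    }
    cracked = fast_unsalted("Welcome1")  # a wordlist recovers this instantly
    print("accounts opened by one cracked digest:", reuse_exposure(leaked, cracked))

    rec = store_password("Welcome1")
    print("correct password verifies:", verify_password(rec, "Welcome1"))
    print("case-changed guess verifies:", verify_password(rec, "welcome1"))
```

The salt and slow KDF do not rescue “Welcome1” itself: a per-account guessing attack still finds it in a few thousand attempts, only more slowly. What they do is stop the leaked table from being correlated with other sites’ tables and raise the cost of cracking every strong password in it, which is the part of the problem the article puts on the site operator rather than the user.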