Think your password is secure? You may need to think again. People’s perceptions of password strength may not always match reality, according to a recent
study by CyLab, Carnegie Mellon’s Security and Privacy Institute.
For example, study participants expected ieatkale88 to be roughly as secure as iloveyou88; one said “both are a combination of dictionary words and are appended by numbers.” However, when researchers used a model to predict the number of guesses an attacker would need to crack each password, ieatkale88 would require four billion times more guesses to crack because the string iloveyou88 is one of the most common in passwords.
“Although participants generally had a good understanding on what makes passwords stronger or weaker, they also had some critical misunderstandings of how passwords are attacked and assumed incorrectly that their passwords need to withstand only a small number of guesses,” said Blase Ur, the study’s lead author and a Ph.D. student studying societal computing in Carnegie Mellon’s School of Computer Science.
