Research Finds No Guidance Results in Weak Passwords
People with proper guidance are 40% more likely to create a secure password.
According to research led by the University of Plymouth, in one experiment 300 users creating an internet account were offered either no advice or a range of advice, including a standard password meter, emojis or an emotive feedback message. The results showed the number of choices rated "weak" falling from 75% when users received no guidance to around a third when they were shown more emotive messages.
In the second experiment, 500 participants were presented with more specific security-related advice, including suggestions of how long it would take a hacker to crack their password. Those users had a significantly greater understanding of the risks and created passwords that were longer and up to 10 times stronger as a result.
The research was conducted by the University's Centre for Security, Communications and Network Research (CSCAN), in conjunction with the Desautels Faculty of Management at McGill University and the Department of Computer Sciences at Purdue University.
Steve Furnell, professor of information security and the director of CSCAN, said: “Over the past few years, numerous cyber-attacks and security incidents have demonstrated that protecting personal and professional assets is no longer an optional duty. Yet many still occur out of unintentional mistakes, such as negligence, carelessness, and human errors.
“Despite the advance in security technology, the weakest link in the information security realm still lies in end-users so it is essential that more support is offered to try and overcome this in the future.”
In an email to Infosecurity, security researcher Troy Hunt said that he did not feel that there was enough available guidance on how to create a secure password. “I think most people fall back to convenience at every opportunity,” he said.
“When we see data breaches and analyze password lengths, there’s always a massive skew towards the minimum allowable size; people tend to conform to the lowest common denominator because, for most, that’s the easiest thing for them to do.”
Source: Information Security Magazine