Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics…
Lorrie Faith Cranor – Security Researcher
I am a computer science and engineering professor here at Carnegie Mellon, and my research focuses on usable privacy and security, and so my friends like to give me examples of their frustrations with computing systems, especially frustrations related to unusable privacy and security.
So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it’s bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you’re supposed to have a unique password for each of these systems? It’s tough.
At Carnegie Mellon, they used to make it actually pretty easy for us to remember our passwords. The password requirement up through 2009 was just that you had to have a password with at least one character. Pretty easy. But then they changed things, and at the end of 2009, they announced that we were going to have a new policy, and this new policy required passwords that were at least eight characters long, with an uppercase letter, lowercase letter, a digit, a symbol, you couldn’t use the same character more than three times, and it wasn’t allowed to be in a dictionary.
Now, when they implemented this new policy, a lot of people, my colleagues and friends, came up to me and they said, “Wow, now that’s really unusable. Why are they doing this to us, and why didn’t you stop them?”
And I said, “Well, you know what? They didn’t ask me.”
But I got curious, and I decided to go talk to the people in charge of our computer systems and find out what led them to introduce this new policy, and they said that the university had joined a consortium of universities, and one of the requirements of membership was that we had to have stronger passwords that complied with some new requirements, and these requirements were that our passwords had to have a lot of entropy.
Now entropy is a complicated term, but basically it measures the strength of passwords. But the thing is, there isn’t actually a standard measure of entropy. Now, the National Institute of Standards and Technology has a set of guidelines which have some rules of thumb for measuring entropy, but they don’t have anything too specific, and the reason they only have rules of thumb is it turns out they don’t actually have any good data on passwords. In fact, their report states, “Unfortunately, we do not have much data on the passwords users choose under particular rules. NIST would like to obtain more data on the passwords users actually choose, but system administrators are understandably reluctant to reveal password data to others.”
So this is a problem, but our research group looked at it as an opportunity. We said, “Well, there’s a need for good password data. Maybe we can collect some good password data and actually advance the state of the art here.”
So the first thing we did is, we got a bag of candy bars and we walked around campus and talked to students, faculty and staff, and asked them for information about their passwords. Now we didn’t say, “Give us your password.” No, we just asked them about their password. How long is it? Does it have a digit? Does it have a symbol? And were you annoyed at having to create a new one last week? So we got results from 470 students, faculty and staff, and indeed we confirmed that the new policy was very annoying, but we also found that people said they felt more secure with these new passwords. We found that most people knew they were not supposed to write their password down, and only 13% of them did, but disturbingly, 80% of people said they were reusing their password.
Now, this is actually more dangerous than writing your password down, because it makes you much more susceptible to attackers. So if you have to, write your passwords down, but don’t reuse them. We also found some interesting things about the symbols people use in passwords. So CMU allows 32 possible symbols, but as you can see, there’s only a small number that most people are using, so we’re not actually getting very much strength from the symbols in our passwords.
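As an added example, not part of Cranor's talk, the Python below encodes the 2009 CMU policy as the talk lists it (eight or more characters, upper- and lowercase letters, a digit, a symbol, no character used more than three times, not in a dictionary) and then tallies which symbols a password set actually uses, to show the concentration in a few symbols the talk describes. The five-word dictionary and the sample password set are constructed; the whole-password, case-insensitive dictionary test is an assumption; the 32-symbol set is Python's string.punctuation.

```python
import string
from collections import Counter

# Constructed stand-in for a real wordlist; a deployment would use a full dictionary.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey"}
# The 32 printable ASCII symbols, matching the symbol count given in the talk.
SYMBOLS = set(string.punctuation)

def check_policy(pw, dictionary=DICTIONARY):
    """Return the rules of the 2009 policy that pw violates (empty list = compliant)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if any(n > 3 for n in Counter(pw).values()):
        problems.append("a character is used more than three times")
    # Assumption: the dictionary rule compares the whole password, case-insensitively.
    if pw.lower() in dictionary:
        problems.append("dictionary word")
    return problems

def symbol_usage(passwords):
    """Count symbol occurrences across a set; return (distinct symbols, share of the top 3, counts)."""
    counts = Counter(c for pw in passwords for c in pw if c in SYMBOLS)
    total = sum(counts.values())
    top3_share = sum(n for _, n in counts.most_common(3)) / total if total else 0.0
    return len(counts), top3_share, counts

# Constructed sample set: every entry passes the policy, yet only 4 of 32 symbols appear.
SAMPLE = ["P@ssw0rd!", "Summer2010!", "Qwerty#1", "H3llo!!", "Abc$123x"]

if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "aaaaA1!a"] + SAMPLE:
        print(f"{pw!r}: {check_policy(pw) or 'compliant'}")
    distinct, share, counts = symbol_usage(SAMPLE)
    print(f"{distinct} distinct symbols used; top 3 account for {share:.0%}: {counts}")
```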
So this was a really interesting study, and now we had data from 470 people, but in the scheme of things, that’s really not very much password data, and so we looked around to see where could we find additional password data? So it turns out there are a lot of people going around stealing passwords, and they often go and post these passwords on the Internet. So we were able to get access to some of these stolen password sets. This is still not really ideal for research, though, because it’s not entirely clear where all of these passwords came from, or exactly what policies were in effect when people created these passwords. So we wanted to find some better source of data.