more password studies
Friday, February 20th, 2009

phpbb.com was broken into recently, and 20,000 passwords were revealed. There are two articles which attempt to draw conclusions from the data: one lists the 500 most common passwords, and the other does some analysis to try to get aggregate groupings.
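Both kinds of analysis mentioned above (a most-common list and aggregate groupings) are easy to reproduce on any leaked plaintext list. The script below is an added example, not code from the original post or from either linked article; it runs over a small constructed sample rather than the real phpbb dump, and the function names and bucket labels are my own. It also adds the number an attacker actually cares about: how many accounts fall to a guess list made of just the top few passwords.

```python
from collections import Counter

# Constructed sample dump (NOT the real phpbb data): one plaintext password per account.
SAMPLE_PASSWORDS = [
    "123456", "password", "phpbb", "qwerty", "12345", "12345678", "letmein",
    "123456", "password", "123456", "phpbb", "abc123", "Passw0rd!", "dragon",
    "123456", "password1", "iloveyou", "phpbb", "monkey", "111111", "trustno1",
    "zaq1xsw2", "password", "123456", "summer2008", "c0mpl3x#Key", "qwerty",
]


def top_n(passwords, n=10):
    """The 'most common passwords' list: (password, count) pairs, most frequent first."""
    return Counter(passwords).most_common(n)


def coverage(passwords, n=10):
    """Fraction of accounts an attacker cracks by trying only the top-n passwords
    against every account (an online guessing attack, no hashes needed)."""
    hits = sum(count for _, count in top_n(passwords, n))
    return hits / len(passwords)


def classify(pw):
    """Bucket a password by the character classes it uses (labels are my own)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    if digit and not (lower or upper or other):
        return "digits only"
    if lower and not (upper or digit or other):
        return "lowercase only"
    if lower and digit and not (upper or other):
        return "lowercase + digits"
    return "mixed"


def aggregate(passwords):
    """The 'aggregate groupings' analysis: reuse, character-class and length distributions."""
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "by_class": Counter(classify(p) for p in passwords),
        "by_length": Counter(len(p) for p in passwords),
    }


def short_share(passwords, max_len=6):
    """Fraction of accounts whose password is max_len characters or shorter."""
    return sum(1 for p in passwords if len(p) <= max_len) / len(passwords)


if __name__ == "__main__":
    stats = aggregate(SAMPLE_PASSWORDS)
    print(f"{stats['total']} accounts, {stats['unique']} distinct passwords")
    for pw, count in top_n(SAMPLE_PASSWORDS, 5):
        print(f"  {count:3d}  {pw}")
    print(f"top-3 guess list covers {coverage(SAMPLE_PASSWORDS, 3):.0%} of accounts")
    print(f"{short_share(SAMPLE_PASSWORDS):.0%} of passwords are 6 chars or shorter")
    for bucket, count in stats["by_class"].most_common():
        print(f"  {bucket:<20} {count}")
```

The coverage figure is the one to quote when arguing with people who think a top-500 list is a curiosity: it is the success rate of the cheapest attack there is, a handful of guesses per account with no lockout tripped.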
The bottom line: no matter how much training we do, even reasonably internet-literate people like the phpbb users still pick crappy passwords. People don't like remembering passwords, and therefore they find every conceivable way to circumvent them (see my previous post: all passwords are weak). If you're developing a security system where the people who are supposed to be protected feel the need to circumvent the security, they will usually bring your security system down. Better to build a different system, one that is more transparent to the people you're trying to protect.