The percentage of passwords guessed after a given number of guesses (shown in log scale), by colleges within Carnegie Mellon University. Mazurek et al. If you’re a student or teacher in a computer science school of a big college, chances are good that you pick stronger passwords than your peers in the arts school. In turn, the arts students usually pick better passwords than those in the business school, according to research presented this week.

The landmark study is among the first to analyze the plaintext passwords that a sizable population of users choose to safeguard high-value accounts.

The researchers examined the passwords of 25,000 faculty, staff, and students at Carnegie Mellon University used to access grades, e-mail, financial transcripts, and other sensitive data.

The researchers then analyzed how guessable the passwords would be during an offline attack, such as those done after hackers break into a website and steal its database of cryptographically hashed login credentials. By subjecting the CMU passwords to a cracking algorithm with a complex password policy, the researchers found striking differences in the quality of the passwords chosen by various subgroups within the university population.

For instance, people associated with CMU’s computer science and technology schools chose passwords that were more than 1.8 times stronger than those used by people in the business school. In between these two groups were people associated with the art school. Statistically speaking, passwords picked by computer science and technology users were only 68 percent as likely to be guessed as arts users and only 55 percent as likely to be cracked as people in the business school. Stated differently, the number of attempts required to successfully guess 100 arts school passwords in the typical offline crack would yield passwords for 124 people in the business school and 68 people in the computer science school.     

Leave a Reply