Lorrie Faith Cranor: What's wrong with your pa$$w0rd?
Introduction: Usable Privacy and Security
In this section, the speaker introduces herself as a computer science and engineering professor at Carnegie Mellon University specializing in usable privacy and security, and discusses the frustration people feel about passwords because of their usability problems.
Password Frustrations
- Passwords are a common source of frustration, especially when people are required to have unique, complex passwords across many systems.
- Changes in password policy, such as requiring longer passwords with specific character classes, increase user frustration and make passwords harder to manage.
Why Carnegie Mellon Changed Its Password Policy
The speaker explains why Carnegie Mellon University introduced a new password policy and how entropy is used to measure password strength.
</grreplace>
<gr_replace lines="10-11" cat="clarify" orig="- Membership requirements">
- Membership requirements of a university consortium led Carnegie Mellon University to adopt a stronger password policy.
- Entropy is used to measure password strength, but there is no agreed standard for computing it, which makes it hard to judge how effective a password policy actually is.
Entropy and Password Policies
- Membership requirements from a university consortium led to the introduction of stronger password policies at Carnegie Mellon University.
- Entropy is used to measure password strength, but standard measures are lacking, leading to challenges in determining the effectiveness of password policies.
Collecting Data on Password Practices
The speaker describes how the research group collected data on passwords, including what they learned from students, faculty, and staff about their password practices.
Data Collection on Password Practices
- Surveys of students, faculty, and staff revealed mixed feelings about the new password policy: annoyance, but also a sense that security had improved.
- Password reuse was widespread, even though respondents knew they should not write passwords down.
Stolen Password Sets and Mechanical Turk Studies
The search for additional password data led first to stolen password sets and then to a study on Amazon Mechanical Turk in which participants created passwords under different policy conditions.
Generating Password Data
- Stolen password sets provided additional data for analysis, but their origin and the policies under which they were created were unknown.
- Amazon Mechanical Turk made controlled studies possible, with participants creating passwords under different policy constraints so the results could be compared.
Cracking Passwords and Strengthening Security
The speaker discusses the process of cracking passwords, emphasizing the importance of password strength and usability.
Understanding Password Cracking
- Attackers who obtain a stolen password file crack it by making educated guesses, starting with popular choices such as "password" or "12345678."
- Long and complex passwords are generally strong, but user frustration with complexity points to the need for a balance between strength and usability.
- Long passwords turned out to be more usable than complex ones, which underlines the importance of length in password security.
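To make the contrast between naive entropy and guessability concrete, here is a small policy checker added as an illustration (not code from the talk or from the CMU research group). It combines a length rule, a charset-based entropy estimate, and a lookup against a ranked list of popular passwords with trailing digits and simple character substitutions stripped; the list and the substitution table are constructed for the example.

```python
import math
import re

# Constructed, ordered sample of "most popular" passwords (rank 1 first);
# a real list would hold millions of entries from leaked datasets.
COMMON_PASSWORDS = [
    "password", "123456", "12345678", "iloveyou", "princess",
    "monkey", "justin", "qwerty", "abc123", "letmein",
]

# Simplified substitution table (assumption: one letter per symbol).
LEET = str.maketrans("@40$31", "aaosei")


def normalize(pw):
    """Lowercase, drop trailing digits/symbols, undo simple substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def guess_rank(pw):
    """1-based rank of pw (or its normalized form) in the popular list, else None."""
    forms = {pw.lower(), normalize(pw)}
    for rank, cand in enumerate(COMMON_PASSWORDS, start=1):
        if cand in forms:
            return rank
    return None


def naive_entropy_bits(pw):
    """Charset-size entropy: the measure a policy meter typically reports."""
    size = 0
    size += 26 if re.search(r"[a-z]", pw) else 0
    size += 26 if re.search(r"[A-Z]", pw) else 0
    size += 10 if re.search(r"[0-9]", pw) else 0
    size += 33 if re.search(r"[^A-Za-z0-9]", pw) else 0
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw, min_length=12):
    """Reject popular passwords first; naive entropy alone is misleading."""
    bits = round(naive_entropy_bits(pw), 1)
    rank = guess_rank(pw)
    if rank is not None:
        return {"ok": False, "bits": bits, "reason": f"variant of popular password #{rank}"}
    if len(pw) < min_length:
        return {"ok": False, "bits": bits, "reason": f"shorter than {min_length} characters"}
    return {"ok": True, "bits": bits, "reason": "accepted"}
```

Running `assess("P@ssw0rd1")` reports roughly 59 bits by the charset measure yet rejects it as a variant of the top guess, while the long lowercase passphrase `correct horse battery staple` is accepted.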
Effectiveness of Password Meters
The effectiveness of password meters in enhancing password strength is explored through a research study.
Evaluating Password Meters
- Most password meters were effective, and meters that delay positive feedback were the most successful at encouraging stronger passwords.
- Delaying positive feedback leads users to keep improving their password before the meter reports it as strong.
Pass Phrases vs. Passwords Study
A study comparing pass phrases and passwords reveals surprising findings regarding memorability and usability.
Pass Phrases vs. Passwords
- Pass phrases were not significantly better than random passwords in memorability, and users made no fewer errors when typing them.
Pronounceable Passwords and Insights from Password Studies
The speaker discusses the effectiveness of pronounceable passwords and shares insights from password studies conducted at Carnegie Mellon University.
Pronounceable Passwords
- Pronounceable passwords were found to work well, prompting further research for improvement.
Real Password Analysis
- The group obtained permission to analyze the real passwords of 25,000 CMU students, faculty, and staff.
- Passwords of people affiliated with the School of Computer Science were 1.8 times stronger than those of people affiliated with the business school.
- Comparing the CMU passwords with those generated on Mechanical Turk validated the Mechanical Turk research method.
Insights from Password Analysis and Quilt Creation
The speaker shares insights gained during a sabbatical at Carnegie Mellon's art school, where password analysis was turned into a quilt.
Security Blanket Quilt
- Created the "Security Blanket" quilt from the 1,000 most frequent passwords in the stolen RockYou dataset.
- Categorized the words thematically, ordered by their frequency in the dataset.
- Noted that love-themed words were far more common than hate-themed ones.
Word Cloud Analysis
- Analyzed common words such as "justin," "princess," and "iloveyou" in the stolen password dataset.
- Identified recurring patterns: names, terms of affection, profanity, and animals, notably monkeys.
Understanding the Popularity of "Monkey" in Passwords
The speaker explores why "monkey" is so popular in passwords, based on responses from users who chose it.
Monkey in Passwords
- Users included "monkey" because they had a pet or friend named Monkey, or simply because they find monkeys cute.
- Users tend to build passwords around ease of typing, positive associations, or cues related to the account.
User Preferences
- Users often choose password elements that evoke happiness or familiarity when creating their passwords.