Human Password Selection:
It is commonly known that people typically pick weak (easy to crack) passwords. For example, Troy Hunt categorized cracked passwords from the Sony and Gawker password breaches. Over two-thirds of the passwords fell into one of six relatively simple categories:
Why do people pick such simple passwords? One reason why people do not select random passwords is that users are worried about forgetting their password. Another reason is that users may not be aware of the attacks that could be mounted against their passwords. In some cases users may use weak passwords to protect accounts that are not important to them (e.g., ESPN). Another issue is that humans have difficulty consciously generating random sequences.
Human Randomness?
One common issue with popular password management schemes is that they instruct the user to make up a random word or sentence, but do not tell the user how to do this. It is impossible to make any formal security guarantees without understanding the entropy of a humanly generated random sequence. Suppose that you were not worried about remembering your passwords, but that you did care about security. In other words, suppose that you were simply trying to generate a random sequence of letters and numbers without worrying about remembering it later. Would that sequence of letters and numbers be truly random? Studies have shown that humans have difficulty consciously generating random sequences of numbers. The ‘random’ sequences that people generated tended to follow predictable patterns that would most likely not occur in a truly random sequence. Most people – when asked to pick a random number between 1 and 20 – will select the number 17.
This does not rule out the possibility that a human-generated random sequence could provide a weak source of entropy. A weak source of entropy could theoretically be used along with a randomness extractor to produce a (shorter) truly random sequence of numbers, although it is not clear that a human could do this without computer help.
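To make the entropy argument concrete, here is an added example in Python (not code from the original post): it estimates the min-entropy of a constructed "pick a number from 1 to 20" sample skewed toward 17, and runs a von Neumann extractor over a constructed biased bit source to show the shorter, unbiased output that the passage describes. All sample data is constructed, and the von Neumann extractor is only a simple stand-in for the general randomness extractors mentioned above.

```python
import math
import random
from collections import Counter


def min_entropy_per_symbol(seq):
    """Min-entropy H_inf = -log2(max probability).

    This is the conservative measure for password guessing: an attacker who
    always guesses the most common value succeeds with probability 2^-H_inf.
    """
    counts = Counter(seq)
    p_max = max(counts.values()) / len(seq)
    return -math.log2(p_max)


def constructed_human_picks():
    """Constructed sample of 100 'random' picks from 1..20, skewed toward 17."""
    return [17] * 25 + [7] * 15 + [3] * 10 + [13] * 10 + list(range(1, 21)) * 2


def von_neumann_extract(bits):
    """Classic von Neumann extractor: read bits in pairs, 01 -> 0, 10 -> 1,
    discard 00 and 11.  Output is unbiased if the input bits are independent
    with a fixed (unknown) bias.  It does NOT repair correlations between
    successive symbols, which is exactly the weakness of human sequences.
    """
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def biased_bits(n, p_one, seed=0):
    """Constructed stand-in for a weak source: independent bits with P(1)=p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def bias(bits):
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    picks = constructed_human_picks()
    print("uniform 1..20:", math.log2(20), "bits; skewed sample:",
          min_entropy_per_symbol(picks), "bits")
    raw = biased_bits(100_000, 0.7)
    ext = von_neumann_extract(raw)
    print("input bias", bias(raw), "-> output bias", bias(ext),
          "using", len(ext), "of", len(raw), "bits")
```

The skewed sample keeps under 2 bits of min-entropy per pick against the 4.3 bits a uniform choice would give; the extractor trades roughly 58% of the biased input for an output whose bias is close to 0.5.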