Human Password Selection:

It is commonly known that people typically pick weak (easy to crack) passwords. For example, Troy Hunt categorized cracked passwords from the Sony and Gawker password breaches. Over two-thirds of the passwords fell into one of six relatively simple categories:

Why do people pick such simple passwords? One reason why people do not select random passwords is that users are worried about forgetting their password. Another reason is that users may not be aware of the attacks that could be mounted against their passwords. In some cases users may use weak passwords to protect accounts that are not important to them (e.g., ESPN). Another issue is that humans have difficulty consciously generating random sequences.

Human Randomness?

One common issue with popular password management schemes is that they instruct the user to make up a random word or sentence, but do not tell the user how to do this. It is impossible to make any formal security guarantees without understanding the entropy of a humanly generated random sequence. Suppose that you were not worried about remembering your passwords, but that you did care about security. In other words, suppose that you were simply trying to generate a random sequence of letters and numbers without worrying about remembering it later. Would that sequence of letters and numbers be truly random? Studies have shown that humans have difficulty consciously generating random sequences of numbers. The 'random' sequences that people generated tended to follow predictable patterns that would most likely not occur in a truly random sequence. Most people, when asked to pick a random number between 1 and 20, will select the number 17.


This does not rule out the possibility that a human-generated random sequence could provide a weak source of entropy. A weak source of entropy could theoretically be used together with a randomness extractor to produce a (shorter) truly random sequence of numbers, although it is not clear that a human could do this without computer help.
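As an added illustration (not part of the original post), the following Python measures the min-entropy of a constructed sample of "pick a number from 1 to 20" answers skewed towards 17, and then runs a constructed biased bit stream through a von Neumann extractor, the simplest randomness extractor, to show how a weak source is turned into a shorter unbiased one. The sample data, the 80% bias and the seed are assumptions made up for the demo.

```python
import math
import random
from collections import Counter
from typing import Iterable, List, Sequence

def min_entropy_per_symbol(samples: Sequence) -> float:
    """Min-entropy H_inf = -log2(p_max) of the empirical distribution: the
    figure a guessing attacker cares about, set by the single likeliest value."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)

def ones_fraction(bits: Sequence[int]) -> float:
    return sum(bits) / len(bits) if bits else 0.0   # 0.5 means unbiased

def von_neumann_extract(bits: Iterable[int]) -> List[int]:
    """Von Neumann extractor: read input bits in pairs, emit 0 for 01 and 1
    for 10, discard 00, 11 and any odd trailing bit. For independent bits with
    a constant unknown bias the two kept pairs are equally likely, so the
    output is exactly unbiased; the cost is that most input is thrown away."""
    bits = list(bits)
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(0 if a == 0 else 1)
    return out

# Constructed sample of 20 answers, skewed towards 17 as the post describes
# (assumption: made-up data, not survey results).
HUMAN_PICKS = [17] * 8 + [7] * 4 + [3, 13, 11, 19, 4, 12, 1, 20]

# Constructed weak source: independent bits that are 1 with probability 0.8
# (assumption). The fixed seed only makes the demo reproducible.
_rng = random.Random(2024)
BIASED_BITS = [1 if _rng.random() < 0.8 else 0 for _ in range(4000)]

def extractor_demo() -> dict:
    """Run the biased stream through the extractor and report the figures."""
    out = von_neumann_extract(BIASED_BITS)
    return {"input_bits": len(BIASED_BITS),
            "input_ones_fraction": ones_fraction(BIASED_BITS),
            "output_bits": len(out),
            "output_ones_fraction": ones_fraction(out)}

if __name__ == "__main__":
    print(f"human picks: {min_entropy_per_symbol(HUMAN_PICKS):.2f} bits of "
          f"min-entropy per pick vs {math.log2(20):.2f} if truly uniform")
    print(extractor_demo())
```

The extractor only fixes bias, not correlation: if a person's picks depend on their previous picks, the independence assumption fails and the output is not guaranteed uniform.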