Microsoft researchers studied password security and concluded that popular passwords pose a bigger risk to online security than weak ones.

Microsoft researchers studied password security and concluded that popularity is everything. Enterprises might be interested to discover that simple but weird is what works best for protecting passwords from statistical-guessing attacks. The study found that popular passwords are easy to guess and pose a bigger risk to online security than weak ones.

Many websites require “strong” password policies, forcing users to include symbols, mixed case, numbers, and a minimum length. These rules help guard against dictionary attacks, but the resulting passwords are harder for users to remember. Limiting the number of login attempts before locking an account is one of the easiest password safety measures. A study published on the Microsoft Research site states that forcing users to pick unusual passwords is another part of the solution.

Microsoft researchers Cormac Herley and Stuart Schechter and Harvard University computer science professor Michael Mitzenmacher came together on a research paper, “Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks.” In a statistical-guessing attack, the attacker does not hammer one account with many guesses (the lockout limit stops that) but tries the few most common passwords once against every account, and so breaks into exactly the accounts that share a popular password. If users are forced to choose “unpopular” passwords instead of “strong” ones, that attack loses its targets. For organizations with millions of users, like Microsoft Hotmail, the researchers propose a system that would count how many users on the service choose each specific password. When more than a small, fixed number of users pick the same password, that password is banned and no one else is allowed to use it.

The authors wrote, “Replacing password creation rules with popularity limitations has the potential to increase both security and usability.
Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”

According to Threatpost, Microsoft researcher Herley told them, “The rules around password length and composition are an attempt to get users to choose passwords that withstand brute-forcing and guessing. But users appear to hate them, and we don’t have good ways of measuring whether and by how much they help withstand attack. The less direct approach almost certainly forbids users from things that might be perfectly good password choices, just because they don’t conform to a certain policy. For example, ‘fkwgshqum’ is probably a far better password than ‘P@ssw0rd’ even though many policies would reject it while allowing the latter.”

This password system has not been implemented, but the researchers believe it is a way to let users keep easy-to-recall passwords without making the system more vulnerable to hackers. The researchers wanted feedback from the security community, so they released their study to more than 200 computer security researchers from around the world at the annual Symposium on Usable Privacy and Security. The focus of the symposium was approaches for making computers simultaneously more usable and more secure.

Microsoft researchers presented another study at the symposium, “Where Do Security Policies Come From?” According to the study, the websites with the strictest password requirements are those whose users have no ability to shop around, such as large universities’ webmail systems and the U.S. Social Security Administration. These organizations, unlike financial institutions, have no monetary incentive to balance security against usability. The security policy paper states, “Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back.
When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”
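The popularity-limiting check described above, as an added worked example rather than code from the paper or from Microsoft. The paper proposes a count-min sketch for the counting, since it never stores the passwords themselves and can only over-estimate a password’s popularity, never under-estimate it; the implementation here is my own simplified version, and the class name, the width/depth/threshold/salt parameters and the sign-up sample are assumptions made for illustration.

```python
import hashlib
from typing import Iterator, List


class PopularityOracle:
    """Count-min sketch tracking how many accounts share each password.

    Passwords are never stored, only counters in hashed buckets.  A lookup
    returns an upper bound on the true count: hash collisions can push a
    rare password over the cap (a usability cost) but can never hide a
    popular one (the security property we want).  All parameters are
    illustrative assumptions, not values from the paper.
    """

    def __init__(self, width: int = 1 << 16, depth: int = 4,
                 threshold: int = 3, salt: bytes = b"example-secret-salt") -> None:
        self.width = width
        self.depth = depth
        self.threshold = threshold  # how many accounts may share one password
        self.salt = salt            # secret, so buckets cannot be precomputed offline
        self.table = [[0] * width for _ in range(depth)]

    def _buckets(self, password: str) -> Iterator[int]:
        # One keyed SHA-256 per row gives the sketch its independent hash functions.
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hashlib.sha256(self.salt + bytes([row]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password: str) -> int:
        """Upper bound on the number of accounts currently using this password."""
        return min(self.table[row][b] for row, b in enumerate(self._buckets(password)))

    def is_too_popular(self, password: str) -> bool:
        return self.estimate(password) >= self.threshold

    def register(self, password: str) -> bool:
        """Record a sign-up's choice; refuse it once the popularity cap is reached."""
        if self.is_too_popular(password):
            return False
        for row, b in enumerate(self._buckets(password)):
            self.table[row][b] += 1
        return True


# Constructed sign-up stream (not real data): two popular choices plus three unusual ones.
CONSTRUCTED_SIGNUPS: List[str] = (["123456"] * 10 + ["password"] * 5
                                  + ["fkwgshqum", "tr0ub4dor&3", "ochre-lantern-17"])

# The statistical guesser's list: the same few guesses tried once against every account.
ATTACKER_GUESSES: List[str] = ["123456", "password"]


def signups_under_cap(choices: List[str], threshold: int) -> List[str]:
    """Passwords a service enforcing the popularity cap would accept.

    Rejected sign-ups are simply dropped here; a real service would ask
    those users to pick something else.
    """
    oracle = PopularityOracle(threshold=threshold)
    return [pw for pw in choices if oracle.register(pw)]


def guessing_yield(passwords: List[str], guesses: List[str]) -> int:
    """Accounts that fall to an attacker who tries each guess once per account."""
    return sum(1 for pw in passwords if pw in guesses)


if __name__ == "__main__":
    accepted = signups_under_cap(CONSTRUCTED_SIGNUPS, 3)
    print(f"without cap: {guessing_yield(CONSTRUCTED_SIGNUPS, ATTACKER_GUESSES)} "
          f"of {len(CONSTRUCTED_SIGNUPS)} accounts fall to {len(ATTACKER_GUESSES)} guesses")
    print(f"with cap 3:  {guessing_yield(accepted, ATTACKER_GUESSES)} "
          f"of {len(accepted)} accepted accounts fall to the same guesses")
```

With the cap in place, each guess on the attacker’s list can compromise at most `threshold` accounts, whatever the guess, which is the whole point of limiting popularity rather than composition. Two caveats a deployment would need: the ban response itself tells a caller which passwords sit at the cap, so the oracle should only be reachable through the rate-limited sign-up and password-change flows (the cap already bounds what that leaks to `threshold` accounts per password, and the sketch’s false positives mean a “too popular” answer is not proof that anyone chose that password); and counts must be decremented when a user changes away from a password, or the sketch will keep banning passwords nobody uses any more.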