
Standardizing Password Surveys

BSides Las Vegas · 23:49 · 494 views · Published 2024-09
Category: Research
Style: Talk
About this talk
Password surveys are unreliable—questions are ambiguous, answers misleading, and results incomparable across organizations and countries. Per Thorsheim presents a decade-long effort to create an open-source, standardized password survey with precisely worded questions and clear definitions, enabling meaningful comparison of password practices and security awareness across populations.
Original YouTube description:
PasswordsCon, Tue, Aug 6, 20:00 - 20:20 CDT. I don't trust password surveys. I don't trust the questions they ask, and I trust even less the results they provide. I want to fix that. I'm going to release a password survey as open & free to use, in order to better enable comparison across people, organizations, countries & societies.
Speaker: Per Thorsheim
Transcript [en]

So back in December 2012 I was doing PasswordsCon at a university in Oslo. In December we had minus 18 degrees Celsius. I had some friends coming over, as an example from Texas, to Oslo, and it was pretty fun to see them running around in minus 18 outdoors. One of the talks that I had there was actually from, well, they don't exist anymore, but it was a government organization back then called NorSIS. They were essentially an organization that was giving out advice to small businesses and also to people, you know, you and me, in Norway about security stuff. They do exist in a different organization at the moment now. And back in 2012 I asked them if they would be interested in doing a talk at PasswordsCon, because they were doing an annual survey about cyber security in Norway amongst, you know, normal people and small businesses. Norway being a country with four and a half, five million people, a small business in Norway is like up to 10 people, a medium-sized company is 50 people, and a big company in Norway is 200 people or more; that's pretty much a big company in Norway. And they did a survey in the spring of 2012, and at PasswordsCon in 2012 they presented the results. This is the PDF.

Having already spent quite a few years, 12 years already, no, 14 years, cracking passwords before this talk, I was curious to see the questions and the answers they got. They asked about occupation, which is fair enough and nothing interesting here; the number of employees in the organization; employment description, you know, regular employee, head of department, project manager, manager, executives and so on. Moving on: what kind of education do you have? It's interesting just to see if the level of education can influence your choice in passwords, or if it is male/female, or if it is knowledge of cyber security or not that will influence your choice in passwords. Now, there exist academic papers out there that have been looking into this, and there's a distinct difference between, let's say, cyber security professionals and pretty much everyone else in choice of passwords and password security; just like something as simple as using a password manager, there's a difference. They also asked about gender and age, male/female here. And they asked, as an example, total number of passwords, average/minimum number of private passwords per person, blah blah blah. Password security: how did you get education on how to make good passwords? Well: no answer, do not remember, other, websites, papers, friends, colleagues at work, when studying.

And description of a good password: 10% wouldn't tell what is a good password, 3.6% said I have no clue what a good password is, and 86% had an opinion. Now, my point of showing this: all these years since 2012 I have seen a gazillion and one password surveys from all over the world, commercial companies, academic research and so on, and I have never been able to sort of compare two different password surveys properly, because of the way the questions are formulated, the way they are asked. You know, I'm a white privileged old fat male, so if I go out on the street and somebody wants to ask me questions in a survey, there is a difference whether there is a young beautiful woman asking me or if it is some old guy at my age wanting to ask me questions. There's also a difference between: do I have to think about answering the question, will you give me 24 hours, or do I have to respond to you in like 5 seconds? As an example: in 10 seconds, don't look this up in your password manager, tell me, how many passwords do you have? This is a question that you can find in many password surveys, but there's a difference asking you this on the phone, as an example, where you have to answer within 10 seconds, or if I give you 24 hours to think about it.

And I have been traveling to many different countries. One of my hobbies is to go to cities, visit a cafe and sit down with random strangers. You know, I'm the kind of guy who says: hi, I'm Per, I'm a crazy password researcher and I would like to ask you a couple of questions. As an example, I ask the question how many passwords do you have, and I say I want an answer from you within 10 seconds. And what I have found, which is pretty consistent, is that at the beginning of my little survey I ask this question, and at the end I will also ask: so now, after all these questions from me, how many passwords do you actually think you have? And they usually have at least three times more passwords than they said at the beginning of my little survey. People don't know how many passwords they have.

And if I go to the next question: how many different passwords do you have? Because the question of how many passwords do you have, I have seen people that will interpret that question in many different ways. It's not a simple question to ask, how many passwords do you have. So: how many different passwords do you have? And of course, if you are doing this face to face with people, you will probably see quite a few people blush when you come to this second question. Third question: how many accounts do you have? Because a password and an account can be two different things. How many accounts do you have, how many accounts do you think you have? And when I ask about how many accounts do you have, I would also ask you: did you include work accounts, banks, payment cards and customer loyalty clubs in your count of passwords or accounts? Because, yeah, I'm a member of the, you know, Virgin Atlantic fly-me-somewhere-in-the-world club, I'm a member of Walgreens too, and Target too, to buy groceries, and as a member I get a 5% discount. Well, if you are a member of those loyalty programs, as an example, you probably also have an account where you can log in. And I also know back from Norway that a lot of people are members of such loyalty clubs, but they have never ever logged in, and they don't know if it is possible to log in, they don't know if there's a default password for that account that they should change. They just go to the grocery store or the clothing store, and I want to buy something, and the cashier will ask you: so, do you have a membership with us? And the answer usually is: I have no idea. Okay, what's your phone number? Blah blah blah. Yeah, you are a member. Oh, you have, you know, 50 Norwegian kroner that you can use for this, it's a bonus from us, do you want to use it? As an example. And people are clueless that they have this account, and if that account represents $5, $10 or $100 or more in value, people are clueless that it can be stolen.

And I used to work as a CISO for a hotel chain for 3 years before COVID. There were a lot of bad guys, or girls, that would hack into customer loyalty accounts in order to get free hotel rooms, and they would also be anonymous. So we saw people having, you know, illegal parties, teenagers throwing parties for friends in hotel rooms, so we had no idea who was actually in the room, because they were using somebody else's loyalty points. As an example: how many customer loyalty memberships do you have? Okay, fair enough. How many of those do you think you have ever logged into? I think this is a relevant question to ask in a survey, because again, in many cases it's like you don't count those accounts, you never use them, but you still have them, and they can still be a problem for you.

Also, in your accounting of passwords, do you also include PIN codes? Because PIN codes are just really, really bad passwords. And again, when I ask people, they actually differentiate between a PIN and a password. So maybe I should be asking: do you use passphrases as well? Because some people will just smile at me: yeah, no, I don't use passwords. Okay, well, are you using passphrases? Yes. Those people actually do exist. Are passwords and passphrases and PINs the same thing? Yeah. An API key? Yeah, that's actually a password. A cryptographic key? Well, it's a password to me. But people don't see them as that.

The use of two-factor authentication: a very common question to ask in a password survey. Do you use two-factor authentication? Raise your hand if you're using two-factor authentication. Okay, excellent, perfect. But do you use two-factor authentication for all your accounts? Raise your hand. So most surveys, if any, are not asking this question, so we end up with: oh yeah, it's pretty good, like 90% of our employees are answering, oh, 100% of all our employees are answering yep, I use two-factor authentication, and you just rickroll yourself, like, a lot. You need to ask: do you use two-factor authentication for all accounts? But even with that question, another problem will be the fact that you don't know how many accounts you have, where you have them, have I ever used them. Do you use two-factor authentication for all accounts at work? Because the previous question, was that about work or private life?

When was the last time you deleted an account you no longer use? Raise your hand if you can remember the last time you deleted an account that you no longer need. Okay, so pretty much everyone. Now, if you go out in the street and ask people that question, it's fascinating to see that most people don't think about deleting unused accounts, because when I've asked people why haven't you deleted those accounts, it's like: because I'm not using them anymore, they represent no value to me. And if they don't represent any value to you, which is in most cases wrong, those accounts, if hijacked by somebody else, can be used to trick other people. So instead of being a part of the solution by deleting your own accounts, you will be part of the problem, having lots of accounts that criminals can use and abuse against your friends. How many old accounts do you think you have deleted since you got your very first account? Let me ask one of the young members of the audience: since you got your very first account, when you were, I don't know, starting at school or something, how many accounts do you think you have deleted, all the way back since you were like five, six, seven, eight, nine years old? I have no idea, absolutely no idea. But what I do know, and I should probably be better as a sort of password security professional, but I know that I myself also have lots of old accounts that I should have deleted, but it's just boring to spend hours, days, weeks deleting them. So one of the things that I've been discussing with colleagues in the industry, the password cracking industry, is: are there any ways for us to improve how users can very quickly, maybe automated, delete their accounts for unused services? That's a question for Dashlane, for LastPass, for 1Password, for Bitwarden and so on. Can we create a standard that will make it much easier to authenticate to your service and then delete your accounts? And also, last question for the audience: have you ever changed the password on an account without being told to do that or forced to do it?

Now that we have changed the NIST standard from 2018, and the new standard says that you don't have to change your password anymore unless it is compromised or we have good reasons to believe that your account has been compromised, I think that's a good thing that NIST made that standard. PasswordsCon has been really helping out for many, many years to create the new version of the NIST standard that came about in 2018. But I really, really think that a new challenge for us as a security community in the future will be to assist people in deleting old and unused accounts. We are getting more and more accounts that are just lying dormant. When I was working for the hotel chain, I went to the customer loyalty club and I asked them: how long do our users actually stay members of the loyalty club? And the answer was pretty simple: they will stay members in our loyalty club until the day we can no longer receive emails from them, that's, you know, we will have it bounce back. Now, if you know anything about email, there can be many, many cases where you will never get a reply saying that the user does not exist, meaning that we will have loyalty club members that will basically live forever. And I'm an atheist and I do believe I'm going to die sometime, so that's a problem as well: we will have more and more members that actually no longer exist on planet Earth.

So the point of the talk is: I have been talking to psychologists, to all kinds of people doing statistics and so on, and what I want to do, and have been working on now for 12 years, is trying to come up with questions that cannot be misinterpreted and that also have a very thorough explanation of what I mean by this question, so that we can have a standard open-source password survey available on GitHub or wherever that anyone can copy and use in their organization, in their company or at school and so on, so we can actually compare two different password surveys, because they are asking the same questions the same way across companies, organizations, countries and so on. And that's the point of my talk.

Now, also just to back it up: back in 2012 when this initial survey was presented, 10 years before this survey was done, I was working for a large organization in Norway and I cracked the passwords of the internal Windows domain, Windows NT4 back then. I cracked all the passwords and I generated statistics about those passwords, and since I also had the usernames, the full name, phone number, address and so on of all the employees and everybody connected to the Active Directory, I could do some pretty interesting statistics. And internally, the head of security also did an annual survey, and one of the questions that was asked is: is your password in compliance with the written password policy? And surprisingly, approximately 78% said yes, my password is compliant with the password policy, the one that exists in writing. I knew the written password policy and I cracked all the passwords, so I could say internally that no, the answer isn't 78% compliance, it's approximately 8% of the passwords that are actually compliant with the password policy. So I could go back to the people doing the statistics and say: you are completely wrong with your answers, and that's a risk to the organization today, and if it wasn't for me and my password cracking you would be clueless about the risks you are actually facing. And that's why I do not believe in password surveys, at least not all the password surveys that I've seen to date. If you are an idiot and I ask you, are you an idiot, you're probably going to say no, because you don't know you're an idiot. And if you are not an idiot, you will obviously say no when I ask you, are you an idiot. And if you ask people in a large organization or a small organization, are you breaking the rules, the obvious answer will be no. That's why I want to do a survey like this and make it open source, so everybody can use it everywhere. That's it, thank you.

[Applause]

Audience member: What do you want to do with the information that you're going to get?

Per Thorsheim: Sorry, the question is: what do you want to do with the information you're going to get out of the survey? Well, I would like to, you know, I will set up a survey that people can fill out anonymously online. But I would also, you know, my point is not that, you know, I'm interested in the data to do my own research and see how this works out across the world, but if you want to do it with your employer internally, you know, you can just copy this. I'm not interested in learning about your employees, and I'm not interested in making money out of this. So just copy the survey and use it internally, and you never have to reveal any information to me. But if other organizations like yours, as an example, are doing the same survey, then maybe you will be able to see if your users are complete idiots, or if they are, you know, doing passwords the way they are supposed to do passwords, as an example. Because I have seen organizations today trying to compare password surveys to other organizations, and it's wrong. And most, well, my personal opinion of course, most organizations, companies today, have absolutely no clue how much they are exposed to bad password security, because they are just doing surveys. They don't crack passwords, they don't compare the cracked results to, you know, the kind of statistics that we have.

Audience member: My apologies, I'm monopolizing the questions. The reason I asked the question "what are you going to do with that?" is, I'll make a statement, I'll be really careful with it, but I can justify it. So no matter what the password policy is, as we speak, in an organization, and I'm not talking about generating random passwords, so no matter the password policy's length, whatever it is, password crackers can crack more than 95%, let's say 90%, of them within a reasonable amount of time, which is a day. So having said that, I understand this can be used for awareness, I guess, which is the main thing; when a question is asked, then you get people trying to think about it. But it wouldn't create, let's take good practices, when we tell people how to, or when we suggest to them: why don't you use passphrases, why don't you use uppercase as your first character, or why don't you use an exclamation mark at the end, which used to be a suggestion a couple of years ago, to make a complex password. The point I'm trying to make, and the purpose of me saying this, is: I say there is a value for this kind of survey for awareness, but we should focus on the end result of, let's see what we're going to do with passwords, because I think we're close to the end of it. And I think you also said that 10 years ago.

Per Thorsheim: Yeah, well, we're close to the end of passwords, but I'm going to be doing password talks for another 10 years, and here we are today, talking about it. And I have yet to see an organization where the written password policy is equal to the password policy that has technically been implemented in just a single system. And if you look throughout an organization with 50 different systems, you will probably see 50 different implementations of a password policy, and none of them equals the written password policy. It's no surprise people are angry about passwords. But again, we've got to cut it off there, the next talk is coming in minutes. If you want to discuss this from a linguistics perspective, psychology or anything else, please feel free to reach out on Twitter, LinkedIn, Signal, phone call, all kinds of channels. Thank you again.

[Applause]
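The talk's central argument is that self-reported compliance (78% "yes") and measured compliance (about 8%) can differ wildly, and the closing exchange adds that the policy written on paper is rarely the policy a system actually enforces. The following Python is an added example, not code from the talk or from any project Per Thorsheim describes: it models a written policy and a weaker technically enforced policy, checks a small set of constructed user records against both, and reports the self-reported rate beside the two measured rates. Every username, password and policy value is constructed for illustration; in a real audit the measured side would come from an authorised password audit of the kind the speaker describes, not from plaintext lists.

```python
"""Measure password-policy compliance instead of asking about it.

Added example (not from the talk). All policies, usernames and passwords
below are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """A minimal rule set of the kind a written policy or a domain setting expresses."""
    name: str
    min_length: int
    max_length: Optional[int] = None      # None means no upper bound
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    forbid_username: bool = False         # password must not contain the username

    def violations(self, password: str, username: str = "") -> List[str]:
        """Return every rule the password breaks (empty list means compliant)."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if self.max_length is not None and len(password) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no uppercase")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("no lowercase")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("no digit")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no symbol")
        if self.forbid_username and username and username.lower() in password.lower():
            problems.append("contains username")
        return problems

    def complies(self, password: str, username: str = "") -> bool:
        return not self.violations(password, username)


class Record(NamedTuple):
    username: str
    password: str                  # constructed sample value, not real data
    self_reported_compliant: bool  # the survey answer "my password follows the policy"


# Hypothetical written policy versus the weaker setting a system actually enforces.
WRITTEN_POLICY = PasswordPolicy("written policy", min_length=12, require_upper=True,
                                require_lower=True, require_digit=True,
                                require_symbol=True, forbid_username=True)
IMPLEMENTED_POLICY = PasswordPolicy("domain setting", min_length=8)

# Constructed sample records: most users answer "yes" regardless of the password.
SAMPLES = [
    Record("alice", "Summer2012!", True),
    Record("bob", "bob12345", True),
    Record("carol", "Tr0ub4dor&3xtra", True),
    Record("dave", "password", True),
    Record("erin", "Welcome1", False),
    Record("frank", "letmein", False),
    Record("grace", "C0rrect-Horse-Battery", True),
    Record("heidi", "Heidi2024!!!!", True),
    Record("ivan", "qwertyuiop", True),
    Record("judy", "P@ssw0rd", True),
]


def audit(samples: List[Record], *policies: PasswordPolicy) -> dict:
    """Self-reported compliance rate next to the measured rate for each policy."""
    total = len(samples)
    result = {"self_reported": sum(r.self_reported_compliant for r in samples) / total}
    for policy in policies:
        passed = sum(policy.complies(r.password, r.username) for r in samples)
        result[policy.name] = passed / total
    return result


def accepted_but_noncompliant(samples: List[Record], written: PasswordPolicy,
                              implemented: PasswordPolicy) -> List[str]:
    """Users whose password the system accepted although the written policy forbids it."""
    return [r.username for r in samples
            if implemented.complies(r.password, r.username)
            and not written.complies(r.password, r.username)]


if __name__ == "__main__":
    for name, rate in audit(SAMPLES, WRITTEN_POLICY, IMPLEMENTED_POLICY).items():
        print(f"{name:>15}: {rate:.0%}")
    print("accepted by system, rejected by written policy:",
          accepted_but_noncompliant(SAMPLES, WRITTEN_POLICY, IMPLEMENTED_POLICY))
```

On the constructed records the survey answer gives 80% compliance, the written policy gives 20%, and the enforced domain setting gives 90%: the same gap the talk describes, plus the second gap between paper and implementation. The `violations` list is what turns a headline percentage into something actionable, since it says which rule is failing most often.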