
Good morning everyone and welcome to BSides, welcome to PasswordsCon. I'm Per; you can just refer to me as the crazy password guy. I've been doing this now since the first time, which was in December 2010 in my hometown, Bergen in Norway, way up north in Europe. Anyone here that is participating at PasswordsCon for the very first time, raise your hand. Oh wow, awesome, cool.

Okay, so I have a serious interest in this stuff, a very healthy, or unhealthy, curiosity about passwords. My interest in passwords came about approximately 23 years ago. I was doing pen testing as a consultant at PwC, and during one engagement against a Fortune 500 company we pulled out from a Windows domain controller tens of thousands of usernames, and then we used an incredibly simple script to try out two different passwords against all accounts. The first password was the name of the company and the second password was just "password". Blind luck, but after running the script for some time we did find some people that were just, you know, normal users, and they would be using the company name as the password. But suddenly we also see on screen that there's an account which is using "password" as the password for the account, and we look up the account and we see that that account is actually a member of the Domain Administrators group. And this was on day one of our assignment for a Fortune 500 company. We were three guys in the room and we took like three steps back, and like, okay guys, so this is the moment we've been waiting for: do you want to become a criminal and move to the Bahamas, or should we just invoice the client and say "got you"? And here I am, so obviously I'm not rich, I'm not living in the Bahamas. That started my fascination for passwords.

PasswordsCon came about in 2010. I was invited to attend a one-week workshop for PhDs and professors, high up north in Norway, and they asked me if I could do a rump session on passwords. I had never been to university, so I just heard "can you do a talk"; I didn't know what a rump session was supposed to be. So I came there and I saw the program, and I was not listed. I had of course created a talk for them, put a lot of info, I thought, into it, and in the evening I was asked, "can you start at nine o'clock in the evening, after dinner?" And I was like, sure, not a problem at all. And I started at nine and I finished at approximately eleven o'clock, so two hours. That's a very, very short introduction to the topic of passwords. Lots of questions, lots of applause, and then they came up to me like, you know, a rump session is supposed to be five-minute spots, so there are some PhD students that are a little pissed at you now, because they've been waiting for quite some time; they have also prepared some talks, and they will have to do it tomorrow. And this professor in Norway came back to me and said, hey, I've got some money, I've got a budget and I have a room, so if you would like to do a conference about passwords we can do that. So we did the very first one in December 2010 in Bergen.

I'm also sad to say that a good friend of mine, Jeremy Gosney in Texas, he is one of those who have been running PasswordsCon here while I've been away for the past six years because of one president and one global pandemic. He couldn't make it this year, unfortunately, but again, Jeremy, a really big thank you, while I'm waving to the camera, a really big thank you for actually helping me to come to Las Vegas. I had no idea this could be done back in 2013 when we did the first PasswordsCon here in Vegas.

Now again, I'm obsessed with passwords. I'm going to talk about password surveys, and just to prove my obsession, this is a tweet. I mean, you can probably guess what my car license plate says; it's in Norwegian, but you know, you probably get it. And this is me tweeting out on Twitter that I have it, probably from Cormac Herley, he's a famous researcher with Microsoft Research, with a witness present, that his interest in passwords... well, I'm obsessed with it. "Cormac, please confirm statement." And Cormac responds in public on Twitter saying: "Confirm. I have a healthy curiosity while Per Thorsheim is pathologically obsessed." And I am very proud of this tweet from Cormac Herley. So there we are.

Back again, background and context for this short talk. You know, with my obsession, I take no interest in cars or alcohol or sports even; I do passwords, PINs, digital
authentication all the time, and I have seen so many shitty password surveys all over the world. Nope, not mentioning NordVPN or anyone else, but I don't trust those password surveys. I don't trust them at all, and it's not like, you know, I'm trying to be nasty here against the people or the companies that are doing these surveys; I just don't believe that they know enough about the topic to ask the correct questions the correct way in the correct order, and I don't think that the majority of people responding to these surveys actually understand the questions they are about to answer. That's what I want to talk about.

So this is a very easy talk, so to say, and what I want you to do now: you can use your phone or pen and paper, there's no online form, so just type this down on your cell phone, or you can just do it inside your head, but I will give you 10 seconds to think about the following question. How many passwords do you have? 10, 9, 8, 7, 6, 5, 4, 3, 2, 1. So, random person in the audience, Jeff, how many passwords do you have? Upwards of 700, he says. I don't know what you came up with in your head, but just remember that number for now. Okay, next question, 10 seconds to think about the next one: how many different passwords do you have? 6, 5, 4, 3, 2, 1. Okay, next question, 10 seconds: how many accounts do you have? 6, 5, 4, 3, 2, 1. Okay, last one: did you count all accounts into those numbers, or are you basically just counting accounts that you actively use?

My point about these questions is, I bring them with me anywhere I go. If I go to a party I will crash the party asking password questions. If I go to a cafe I will just approach random people, and you don't do that in Norway, but I do, and I say, hey, I'm the crazy password guy, I'm doing a survey about passwords, I have some questions for you. I can assure you there's a lot of people who look at me when I do that. And I ask this and I'm really not interested in the answers to the questions; I'm interested in how you interpret my question. What am I actually asking about? Because when you ask "how many passwords do you have", am I asking how many unique passwords do you have, or am I asking how many accounts do I have? Because my experience is, some people think that the first question is about how many accounts do I have; some people consider this as passwords, but you didn't unbox them and ask about how many passphrases do I have, as an example. And how many accounts do you have as well: people tend to count the accounts they are actually using on a sort of everyday, or at least weekly or monthly, basis. But if you ask the question "how many accounts do you think you have that you have ever created that are most probably not deleted yet", that number is going to be a lot higher. So the question also is how many accounts in active use do you have, and of course you can make a note of this as well, because that is going to be a pretty small number compared to the total amount of accounts that you have.

And also, regarding all these accounts that you have, when they counted the number of accounts, did you also include customer loyalty programs that actually provide an account for you where you can log in, but you don't need that? Now, I don't know how you do customer loyalty programs in the US, but in Norway I can go to a lot of different shops, for clothing, for shoes, for, you know, electrical tools for my home or whatever, gardening stuff, and they will ask you: are you a member with us? No. Would you like to be a member? No, hell no. Well, you get a 10% discount. Oh, hell yes I will. And in Norway they would just ask you your phone number, because in Norway your phone number is, to us, public information for almost everyone, and then they will set up an account for me. They will probably send me a text message to confirm my account, but in most cases, at least in my experience, people have never logged in to their customer loyalty account with the, you know, clothing retailer, whatever it is, where you can see what kind of clothing have you been purchasing over the past two years, what kind of groceries have you been purchasing, and so on. But those are also accounts, and in those accounts you can find interesting information about people, in some cases stuff that your spouse is not supposed to see, or maybe your kids shouldn't see, or you shouldn't see the, well, things that kids, or teenagers, can buy in a grocery store, as an example. I have teenage children myself.

I'm also interested in, in the number of accounts, did you include accounts that you use at work? And do you consider work as one account, or do you have 5 or 10 or 50 different systems, for payroll, for, you know, submitting working hours, or for logging into your database, or anything else like that? Did you include all those accounts in your count of the number of accounts that you have, and passwords? And the question: how many customer loyalty programs are you actually a member of? I have yet to meet almost anyone in Norway who says anything else but "I have absolutely no [ __ ] clue". People in Norway have no idea how many membership loyalty programs they are a member of, which is to me a little bit, you know, discomforting. And also, when you don't know how many of these customer loyalty programs you are a member of, then asking how many of these have you ever logged into, just to see: do they have two-factor authentication available? What kind of information do they actually keep track of about me? Well, people are clueless about that as well. That could be a security problem; that is most definitely also a privacy problem to a lot of people.

Moving on, these are some questions that you need to answer here now, but asking people, did you include PINs in your count of passwords? Jim, looking at you, you know, "memorable
secrets" is sort of the official NIST expression to use, a memorable secret, because to Norwegians at least, a PIN code has nothing to do with a password; those are completely different things. So I have yet to find a single Norwegian, more or less, that has counted their PINs as, or considered a PIN as, a password, so they don't include that in the count. And I ask them, well, so how many PINs do you have? Again, most usually, people are clueless. And it's also fun to ask them, of the different PINs that you have, how many of them were given to you and how many did you actually create yourselves? Four digits, three, five, six or whatever you have. In Norway, if you ask people what is a PIN, they will say four numbers, and if you ask them, well, could a PIN be six numbers? Yeah, on my iPhone, but other than that, in Norway PIN codes are four digits, everywhere, for everything. And I'm fascinated about the fact that, you know, if there's a place where I'm required to use a PIN, not a password, I can't select anything else than a four-digit PIN; there's no option for doing something else. And we have incredibly good statistics on user selection of four-digit PINs; it is that easy to guess in most cases.

And also, since I'm turning 51 years old in September, I actually do have an email account that I'm actually actively using; I have several email accounts. But asking people how many email accounts do you have, most people will say, well, I've got one at work and I've got one private one. And if I ask my daughter, she's 15 and a half years old, she has two email accounts, one at school and one for personal use. The email address at school is being used for homework, and the personal account is only ever used for registering with new services, nothing else. My daughter never sends emails to anyone; if anyone sends her an email, you will not get an answer; if I send her an email, she won't even see it. That's how it is.

I've also been asking people: do you know what a passphrase is? Did you know you can use spaces in passwords? Most people still don't know that. Do you know what two-step verification or multi-factor authentication is? There's no point in asking people about that, because they don't care and they don't want to learn; just make it easy. And also asking "do you use two-factor or multi-factor authentication?": pointless.

So my point here, to get closer to the ending of this: my key question is, if I give you 24 hours to generate a list of all accounts, passwords and PINs you've got, how much do you think your answers in this survey will change? So go back to the initial questions of how many passwords, how many unique passwords, how many accounts do you have. If I give you 24 hours, do you think you will stay at the same number? Will you double the number? Will you triple it? My experience with those people who have actually done as I've told them to do, tried to make that list: I see that on average the list will increase by three to five times. Typically they will say, well, I've got 20, 30 accounts; they end up with 100 or more. So from a security and privacy perspective, I think that password surveys are, oh, [ __ ], and to the extent they are showing that we have a problem, they should actually show us we have a very [ __ ] serious problem.

So in summary, I do not trust password surveys at all. This has nothing to do with any specific company or organization or anything, but it's just the way we ask the questions and how people interpret what they are being asked about. I really want to know, for these surveys, I really want to know the questions that have been asked. I'm also interested to learn how they were asked: was this a phone interview, was this done online, was this done in person, like, is it through one-on-one interviews? And I would also like to know about the questions asked by the respondents, you know, did they understand it? I want to learn how did they interpret the question being asked. And last but not least, my point of this: I would really like to try to generate a standard set of questions that can either be the start of a password survey or included in password surveys, so across different countries, branches, you know, NGOs or whatever it is, we could be able to compare results across borders, across countries, across ages, genders and so on, because today I find that totally impossible to do. And with that, it is to be continued, because I've been doing this now for many years and I will continue to do so as well. If anyone has a background in psychology or statistics or anything, you know, please raise your hand, ask questions, reach out, link up with me on Twitter, on LinkedIn, because I would really like to, you know, crowdsource information on this: how to ask the questions, how to interpret them, how to explain them, both to the respondents and also to the people that are going to ask people these questions, to make better password surveys. And that's basically my initial start today. Thank you, and time for questions.
Hopefully. Hello, testing. Great, fantastic. I'm just teasing you a little here. So, what is a good password? [Music]

So, it depends, like, you know, what time of the day it is. It's just an example. To me, I say that a good password is a simple positive sentence that is easy for you to remember, that means something, that has happened in the past, that won't change in the future, which is very easy for you to remember. So for the majority of men in here, maybe something not related to your, you know, wedding date, as an example. But in my case, as an example, I can say that some of my passwords that I need to remember are simple sentences that have to do with my parents, my family, places I've lived or they have lived or live today. I know where that is, and I need to get seriously drunk to forget, as an example, where I was born and raised.

So with that information, you just made it much easier for me to brute force your password, thank you. [Laughter]

Okay, I also have a question. Given that people don't really, even if the questions are explained and understood, given that people don't actually know the answers to the questions, are surveys a good way to get the information you're trying to get?

Well, doing password surveys would be better than not doing them, but
so, one more survey question: raise your hand if you are an idiot.

Why am I doing this?

That one backfired. So the point of my question is this: this is from John Cleese of Monty Python. He has said previously that if you ask an idiot "are you an idiot", the idiot will say "no, I'm not", and if you ask somebody who's not an idiot, they will also say no. And I think that with password surveys, just like other things you can ask as well, I think there are a lot of people that won't really, that they really don't want to sort of confess that they are doing something stupid, because you don't want to be considered to be stupid, and you know what you're doing is not good, but you still do it anyway.

So I'm not sure how to really respond to the question as issued initially, but I think that at least it's better to do password surveys than not to do them.
In your surveying, do you see any increased use in password managers, and do you believe those will help in password hygiene in the long run, or do you think having that one central password controlling the keys of the kingdom could do more harm than good?

I'm very sorry, and I'm going to give him a chance to answer that question in a minute, but this man had the poor judgment to make an outrageous speaker request, which was for a hug from Mouse. Now, Mouse intended to be here in person to give you the hug, but instead she's stuck fighting a fire downstairs, so I had to go give her a hug and get a hug from her to pass to you. So this is your surprise. Last night I even went on tips; it was just like she would have to...

And I saw this stuff on Slack and I couldn't remember my request, because I was afraid I actually asked for a spanking from Mouse and Melanie, so, oh, I'm really relieved now. Yeah, so to answer that one, and this is the final one: yes, I really do believe in password managers. I do see an increased use of them. There's, to me, a big difference between built-in password managers in browsers and, you know, these, should I say, standalone password managers. I do recommend password managers, but not for everyone. For my own mother, as an example, my parents, I've said just write them down on a piece of paper, because your risk analysis, the threat scenario, is nobody's interested in them, and keeping five, six passwords on a piece of paper in the kitchen drawer is fine. The Russian FSB is not going to Haugesund in Norway to break into my parents' house and try to get access to their accounts. They are not of that interest, period. It's easy.

Absolutely amazing to be at BSides. Thank you, Mouse, and that's it from my talk. Thank you, and in just a few minutes we have Jeff. [Applause]