Heartbleed update: UOIT researchers analyze why consumers use weak passwords

Internet security is front and centre in the wake of recent news stories about the Heartbleed Internet bug. The online bug has exposed a potential encryption vulnerability and prompted some websites to temporarily shut down, including Canada Revenue Agency’s (CRA) tax filing system. The CRA reported on April 14 about 900 social insurance numbers were stolen by the bug.

The Heartbleed bug is also prompting discussion about how insecure our passwords are. Researchers at the University of Ontario Institute of Technology (UOIT), including Dr. Christopher Collins, UOIT’s Canada Research Chair in Linguistic Information Visualization; Dr. Julie Thorpe, Assistant Professor, IT Security (whose research specializes in authentication and passwords); and graduate student Rafael Veras Guimarães, are actively examining the issue by investigating the secret language of passwords, including how the meaning of passwords relates to security risks.

“Where prior research investigated simple letter and number sequences such as password123, our research delves into the composition of more complex passwords such as a specific date like may101982,” said Dr. Collins. “Patterns involving the word love, specific names and day/month/year, where letters are followed by numbers are very common.”

The resulting analysis of these relationships between types of words guided the researchers’ creation of a password guessing system (not available to the public) which on several measures has proven to be more effective than any prior published result. The exposed vulnerabilities are motivating ongoing work by Dr. Collins and Dr. Thorpe into new ways to help people create ‘semantically secure’ passwords.

“Our research started with the many large password leaks that were made publicly available on the Internet, such as the 32-million passwords from the RockYou website that were exposed in 2009,” said Dr. Thorpe. “In terms of date patterns, a quarter of the RockYou passwords contain a numeric sequence of at least four digits. We wondered if these sequences are dates, and if so, are there any temporal patterns? Our analyses discovered six per cent of these passwords (almost two million accounts) contain numbers that match a date.”

The UOIT researchers created an interface to determine the frequency that each day, month, year or decade (back to the year 1900) is referred to, as well as the corresponding passwords. Passwords with numbers more likely to be keyboard patterns than dates, such as ‘111111’ were not counted.

“We confirmed a preference for dates with repeated days and months, such as 08/08/1989,” said Dr. Collins. “We also uncovered hidden patterns, such as a consistent preference for the first two days of months, holidays, and a few notorious dates such as the date of the Titanic sinking (April 12, 1912).

• Read the full research paper
• Try the researchers’ exploratory interface

The UOIT researchers also examined patterns in the choice of words or ‘password grammar’. Individual words were classified according to grammar (syntax) function and their meaning.

“The resulting model finds ‘love’ is the most common verb in passwords,” said Dr. Thorpe. “Honey is the most-used food-related word, and monkey is the most popular animal. And contrary to reported psychology research, many categories related to sexuality and profanity are among the top 100.”

Other discoveries provided insight on the relationships between concepts. The UOIT model shows a male name is four times more likely to follow the string ‘ilove’ than a female name.

“Our conclusion: the security provided by passwords is overestimated by methods that do not account for basic semantic patterns,” said Dr. Collins.

• Link to the UOIT researchers’ paper published in the 2014 Network and Distributed System Security Symposium, held in San Diego, California.  

Key tips – make sure your new passwords:

• Are at least eight characters in length (longer is much better).
• Contain both upper case and lower case characters.
• Contain numbers and special characters, and not just at the end of the password
• Contain unusual words and/or unusual sequences of words.
• Do not contain common themes, e.g., love (especially in the context of "I love X"), sexual terms, profanity, royalty, animals, food, money, names, dates or places.
• Consider using a password manager – which can help generate random, strong passwords. Password manager programs are normally locked by a single master password, which means you only need to remember one strong (master) password.

Dr. Christopher Collins and Dr. Julie Thorpe are available to speak with journalists upon request.

Also happening at UOIT:

• Dr. Khalil El-Khatib, UOIT Faculty of Business and Information Technology, and Sentry Metrics will co-host a public seminar about the Heartbleed bug on Wednesday, April 16 at 4 p.m. The seminar will take place in the Energy Systems and Nuclear Science Research Centre, Room 1092 at UOIT’s north Oshawa location (2000 Simcoe Street North).

About Ontario Tech University
A modern, forwarding-thinking university, Ontario Tech advances the discovery and application of knowledge to accelerate economic growth, regional development and social innovation. We inspire and equip our students and our graduates to make a positive impact in a tech-focused world. For us, it’s not only about developing the next tech breakthrough. Understanding and integrating the social and ethical implications of technology differentiates us as university. Learn more at ontariotechu.ca.

Media contact
Bryan Oliver
Communications and Marketing
Ontario Tech University
905.721.8668 ext. 6709
289.928.0268
bryan.oliver@uoit.ca