Skip to main content
Ontario Tech acknowledges the lands and people of the Mississaugas of Scugog Island First Nation.

We are thankful to be welcome on these lands in friendship. The lands we are situated on are covered by the Williams Treaties and are the traditional territory of the Mississaugas, a branch of the greater Anishinaabeg Nation, including Algonquin, Ojibway, Odawa and Pottawatomi. These lands remain home to many Indigenous nations and peoples.

We acknowledge this land out of respect for the Indigenous nations who have cared for Turtle Island, also called North America, from before the arrival of settler peoples until this day. Most importantly, we acknowledge that the history of these lands has been tainted by poor treatment and a lack of friendship with the First Nations who call them home.

This history is something we are all affected by because we are all treaty people in Canada. We all have a shared history to reflect on, and each of us is affected by this history in different ways. Our past defines our present, but if we move forward as friends and allies, then it does not have to define our future.

Learn more about Indigenous Education and Cultural Services

Heartbleed update: UOIT researchers analyze why consumers use weak passwords

How can you improve strength of your online passwords?

Below right image: Dr. Christopher Collins (left), UOIT Canada Research Chair in Linguistic Information Visualization, speaks with graduate student Rafael Veras Guimarães in the Faculty of Science's Visualization for Information Analysis Laboratory (Vialab).
Below right image: Dr. Christopher Collins (left), UOIT Canada Research Chair in Linguistic Information Visualization, speaks with graduate student Rafael Veras Guimarães in the Faculty of Science's Visualization for Information Analysis Laboratory (Vialab).

Internet security is front and centre in the wake of recent news stories about the Heartbleed Internet bug. The online bug has exposed a potential encryption vulnerability and prompted some websites to temporarily shut down, including Canada Revenue Agency’s (CRA) tax filing system. The CRA reported on April 14 about 900 social insurance numbers were stolen by the bug.

The Heartbleed bug is also prompting discussion about how insecure our passwords are. Researchers at the University of Ontario Institute of Technology (UOIT), including Dr. Christopher Collins, UOIT’s Canada Research Chair in Linguistic Information Visualization; Dr. Julie Thorpe, Assistant Professor, IT Security (whose research specializes in authentication and passwords); and graduate student Rafael Veras Guimarães, are actively examining the issue by investigating the secret language of passwords, including how the meaning of passwords relates to security risks. Dr. Christopher Collins, UOIT Canada Research Chair in Linguistic Information Visualization

“Where prior research investigated simple letter and number sequences such as password123, our research delves into the composition of more complex passwords such as a specific date like may101982,” said Dr. Collins. “Patterns involving the word love, specific names and day/month/year, where letters are followed by numbers are very common.”

The resulting analysis of these relationships between types of words guided the researchers’ creation of a password guessing system (not available to the public) which on several measures has proven to be more effective than any prior published result. The exposed vulnerabilities are motivating ongoing work by Dr. Collins and Dr. Thorpe into new ways to help people create ‘semantically secure passwords.

“Our research started with the many large password leaks that were made publicly available on the Internet, such as the 32-million passwords from the RockYou website that were exposed in 2009,” said Dr. Thorpe. “In terms of date patterns, a quarter of the RockYou passwords contain a numeric sequence of at least four digits. We wondered if these sequences are dates, and if so, are there any temporal patterns? Our analyses discovered six per cent of these passwords (almost two million accounts) contain numbers that match a date.”

The UOIT researchers created an interface to determine the frequency that each day, month, year or decade (back to the year 1900) is referred to, as well as the corresponding passwords. Passwords with numbers more likely to be keyboard patterns than dates, such as ‘111111’ were not counted.

“We confirmed a preference for dates with repeated days and months, such as 08/08/1989,” said Dr. Collins. “We also uncovered hidden patterns, such as a consistent preference for the first two days of months, holidays, and a few notorious dates such as the date of the Titanic sinking (April 12, 1912).

The UOIT researchers also examined patterns in the choice of words or ‘password grammar’. Individual words were classified according to grammar (syntax) function and their meaning.

“The resulting model finds ‘love’ is the most common verb in passwords,” said Dr. Thorpe. “Honey is the most-used food-related word, and monkey is the most popular animal. And contrary to reported psychology research, many categories related to sexuality and profanity are among the top 100.”

Other discoveries provided insight on the relationships between concepts. The UOIT model shows a male name is four times more likely to follow the string ‘ilove’ than a female name.

“Our conclusion: the security provided by passwords is overestimated by methods that do not account for basic semantic patterns,” said Dr. Collins.

Key tips – make sure your new passwords:

  • Are at least eight characters in length (longer is much better).
  • Contain both upper case and lower case characters.
  • Contain numbers and special characters, and not just at the end of the password
  • Contain unusual words and/or unusual sequences of words.
  • Do not contain common themes, e.g., love (especially in the context of "I love X"), sexual terms, profanity, royalty, animals, food, money, names, dates or places.
  • Consider using a password manager – which can help generate random, strong passwords. Password manager programs are normally locked by a single master password, which means you only need to remember one strong (master) password.

Dr. Christopher Collins and Dr. Julie Thorpe are available to speak with journalists upon request.

Also happening at UOIT:

  • Dr. Khalil El-Khatib, UOIT Faculty of Business and Information Technology, and Sentry Metrics will co-host a public seminar about the Heartbleed bug on Wednesday, April 16 at 4 p.m. The seminar will take place in the Energy Systems and Nuclear Science Research Centre, Room 1092 at UOIT’s north Oshawa location (2000 Simcoe Street North).

About Ontario Tech University
A modern, forwarding-thinking university, Ontario Tech advances the discovery and application of knowledge to accelerate economic growth, regional development and social innovation. We inspire and equip our students and our graduates to make a positive impact in a tech-focused world. For us, it’s not only about developing the next tech breakthrough. Understanding and integrating the social and ethical implications of technology differentiates us as university. Learn more at ontariotechu.ca.


Media contact
Bryan Oliver
Communications and Marketing
Ontario Tech University
905.721.8668 ext. 6709
289.928.0268
bryan.oliver@uoit.ca