
Password Privacy

Merged into "Without Forced Entry / Road to Cyber-Safety / Password Privacy / The Weakest Link" application

Written by Goulven Guillard
Sketch 1 (1,500 characters)

*This application has been merged into "Without Forced Entry" (see "Inspiration" link below), it is kept for the comments history and additional description.*
Additional description:
I used https://howsecureismypassword.net to create examples of passwords in an increasing order of difficulty to crack (from "instant" to "336 sextillion years"…), then attributed each an increasing opacity. I used passwords easy to interpret in terms of how they are defined (character set and length, mostly).
Original photograph credits: Lies Thru a Lens, CC-BY (https://commons.wikimedia.org/wiki/File:Danrocha.jpg).

What is your experience with the field of cybersecurity?

  • I have minimal experience and/or knowledge in the cybersecurity field.

What best describes you?

  • Other

How did you hear about this OpenIDEO Challenge?

  • In the news

Location: City

Clermont-Ferrand, France.

Location: Country

  • France

9 comments

Comment by Jason Kravitz

This is a great topic to educate people and I think you have some good ideas to get started.

One thought on your sketch is that another way people might interpret that is they are trying to see the naked woman and just making guesses. Vs. the woman herself not wanting others to see her photos revealed and her choice of password being the only thing keeping them safe. A subtle distinction but could impact the effectiveness of the campaign. Maybe a clever title or header could help.

Maybe for another image in the series, you could do something with financials - like the weak password tier says "Bank balance transferred. Account $0". Not sure how to do the sliding scale of stronger passwords but something to play around with...

FWIW, in my experience, one of the biggest reasons people use weak passwords is:
a) They don't think they can remember a complex one, or feel overwhelmed with too many passwords.
b) Even despite all the breaches going on, they don't see an immediate reason to change, short of getting their email hacked or something like that, so they don't.

Regarding point a, I think more can be done to caution people on password reuse. For example, at least to not use the same password for their web email as they do for other services given that when that other service gets breached, the first thing people do is try to login to the webmail with the same password, and from there can reset any other number of accounts. Of course a password manager is a perfect tool in this case and yet many people don't bother.

On point b, I think this is the case with most cyber security knowledge. People hear about risks and may be concerned here or there, but if it doesn't immediately affect them, they have other stuff to worry about.

Comment by Jason Kravitz

One small technical suggestion on secure passwords. The idea of substituting 3 for E or zero for O is not something people recommend much anymore, as most brute force password cracking tools also use all these common substitutions, along with feeding their scripts millions of previously used passwords from public breaches.

Seems like the site you linked is calculating "password security" solely on length and variance of characters. However another issue is predictability, which does not seem to be factored into their checker. Aka common "clever" words / phrases are still easy to crack even if they are longer or more complex.

For example a password of "password" registers as "instant" which it is, but "password123" registers as taking "1 month" to crack. In a real world scenario, given the predictability and the fact it has been used before a lot, that too would be cracked instantly -- as would "p4ssw0rd123" despite the numeric substitutions.

While not a huge issue as that last password for example is still fairly complex (by length and character variance), it is good when creating visuals to depict "best practices", to ensure the latest guidance is conveyed.

A truly secure password (for the last phase) would be something like
QAe!Y3AFyJD&cfhT

Because it is not something a person would come up with (not predictable) and has high entropy based on length and variance of characters.
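As an added illustration of the point made in this comment (not code from the original thread or from the linked site), a small Python checker that computes the length-and-variance figure such a site reports next to a predictability check that undoes the common substitutions; the common-password set is a constructed stand-in for the breach-derived wordlists mentioned above.

```python
import itertools
import math
import string

# Constructed stand-in for the breach-derived wordlists crackers are fed;
# a real list runs to millions of entries (assumption for this example).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

# Substitutions that cracking rules undo ("3 for E", "0 for O", ...).
LEET_MAP = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t"}


def charset_size(pw):
    """Size of the alphabet a length-and-variance checker assumes for pw."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def naive_entropy_bits(pw):
    """Strength as a length-and-variance checker sees it: log2(alphabet ** length)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def leet_variants(pw):
    """Yield the lowercased password with every subset of its substitutions undone
    (capped at 10 substitutable positions, i.e. at most 1024 variants)."""
    lowered = pw.lower()
    positions = [i for i, c in enumerate(lowered) if c in LEET_MAP][:10]
    for undo_mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(lowered)
        for pos, undo in zip(positions, undo_mask):
            if undo:
                chars[pos] = LEET_MAP[chars[pos]]
        yield "".join(chars)


def is_predictable(pw):
    """True when any de-substituted form is a known, previously used password."""
    return any(variant in COMMON_PASSWORDS for variant in leet_variants(pw))


def assess(pw):
    """Pair the naive figure with the predictability check the naive figure misses."""
    return {"naive_bits": round(naive_entropy_bits(pw), 1), "predictable": is_predictable(pw)}


if __name__ == "__main__":
    for candidate in ("password", "password123", "p4ssw0rd123", "QAe!Y3AFyJD&cfhT"):
        print(f"{candidate:20} {assess(candidate)}")
```

"password123" and "p4ssw0rd123" get the same naive figure, which is why the checker rates the second as a month of work; the predictability check flags both.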

Comment by Goulven Guillard

Thanks for your feedback. I'm not sure I completely understand the "guessing" issue but indeed a title would help clarify anyway. And financials would be a good addition to the series, yes.

Concerning the common substitutions issue, actually I had this trap in mind when trying to come up with passwords with different levels of security, and I think I managed to avoid it. If you look more closely at the "Mix3dUp?" example, it's not just a substitution of letters by numbers (you will notice that the 'i' is plain), but a mix of numbers, uppercase and lowercase letters, and punctuation.

Anyway, I'm not sure it's possible to convey all the good practices in such a picture while keeping it attractive and legible. I'm not sure what the Hewlett Foundation wants to do with these pictures, but if this idea were to be selected I believe a good use for it would be to forward people to a dedicated, neutral and up-to-date "password good practices" website.

Finally, I don't believe your last example is "that" secure (unless used with a password manager). A secure password is also easy to remember, or it will be written or stored somewhere. The main issue with passwords is their predictability. Take a long and not common sentence, title-case it (or even better, reverse-title-case it), remove parts of the words, tweak a few letters with numbers and special characters, and you'll have a pretty unpredictable yet easy to remember password.
