Age and Gender Impact on Password Hygiene
Abstract
1. Introduction
1.1. Related Work
1.2. Contribution
- Do older users have weaker passwords considering their lack of general IT education compared to younger generations?
- Has gender no impact on password strength, as previous studies did not find conclusive evidence of any significant differences?
- What is the password hygiene in general?
2. Materials and Methods
2.1. Dataset of Leaked Passwords
2.1.1. Data Leak and Ethical Concerns
2.1.2. Data Description and Validity Checks
2.2. Password Recovery
- Making l33tsp34k-like transformations: AaĄą → 4, EeĖė → 3, IiĮį → 1, SsŠš → 5, etc.;
- Changing letters to numbers based on their keyboard layout: Ąą → 1, Čč → 2, Ęę → 3, Ėė → 4, Įį → 5, Šš → 6, Ųų → 7, Ūū → 8, Žž → 0;
- Simply dropping the diacritics: Ąą → Aa, ĖėĘę → Ee, Įį → Ii, ŲŪųū → Uu, and Žž → Zz.
2.3. Strength Metrics
3. Results
3.1. Description of the Data
3.2. Analysis of Dictionaries and Patterns
3.3. Age and Gender Analysis
4. Discussion
Limitations and Strengths
5. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Sample Availability
Dictionary | Words | Passwords | Unique | Description |
---|---|---|---|---|
Lithuanian words | 83,256 | 1530 | 0 | Microsoft’s spell checker |
↪ Latin version | 81,093 | 3044 | 0 | Same, with diacritic symbols removed |
Anthology | 144,716 | 1852 | 10 | Most frequent words (without diacritics) from Lithuanian classic literature |
CityBee users | 145,401 | 3044 | 464 | Names and e-mail patterns |
Top500k Lithuanian passwords | 523,267 | 21,152 | 1745 | Breaches of 2019–2020 |
Extended Lithuanian leaks | 1,944,927 | 24,045 | 4084 | Names and passwords of previous breaches (388,327 words overlap with the Top500k dictionary) |
Rockyou | 14,344,392 | 8145 | 2797 | Social games site’s leak, 2009 |
All Lithuanian words | 33,170,533 | 3823 | 154 | Generated using Lithuanian language grammar rules (without diacritics) |
Master dictionary | 49,705,914 | 30,265 | | Unique words from all dictionaries together |
Length | All Records: Count | All Records: Proportion | Male: Count | Male: Proportion | Female: Count | Female: Proportion | Foreign/Unknown: Count | Foreign/Unknown: Proportion |
---|---|---|---|---|---|---|---|---|
0 | 536 | 0.49% | 322 | 0.45% | 95 | 0.28% | 119 | 2.54% |
1 | 1 | 0.001% | 1 | 0.001% | ||||
3 | 24 | 0.02% | 8 | 0.01% | 9 | 0.03% | 7 | 0.15% |
4 | 253 | 0.23% | 30 | 0.04% | 115 | 0.34% | 108 | 2.30% |
5 | 607 | 0.55% | 246 | 0.34% | 174 | 0.52% | 187 | 3.99% |
6 | 5490 | 4.98% | 3442 | 4.78% | 1641 | 4.88% | 407 | 8.68% |
7 | 5578 | 5.06% | 3484 | 4.84% | 1760 | 5.24% | 334 | 7.12% |
8 | 38,594 | 34.99% | 25,004 | 34.73% | 11,509 | 34.24% | 2,081 | 44.36% |
9 | 17,659 | 16.01% | 11,730 | 16.29% | 5451 | 16.22% | 478 | 10.19% |
10 | 13,687 | 12.41% | 9024 | 12.53% | 4363 | 12.98% | 300 | 6.40% |
11 | 8727 | 7.91% | 5705 | 7.92% | 2841 | 8.45% | 181 | 3.86% |
12 | 5187 | 4.70% | 3329 | 4.62% | 1771 | 5.27% | 87 | 1.85% |
13 | 2732 | 2.48% | 1730 | 2.40% | 955 | 2.84% | 47 | 1.00% |
14 | 1597 | 1.45% | 974 | 1.35% | 599 | 1.78% | 24 | 0.51% |
15 | 770 | 0.70% | 449 | 0.62% | 313 | 0.93% | 8 | 0.17% |
16 | 357 | 0.32% | 217 | 0.30% | 137 | 0.41% | 3 | 0.06% |
17 | 155 | 0.14% | 81 | 0.11% | 72 | 0.21% | 2 | 0.04% |
18 | 99 | 0.09% | 60 | 0.08% | 37 | 0.11% | 2 | 0.04% |
19 | 34 | 0.03% | 21 | 0.03% | 11 | 0.03% | 2 | 0.04% |
20 | 20 | 0.02% | 10 | 0.01% | 10 | 0.03% | ||
21 | 6 | 0.01% | 1 | 0.001% | 5 | 0.01% | ||
22 | 3 | 0.003% | 2 | 0.003% | 1 | 0.003% | ||
24 | 1 | 0.001% | 1 | 0.001% | ||||
25 | 1 | 0.001% | 1 | 0.001% | ||||
26 | 1 | 0.001% | 1 | 0.003% | ||||
28 | 1 | 0.001% | 1 | 0.001% | ||||
Unknown | 8182 | 7.42% | 6130 | 8.51% | 1738 | 5.17% | 314 | 6.69% |
Total | 110,302 | 100.00% | 72,003 | 100.00% | 33,608 | 100.00% | 4691 | 100.00% |
Class | Fraction | Example | Description |
---|---|---|---|
random | 21.45% | 9q7FZ!OTkE | A sequence of random characters |
digits only | 4.00% | 1234500 | Any sequence of digits |
↪ phone | 0.75% | 860012345 | Possibly a phone number |
↪ personal code | 0.10% | | State-issued code, 11 digits |
date of birth | 1.24% | me19720101 | User’s date of birth in any format |
special symbol | 2.58% | password! | At least one special character |
spatial | 0.11% | 1q2w3e | Keyboard walks |
lowercase only | 23.82% | apassword | a–z letters only |
uppercase only | 0.09% | PASSWORD | A–Z letters only |
ULS pattern | 3.05% | Password1 | One A–Z, then many a–z, then any non-letter |
ULS+ pattern | 12.21% | Password!1 | One A–Z, then many a–z, then many non-letters |
repeat | 5.19% | Pass121212 | Repeated groups of one or more characters |
word based | 74.55% | Password123 | Some part is a dictionary word |
↪ name/email | 8.61% | Someuser!1 | User’s name or email |
↪ reversed name | 0.23% | resUemoS123 | User’s name in reverse |
↪ l33t | ≈1.5% | P455w0rd | L33tsp34k, somewhat ambiguous |
Char | Count | Freq % | Char | Count | Freq % | Char | Count | Freq % | Char | Count | Freq % |
---|---|---|---|---|---|---|---|---|---|---|---|
a | 31,081 | 8.08 | 4 | 6012 | 1.56 | V | 2568 | 0.67 | # | 19 | 0.005 |
s | 20,521 | 5.33 | v | 5753 | 1.49 | C | 2553 | 0.66 | % | 18 | 0.005 |
i | 17,970 | 4.67 | p | 5583 | 1.45 | N | 2544 | 0.66 | / | 15 | 0.004 |
1 | 15,516 | 4.03 | c | 4768 | 1.24 | I | 2526 | 0.66 | ) | 14 | 0.004 |
e | 14,785 | 3.84 | y | 4749 | 1.23 | U | 2486 | 0.65 | space | 11 | 0.003 |
r | 11,869 | 3.08 | z | 4641 | 1.21 | J | 2437 | 0.63 | : | 10 | 0.003 |
u | 11,467 | 2.98 | j | 4589 | 1.19 | H | 2413 | 0.63 | = | 8 | 0.002 |
n | 10,956 | 2.85 | f | 3482 | 0.90 | O | 2391 | 0.62 | ; | 8 | 0.002 |
t | 10,787 | 2.80 | h | 3478 | 0.90 | F | 2389 | 0.62 | & | 6 | 0.002 |
l | 10,466 | 2.72 | x | 3236 | 0.84 | Z | 2375 | 0.62 | ( | 5 | 0.0013 |
2 | 10,287 | 2.67 | w | 3071 | 0.80 | X | 2325 | 0.6 | > | 3 | 0.0008 |
k | 10,215 | 2.65 | A | 3029 | 0.79 | W | 2313 | 0.6 | \ | 3 | 0.0008 |
o | 10,163 | 2.64 | M | 2866 | 0.74 | Q | 2289 | 0.59 | ' | 2 | 0.0005 |
0 | 8864 | 2.30 | S | 2844 | 0.74 | Y | 2239 | 0.58 | [ | 2 | 0.0005 |
m | 8847 | 2.30 | L | 2724 | 0.71 | . | 151 | 0.04 | ~ | 2 | 0.0005 |
3 | 8202 | 2.13 | K | 2654 | 0.69 | @ | 131 | 0.03 | { | 2 | 0.0005 |
9 | 7742 | 2.01 | P | 2630 | 0.68 | - | 87 | 0.02 | ] | 2 | 0.0005 |
d | 7727 | 2.01 | R | 2626 | 0.68 | ! | 80 | 0.02 | < | 1 | 0.0003 |
5 | 6981 | 1.81 | D | 2624 | 0.68 | * | 75 | 0.02 | | | 1 | 0.0003 |
7 | 6367 | 1.65 | q | 2623 | 0.68 | ? | 50 | 0.01 | ^ | 1 | 0.0003 |
b | 6294 | 1.64 | T | 2619 | 0.68 | _ | 44 | 0.01 | " | 1 | 0.0003 |
8 | 6283 | 1.63 | E | 2615 | 0.68 | + | 40 | 0.01 | } | 1 | 0.0003 |
g | 6202 | 1.61 | B | 2605 | 0.68 | $ | 24 | 0.01 | ` | 0 | 0 |
6 | 6158 | 1.60 | G | 2597 | 0.67 | , | 19 | 0.005 |
Password Strength (log10) | Female | Male |
---|---|---|
Valid | 30,631 | 62,185 |
Missing | 0 | 0 |
Mean | ||
Std. Error of Mean | ||
Std. Deviation | ||
Minimum | ||
Maximum |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Juozapavičius, A.; Brilingaitė, A.; Bukauskas, L.; Lugo, R.G. Age and Gender Impact on Password Hygiene. Appl. Sci. 2022, 12, 894. https://doi.org/10.3390/app12020894