A couple of articles this week got me thinking about the way people – you, me, your cousin Sally – think about cybersecurity and passwords. How do we develop our feelings about passwords and security? By feelings, I don’t mean a sentimental “I ______ passwords” (love or hate, insert your preference). I’m talking about our individual attitudes and approaches to using passwords. Is it a cultural thing?
Darlene Storm in her ‘Security is Sexy’ (yes, it is!) column for Computerworld tells us about research analyzing passwords by country. Variables like password length, use of passwords from lists of common passwords (dictionary), and common password patterns were looked at for five countries: the United States, Russia, China, Pakistan and India.
According to researcher Faizan Ahmad, Russians are far and away the best at consistently following good password hygiene.
Length does matter
For starters, Mr Ahmad scanned for length of password (from 6-14 characters) by country, checking for the percentage of passwords that fell into each length by country. The largest percentage of passwords in Russia were 12 characters long, followed by 11 characters. Nicely done!
The largest percentage of passwords in the U.S., India and Pakistan were 8 characters, followed by 9 characters. Not so good.
For the record, China came in with their largest percentage having 9 characters, followed by 8 characters. No bonus points for them.
The Top 50 list you don’t want to be on
Another area that Mr Ahmad looked at is the percentage of passwords from each country that made it to the Top 50 list of common passwords – you know, the lists that come out at the end of each year of the year’s worst passwords. Once again, the Russians excelled at security while the other countries lagged way behind.
Americans and Indians had a 20x greater occurrence than Russians. China was approx. 25x as bad as Russia, with Pakistan bringing up the rear at over 35x more users having passwords in the top 50 common passwords.
But why should security be based on your country?
What if our views of security, in general, but specifically passwords, were shaped by pop culture instead of the reality that’s around us?
In 2016, when talking to folks about cybersecurity (hey, that’s what we do!), you might think that their approach would be based on current events (lots of news of hacks and how to protect oneself), when instead it’s quite possible that they approach passwords based on cultural elements – events that occurred when they were growing up, and especially movies from that earlier era.
Rich Haridy at New Atlas created a series of videos showing the way Hollywood has depicted computer hacking in movies since Wargames in the early 80’s. Back in 1983, Wargames gave a pretty accurate portrayal of the way hacking worked at the time (think modems!).
Superman III shows Richard Pryor hacking a computer by simply entering “OVERRIDE ALL SECURITY” in response to the prompt Give Security Code. And the image of geeky nerds being super computer hackers is the lasting – iconic! – image that first appeared in the movie Revenge of the Nerds.
The fascinating thing is that it’s this wrong image of hacking and cybersecurity – from these hugely popular American movies – that lots of us have in our minds when we think about our own security online.
Mr Haridy presents quite a list of movies from the 80’s, 90’s and 2000’s and how accurately they portray security. I recommend the entertaining and informative trip down memory lane (follow the links to videos).
Hollywood and Hacking:
Food for thought: do movies made in Russia, China, Pakistan, India, and other countries depict computer security in ways that leads their citizens to approach passwords so differently?
Awareness in the right places
Sticky Password regularly participates in security awareness events like Twitter chats organized by StaySafeOnline based in Washington D.C. Security awareness is a big deal in the U.S. yet… many people aren’t on board. Maybe if we made a movie…
What do you think? Let us know in the comments, or send us your thoughts at firstname.lastname@example.org and together we’ll dive deeper in a future blog.