CMU Research Makes Password Data More Secure

Feb 29, 2016

Yahoo! is the first organization to voluntarily give up password frequency data, with the goal of making passwords more secure in the future.

Researchers at Carnegie Mellon and Stanford University have been given access to password “frequency” information of 70 million Yahoo! users in order to develop methods to make online accounts more secure.

Companies track how many users choose the same, or similar, passwords. Those figures are collected to determine password frequency.

Anupam Datta, an associate professor of computer science at CMU, said that, in the right hands, that information helps organizations determine how strict to make their password standards.

“If there aren’t like, these very large numbers of users who are picking one particularly common password like ‘123456’ then, perhaps, the number of attempts that can be given to users can be made higher,” Datta said. 


This data can also be used by hackers to gain access to accounts with easily guessed passwords. CMU’s privacy method distorts the numbers so individual passwords are not at risk.

Datta said that, even with safety concerns, passwords are still necessary.

“They’re here for some very good reasons,” he said, “where they offer some kind of sweet spot between security and usability. And it’s not so easy to replace passwords by another mechanism that has all of those properties.”

Yahoo! is the first organization to voluntarily provide a frequency list of its users. However, breaches like the RockYou data set in 2009 have allowed researchers to advance their work.