Researchers at Carnegie Mellon and Stanford University have been given access to password “frequency” information of 70 million Yahoo! users in order to develop methods to make online accounts more secure.
Companies track how many users choose the same, or similar, passwords. Those figures are collected to determine password frequency.
Anupam Datta, an associate professor of computer science at CMU, said that, in the right hands, that information helps organizations determine how strict to make their password standards.
“If there aren’t like, these very large numbers of users who are picking one particularly common password like ‘123456’ then, perhaps, the number of attempts that can be given to users can be made higher,” Datta said.
This data can also be used by hackers to gain access to accounts with easily guessed passwords. CMU’s privacy method distorts the numbers so individual passwords are not at risk.
Datta said that, even with safety concerns, passwords are still necessary.
“They’re here for some very good reasons,” he said, “where they offer some kind of sweet spot between security and usability. And it’s not so easy to replace passwords by another mechanism that has all of those properties.”
Yahoo! is the first organization to voluntarily provide a frequency list of its users. However, breaches like the RockYou data set in 2009 have allowed researchers to advance their work.