A couple of articles this week got me thinking about the way people – you, me, your cousin Sally – think about cybersecurity and passwords. How do we develop our feelings about passwords and security? By feelings, I don’t mean a sentimental “I ______ passwords” (love or hate, insert your preference). I’m talking about our individual attitudes and approaches to using passwords. Is it a cultural thing?

Absorbing password hygiene at the moview

Darlene Storm in her ‘Security is Sexy’ (yes, it is!) column for Computerworld tells us about research analyzing passwords by country. Variables like password length, use of passwords from lists of common passwords (dictionary), and common password patterns were looked at for five countries: the United States, Russia, China, Pakistan and India.

According to researcher Faizan Ahmad, Russians are far and away the best at consistently following good password hygiene.

Length does matter

For starters, Mr Ahmad scanned for length of password (from 6-14 characters) by country, checking for the percentage of passwords that fell into each length by country. The largest percentage of passwords in Russia were 12 characters long, followed by 11 characters. Nicely done!

The largest percentage of passwords in the U.S., India and Pakistan were 8 characters, followed by 9 characters. Not so good.

For the record, China came in with their largest percentage having 9 characters, followed by 8 characters. No bonus points for them.

The Top 50 list you don’t want to be on

Another area that Mr Ahmad looked at is the percentage of passwords from each country that made it to the Top 50 list of common passwords – you know, the lists that come out at the end of each year of the year’s worst passwords. Once again, the Russians excelled at security while the other countries lagged way behind.

Americans and Indians had a 20x greater occurrence than Russians. China was approx. 25x as bad as Russia, with Pakistan bringing up the rear at over 35x more users having passwords in the top 50 common passwords.

But why should security be based on your country?

What if our views of security, in general, but specifically passwords, were shaped by pop culture instead of the reality that’s around us?

In 2016, when talking to folks about cybersecurity (hey, that’s what we do!), you might think that their approach would be based on current events (lots of news of hacks and how to protect oneself), when instead it’s quite possible that they approach passwords based on cultural elements – events that occurred when they were growing up, and especially movies from that earlier era.

Rich Haridy at New Atlas created a series of videos showing the way Hollywood has depicted computer hacking in movies since Wargames in the early 80’s. Back in 1983, Wargames gave a pretty accurate portrayal of the way hacking worked at the time (think modems!).

Superman III shows Richard Pryor hacking a computer by simply entering “OVERRIDE ALL SECURITY” in response to the prompt Give Security Code. And the image of geeky nerds being super computer hackers is the lasting – iconic! – image that first appeared in the movie Revenge of the Nerds.

The fascinating thing is that it’s this wrong image of hacking and cybersecurity – from these hugely popular American movies – that lots of us have in our minds when we think about our own security online.

Mr Haridy presents quite a list of movies from the 80’s, 90’s and 2000’s and how accurately they portray security. I recommend the entertaining and informative trip down memory lane (follow the links to videos).

Hollywood and Hacking:

The 1980s – kid hackers, nerds and Richard Pryor

The 1990s – Techno, virtual reality and Steven Seagal’s Apple Newton

Into the 21st Century – Real life hackers, computer punks and Hugh Jackman dancing

Food for thought: do movies made in Russia, China, Pakistan, India, and other countries depict computer security in ways that leads their citizens to approach passwords so differently?

Awareness in the right places

Sticky Password regularly participates in security awareness events like Twitter chats organized by StaySafeOnline based in Washington D.C. Security awareness is a big deal in the U.S. yet… many people aren’t on board. Maybe if we made a movie…

What do you think? Let us know in the comments, or send us your thoughts at mystory@stickypassword.com and together we’ll dive deeper in a future blog.