When it comes to choosing passwords, it turns out that a person's country of residence has an impact on the strength of their choice.
Researchers from GoSecure have uncovered four primary macro-social factors that strongly correlate to positive password performance (measured by the time it takes to crack the credential, in seconds). Those are:
- Level of human rights in-country and its degree of free society;
- Literacy level of a population;
- Country's placement in the Global Cybersecurity Index (GCI); and
- Level of data-breach exposure and victimization.
"Countries have an impact on the level of protection of their users," according to the report, released this week. "A user’s country of origin and/or residence necessarily has an impact on their social identity. It means that our social identity, which can be influenced by several levels (e.g., macro and micro), might have an impact on password choice."
4 Correlations of Society's Impact on Password Performance
To arrive at these conclusions, the researchers started with the mean time needed to crack the 200 most common passwords by country, as determined by NordPass. According to the most recent data set (last November), the mean time to crack passwords globally is about 9.6 hours, spanning a range from 0 hours to more than 10 years. That said, the majority of passwords (61%) included in the list can be cracked in less than a minute, according to the findings, which dovetail with other analysis.
GoSecure then took this dataset and cross-referenced it with 29 different social variables, eventually finding that four of them were strongly correlated indicators of password strength.
1. Support for Civil Society
Interestingly, the level of democracy and freedom within a country posed a strong correlation to password strength, the firm found.
"Countries in which citizens participate in selecting their government and have freedom increase password strength performance," according to GoSecure researcher Andréanne Bergeron, writing in the analysis. "This might be explained by the fact that democratic countries also have greater access to the Internet."
The firm used Voice & Accountability as a cross-referenced data point, which is one of six components of governance indicators as stipulated by the World Bank. Voice & Accountability reflects perceptions of the extent to which a country’s citizens are able to participate in selecting their government, as well as freedom of expression, freedom of association, and a free media.
"Since the Internet is synonymous with access to information and freedom, undemocratic countries are resistant to the widespread use of Internet by their citizens," Bergeron said. "When the Internet is widely accessible, people learn how to use it and structures can be developed."
2. Basic Education
Literacy is a predictive benchmark for better password practices because it's directly connected to the use of technologies and the ability to educate oneself, according to GoSecure. When a user’s level of cybersecurity knowledge increases, their cybersecurity behaviors improve. The firm cross-referenced publicly available data on literacy rates with the password-cracking data to bear this out.
"To seek, evaluate, and use information found on the Internet, users must navigate via largely text-based menus and links, as well as reading large volumes of text," Bergeron said. "The challenges faced by low-literacy users when creating and managing passwords are documented and research indicates that they are more prevalent than in the literate population."
3. Global Cybersecurity Index
Unsurprisingly, the level of government commitment to and funding in cybersecurity also matters. Bergeron said, "The commitment of countries to fight against online crime is beneficial economically. The present analysis goes further suggesting this type of investment predicts better password strength performance."
Researchers found the correlation by cross-referencing the ITU's Global Cybersecurity Index (GCI) with the NordVPN numbers. The GCI is a comprehensive measure of the cybersecurity commitment of individual countries, gleaned from 25 indicators across five pillars (Legal Measures, Technical Measures, Organizational Measures, Capacity Development, and Cooperation).
4. Cybersecurity Exposure Index
It makes sense that people might be more sensitive to the importance of protecting data with strong passwords when they are exposed to more cybersecurity incidents — in fact, GoSecure noted that the level at which countries are targeted (as determined by the Cyber Exposure Index) had the strongest correlation to better password hygiene in its analysis.
The CEI is based on data about sensitive disclosures, exposed credentials, and hacker-group activity against companies, collected from publicly available sources in the Dark Web and Deep Web and from data breaches.
"Users are aware of the meaning of a data breach, and it influences their behavior and password formation strategies," according to the report. "This demonstrates the resilience of users when they live in a hostile environment."