Reply to post:

Bombshell discovery: When it comes to passwords, the smarter students have it figured


Hello NonSSL-Login,

(JV Roig here, the author of the cited paper)

re: "The article says that 215 students' hashes were in Troy's database and states this was down to bad/unsafe passwords. Wrong. They are in Hunt's databases because they happened to be signed up to websites that got hacked. There is no relation to IQ at all."

Yes, that's actually a pretty good point, although I would like to say it's a little bit more nuanced than that. Not everyone on the list would have been personally pwned - some have just settled on really bad passwords (especially passwords or patterns that look strong, but really aren't due to predictability).

For example, if their password is outwardly (seemingly) "strong" / "secure" (say, it's long and has some substitutions), the chances of another person thinking of the same password should be statistically nil (infinite combinations vs very finite human users) - unless of course, the chosen "secure" password is actually predictable due to human nature. Microsoft itself actually has some interesting research findings about this, particularly about how users will predictably choose passwords given very strict, arcane password requirements.

If they are in the habit of re-using passwords, then that password (and habit itself) really should still be considered unsafe. A way to think about that would be: a password can be unsafe because of "physical" characteristics (e.g., too short), "psychological" characteristics (e.g., too predictable based on human nature, such as adding "1" at the end of a common password when asked to use at least one number), or "environmental" characteristics (e.g., an otherwise strong password that is now much more vulnerable [weak] due to being used widely in different sites).

So either way, unsafe.

But as mentioned in my opening, yours is a very good insight, thanks. That's exactly why any interesting findings, be they just curiosities at the moment, are shared - so that others can see them and then potentially draw from them interesting insight, such as yours. Further studies, for example, can now explicitly look for, attempt to mitigate, or control for, or simply measure the impact of, that factor. Science at work!
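The three kinds of "unsafe" described in the reply above (physical, psychological, environmental) can be turned into a simple policy check. The following is an added example, not code from the paper or from the commenter; the common-word list, the substitution table and the "seen on other sites" set are all small constructed samples standing in for breach-derived data a real deployment would use.

```python
"""Classify why a candidate password is unsafe along three axes:
physical (too short), psychological (a predictable mutation of a common
word, or a keyboard/number sequence) and environmental (already exposed
elsewhere, e.g. reused on a site that was breached).
Example code; all lists below are constructed samples."""

import re

# Constructed sample of base words that users mutate into "strong-looking" passwords.
COMMON_BASES = {"password", "welcome", "letmein", "dragon", "qwerty", "monkey", "iloveyou"}

# Typical substitutions applied to satisfy complexity rules (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for "this exact password was seen in a breach of another site".
SEEN_ELSEWHERE = {"correcthorsebatterystaple"}

# Short keyboard walks and digit runs that look random but are highly predictable.
SEQUENCES = re.compile(r"(?:0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf)")


def normalize(pw: str):
    """Undo the usual mutations and return (base_word, list_of_mutations_undone)."""
    mutations = []
    s = pw.lower()
    # "Password1!" -> "password": strip appended digits/punctuation such as "1" or "2021".
    stripped = re.sub(r"[\d\W_]+$", "", s)
    if stripped != s:
        mutations.append("appended-suffix")
    # "p@ssw0rd" -> "password": reverse common character substitutions.
    base = stripped.translate(LEET)
    if base != stripped:
        mutations.append("character-substitution")
    return base, mutations


def classify(pw: str, seen_elsewhere=SEEN_ELSEWHERE, min_len: int = 12):
    """Return a list of 'axis: reason' strings; an empty list means no rule fired."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"physical: shorter than {min_len} characters")
    base, mutations = normalize(pw)
    if base in COMMON_BASES:
        how = ", ".join(mutations) if mutations else "no changes"
        reasons.append(f"psychological: common word '{base}' with {how}")
    if SEQUENCES.search(pw.lower()):
        reasons.append("psychological: keyboard or number sequence")
    if pw in seen_elsewhere:
        reasons.append("environmental: already exposed on another site")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: two "complex-looking" mutations of a common word,
    # one genuinely strong but reused passphrase, and one with no rule hits.
    for candidate in ["Password1!", "P@ssw0rd2021", "correcthorsebatterystaple", "xK9#vT2mQ!pL4w"]:
        print(candidate, "->", classify(candidate) or ["ok"])
```

The point of `normalize` is that a complexity rule ("add a number", "add a symbol") does not move a password out of the predictable set: the check undoes the predictable transformation first and only then compares against the dictionary. The environmental check is exact-match on purpose; in practice it would be backed by a breach corpus rather than an in-memory set.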
