Passwords are everywhere in computer security. All too often, they are also ineffective. A good password should be both easy to remember and hard to guess, but in practice people seem to pay more attention to the former. That predictability lets security researchers and hackers create dictionaries which list common passwords, useful to those seeking to break in. Although researchers know passwords are insecure，working out just how insecure has been difficult. Many studies have only small samples to work on. However,with the cooperation of Yahoo!, Joseph Bonneau of the University of Cambridge obtained the biggest data sample to date—70 million passwords that came with useful data about their owners. Mr. Bonneau found some interesting variations. Older users had better passwords than young ones. People whose preferred language was Korean or German chose the most secure passwords,while those who spoke Indonesian the least. Passwords designed to hide sensitive information such as credit card numbers were only slightly more secure than those protecting less important things, like access to games. “Nag screens” that told users they had chosen a weak password made virtually no difference. And users whose accounts had been hacked in the past did not make more secure choices. But the broader analysis of the sample is of most interest to researchers. Despite their differences, the 70 million users were still so predictable that a generic password dictionary was effective against both the entire sample and any slice of it. Mr. Bonneau said bluntly, An attacker managing ten guesses per account will (compromise )around 1% of accounts. And that is a worthwhile outcome for a hacker. One obvious solution would be for sites to limit the number of guesses that can be made before access is blockeD.Yet while the biggest sites, such as Google and Microsoft, take such measures, many do not. The reasons for their not doing so are various. So it’s time for users to consider the alternatives to traditional passwords.