A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.

The study's focused around a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords —added in its 2017 edition.

The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches.

If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.

Study shows inconclusive results

What researchers from the Asia Pacific College (APC) have done was to take their students' email addresses associated with school accounts and check and see if the students' passwords had been leaked in previous breaches, correlating the final results with their GPA (grade point average).

All data such as names and passwords were hashed to protect students' privacy and personal information. Researchers checked students' passwords against a massive list of over 320 million passwords exposed in previous breaches and collected by Australian security researcher Troy Hunt, maintainer of the Have I Been Pwned service.

The results showed similar percentages of students across the GPA spectrum that were using previously exposed passwords —considered weak passwords and a big no-no in NIST's eyes.

Percentages varied from 12.82% to 19.83%, which is an inconclusive result to show a clear differentiation between the password practices of "smarter" kids when compared to the rest.

The study also showed that most students also used quite long passwords, with an average of 11.2 characters/password.

"Over 98% of users have 8 characters or more, over 50% have 10 or more characters, and over 25% use at least 12 characters," the research team observed. "This means the usage of short passwords is an almost non-existent problem for APC users."

A bigger study is needed

While researchers noted that students with a higher GPA had the smaller percentage of weak passwords, they also called for a larger study for more definitive results.

The APC study, entitled "Do Smarter People Have Better Passwords? Yes, But..." and published online last week, checked passwords for only 1,252 APC students, of which only 215 used passwords also exposed in public breaches.