Hi Non-SSL Login,
Yeah, that's exactly right. There should be ZERO difference, from my point of view (see my last comment posted before this one, where I explain what my original assumption was when the experiment started).
As I wrote in my last comment, I even pre-wrote the abstract to highlight how the results show that weak passwords stem from issues of disinterest, not intelligence (as expected). It's just that the data (limited by the constraints as noted in the paper) showed otherwise when it finally came in, so I have to write the paper as the data says, instead of what I think it should say. All I could do, though, was note all the constraints at the conclusion, as well as emphasizing that with all the limitations, this is just a curiosity and should only be regarded as a first step in a series of more-refined experiments.
In the end, I'm sure improvements in data size (more people), different environments (different school, different company), and improvements in the measurement tool itself (updated breach corpus, adding localization) will end up showing that intelligence is not really a big factor when it comes to weak passwords or sub-optimal password habits. I'm squarely in the camp that human/psychological issues are the main determinant, hence the updated NIST / Microsoft Research guidelines that are less technical and more user-friendly.
Biting the hand that feeds IT
