Password Security: What Users Know and What They Actually Do
By Shannon Riley
Summary: This study investigated the common password generation practices of online users. Three hundred and fifteen undergraduate and graduate students completed a survey querying (1) the types and number of different password protected accounts maintained; (2) actual practices used in generating, storing and using passwords; (3) practices believed they should use in generating and storing passwords; and (4) general demographic information. Results indicate that, in general, users do not vary the complexity of passwords depending on the nature of the site (bank account vs. instant messenger) or change their passwords on any regular basis if it is not required by the site. Users report using lower case letters, numbers or digits, personally meaningful numbers and personally meaningful words when creating passwords, despite the fact that they realize that these methods may not be the most secure.
Password protected accounts are very common and widely used for a variety of online applications including instant messaging, personal and business e-mail, and online banking and retail purchasing accounts. Given the sensitivity of the information within these accounts and the potential for abuse and misuse of this information by others, one might suspect that users would create very secure passwords. This has not proven to be the case. In spite of the fact that online shoppers report that information security and protection are their primary concern (Luo, 2002; Lightner, 2003), many studies have shown that users consistently use very simplistic, easily predictable practices when constructing and using passwords. This includes using meaningful words or personal dates that are easy to remember (Bishop & Klein, 1995), using a proper name or a word commonly found in the dictionary, or relating the password to the type of account for which it is used (Vu, Bhargav & Proctor, 2003). Such predictable and systematic practices are easier for the user to remember, but they sacrifice the security that passwords are intended to provide.
The purpose of this study is to comprehensively assess what practices users employ in creating and storing passwords for online accounts.
A total of 328 undergraduate and graduate level college students from Wichita State University volunteered to participate in the survey, and were regular users of the Internet with one or more password protected accounts. Ages of the participants ranged from 18 to 58 years (M = 25.34). Thirteen cases were deleted due to missing data, resulting in 315 participants in the final data analysis.
Participants were administered the Password Practices Survey, a 101-item self-report questionnaire that requests information about five areas:
(1) Internet usage behaviors (frequency, duration and longevity of use);
(2) Types and number of different password protected accounts maintained;
(3) Actual practices used in generating, storing and using passwords;
(4) Practices believed they should use in generating and storing passwords;
(5) General demographic information.
The Password Practices Survey was developed to investigate and expand on information regarding a diverse range of specific user practices, the extent of knowledge users have and apply in the construction and use of passwords, and the potential influence of internet usage practices. Survey questions were developed through a series of pilot tests. Questions regarding frequency, duration and method of internet access, as well as frequency and variety of internet activities, were taken directly from Lida-Rogers's (2004) dissertation on the Development of the Internet Experience Scale. The Password Practices Survey uses a variety of forced-choice, multiple-response, fill-in-the-blank and open-ended response items, and was administered both on paper and online. The online version of the Password Practices Survey was created using SPSS Data Entry Builder™ and was accessed via the web. Completion of the survey took between 15 and 25 minutes.
General password characteristics
Descriptive analysis of the data revealed that 35% (112) of respondents reported that they use a predetermined number of characters in their passwords. Of these participants, the average number of characters per password was found to be 6.84 (SD = 1.79).
Overall, 74.9% of respondents (236) reported that they have a set of predetermined passwords that they use frequently; of those, 98.3% (232) reported an average of 3.1 (SD = 2.028) such passwords. More than half (59.7%, 188) reported that they do not vary the complexity of their password depending on the nature of the site they are using, such as an online bank account compared to an online chat program. The average length of time users have maintained their primary personal use password was reported as 31.07 months (SD = 28.01), roughly two years and seven months. When asked “How frequently do you change your password on a regular basis when not required by the system?”, 52.7% (166) responded “Never” (Table 1).
Password construction practices/strategies used
In regard to practices that respondents report using “Very Frequently” or “Always” when creating passwords, 85.7% (270) reported that they use lowercase letters and 56.5% (178) reported that they use numbers or digits in their passwords. In addition, 54.9% (173) indicated that they use personally meaningful words, such as names of children, pets or street names, while 49.8% (156) indicated that they use personally meaningful numbers, such as birthdates or telephone numbers (Table 2).
User perceptions of password construction practices that should be used
When asked what practices should be used in the creation and usage of passwords, the majority of respondents, 50.8% (160), were able to identify most of the password practices that are recommended for creating secure passwords (Tufts University, 2005), although 62.9% (198) failed to identify the practice that would result in the most secure password: using numbers and special characters in place of letters.
Differences between password practices users reported and the passwords practices they believe they should use included:
· 73% (230) of respondents reported that they should change their passwords for accounts every three to six months, but 52.7% (166) responded that they “Never” change their password when not required.
· 50.8% (160) of respondents reported that they should use special characters in their passwords, but only 4.8% (12) reported doing so.
· 63.5% (200) of respondents reported that they should use seven or more characters in their passwords, but only 35.5% (112) indicated that they use this number of characters with any regularity.
· 70.5% (222) of respondents indicated that personally meaningful words should not be used, but 49.8% (156) reported that they use this practice.
· 68.3% (215) of respondents report that personally meaningful numbers should not be used in passwords, but 54.9% (173) reported using this practice.
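As an added illustration, not part of the study or of this post, the following check encodes the recommended practices respondents were able to identify (seven or more characters, special characters, no personally meaningful words or numbers, a change every three to six months) and flags the weak patterns the survey reports. The personal words and numbers are constructed placeholders standing in for values a site would hold in its own account profile.

```python
import re
from datetime import date, datetime

# Constructed placeholders, not real data: account-specific values a site
# could treat as "personally meaningful" (pet/street names, birthdate, phone).
PERSONAL_WORDS = {"max", "elmstreet"}
PERSONAL_NUMBERS = {"19840312", "0312", "5551234"}

# Digit-run lengths and layouts that commonly encode a date.
DATE_FORMATS = {6: ("%m%d%y", "%d%m%y", "%y%m%d"),
                8: ("%m%d%Y", "%d%m%Y", "%Y%m%d")}


def looks_like_date(run):
    """True if a run of digits parses as a calendar date in a common layout."""
    for fmt in DATE_FORMATS.get(len(run), ()):
        try:
            datetime.strptime(run, fmt)
            return True
        except ValueError:
            continue
    return False


def check_password(pw, personal_words=PERSONAL_WORDS,
                   personal_numbers=PERSONAL_NUMBERS):
    """Return the survey-reported weak practices found in pw (empty = none)."""
    findings = []
    if len(pw) < 7:
        findings.append("fewer than 7 characters")
    if pw.isalpha() and pw.islower():
        findings.append("lowercase letters only")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no special characters")
    lowered = pw.lower()
    for word in sorted(personal_words):
        if word in lowered:
            findings.append(f"personally meaningful word: {word}")
    for run in re.findall(r"\d{4,}", pw):
        if run in personal_numbers:
            findings.append(f"personally meaningful number: {run}")
        elif looks_like_date(run):
            findings.append(f"date-like digits: {run}")
    return findings


def password_is_stale(last_changed, today, max_days=180):
    """Flag a password (ISO dates) older than the three-to-six-month change
    interval respondents said they should follow."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_days
```

The date heuristic only recognises runs of six or eight digits, so a four-digit year or a two-digit day on its own is caught only when it appears in the account's own personal-number list.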
The majority of participants in the current study most commonly reported password generation practices that are simplistic and hence very insecure. Particular practices reported include using lowercase letters, numbers or digits, personally meaningful words and numbers (e.g., dates). It is widely known that users typically use birthdates, anniversary dates, telephone numbers, license plate numbers, social security numbers, street addresses, apartment numbers, etc. Likewise, personally meaningful words are typically derived from predictable areas and interests in the person’s life and could be guessed through basic knowledge of his or her interests.
The finding that participants in the current study use such simplistic practices to develop passwords is supported by similar research by Bishop and Klein (1995) and Vu, Bhargav & Proctor (2003) who found that even with the application of password guidelines, users would tend to revert to the simplest possible strategies (Proctor et al., 2002). In the current study, nearly 60% of the respondents reported that they do not vary the complexity of their passwords depending on the nature of the site and 53% indicated that they never change their password if they are not required to do so. These practices are most likely encouraged by the fact that users maintain multiple accounts (average = 8.5) and have difficulty recalling too many unique passwords.
It would seem to be a logical assumption that the practices and behaviors users engage in would be related to what they think they should do in order to create secure passwords. This does not seem to be the case, as participants in the current study were able to identify many of the recommended practices despite not using the practices themselves. These findings contradict the ideas put forth in Adams & Sasse (1999) and Gheringer (2002), who state that users are largely unaware of the methods and practices that are effective for creating strong passwords. Davis and Ganesan (1993) point out that the majority of users are not aware of the vulnerability of password protected systems, the prevalence of password cracking, the ease with which it can be accomplished, or the damage that can be caused by it. While the majority of this sample of password users demonstrated technical knowledge of password practices, further education regarding the vulnerability of password protected systems would help users form a more accurate mental model of computer security.
Obtained from Usability News 2006
EDIT: cleaned formatting up.
Edited by tekio, 08 February 2009 - 04:42 AM.