Password Security: What Users Know and What They Actually Do

Summary: This study investigated the common password generation practices of online users. Three hundred and fifteen undergraduate and graduate students completed a survey querying (1) the types and number of different password-protected accounts maintained; (2) the actual practices used in generating, storing and using passwords; (3) the practices they believed they should use in generating and storing passwords; and (4) general demographic information. Results indicate that, in general, users do not vary the complexity of passwords depending on the nature of the site (bank account vs. instant messenger), nor do they change their passwords on any regular basis if the site does not require it. Users report using lower-case letters, numbers or digits, personally meaningful numbers and personally meaningful words when creating passwords, despite realizing that these methods may not be the most secure.
