Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites

From email to online banking, passwords are an essential component of modern internet use. Yet users do not always follow good password security practices, leaving their accounts vulnerable to attack. We conducted a study that combines self-report survey responses with measures of actual online behavior gathered from 134 participants over the course of six weeks. We find that people do tend to re-use each password on 1.7-3.4 different websites, that they re-use passwords that are more complex, and that they mostly re-use passwords they have to enter frequently. We also investigated whether self-report measures are accurate indicators of actual behavior, finding that although people understand password security, their self-reported intentions have only a weak correlation with reality. These findings suggest that users manage the challenge of having many passwords by choosing a complex password on a website where they have to enter it frequently in order to memorize it, and then re-using that strong password across other websites.
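The measurements the abstract reports (how many distinct websites each password is used on, and whether frequently entered passwords are the ones that get re-used) can be computed from a log of password-entry events without ever retaining plaintext. The following is an added example, not code from the paper or its authors: it keys a hash of each typed password with a per-participant secret so that the dataset only ever contains opaque fingerprints, then derives per-password site counts, entry counts, and a Spearman rank correlation between entry frequency and breadth of re-use. The event log and the participant key are constructed placeholders, and the hashing scheme is an assumption about how such an instrument could be built, not a description of the study's actual apparatus.

```python
import hashlib
import hmac
import math
from collections import defaultdict
from statistics import mean

# Constructed sample log for one participant (not study data). Each event is
# (site, password as typed). In a real instrument the plaintext would be
# fingerprinted inside the browser extension before anything left the machine.
SAMPLE_EVENTS = [
    ("mail.example", "Tr0ub4dor&3"),
    ("mail.example", "Tr0ub4dor&3"),
    ("bank.example", "Tr0ub4dor&3"),
    ("shop.example", "Tr0ub4dor&3"),
    ("work.example", "Summer2015!"),
    ("mail.example", "Tr0ub4dor&3"),
    ("forum.example", "correcthorse"),
    ("vpn.example", "Summer2015!"),
    ("work.example", "Summer2015!"),
    ("shop.example", "Tr0ub4dor&3"),
    ("bank.example", "Tr0ub4dor&3"),
    ("news.example", "qwerty12"),
    ("work.example", "Summer2015!"),
    ("mail.example", "Tr0ub4dor&3"),
]

# Assumption: a random secret generated once per participant and never stored
# with the event data, so fingerprints cannot be matched across participants
# or brute-forced offline without it. Placeholder value for the example only.
PARTICIPANT_KEY = b"per-participant-secret-key-placeholder"


def fingerprint(password: str, key: bytes = PARTICIPANT_KEY) -> str:
    """Keyed hash of a password: equal passwords map to equal tags, but the
    plaintext itself is never kept in the dataset."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def summarize(events):
    """Group events by password fingerprint: which sites it was used on and
    how many times it was entered in total."""
    stats = defaultdict(lambda: {"sites": set(), "entries": 0})
    for site, password in events:
        tag = fingerprint(password)
        stats[tag]["sites"].add(site)
        stats[tag]["entries"] += 1
    return stats


def _ranks(values):
    """Average ranks (1-based), sharing the mean rank among ties."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg_rank
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rank correlation, computed as Pearson correlation on ranks."""
    rx, ry = _ranks(xs), _ranks(ys)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def reuse_metrics(events):
    """Per-participant summary: distinct passwords, mean sites per password,
    how many passwords are shared across sites, and the rank correlation
    between entry frequency and number of sites a password is used on."""
    stats = summarize(events)
    per_password = [(len(s["sites"]), s["entries"]) for s in stats.values()]
    site_counts = [n for n, _ in per_password]
    entry_counts = [e for _, e in per_password]
    return {
        "distinct_passwords": len(per_password),
        "mean_sites_per_password": mean(site_counts),
        "reused_passwords": sum(1 for n in site_counts if n > 1),
        "rank_correlation": spearman(entry_counts, site_counts),
    }


if __name__ == "__main__":
    for key, value in reuse_metrics(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

With the constructed log, the two passwords entered most often are also the ones spread across the most sites, so the rank correlation comes out at 1.0; on real data the interesting result is how far below 1.0 it lands. Truncating the HMAC to 16 hex characters is a size-versus-collision trade-off that is fine for a few hundred passwords per participant but should be reconsidered for larger corpora.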
