Password Management: Empirical Results from an RSA and USA Study

“The state of information security as a whole is a disaster, a train wreck”. This is how Forte and Power (2007) describe the state of information security towards the end of the first decade of the 21st century. Among the solutions they offer is the view that security programs must be holistic: technical controls are of little value if the workforce does not understand the risks created by its own irresponsible behavior. They also stress the role of awareness and education, arguing that users at all levels should be targeted so that they understand their role and responsibility in information security. Password-related behavior is often highlighted as a key component of information security awareness, yet studies have shown that password hygiene is generally poor amongst users (Stanton, Stam, Mastrangelo, & Jolton, 2005). In an effort to identify, categorize and prioritize the factors that may have a significant impact on password behavior, a study was conducted amongst students in South Africa and the United States of America to investigate certain aspects of their password management practices. The objective of this paper is to report the empirical results obtained, using techniques such as cause-and-effect diagrams and Pareto analyses.