The Psychology of Password Generation
Nothing too surprising in this study of password generation practices:
The majority of participants in the current study most commonly reported password generation practices that are simplistic and hence very insecure. Particular practices reported include using lowercase letters, numbers or digits, personally meaningful words and numbers (e.g., dates). It is widely known that users typically use birthdates, anniversary dates, telephone numbers, license plate numbers, social security numbers, street addresses, apartment numbers, etc. Likewise, personally meaningful words are typically derived from predictable areas and interests in the person’s life and could be guessed through basic knowledge of his or her interests.
The finding that participants in the current study use such simplistic practices to develop passwords is supported by similar research by Bishop and Klein (1995) and Vu, Bhargav & Proctor (2003) who found that even with the application of password guidelines, users would tend to revert to the simplest possible strategies (Proctor et al., 2002). In the current study, nearly 60% of the respondents reported that they do not vary the complexity of their passwords depending on the nature of the site and 53% indicated that they never change their password if they are not required to do so. These practices are most likely encouraged by the fact that users maintain multiple accounts (average = 8.5) and have difficulty recalling too many unique passwords.
It would seem to be a logical assumption that the practices and behaviors users engage in would be related to what they think they should do in order to create secure passwords. This does not seem to be the case as participants in the current study were able to identify many of the recommended practices, despite the fact that they did not use the practices themselves. These findings contradict the ideas put forth in Adams & Sasse (1999) and Gheringer (2002) who state that users are largely unaware of the methods and practices that are effective for creating strong passwords. Davis and Ganesan (1993) point out that the majority of users are not aware of the vulnerability of password protected systems, the prevalence of password cracking, the ease with which it can be accomplished, or the damage that can be caused by it. While the majority of this sample of password users demonstrated technical knowledge of password practices, further education regarding the vulnerability of password protected systems would help users form a more accurate mental model of computer security.
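To make the weak practices the study names concrete from a defender's side, here is an added Python example (not code from the study or from this post) that flags a submitted password for exactly those patterns: lowercase-only or digits-only strings, embedded dates or bare years, too few character classes, and terms taken from the account holder's own profile (name, pet, birth year). The sample passwords and profile terms are constructed for illustration; the date formats checked are an assumption about what "dates" in the study means.

```python
import re

# Constructed sample passwords for demonstration; not taken from the study.
SAMPLE_PASSWORDS = [
    "fluffy",          # lowercase-only, personally meaningful word
    "19840712",        # digits-only, looks like a birth date (YYYYMMDD)
    "fluffy1984",      # word plus a year
    "Tr0ub4dor&3!xq",  # mixed classes, no obvious date or profile term
]

# Date shapes to look for (assumed formats: YYYYMMDD, MMDDYYYY, DDMMYYYY, bare year).
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])"),  # YYYYMMDD
    re.compile(r"(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(19|20)\d{2}"),  # MMDDYYYY
    re.compile(r"(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])(19|20)\d{2}"),  # DDMMYYYY
    re.compile(r"(?<!\d)(19|20)\d{2}(?!\d)"),                          # a bare year
]

CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]


def weak_practices(password: str, known_terms=()) -> list[str]:
    """Return the list of weak practices detected in `password`.

    `known_terms` are strings the site already holds about the account holder
    (username, display name, birth year, pet name); a password containing one
    of them is guessable by anyone with basic knowledge of the person.
    """
    findings = []
    if password.isalpha() and password.islower():
        findings.append("lowercase letters only")
    if password.isdigit():
        findings.append("digits only")
    if any(p.search(password) for p in DATE_PATTERNS):
        findings.append("contains a date or year")
    classes = sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES)
    if classes < 3:
        findings.append("fewer than three character classes")
    lowered = password.lower()
    for term in known_terms:
        # Ignore very short terms so that e.g. a two-letter initial does not fire.
        if len(term) >= 3 and term.lower() in lowered:
            findings.append(f"contains profile term {term!r}")
    return findings


def audit(passwords, known_terms=()) -> dict[str, list[str]]:
    """Run weak_practices() over a batch and map each password to its findings."""
    return {pw: weak_practices(pw, known_terms) for pw in passwords}


if __name__ == "__main__":
    # Constructed profile data for the hypothetical account holder.
    profile_terms = ["Fluffy", "1984"]
    for pw, findings in audit(SAMPLE_PASSWORDS, profile_terms).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{pw!r}: {status}")
```

A check like this belongs at password-set time on the server, where the profile terms are available; it rejects the simplistic strategies the study describes without requiring the user to memorise the guidelines.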
Matt Austern • March 2, 2006 12:53 PM
The problem, of course, is that everyone knows the recommendations for good password security and everyone also knows that it is impossible to follow all of the recommendations simultaneously. (Use passwords that can’t be guessed even by someone who knows you and your interests well. Use long passwords that include letters of both cases, numbers, and symbols. Use a different password for each site. Vary passwords regularly. Never write your passwords down.)
One of the reasons people get this absurd advice: each site gives password advice for that site alone, because each site only considers its own security problems. But from the point of view of a user, each site is just an incremental addition to an overall password management problem. A bank probably thinks that its job is to solve its own banking problems, not to solve users’ overall password management problems.
If people are given advice that’s impossible to follow, it should come as no surprise that they will do something else.