Password Security: What Users Know and What They Actually Do
As a web developer, Usability News from the Software Usability Research Lab at Wichita State is one of my favorite sites. Design for web apps can seem pretty arbitrary, but UN presents hard numbers to identify best practices, which comes in handy when you’re trying to explain to your boss why the search box shouldn’t be stuck at the bottom of the page (not that this has ever happened at CERIAS, mind you).
The Feb 2006 issue has lots of good bits, but particularly interesting from an infosec perspective are the results of a study on the gulf between what online users know about good password practice and what they actually do.
“It would seem to be a logical assumption that the practices and behaviors users engage in would be related to what they think they should do in order to create secure passwords. This does not seem to be the case as participants in the current study were able to identify many of the recommended practices, despite the fact that they did not use the practices themselves.”
Some interesting points from the study:
- More than half of users do not vary the complexity of their passwords depending on the sensitivity of the data those passwords protect
- More than half of users never change passwords unless the system forces them to do so, even though nearly 3/4 of them stated that they should change their passwords every 3 to 6 months
- Half of users believe they should use “special” characters in their passwords (like “&” and “$”), but only 5% do so