Users know how to create good passwords, but they don’t

From Usability News’ “Password Security: What Users Know and What They Actually Do“:

A total of 328 undergraduate and graduate level college students from Wichita State University volunteered to participate in the survey, and were regular users of the Internet with one or more password protected accounts. Ages of the participants ranged from 18 to 58 years (M = 25.34). Thirteen cases were deleted due to missing data, resulting in 315 participants in the final data analysis. …

When asked what practices should be used in the creation and usage of passwords, the majority of respondents, 50.8% (160), were able to identify most of the password practices that are recommended for creating secure passwords (Tufts University, 2005), although 62.9% (198) failed to identify a practice that would result in the most secure password; using numbers and special characters in place of letters.

Differences between password practices users reported and the passwords practices they believe they should use included:

  • 73% (230) of respondents reported that they should change their passwords for accounts every three to six months, but 52.7% (166) responded that they “Never” change their password when not required.
  • 50.8% (160) of respondents reported that they should use special characters in their passwords, but only 4.8% (12) reported doing so.
  • 63.5% (200) of respondents reported that they should use seven or more characters in their passwords, but only 35.5% (112) indicated that they use this number of characters with any regularity.
  • 70.5% (222) of respondents indicated that personally meaningful words should not be used, but 49.8% (156) reported that they use this practice.
  • 68.3% (215) of respondents report that personally meaningful numbers should not be used in passwords, but 54.9% (173) reported using this practice. …

The majority of participants in the current study most commonly reported password generation practices that are simplistic and hence very insecure. Particular practices reported include using lowercase letters, numbers or digits, personally meaningful words and numbers (e.g., dates). It is widely known that users typically use birthdates, anniversary dates, telephone numbers, license plate numbers, social security numbers, street addresses, apartment numbers, etc. Likewise, personally meaningful words are typically derived from predictable areas and interests in the person’s life and could be guessed through basic knowledge of his or her interests. …

It would seem to be a logical assumption that the practices and behaviors users engage in would be related to what they think they should do in order to create secure passwords. This does not seem to be the case as participants in the current study were able to identify many of the recommended practices, despite the fact that they did not use the practices themselves.