The study “Password security: what users know and what they actually do” was conducted by the Department of Psychology at Wichita State University. The study investigated the common password generation practices of online users. All participants took part in a survey querying (1) the types and number of different password-protected accounts maintained; (2) actual practices used in generating, storing and using passwords; (3) practices they believed they should use in generating and storing passwords; and (4) general demographic information. The results are interesting:
- The average length of time users have maintained their primary personal use password was reported as 31.07 months
- “How frequently do you change your password on a regular basis when not required by the system?” 52.7% (166) responded “Never”
- 85.7% (270) reported that they use lowercase letters and 56.5% (178) reported that they use numbers or digits in their passwords. In addition, 54.9% (173) indicated that they use personally meaningful words, such as names of children, pets or street names, while 49.8% (156) indicated that they use personally meaningful numbers, such as birthdates or telephone numbers
- 54.6% of users (177) report using the same exact password for multiple accounts “Very Frequently” or “Always”, while 33.0% (104) report using some variation of the same password for multiple accounts
- 73% (230) of respondents reported that they should change their passwords for accounts every three to six months, but 52.7% (166) responded that they “Never” change their password when not required.
- 70.5% (222) of respondents indicated that personally meaningful words should not be used, but 49.8% (156) reported that they use this practice.
So, what's the lesson we learn from this study? Users have to be forced to create passwords that meet certain security standards. I hate the IT section at my workplace because they force you to change the passwords regularly and to use upper / lowercase, numbers and chars. The new password is not allowed to match the nine previous ones, is not allowed to have repeated chars and is not allowed to have logic sequences (123456, eee, sort of things).
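The policy described above, written as a checker. This is an added example, not code from the post or from the workplace it mentions; the run length of three, the PBKDF2 parameters, the function names and the sample passwords are all assumptions.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 9        # "nine previous ones", from the post
RUN_LENGTH = 3           # assumption: 3+ identical or sequential chars is a run
PBKDF2_ROUNDS = 100_000  # assumption for this sketch

def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def has_run(password, length=RUN_LENGTH):
    """True for `length` chars that repeat (eee) or step by +/-1 (123, cba)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def in_history(password, history):
    """Compare against the newest HISTORY_DEPTH entries, re-using each salt."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )

def check_password(password, history):
    """Return the list of violated rules; an empty list means accepted."""
    rules = [
        ("no uppercase letter", any(c.isupper() for c in password)),
        ("no lowercase letter", any(c.islower() for c in password)),
        ("no digit", any(c.isdigit() for c in password)),
        ("no special character", any(not c.isalnum() for c in password)),
        ("repeated or sequential run", not has_run(password)),
        ("matches one of the previous passwords", not in_history(password, history)),
    ]
    return [name for name, ok in rules if not ok]

if __name__ == "__main__":
    # Constructed sample history and candidates, for illustration only.
    history = [hash_password("Winter!72Oak"), hash_password("Maple#58Tun")]
    for candidate in ("Winter!72Oak", "Abc123!x", "Quartz&49Fig"):
        print(candidate, "->", check_password(candidate, history) or "accepted")
```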