Password Security: What Users Know and What They Actually Do

Martin Brinkmann
Apr 22, 2006
Updated • May 4, 2013

The study "password security: what users know and what they actually do" was conducted by the department of psychology at Wichita State University. The study investigated the common password generation practices of online users. All participants took part in a survey querying (1) the types and number of different password protected accounts maintained; (2) actual practices used in generating, storing and using passwords; (3) practices believed they should use in generating and storing passwords; and (4) general demographic information.The results are interesting:

  • The average time users have maintained their primary personal use password is 31.07 months, nearly three years.
  • How frequently do you change your password on a regular basis when not required by the system was answered by 52.7% of the participants with never.
  • 85.7% reported that they use lowercase letters and 56.5% mentioned that they use numbers or digits in their passwords. In addition, 54.9% indicated that they use personally meaningful words, such as names of children, pets or street names, while 49.8% stated that they use personally meaningful numbers, such as birth dates or telephone numbers
  • 54.6% of users report that they are using the same password for multiple accounts “very frequently or  even“always", while 33.0% use variations of the same password for multiple accounts.
  • 73% of the respondents reported that they should change their passwords for accounts every three to six months, but 52.7% mentioned that they never change their password when not required.
  • 70.5%  indicated that personally meaningful words should not be used, but 49.8% mentioned that they still use these meaningful words in regards to passwords.

So, what's the lesson we learn from this study? If you want users to follow password guidelines, make sure you enforce them across your network. I hate the IT section at my workplace because they force you to change the passwords regulary, use upper / lowercase, numbers and chars. The new password is not allowed to match with the nine previous ones, is not allowed to have repeated chars and not allowed to have logic sequences (123456, eee, sort of things). While that is a nuisance in the eyes of the user, it certainly helps in terms of overall security of the workplace.


Previous Post: «
Next Post: «


There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.