Educause Security Discussion mailing list archives

Stats re: passwords


From: Allison Dolan <adolan () MIT EDU>
Date: Fri, 16 Oct 2009 10:39:52 -0400

See below for some research re: passwords. Not that you couldn't
have predicted the results, but having formal research validate
your gut can be helpful!


Allison F. Dolan
Program Director, Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect



http://www.out-law.com//default.aspx?page=10445

Only 4% of corporate IT users stick to password rules, finds study

OUT-LAW News, 14/10/2009

Just 4% of users of corporate systems abide by IT security policies,
even when that system handles very sensitive private information,
according to an academic survey that has revealed humans to be the
main flaw in any security system.


Researchers at the University of Wisconsin-Madison and IT
University, Copenhagen surveyed 836 members of staff at a company
that handles sensitive information about their use of IT systems. The
research focused on passwords and whether their abuse renders complex
IT security systems ineffective.

The study found that just 4% of the people surveyed obey best
practice rules for passwords. The rest use the same passwords for
different systems or use words that appear in the dictionary or write
their passwords down on post-it notes beside the computer.

The average user makes 2.7 deviations from password best practice,
the study said.

"In deviating from the best practices, end-users can make the best
protected computer systems vulnerable," it said. "Problems with the
use of alphanumeric passwords have been known for more than 20 years,
but unfortunately, so far we have made little progress."

"Much of the attention in the past to improve Computer and
Information Security (CIS) has been focused on hardware and software
solutions," it said. "Relatively little attention has been paid to
'peopleware'. However, several studies have shown that humans and the
way they interact with computer systems are the weakest link in CIS."

The study said that its conclusions will not surprise IT security
experts. "Problems with weak passwords are not a new problem. In
1979, Morris & Thompson (1979) reported that many UNIX users choose
very weak passwords, for example very short or obvious passwords," it
said. "They analyzed 3289 passwords and results showed that passwords
mainly consisted of: strings of three ASCII characters (14%); strings
of 4 alphamerics (a set of characters, including letters, numbers,
and, often, special characters, such as punctuation marks) (15%); 5
letters, all upper-case or all lower case (21%) or 6 letters, all
lower case (18%). Furthermore, 15% of the passwords appeared in
various available dictionaries."

Such problems persist, the researchers said. "Almost identical
problems with weak passwords are seen today. Schneier (2006) examined
34,000 MySpace usernames and passwords. Results showed that 65% of
all passwords contained 8 characters or less. The most frequently
used passwords were: password1; abc123; myspace1; and password," said
the report.

The study found that the people most likely to have safe password
practices were the people who were the most experienced computer users.

"Results of statistical analysis show that user type (novice,
average, advanced or expert user) is the strongest factor related to
the number of deviations. Gender, age, education, job position, the
organizational unit the respondents work in, and years of computer
experience, are less important," it said. "Expert users and, to a
lesser extent, advanced users perform significantly better than
average users and novice users."

The report did suggest how security could be improved. As well as the
use of more expensive token or smart card systems, it said,
organisations could use pictorial passwords.

"Humans do not seem to have a specific limit regarding how many
pictures can be stored in long term memory and pictures are easily
remembered," it said. "Studies have shown that picture based
passwords have a better memorability than alpha-numeric passwords and
PIN numbers."

"Graphical passwords are not a security 'silver bullet', but a
possible alternative for usable yet secure authentication," said the
report.

See: The report (5-page / 641KB PDF)
