A study we just completed confirms what many of us already know. We are frustrated with the need to remember multiple passwords to gain access to our various personal accounts, online subscriptions and perhaps a secure location.
Further, most of the companies we work for have policies about the use of passwords to protect the sensitive and proprietary data employees have on their desktop and laptop computers. These policies often require us to change our passwords frequently and to use complex alphanumeric combinations.
Passwords as a security measure do not seem to be working. In Ponemon Institute's newly released Perceptions about Passwords study, most respondents report that in the past two years they have forgotten a password or PIN and had to have it reset by a company (see Bar Chart 1). Moreover, a majority of respondents had to have their password or PIN reset at least three times in the past two years. Many respondents reported that they have to recall five or more uniquely defined passwords or PINs on a routine basis.
The study was designed to find out what consumers think about the use of passwords and PINs and what their preferences are for verifying their identity. We surveyed adults (18 years of age and older) across all major regions of the United States. Our Web-based survey was sent to 7,678 individuals. We received 590 responses and rejected 51 for reliability purposes. The final sample was 539 respondents.
Table 1 provides a further analysis of the respondents' experience in failing to remember their passwords or PINs. As shown, more than 67 percent of those citing that they forgot their password did so three or more times in the past two years.
|If yes, how often was your password or PIN reset in the past two years?||Freq.||Pct%|
|More than four times||99||21%|
Password Lessons for IT
We believe our study points to the need for information security professionals to find an alternative method and technology to protect access to personal and sensitive information. Understanding what we don't like about the current use of passwords can be helpful in developing acceptable methods for identity verification.
Limit the types of personal data collected for identification purposes. Most people appear willing to share basic personal information such as name, address, home telephone and even e-mail address with a company that they trust for purposes of identity verification. In contrast, individuals appear to be much more hesitant to provide information such as digital photos, credit card numbers, Social Security numbers, driver's licenses and fingerprints for purposes of verifying their identity—even with a trusted organization.
Table 2 reports the number of separate data elements that people are willing to share to verify their identity with a company they trust. Only 25 percent of respondents are willing to share three or more pieces of their personal information for identity verification purposes.
|How many pieces of information (separate data elements) are you willing to share to verify your identity?||Freq.||Pct%|
|One piece of information about myself.||126||23%|
|Two pieces of information about myself.||275||51%|
|Three pieces of information about myself.||102||19%|
|As much as needed by the organization to prove it is me.||34||6%|
Keep it simple. Table 3 provides the approximate number of passwords or PINs that respondents are required to remember today.
|Approximately, how many different passwords or PINs are you required to remember today?||Freq.||Pct%|
|Between 1 and 3||93||17%|
|Between 3 and 5||113||21%|
|Between 5 and 7||132||24%|
|Between 7 and 9||105||19%|
|Between 10 and 15||31||6%|
|More than 15||65||12%|
More than 62 percent of individuals say they are required to recall five or more passwords and PINs today. Respondents were also asked if they ever forgot their password or PIN and, hence, had to have it reset to gain access to their private accounts. Bar Chart 1 shows that more than 88 percent said they did forget their password at least once in the past two years.
It is not a good idea to require both a password and personal facts for identity verification purposes. Table 4 asks whether a trusted company should ask individuals to provide a unique password in addition to using personal facts such as name, telephone or last four digits of a Social Security number. As shown, 59 percent of respondents do not think it is a good idea for a company to require both a password and personal facts for identity verification purposes.
|In addition to verifying your identity from personal facts, do you think the company should ask you to recall a unique password before allowing you to have access to your private accounts?||Freq.||Pct%|
Passwords are not viewed as a good way to protect personal information. As indicated in Table 5, of those who do not want to have to remember a unique password, the two biggest objections are the inconvenience of having to remember the password (63 percent) and the belief that "passwords are not necessary if the company has other ways of determining who I am" (60 percent). Forty-two percent don't think a password increases security, and 24 percent don't trust the company to keep the password private.
|If you said No, why not? Please check the top two answers only.||Freq.||Pct%|
|It is inconvenient for me to remember passwords.||201||63%|
|Passwords are not necessary if the company has other ways of determining who I am.||190||60%|
|I don't think using a password would increase my security.||132||42%|
|I don't trust the company to keep my password private.||77||24%|
Do not make passwords a regulatory requirement. At present, there is proposed federal legislation that would require some companies to mandate the use of passwords as part of their identity verification process. So we asked respondents how they feel about a requirement for mandatory passwords or PINs. Bar Chart 2 shows that 87 percent of respondents say no to the idea of a mandatory password requirement.
Give us a choice. We also attempted to determine how respondents view three different identity verification or authentication options, defined as follows:
- The company provides the consumer with a choice of a password or the use of three pieces of personal data to verify identity.
- The company makes it mandatory that the company uses a password to verify identity.
- The company makes it mandatory that it collects and uses three known facts to verify identity.
Bar Chart 3 shows that 69 percent of respondents choose option 1; that is, a choice of either a unique password or three separate pieces of information is most preferred.
The final item asked respondents if they believe that new governmental regulations should require companies to use passwords as a necessary condition for identity management. As shown in Table 6, only 12 percent of respondents stated yes. The remaining individuals were either unsure (38 percent) or stated no (50 percent).
|Do you think new governmental regulations are needed that make it a requirement for companies to verify your identity using a password?||Freq.||Pct%|
As our study seems to show, authentication using passwords is viewed as inconvenient and perhaps outdated. Based on the results from our study, I believe consumers are eager for companies to develop an identity management and authentication solution that has the necessary safeguards to protect them from identity theft but streamlines the process of gaining access to their personal accounts. Biometrics would seem to offer both the security and convenience companies and consumers are seeking.
For more information about Ponemon Institute's study, please contact us at firstname.lastname@example.org.
Larry Ponemon is founder and chairman of Ponemon Institute. The Institute is dedicated to independent research and education that advances responsible information and privacy management practices in business and government.