Those Pesky Passwords

Too many and too complicated to remember, passwords make users crazy and incur help desk expense. What should you do about it?

By Larry Ponemon

March 01, 2006 — A study we just completed confirms what many of us already know. We are frustrated with the need to remember multiple passwords to gain access to our various personal accounts, online subscriptions and perhaps a secure location.

Further, most of the companies we work for have policies about the use of passwords to protect the sensitive and proprietary data employees have on their desktop and laptop computers. These policies often require us to change our passwords frequently and to use complex alphanumeric combinations.

Passwords as a security measure do not seem to be working. In Ponemon Institute's newly released Perceptions about Passwords study, most respondents report that in the past two years they have forgotten a password or PIN and had to have it reset by a company (see Bar Chart 1). Moreover, a majority of respondents had to have their password or PIN reset at least three times in the past two years. Many respondents reported that they have to recall five or more uniquely defined passwords or PINs on a routine basis.

The study was designed to find out what consumers think about the use of passwords and PINs and what their preferences are for verifying their identity. We surveyed adults (18 years of age and older) across all major regions of the United States. Our Web-based survey was sent to 7,678 individuals. We received 590 responses and rejected 51 for reliability purposes. The final sample was 539 respondents.

Table 1 provides a further analysis of the respondents' experience in failing to remember their passwords or PINs. As shown, more than 67 percent of those who said they forgot their password or PIN had it reset three or more times in the past two years.

Table 1
If yes, how often was your password or PIN reset in the past two years?

    Response               Freq.   Pct%
    Only once                 81    17%
    Two times                 75    16%
    Three times              124    26%
    Four times                96    20%
    More than four times      99    21%
    Total                    475   100%

Password Lessons for IT

We believe our study points to the need for information security professionals to find an alternative method and technology to protect access to personal and sensitive information. Understanding what we don't like about the current use of passwords can be helpful in developing acceptable methods for identity verification.

Limit the types of personal data collected for identification purposes. Most people appear willing to share basic personal information such as name, address, home telephone and even e-mail address with a company that they trust for purposes of identity verification. In contrast, individuals appear to be much more hesitant to provide information such as digital photos, credit card numbers, Social Security numbers, driver's licenses and fingerprints for purposes of verifying their identity—even with a trusted organization.
