Those Pesky Passwords
Too many and too complicated to remember, passwords make users crazy and incur help desk expense. What should you do about it?
By Larry Ponemon
Table 2 reports the number of separate data elements that people are willing to share to verify their identity with a company they trust. Only 25 percent of respondents are willing to share three or more pieces of their personal information for identity verification purposes.
| How many pieces of information (separate data elements) are you willing to share to verify your identity? | Freq. | Pct% |
|---|---|---|
| One piece of information about myself. | 126 | 23% |
| Two pieces of information about myself. | 275 | 51% |
| Three pieces of information about myself. | 102 | 19% |
| As much as needed by the organization to prove it is me. | 34 | 6% |
| Total | 537 | 100% |
Keep it simple. Table 3 provides the approximate number of passwords or PINs that respondents are required to remember today.
| Approximately, how many different passwords or PINs are you required to remember today? | Freq. | Pct% |
|---|---|---|
| Between 1 and 3 | 93 | 17% |
| Between 3 and 5 | 113 | 21% |
| Between 5 and 7 | 132 | 24% |
| Between 7 and 9 | 105 | 19% |
| Between 10 and 15 | 31 | 6% |
| More than 15 | 65 | 12% |
| Total | 539 | 100% |
More than 62 percent of individuals say they are required to recall five or more passwords and PINs today. Respondents were also asked whether they had ever forgotten a password or PIN and, as a result, had to have it reset to gain access to their private accounts. Bar Chart 1 shows that more than 88 percent said they had forgotten their password at least once in the past two years.
It is not a good idea to require both a password and personal facts for identity verification purposes. Table 4 asks whether a trusted company should ask individuals to provide a unique password in addition to using personal facts such as name, telephone or last four digits of a Social Security number. As shown, 59 percent of respondents do not think it is a good idea for a company to require both a password and personal facts for identity verification purposes.
| In addition to verifying your identity from personal facts, do you think the company should ask you to recall a unique password before allowing you to have access to your private accounts? | Freq. | Pct% |
|---|---|---|
| Yes | 218 | 41% |
| No | 318 | 59% |
| Total | 536 | 100% |
Passwords are not viewed as a good way to protect personal information. As indicated in Table 5, of those who do not want to have to remember a unique password, the two biggest objections are the inconvenience of having to remember the password (63 percent) and the belief that "passwords are not necessary if the company has other ways of determining who I am" (60 percent). Forty-two percent don't think a password increases security, and 24 percent don't trust the company to keep the password private.



