Those Pesky Passwords
Too many and too complicated to remember, passwords make users crazy and incur help desk expense. What should you do about it?
By Larry Ponemon
March 01, 2006 — A study we just completed confirms what many of us already know. We are frustrated with the need to remember multiple passwords to gain access to our various personal accounts, online subscriptions and perhaps a secure location.
Further, most of the companies we work for have policies about the use of passwords to protect the sensitive and proprietary data employees have on their desktop and laptop computers. These policies often require us to change our passwords frequently and to use complex alphanumeric combinations.
Passwords as a security measure do not seem to be working. In Ponemon Institute's newly released Perceptions about Passwords study, most respondents report that in the past two years they have forgotten a password or PIN and had to have it reset by a company (see Bar Chart 1). Moreover, a majority of respondents had to have their password or PIN reset at least three times in the past two years. Many respondents reported that they have to recall five or more uniquely defined passwords or PINs on a routine basis.
The study was designed to find out what consumers think about the use of passwords and PINs and what their preferences are for verifying their identity. We surveyed adults (18 years of age and older) across all major regions of the United States. Our Web-based survey was sent to 7,678 individuals. We received 590 responses and rejected 51 for reliability purposes. The final sample was 539 respondents.
Table 1 provides a further analysis of the respondents' experience in failing to remember their passwords or PINs. As shown, more than 67 percent of those citing that they forgot their password did so three or more times in the past two years.
| If yes, how often was your password or PIN reset in the past two years? | Freq. | Pct% |
|---|---|---|
| More than four times | 99 | 21% |
Password Lessons for IT
We believe our study points to the need for information security professionals to find an alternative method and technology to protect access to personal and sensitive information. Understanding what we don't like about the current use of passwords can be helpful in developing acceptable methods for identity verification.
Limit the types of personal data collected for identification purposes. Most people appear willing to share basic personal information such as name, address, home telephone and even e-mail address with a company that they trust for purposes of identity verification. In contrast, individuals appear to be much more hesitant to provide information such as digital photos, credit card numbers, Social Security numbers, driver's licenses and fingerprints for purposes of verifying their identity, even with a trusted organization.