TY - GEN
T1 - Password management strategies for online accounts
AU - Gaw, Shirley
AU - Felten, Edward W.
PY - 2006
Y1 - 2006
N2 - Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.
AB - Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.
KW - Password
KW - Security
KW - Survey
KW - User behavior
UR - http://www.scopus.com/inward/record.url?scp=34250729756&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34250729756&partnerID=8YFLogxK
U2 - 10.1145/1143120.1143127
DO - 10.1145/1143120.1143127
M3 - Conference contribution
AN - SCOPUS:34250729756
SN - 1595934480
SN - 9781595934482
T3 - ACM International Conference Proceeding Series
SP - 44
EP - 55
BT - ACM International Conference Proceeding Series - Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS 2006
T2 - 2nd Symposium on Usable Privacy and Security, SOUPS 2006
Y2 - 12 July 2006 through 14 July 2006
ER -