kory garner archives

Password Change Survey Results

So here are the results of that password changing survey. Let me preface this by saying that this survey was done purely to satisfy our curiosity. We are NOT looking to this survey to help make any decisions here at the Church. We acknowledge that this survey was not scientific and thus the results need to be taken with a grain of salt. That said, I still think that we learned some interesting things. Just don’t go around quoting statistics from this survey and expect them to stand up to scrutiny.

Another point that I want to make clear is that this survey doesn’t really address how secure our passwords are. We know that the best passwords are truly random characters and numbers without any logical order, and the longer the better. Our survey doesn’t specifically figure out if you’re using a “secure password.” We only tried to figure out what happens when it comes time to change that password.

Question #1: When forced to change a password I…
42.98% – Just increment a number. Password1, Password2, Password3, etc
8.77% – Change a topic. Ford1, Chevy1, BMW1, etc
23.68% – Some other pattern (explain in comments below)
21.05% – Come up with a completely unique password
3.51% – Other

There really weren’t that many surprises in this question. I had anticipated that an overwhelming majority of people would use some sort of pattern. Only 21% of us come up with a unique password every time we change our password. That means that 75% of us are using some form of an “easy to remember” password.

Again, please don’t use this to infer a sense of the general security of a system. “Easy to remember” ≠ “easy to guess.” An incremented password of th55myp55wrd3 is more secure than the unique password of stapler. That said, if someone figures out the root portion of an incremented password, that leaves them a much smaller number of possibilities to try.
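One defensive control this suggests is a password-history check that rejects a new password when it differs from a previous one only in its trailing number. The Python below is an added example, not the Church’s or the survey’s own code; the 12-character minimum, the function names and the sample history are assumptions, and it also shows the limitation that the “change a topic” pattern (Ford1, Chevy1) cannot be caught by a root comparison.

```python
import string

MIN_LENGTH = 12  # assumed policy value; the survey does not prescribe one


def split_root(password: str) -> tuple[str, str]:
    """Split off the trailing digit run: "th55myp55wrd3" -> ("th55myp55wrd", "3")."""
    root = password.rstrip(string.digits)
    return root, password[len(root):]


def is_trailing_number_change(old: str, new: str) -> bool:
    """True when new is old with only its trailing number added, removed or changed
    (Password1 -> Password2, Password -> Password1). Roots are compared ignoring case."""
    old_root, old_num = split_root(old)
    new_root, new_num = split_root(new)
    return old_root.casefold() == new_root.casefold() and old_num != new_num


def check_new_password(new: str, history: list[str], min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy violations for a proposed password, checked against the
    user's previous passwords (most recent first). An empty list means accept."""
    problems: list[str] = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for old in history:
        if new.casefold() == old.casefold():
            problems.append("reuses a previous password")
            break
        if is_trailing_number_change(old, new):
            problems.append("differs from a previous password only in its trailing number")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: a user who has been incrementing Password1, Password2, ...
    history = ["Password3", "Password2", "Password1"]
    # "Ford1" is a topic change, not an increment, so only the length check catches it.
    for candidate in ["Password4", "Ford1", "th55myp55wrd3", "correct horse battery staple"]:
        verdict = check_new_password(candidate, history) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```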

Question #2: How do you remember the new password?
69.30% – I use a pattern so it’s fairly easy to remember
10.53% – I have to write it down for a while, but eventually toss the paper
6.14% – I have to write it down and keep it until the next change
14.04% – Other

Based on the answers to the first question, it wasn’t surprising to see that most of us don’t need to write our passwords down. We know that writing passwords down is one of the least secure ways of remembering them. I think that is why we develop these patterns. We know that writing it down is bad, but remembering a bunch of random characters is hard, so we adapt.

From the comments it appears that many of us are using password management software like 1Password, LastPass, etc. Personally, I’ve been looking into these programs and they seem like a good solution. The theory is that they allow you to set a truly random password for each site. So no two sites use the same password. Sounds great, as long as every system (computer, mobile, etc.) you use has that software installed. The other downside is that if your laptop/mobile phone is stolen they only need to crack your master password to get access to everything. But I suppose that it’s easier to remember one complex password than hundreds of them.

Question #3: If you didn’t have to change your password (or at least MUCH less frequently) you would…
35.09% – Still do whatever easy option I did above
35.96% – Make a semi-complex password that would be more secure
28.95% – Make a considerably more complex password that would be more secure

Here’s one question that surprised me a bit. I’ll admit that I assumed most people would continue to do whatever is easiest. We’re human, we’re lazy, we’re creatures of habit. Surprisingly, nearly 65% of you would use a more complex (read: more secure) password if we didn’t have to change it so frequently. That’s probably the biggest takeaway from this survey. Changing passwords is supposed to make a system more secure, but making those changes too frequently could have the opposite effect.

Question #4: How often are you forced to upgrade?
2.63% – Every few weeks
6.14% – Every month
8.77% – > 1 month ≤ 2 months
50.88% – > 2 months ≤ 3 months
31.58% – More than 3 months

Question #5: Personal desire for security
5.36% – I don’t think the stuff in my account is that sensitive so I don’t need a complex password
41.07% – I understand why I need security, but I can’t try to remember a new complex password every X months, so I make it easy for me.
50.00% – If I could have the same password for > 1 year I would make it complex and thus more secure.
3.57% – I’d keep my password easy no matter what. My ability to remember is more important than my account security.

So this was probably a question we should have worked through a bit more. Personally, I would have answered with both the 2nd and 3rd options if possible, but we just kind of threw this together. Still, the takeaway from this question is that we understand why we need to be secure, but we need to access stuff, so we compromise. But, if we didn’t have to change so frequently, we’d compromise less.

posted by kgarner 4 days ago

After his latest round of password expiration, Aaron decided to put together a short survey to see how people are really handling security. I’m posting it here because I would like to see a large sample of participants.

If you have a minute (it’s short, I promise) I’d appreciate it. I’ll write up a follow-up article on the results. Maybe we can start ending the tyranny of password expirations (or at least get something more sane).

Take the Survey

posted by kgarner on Friday, Mar 26, 2010