Task Analysis

In order to analyze the task of password authentication, we interviewed thirty people about their password behavior. While the sample size is small, our findings mirror the results of other larger surveys on the subject [AS99].

• We find that while participants have 10 - 50 instances where passwords are required, our users have only 1-7 unique passwords, which they use for multiple situations. Many of these unique passwords are variations on each other to aid memorability.
• Users have a variety of ways for coming up with passwords that they can remember. In most cases, people choose something that is personally meaningful to them (e.g., their own names, family members names, phone numbers, favorite movies). When asked to change passwords, most use a variation on a previous password. The average password length is 6 characters and the majority of passwords are composed of alphabetic characters appended by one or two numerical characters.
• The vast majority of participants write their passwords down (independently of whether they are novices or experts, or have been trained in password security). Some have a policy of writing all passwords down, while others just write down passwords initially until they remember them or only write down infrequently used passwords. Some users store their passwords in PDAs.
• System restrictions do impact password behavior. In general, users expend the minimum effort that is required to manage their passwords. For example, some will only make passwords alphanumeric or insert special characters if required, and most users did not ever change their passwords unless required to do so. However, restrictions do not prevent users from finding workarounds or engaging in other insecure behavior. One user likes having only one password to remember, so when she is required to change any password, she will change all of her other passwords to be the same.
• The level of security education or training also does not appear to have any impact on behavior. Although most users have received some sort of password security training, they ignored it stating that it was too cumbersome or simply not practical to follow.
• Some users who spoke foreign languages reported that they used their own names or words common in their native language as passwords, because ``if it is not in English, it is hard for hackers to break''. Apparently our users were not aware of the existence of multi-lingual password cracking dictionaries.
• An interesting finding is that people viewed the ability to share passwords with others as a feature. Almost all participants shared their bank PIN with family or friends and several users shared account passwords with others because this was a convenient way to collaborate, share information or transfer files.
• All participants expressed strong feelings of dislike and frustration with their experiences remembering, using and losing passwords. Yet surprisingly, most people preferred them to alternatives. For example many disliked hardware tokens because of experiences losing or misplacing them. A couple of participants who had experience with biometrics (fingerprint readers) felt that these systems were unreliable and performed poorly compared to passwords. Others disliked biometrics because of perceived privacy threats.