Password handling: challenges, costs, and current behaviour (now with infographic)

Online passwords are a pain, and not just when you have to type them to access your online bank account or shop at your favorite digital emporium. Password pain extends to the people who have to manage them. A few weeks ago we shared some initial findings from a recent poll of 2,129 U.S. adults (aged 18 and over) conducted for ESET by Harris Interactive. Now that we’ve had more time to drill down into the data we will explore the state of passwords and online authentication in more detail, starting with an infographic full of interesting password-related statistics:

How do people handle passwords, an infographicConsider how people react to a request to change their online password. Here’s how people answered when we asked: If a social media site or online company with whom you have an account requests that you change your password, which of the following would you most likely do?

  • Always change my password: 31%
  • Sometimes change my password: 19%
  • Ignore the request: 18%
  • Contact company to see if request is genuine: 32%

In other words, a company asking its online account users to change their password can only count on 3 out of 10 them making the change. Half of the requests will either be ignored or, in a reflection of the sad state of online trust, generate some sort of customer service contact seeking verification of the request.

This finding provides a fresh way of looking at the cost of distrust. If a security breach creates a need to request 3 million users to reset their online passwords, you could be looking at 1 million unbudgeted customer service contacts. If you can keep average cost per contact as low as $1 that is still a $1 million bill.

Password change is coming, slowly

Switching to a user perspective on passwords, I think many of us share the feeling that password changing is burdensome. That burden can mean passwords are not changed as often as they should be to properly protect accounts.

Nevertheless, our survey revealed that some people are making an effort. We asked “How frequently do you change the password for the online account you use most often?” Here’s a breakdown of the responses:

  • About once a year: 46%
  • About once every 6 months: 31%
  • At least once a month: 8%
  • Never: 16%

Of course, when you map those frequencies against the current levels of online attack they might not seem adequate, but frankly they are better than I expected (I would like to research the extent to which some of these changes were due to the online account itself forcing a change, as opposed to the self-motivated diligence of the respondents).

Password Patterns

The need to create and manage more and more passwords is one of the distinct downsides to living your life online. When it comes to password creation we all have our own strategies but in the survey we tried to get a sense of the elements people were using. We asked: “Which of the following do you use when creating a password for an online account?”

  • Something unique and random: 39%
  • Familiar name (e.g. of person, pet, or place): 21%
  • Name of a location: 6%
  • Sports team: 5%
  • Something else: 37%
  • Decline to answer: 19%

Again, I think these numbers are somewhat encouraging. The use of a familiar name is too high, but the number of people who were using something random, unique, or outside of the other categories was better than I expected. I also liked that almost 1 in 5 people declined to answer. The responses were pretty much the same across different demographic groups but, perhaps not surprisngly, men were more likely than women to use a sports team (7% to 4%). Women more likely to use a familiar name than men (24% to 16%).

Strategies for password management

Safe password behavior scoreWhen we published our first findings, we indicated that “safe” behavior (choosing complex passwords and using different passwords and PINs for different accounts), was more prevalent in older people.

For example, if you combine the responses to our three survey questions in this area you can see how they stack up in the chart on the left. The 55+ group scored “safer” than the group as a whole, with the 18-34 group lagging behind.

However, one commentator questioned the idea that younger people were less diligent with passwords, possibly because they were comfortable using technology to manage passwords.So here’s what we found when we asked: How do you store and help yourself remember your online password(s)?

  • Memorize them all: 41%
  • Write them on a peice of paper: 29%
  • Store them in a file on my computer: 9%
  • Store them in email: 4%
  • Other: 11%
  • Decline to answer: 12%

The responses were pretty much the same across all demographics, although men were more likely than women to store passwords in a computer file (12% to 6%). However, women were more likely to write down their passwords on a peice of paper than men (31% to 26%).

But what about the use of password manager apps or web browsers to store online passwords. We found that just under 1 in 10 people are taking this approach.

Demographically speaking, the use of both of these strategies–password managers and browser storage–was more common in men than women (12% to 7%); at the same time, it was less common in people earning higher incomes. This may reflect the fact that higher earners tend to be older, because we did find that younger people are twice as likely to use technology to aid their password management as older people.

These findings suggest we should look more closely as technology for managing passwords. How helpful is it? How secure is it? Reply with a comment if you would like to share your experience with password managers. Do you use one? Do you like it? Let us know,

 

Abbreviated Methodology: This survey was conducted online within the United States by Harris Interactive on behalf of ESET. from August 27-29, 2012 among 2,129 adults age 18+. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please contact stephen dot cobb at eset dot com.

Stephen Cobb
ESET Security Expert


One thought on “Password handling: challenges, costs, and current behaviour (now with infographic)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s