security archives

Password Change Survey Results

So here are the results of that password-changing survey. Let me preface this by saying that this survey was done purely to satisfy our curiosity. We are NOT looking to this survey to help make any decisions here at the Church. We acknowledge that this survey was not scientific and thus the results need to be taken with a grain of salt. That said, I still think that we learned some interesting things. Just don’t go around quoting statistics from this survey and expect them to stand up to scrutiny.

Another point that I want to make clear is that this survey doesn’t really address how secure our passwords are. We know that the best passwords are truly random characters and numbers without any logical order and the longer the better. Our survey doesn’t specifically figure out if you’re using a “secure password.” We only tried to figure out what happens when it comes time to change that password.

Question #1: When forced to change a password I…
42.98% – Just increment a number. Password1, Password2, Password3, etc.
8.77% – Change a topic. Ford1, Chevy1, BMW1, etc.
23.68% – Some other pattern (explain in comments below)
21.05% – Come up with a completely unique password
3.51% – Other

There really weren’t that many surprises in this question. I had anticipated that an overwhelming majority of people would use some sort of pattern. Only 21% of us come up with a unique password every time we change our password. That means that 75% of us are using some form of an “easy to remember” password.

Again, please don’t use this to infer a sense of the general security of a system. “Easy to remember” ≠ “easy to guess.” An incremented password of th55myp55wrd3 is more secure than the unique password of stapler. That said, if someone figures out the root portion of the incremented password that gives them a much smaller number of possibilities to try.

Question #2: How do you remember the new password?
69.30% – I use a pattern so it’s fairly easy to remember
10.53% – I have to write it down for a while, but eventually toss the paper
6.14% – I have to write it down and keep it until the next change
14.04% – Other

Based on the answers to the first question, it wasn’t surprising to see that most of us don’t need to write our passwords down. We know that writing passwords down is one of the least secure ways of remembering them. I think that is why we develop these patterns. We know that writing it down is bad, but remembering a bunch of random characters is hard, so we adapt.

From the comments it appears that many of us are using password management software like 1Password, LastPass, etc. Personally, I’ve been looking into these programs and they seem like a good solution. The theory is that they allow you to set a truly random password for each site. So no two sites use the same password. Sounds great, as long as every system (computer, mobile, etc.) you use has that software installed. The other downside is that if your laptop/mobile phone is stolen they only need to crack your master password to get access to everything. But I suppose that it’s easier to remember one complex password than hundreds of them.

Question #3: If you didn’t have to change your password (or at least MUCH less frequently) you would…
35.09% – Still do whatever easy option I did above
35.96% – Make a semi-complex password that would be more secure
28.95% – Make a considerably more complex password that would be more secure

Here’s one question that surprised me a bit. I’ll admit that I assumed most people would continue to do whatever is easiest. We’re human, we’re lazy, we’re creatures of habit. Surprisingly, nearly 65% of you would use a more complex (read: more secure) password if we didn’t have to change it so frequently. That’s probably the biggest takeaway from this survey. Changing passwords is supposed to make a system more secure, but making those changes too frequently could have the opposite effect.

Question #4: How often are you forced to upgrade?
2.63% – Every few weeks
6.14% – Every month
8.77% – > 1 month ≤ 2 months
50.88% – > 2 months ≤ 3 months
31.58% – More than 3 months

Question #5: Personal desire for security
5.36% – I don’t think the stuff in my account is that sensitive so I don’t need a complex password
41.07% – I understand why I need security, but I can’t try to remember a new complex password every X months, so I make it easy for me.
50.00% – If I could have the same password for > 1 year I would make it complex and thus more secure.
3.57% – I’d keep my password easy no matter what. My ability to remember is more important than my account security.

So this was probably a question we should have worked through a bit more. Personally, I would have answered with both the 2nd and 3rd options if possible, but we just kind of threw this together. Still, the takeaway from this question is that we understand why we need to be secure, but we need to access stuff, so we compromise. But, if we didn’t have to change so frequently we’d compromise less.

posted by kgarner 8 hours ago · 0 comments
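An added example, not part of the survey post: a password-history check of the kind a defender could run at change time to reject the “just increment a number” pattern that 43% of respondents admitted to, plus near-duplicates of the previous password. It assumes the previous password is available in plaintext only because the user just typed it to authorize the change; the stored history itself stays hashed. The names `split_stem`, `is_increment` and `check_new_password` are this example's own.

```python
import re
from difflib import SequenceMatcher

# Added example (not from the post). Compares a candidate password against the
# ONE previous password the user just supplied to authenticate the change;
# older history should be hashed and can only be checked for exact reuse.

_TRAILING_NUMBER = re.compile(r"^(.*?)(\d*)$")


def split_stem(password):
    """Split 'Password3' into ('Password', '3'); 'stapler' -> ('stapler', '')."""
    match = _TRAILING_NUMBER.match(password)
    return match.group(1), match.group(2)


def is_increment(previous, candidate):
    """True when only the trailing number differs (Password1 -> Password2,
    or Password -> Password1). Case-insensitive, so 'password2' also fails."""
    prev_stem, prev_num = split_stem(previous)
    cand_stem, cand_num = split_stem(candidate)
    return (prev_stem != ""
            and prev_stem.lower() == cand_stem.lower()
            and prev_num != cand_num)


def similarity(a, b):
    """Ratio in 0..1 of characters shared in order (difflib SequenceMatcher)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_new_password(candidate, previous, max_similarity=0.8):
    """Return None if the candidate is acceptable, else a short rejection reason.
    The similarity threshold (0.8) is an assumed policy value, not a standard."""
    if candidate == previous:
        return "reused"
    if is_increment(previous, candidate):
        return "incremented"
    if similarity(previous, candidate) >= max_similarity:
        return "too similar"
    return None


if __name__ == "__main__":
    # Constructed sample changes, using the post's own illustrative values.
    for old, new in [("Password1", "Password2"), ("th55myp55wrd3", "th55myp55wrd4"),
                     ("Ford1", "Chevy1"), ("Password1", "Passw0rd1"),
                     ("Password1", "stapler")]:
        print(f"{old!r} -> {new!r}: {check_new_password(new, old) or 'ok'}")
```

Note that a "change a topic" password (Ford1 to Chevy1) passes this check: with only one previous value to compare against, the stem-based pattern is invisible, which is exactly why a survey like this one is the only way to learn how common it is.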

After his latest round of password expiration, Aaron decided to put together a short survey to see how people are really handling security. I’m posting it here because I would like to see a large sample of participants.

If you have a minute (it’s short, I promise) I’d appreciate it. I’ll write up a follow-up article on the results. Maybe we can start ending the tyranny of password expirations (or at least get something more sane).

Take the Survey

posted by kgarner on Friday, Mar 26, 2010

The End of the Asterisk?

Jakob Nielsen’s Alertbox today proclaims that we should Stop Masking Passwords. He claims the usability costs are too high, especially on mobile devices where typos are more common.

I was skeptical, but he has some great points, the most important being that the greatest security risks when you are entering a password are really electronic—someone snooping your password through an insecure connection. Someone watching your screen can just as easily watch your keyboard to see what keys you tap. But most of the time this is irrelevant, since you are at home and not really being stalked by an over-the-shoulder snooper.

And to cover the occasional Internet kiosk scenario, he suggests providing a checkbox that will let users decide whether they want to mask their password. I like it! Virtual equivalent of cupping your hand around the keypad at an ATM.

Now that I think about it, I have recently noticed that when I type a password on my mobile phone, it briefly shows the last character I typed before replacing it with an asterisk. (Is that an Opera Mobile feature?) That seems to be a concession to some of Nielsen’s points regarding mobile password entry. But I wonder whether it really makes sense either. If it’s visible to you briefly, then it’s visible to a snooper briefly too. But what are the chances that someone can see that teeny tiny text you are taptapping on your phone anyway???

So I guess he’s convinced me! Death to the Asterisk!

posted by ted on Wednesday, Jun 24, 2009 · 7 comments

8 More Sign-In Design Mistakes from Jared Spool, following up on his previous sign-in design article. My pet peeve out of this new list is Mistake #10: Requiring Stricter Password Requirements Than The NSA. I hate sites that make me think of a password so cryptic that I can’t remember it myself! Especially if I don’t think the data is worth safeguarding in the first place!!!

posted by ted on Wednesday, Jan 16, 2008

Spool on Sign-In Design

Jared Spool writes in a recent article, “Designing an account registration and sign-in process that doesn’t frustrate users turns out to be very difficult to achieve. It looks easy at the outset, but a pile of subtleties can sneak up on your experience, making something that should be simple become stressful for the users.” He’s right; something that should be so easy is so easy to get wrong. Here’s a summary of Spool’s “8 Design Mistakes to Avoid” for account sign-in, along with a few of my own observations:

For more discussion and examples, see the full article. Also see Aaron Cannon’s post on the impact captchas could have on disabled users as part of a sign-in process.

Also see Spool’s follow-up article with 8 more sign-in design mistakes.

posted by ted on Friday, Jan 04, 2008 · 0 comments

“The first day ended with myself and a technical staff member from the Church of Jesus Christ of Latter-Day Saints – not exactly who you’d expect to end up competing at the end of the first day of the biggest security conference in the planet.”
Jordan Wiens, in a post about winning a web application security contest, in which David “Blackbeard” Lindsay, one of the Church’s lead QA engineers, made it into the semifinals

posted by jason on Sunday, Feb 18, 2007