
Communications of the ACM

ACM News

Study Reveals Resistance to Strong Password Security


France Bélanger, professor of accounting and information systems at Virginia Tech, and lead researcher on the mandatory passwords project.

Credit: Virginia Tech

One would assume that improving the security of your computer against intruders would be universally acceptable.

But, in a research study at Virginia Tech, an overwhelming number of users resisted changing their passwords even when the change was mandatory.

Indeed, three months after the university announced that information systems account holders would be required to change their passwords by July 1, 2011 — or be locked out if they didn’t — only 63 of the 488 respondents to a survey had complied. Meanwhile, 425 account holders had not … and waited until just prior to July 1 (or after) to do so. Roughly 20% waited until they were denied access to their computers before making the change.

"If they hadn’t been locked out, I’m guessing they still wouldn’t have changed their password," says France Bélanger, professor of accounting and information systems at Virginia Tech and lead researcher on the project.

According to the study, those who considered themselves more technically competent regarding security were less likely to have a positive attitude toward the mandatory change of passwords.

"We believe that is because they were frustrated with what they considered the triviality and mandatory nature of the change," Bélanger says.

Despite organizations’ security policies, people very often find ways to thwart them, she says, which is why "people remain the weakest link in security. Our goal was to look at various ways to handle compliance."

"Their passive-resistance behavior wasn’t 'I’m not going to do it' mainly because they had no choice," she explains. "It was more like 'I’m going to wait as long as possible' or 'I’m going to find the easiest password I can that will meet the minimum requirements.'"

A good example of passive resistance is users who create new passwords — and then write them on sticky notes and attach them to their keyboards or monitors.

Bélanger says she was most surprised by how difficult it was to make users aware of the university’s new mandatory policy.

"Three months after the university made the announcement, the majority of users still weren’t aware of it," she says, "despite having sent out a weekly email, advertising it in the campus and local newspapers, posting it on the university’s computer system, and even placing signs on every cafeteria table."

The one trigger that made the most difference was "branding" the new policy with a logo and a "Be Secure, Be Unique. Change Your Pa55w*rd" slogan.

Virginia Tech branded its mandatory password policy with images like this one. Credit: Virginia Tech

Based on the research, Bélanger’s recommendations to managers and system administrators include:

  • Never assume that just telling people that lax security poses a threat to their computer and the organization’s computer system is sufficient.
  • Security policies must be made mandatory or they will not work.
  • Make sure the mandatory requirements are clearly communicated.
  • The best way to make people aware of any new security policy is to "brand" it with some sort of logo or marketing program.
  • Educate employees with "password testing" Web sites, such as Microsoft’s, that teach how to create strong passwords.
  • Know that, despite all your best efforts, people will resist even when you insist on compliance.
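The "easiest password that meets the minimum requirements" behavior described above, together with the recommendation to use password-testing tools, as an added example (not code from the article, Virginia Tech, or any password-testing site): a small Python checker showing that a naive complexity rule accepts the slogan's own "Pa55w*rd", while a leet-aware check against a constructed word list flags it as a disguised dictionary word.

```python
import re
import string
from typing import Optional

# Constructed sample word list; a real deployment would use a large breached-password list.
COMMON_WORDS = sorted({"password", "welcome", "letmein", "virginia", "summer", "monkey"})

# Common character substitutions users apply to squeeze a dictionary word past a policy.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Naive policy: minimum length plus three of four character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def normalize(pw: str) -> str:
    """Lower-case, drop leading/trailing digit or symbol padding, undo leet substitutions."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def dictionary_hit(pw: str) -> Optional[str]:
    """Return the common word the password is a disguised form of, or None."""
    core = normalize(pw)
    if not core:
        return None
    # Any symbol still unexplained (e.g. the '*' in "Pa55w*rd") is treated as a one-letter wildcard.
    pattern = "".join(c if c.isalpha() else "." for c in core)
    for word in COMMON_WORDS:
        if re.fullmatch(pattern, word) or word in core:
            return word
    return None


def assess(pw: str) -> dict:
    """Combine the naive policy with the dictionary check; 'strong' needs both to pass."""
    hit = dictionary_hit(pw)
    policy_ok = meets_complexity(pw)
    return {"meets_policy": policy_ok, "looks_like": hit, "strong": policy_ok and hit is None}


if __name__ == "__main__":
    for candidate in ("Pa55w*rd", "Password1!", "Mq7#vLp2zR!k"):
        print(candidate, assess(candidate))
```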

Bélanger and her team are continuing their research in order to determine what would motivate a user to improve the security of their computer.

"For instance," she says, "would you be more careful about choosing–or changing–your password if your computer had been previously hacked or infected by a virus? Unfortunately, even though we’ve just started the research, people seem to be just as lax about security even after they’ve suffered through these problems."

Paul Hyman was editor-in-chief of several hi-tech publications at CMP Media, including Electronic Buyers' News.


Comments


Anonymous

In my opinion you've missed the most pervasive concern: it is that people have a hard time remembering their passwords! They resist because they don't have a mechanism that works to remember them and they don't want to be locked out because they can't recall a password. --Jim


Jay Liang

Perhaps evaluating the password strength and granting the user a longer password change cycle may provide some extra incentive for stronger passwords?


Anonymous

Agree with the above. We all just have too many passwords. I stick with a pattern that has to be adjusted to reflect the different password requirements of different applications and websites; otherwise I would just have to do what the article mentions and write them all down.

I also struggle with having to change two of my work passwords every 90 days - it's too much.

