One would assume that improving the security of your computer against intruders would be universally acceptable.
But, in a research study at Virginia Tech, an overwhelming number of users resisted changing their passwords even when the change was mandatory.
Indeed, three months after the university announced that information systems account holders would be required to change their passwords by July 1, 2011, or be locked out if they didn't, only 63 of the 488 respondents to a survey had complied. The remaining 425 had not, and waited until just before July 1 (or after) to do so. Roughly 20% waited until they were denied access to their computers before making the change.
"If they hadn’t been locked out, I’m guessing they still wouldn’t have changed their password," says France Bélanger, professor of accounting and information systems at Virginia Tech and lead researcher on the project.
According to the study, those who considered themselves more technically competent regarding security were less likely to have a positive attitude toward the mandatory change of passwords.
"We believe that is because they were frustrated with what they considered the triviality and mandatory nature of the change," Bélanger says.
Despite organizations’ security policies, people very often find ways to thwart them, she says, which is why "people remain the weakest link in security. Our goal was to look at various ways to handle compliance."
"Their passive-resistance behavior wasn’t 'I’m not going to do it' mainly because they had no choice," she explains. "It was more like 'I’m going to wait as long as possible' or 'I’m going to find the easiest password I can that will meet the minimum requirements.' "
A good example of passive resistance is users who create new passwords — and then write them on sticky notes and attach them to their keyboards or monitors.
Bélanger says she was most surprised by how difficult it was to make users aware of the university’s new mandatory policy.
"Three months after the university made the announcement, the majority of users still weren’t aware of it," she says, "despite having sent out a weekly email, advertising it in the campus and local newspapers, posting it on the university’s computer system, and even placing signs on every cafeteria table."
The one trigger that made the most difference was "branding" the new policy with a logo and a "Be Secure, Be Unique. Change Your Pa55w*rd" slogan.
Virginia Tech branded its mandatory password policy with images like this one. Credit: Virginia Tech
Based on the research, Bélanger’s recommendations to managers and system administrators include:
Bélanger and her team are continuing their research in order to determine what would motivate a user to improve the security of their computer.
"For instance," she says, "would you be more careful about choosing, or changing, your password if your computer had been previously hacked or infected by a virus? Unfortunately, even though we've just started the research, people seem to be just as lax about security even after they've suffered through these problems."
Paul Hyman was editor-in-chief of several hi-tech publications at CMP Media, including Electronic Buyers' News.
In my opinion you've missed the most pervasive concern: it is that people have a hard time remembering their passwords! They resist because they don't have a mechanism that works to remember them and they don't want to be locked out because they can't recall a password. --Jim
Perhaps evaluating the password strength and granting the user a longer password change cycle may provide some extra incentive for stronger passwords?
Agree with the above. We all just have too many passwords. I stick with a pattern that has to be adjusted to reflect the different password requirements of different applications and websites; otherwise I would just have to do what the article mentions and write them all down.
I also struggle with having to change two of my work passwords every 90 days - it's too much.