!!! Overview
With an average of 130 accounts registered to one email in the US, it's not surprising that 73% of users have [duplicate passwords|password Reuse]. Remembering 130 different passwords would be extremely difficult for anyone, and would probably send password retrieval requests through the roof.

Roughly 20% of users use the same passwords that they did ten years ago. 

Almost half use the same passwords that they invented five years ago.

All the rules you invent for [Password Policy] will not stop the [Usability] issues.

!! [Password ]

!! August of 2014
The results point to the need for a new kind of identity management solution that goes beyond the simple username and [password] concept. 
The survey was conducted in August of 2014 in both the US and UK, recording the answers of 1000 people in each country to a series of questions that teased out these findings.
* Companies waste over $400 per year per employee on lost productivity stemming from password management issues.
* Rampant poor password management and other bad security habits are putting companies at risk of a data breach, including 49% of US respondents who use their personal device for business purposes.
* 37% of US respondents have created more than 50 new account profiles, with “new” user names and passwords (how much do you want to bet they are the same or similar to all their other accounts’ login credentials?) over the course of a year, or about 1 per week.
* Two thirds of respondents need to enter up to 10 different usernames and passwords a day.
* Respondents claimed that forgetting a username/password combo for an account they need to access is more annoying than losing their car keys or having their cell phone die, and a full quarter thought that managing passwords was more irritating than waiting in line at the DMV.
* Only 12% of US respondents thought their passwords were “very secure.” Correspondingly, over four fifths of respondents fear identity theft, with about a third thinking they’ve been a victim of it at some point.

!! Survey of Office Workers 
The third annual survey into office scruples conducted by Infosecurity Europe 2004 found that office workers are still not information security savvy. A survey of office workers found that 71% were willing to part with their password for a chocolate bar. 

Security Watch [Password] Survey [1] 
* Fifty percent of employees still write their passwords down 
* Over one-third of the respondents share their passwords 
* More than 80 percent have three or more passwords 
* Respondents use these passwords to access an increased number of applications: 67 percent access 5 or more; and another 31 percent access 9 or more 
* Forty-seven percent require their passwords to be reset at least once a year 

Using a survey conducted outside of Liverpool Street Station[2], the results showed that: 
* a little more than twenty percent of people gave up their passwords when offered a free chocolate bar. (This is sixty-four percent less than in 2007). 
* women were forty-five percent more likely to reveal information about their passwords than men. 


!! High Level Statistics 
* Fifty percent (50%) of employees still write their [passwords] down
* Over one-third (33%) of the respondents share their passwords
* More than 80 percent have three or more passwords for use at work.
* Respondents use these passwords to access an increased number of applications:
** 67 percent access 5 or more; and another
** 31 percent access 9 or more
* Forty-seven percent of organizations require their passwords to be reset at least once a year
* Password reset costs: $50.00 (Forrester)
** The average person calls the help desk 19 times a year; 20%, or 4, of those calls are for passwords (Gartner)
* 67% of users use the same password on multiple different sites. [3]

!! Why Do Users Do This? 
As [Password Policy] rules are made more complex, the difficulty of remembering passwords increases. 
One of the issues is that the password policy ignores the "people factor". Security experts continually cite statistics on how much stronger passwords can be made by making them more complex. The experts seem to forget that they used a computer to generate the statistics, yet they expect employees to remember complex passwords that score high in [Password Strength].

Then, as employees are forced to change their passwords more frequently, they must write the password down or use some simple sequence to try to remember it. 

!! The result to the organization 
Based on the statistics, we provide some information on the situation for an organization of 200,000 people.

! Serious Security Issues
These statistics indicate that organizations still face some serious security issues. Based on the statistics, in an organization of 200,000 people: 
* 100,000 people would write their passwords down 
* 66,000 people would share their passwords 
We will not attempt to perform the cost analysis for an organization in generic terms, but you get the idea.

! [Password Resets] Costs
In the same organization, 94,000 people would perform a [Password Reset] at least once a year. 

At an estimated cost of $50 per [Password Reset], the company could spend $4,700,000 performing [Password Resets].

! Login Costs
* Avg login takes 5 seconds.
* Avg person has 5 logins per day, which amounts to $65 per year in lost time.

At an estimated cost of $65 per person per year in login time, the company could lose $13,000,000 per year performing logons to applications.


!! How do our passwords fall? 
In every imaginable way: [4]
* They’re guessed
* lifted from a password dump
* cracked by brute force
* stolen with a keylogger
* reset completely by conning a company’s customer support department.

! [CAPTCHA] [5]
Stanford University conducted an interesting study examining just how effective CAPTCHA is at minimizing that [friction]. A few takeaways:
* 3 people looking at the same [CAPTCHA] agreed on the reading __only 71%__ of the time.
* Average time to solve a text-based [CAPTCHA] __was 9.8 seconds__.
* 3 people listening to the same audio [CAPTCHA] came up with the same value __only 31.2%__ of the time.
* Average time to solve an audio [CAPTCHA] was __28.4 seconds__.
* Time to solve was even longer for non-native English speakers.
* Most people hate [CAPTCHA] (like me)
!! Password Breaches 
As of 2013-05-05, over 50% of web applications store passwords in plaintext and/or authenticate over unencrypted HTTP.[6]



----
* [#1] - [Security Watch Password Survey|http://www.securityinfowatch.com/Computer+%2526+Network+Security+Announcements/safenet-announces-results-global-password-survey] 
* [#2] - [Survey conducted outside of Liverpool Street Station|http://www.securitywatch.co.uk/2008/04/17/only-21-reveal-passwords/]
* [#3] - [http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html] retrieved 2012-12-16
* [#4] - [http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/]  retrieved 2012-12-16
* [#5] - [http://www.stormpath.com/blog/5-myths-password-security]  2013-05-05
* [#6] - [http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf] - retrieved 2013-05-05