Overview#

With an average of 130 accounts registered to one email in the US, it's not surprising that 73% of users have duplicate passwords. To remember 130 different passwords would be extremely difficult for anyone — and probably send password retrieval requests through the roof

Roughly 20% of users use the same passwords that they did ten years ago.

Almost half use the same passwords that they invented five years ago.

All the rules you invent for Password Policy will not stop the issues Usability

Password #

August of 2014#

The results point to the need for a new kind of identity management solution that goes beyond the simple username and password concept. The survey was conducted in both the US and UK by recording the answers of 1000 people in each country to a series of questions that teased out these findings in August of 2014.

• Companies waste over $400 dollars per year per employee on lost productivity stemming from password management issues.
• Rampant poor password management and other bad security habits are putting companies at risk for data breach, including 49% of US respondents who use their personal device for business purposes.
• 37% of US respondents have created more than 50 new account profiles, with “new” user names and passwords (how much do you want to bet they are the same or similar to all their other accounts’ log in credentials?) over the course of a year, or about 1 per week.
• Two thirds of respondents needing to put in up to 10 different usernames and passwords a day.
• Respondents claimed that forgetting a username/password combo for an account they need to access is more annoying than losing car keys or cell phone die, and a full quarter thought that managing passwords was more irritating than waiting in line at the DMV.
• Only 12% of US respondents thought their passwords were “very secure.” Correspondingly, over four fifths of respondents fear identity theft, with about a third thinking they’ve been a victim of it at some point.

Survey of Office Workers #

The third annual survey into office scruples conducted by Infosecurity Europe 2004 found that office workers are still not information security savvy. A survey of office workers found that 71% were willing to part with their password for a chocolate bar.

Security Watch Password Survey [1]

• Fifty percent of employees still write their passwords down
• Over one-third of the respondents share their passwords
• More than 80 percent have three or more passwords
• Respondents use these passwords to access an increased number of applications: 67 percent access 5 or more; and another 31 percent access 9 or more
• Forty-seven percent require their passwords reset at least once a year

Using a survey conducted outside of Liverpool Street Station[2], the results showed that:

• a little more than twenty percent of people gave up their passwords when offered a free chocolate bar. (This is sixty-four percent less than in 2007).
• women were forty-five percent more like to reveal information about their passwords than men.

High Level Statistics #

• Fifty percent (50%) of employees still write their passwords down
• Over one-third (33%) of the respondents share their passwords
• More than 80 percent have three or more passwords for use at work.
• Respondents use these passwords to access an increased number of applications:
  • 67 percent access 5 or more; and another
  • 31 percent access 9 or more
• Forty-seven percent or organizations require their passwords reset at least once a year
• Password reset costs: $50.00 (Forrester)
  • Average person calls help desk 19 times a year x 20% or 4 of those are for passwords (Gartner)
• 67% of users use the same password on multiple different sites. [3]

Why Users Do this? #

As Password Policy are being made more complex, the dificulty of remembering passwords is increasing. One of the issues is that the password policy ignores the "people factor". As Security experts contiually site statistics of how much stronger passwords can be made by making them more complex. The experts seem to forget that they used a computer to generate the statistics and yet expect employees to remember complex passwords that score high in Password Strength.

The as the employee is forced to change their password more frequently, they must write down the password or they use some simple sequence to try to remember the password.

The result to the organization #

Based on the statistics, in an organization of of size, 200,000 people we provide some information on the situation.

Serious Security Issues#

These statistics indicates that organizations still face some serious security issues. Based on the statistics, in an organization of of size, 200,000 people;

• 100,000 people would write their passwords down
• 66,000 people would share their passwords

We will not attempt to perform the cost analysis for an organization in generic terms, but you get the idea.

Password Resets Costs#

As 94,000 would perform Password Reset at least once a year

At an estimated cost of $50 per Password Reset, the company could spend $ 4,700,000 performing Password Resets.

Login Costs#

• Avg login takes 5 seconds.
• Avg person has 5 logins per day $65/year in lost time per year.

At an estimated cost of $65 per login per person per year, the company could loose $ 13,000,000 performing logons to applications per year.

How do our passwords fall? #

In every imaginable way: [4]

• They’re guessed
• lifted from a password dump
• cracked by brute force
• stolen with a keylogger
• reset completely by conning a company’s customer support department.

CAPTCHA [5]#

Stanford University conducted an interesting study examining just how effective CAPTCHA is at minimizing that friction. A few takeaways:

• 3 people looking at the same CAPTCHA agreed on the reading only 71% of the time.
• Average time to solve a text-based CAPTCHA was 9.8 seconds.
• 3 people listening to the same audio CAPTCHA came up with the same value only 31.2% of the time.
• Average time to solve an audio CAPTCHA was 28.4 seconds.
• Time to solve was even longer for Non-native English speakers
• Most people hate CAPTCHA (like me)

Password Breaches #

Today, (2013-05-05) over 50% of web applications are storing passwords in plaintext and/or authenticating over unencrypted HTTP.[6]

More Information#

There might be more information for this subject on one of the following:

• CAPTCHA
• Password Authentication is Broken
• Password Management
• ROI IDM Estimation Information
• What To Do About Passwords

---

• [#1] - Security Watch Password Survey
• [#2] - survey conducted outside of Liverpool Street Station,
• [#3] - http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html retrieved 2012-12-16
• [#4] - http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/ retrieved 2012-12-16
• [#5] - http://www.stormpath.com/blog/5-myths-password-security 2013-05-05
• [#6] - http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf - retrieved 2013-05-05