Attitudes and Behavior Towards Password Use on the World Wide Web

Jason Hong

Hesham Kamel

John Kodumal

Francis Li

James Lin

 

Conducted from September 28–October 6, 2000

October 11, 2000

 

For:

Survey Project Requirement for IS 271

IS 271 Instructor: Dr. Rashmi Sinha

 

Address inquiries to: Jason Hong

E-mail: {jasonh,hesham,jkodumal,fli,jimlin}@cs.berkeley.edu

Address:

SIMS Administrative Office

Attn: Dr. Rashmi Sinha
102 South Hall
Berkeley, CA 94720-4600

 

 


Introduction

There is a usability and security problem caused by an increase in the number of web sites that require password-based logins. Web sites for e-commerce, e-mail, financial services, and even news require users to log in. There is a great deal of variability in sites that require logins. The type of data that these sites protect with passwords ranges from highly sensitive (in the case of financial information) to relatively insensitive (in the case of news services, for instance). The frequency of use varies greatly as well. Many web sites are accessed daily (web-based e-mail, for instance) while others are accessed infrequently.

All of these factors contribute to a password management problem. As a result, users must devise mechanisms to make it easy to remember passwords, such as basing the password on personal information, reusing passwords, or writing passwords down. However, these mechanisms are often at odds with good security guidelines. As additional services are layered onto the web, we believe that this password management problem will only worsen.

We conducted a survey of 125 people to test our hypotheses. The survey results support the broad hypothesis that people deviate from secure password practices. However, they deviated in many ways, with few discernible trends among the various demographic groups.

Research Question

We used a survey-based methodology to examine the nature of this problem. For the purposes of this project, we have defined a “secure model of behavior” based on widely accepted security guidelines (see [1] and [2], for example). We assume that failures to adhere to these security guidelines correspond to insecure behavior.

Our primary hypothesis is that experienced and inexperienced web users deviate from the secure model of behavior in different ways. Specifically, experienced users have multiple passwords but tend to write them down, while inexperienced users have a single password but do not write it down. In addition, we believe that users have adopted their own password management schemes, which often involve using the same password for multiple web sites.

We did not expect to find significant correlations with age or gender, although this information was gathered.

Survey Design

Our independent variables include gender, age, number of years using the web, hours spent surfing the web, and access to the Internet at home. We hoped that the latter three variables would give us a measure of web experience. Our dependent variables include password management strategies, passwords forgotten, adherence to password choice guidelines, and number of passwords used on web sites.

Method

We deployed web-based and print versions of the survey. One question in the print survey mistakenly contained an additional response category that was not present in the electronic version (Appendix A).

The web-based survey was prompted via pop-up windows on two web sites (http://www.francisli.com and http://www.peggyli.com). In addition, the survey URL was e-mailed to select individuals (Appendix B). The web-based survey was prompted a total of 1579 times, with 103 completed responses, yielding a response rate of 6.5%.

We also solicited 37 responses using a printed version of the survey. Participants were chosen from the International House and from an undergraduate-level foreign language class at Berkeley.

Several participants did not complete the survey or answered questions inconsistently. Their responses were removed from the data set, leaving 125 valid responses.

Results

Correlations

We calculated correlations between most of the questions in the survey. The only questions we did not correlate were concerned with how people dealt with forgetting their password. We also correlated the questions with metrics we created by combining other variables together. For example, EXPR measures experience using the web by adding together a person’s answers for questions 3 and 4 (how long they have been using the web and how many hours per week they use the web, respectively). EXPR2 was created by adding the answer to Question 6, which asks how many regularly visited sites require logging in, to EXPR. Appendix E shows the correlation values.

None of the significant correlations had an absolute value greater than 0.5, except between Questions 19 and 21 (those who felt that passwords they were concerned about would be difficult to guess are correlated with those who felt that passwords they were not concerned about would be difficult to guess). The high correlation between EXPR and Question 3 or Question 4 is irrelevant since EXPR is based on Questions 3 and 4. The same can be said between EXPR2 and Questions 3, 4, and 6.

Many of the significant correlations do not help us answer our hypothesis. For that, we were particularly interested in correlations between Questions 3 and 4, EXPR, and EXPR2 on one hand, and Questions 13, 14, 16, 17, 19, and 21 on the other. That section of the correlation table is reproduced below.


 

 

 

                               Q13_count   Q14       Q16       Q17       Q19       Q21
Q3      Pearson Correlation    0.173       0.074     0.160     0.340**   -0.019    0.083
        Sig. (2-tailed)        0.054       0.416     0.079     0.000     0.850     0.397
        N                      125         123       122       125       101       106
Q4      Pearson Correlation    0.130       -0.050    0.066     0.096     -0.014    -0.097
        Sig. (2-tailed)        0.149       0.580     0.472     0.285     0.886     0.320
        N                      125         123       122       125       101       106
Q6      Pearson Correlation    -0.012      -0.161    -0.069    -0.136    -0.134    -0.142
        Sig. (2-tailed)        0.894       0.077     0.452     0.131     0.183     0.147
        N                      124         122       121       124       101       105
EXPR    Pearson Correlation    0.179*      0.001     0.118     0.225*    -0.014    -0.028
        Sig. (2-tailed)        0.046       0.989     0.195     0.012     0.892     0.777
        N                      125         123       122       125       101       106
EXPR2   Pearson Correlation    0.144       -0.051    0.063     0.142     -0.055    -0.070
        Sig. (2-tailed)        0.110       0.577     0.494     0.116     0.583     0.480
        N                      124         122       121       124       101       105

* Correlation is significant at the 0.05 level (2-tailed).

** Correlation is significant at the 0.01 level (2-tailed).

As you can see, there are only three significant correlations in this set:

This means that inexperienced users of the web violate password security principles in distinctly different ways from those with more experience, but not in as many ways as we expected.


Summary Statistics

 

1. What is your gender?

( ) Male
( ) Female

Response   #People   %
Male       79        63.2%
Female     46        36.8%
N = 125

Figure 1 – Number of males and females that participated in this survey.

2. What is your age in years?

Response   #People   %
11-20      32        25.6%
21-30      54        43.2%
31-40      16        12.8%
41-50      14        11.2%
51-60      7         5.6%
61-70      0         0.0%
71-80      1         0.8%
81-90      1         0.8%
Min        15
Max        88
Median     24
Average    29.12
Std Dev    12.67
N = 125

Figure 2 – Age distribution of people participating in this survey.

This was a freeform answer question. The table above puts the ages into buckets for convenience. We were surprised by the two obvious outliers, one person claiming to be age 75 and another claiming to be 88.

3. About how long have you been using the web?

( ) Less than 1 year
( ) 1 to 2 years
( ) 3 to 4 years
( ) More than 4 years

Response   #People   %
<1         8         6.4%
1-2        8         6.4%
3-4        31        24.8%
4+         75        60.0%
Median     4
Average    3.45
Std Dev    0.90
N = 125

Figure 3 – Number of years participants have been using the web.

We were also surprised by how heavily skewed the data was to the right, especially given the large number of new people coming online.

4. On average, how many hours per week do you use the web?

( ) Less than 5 hours
( ) 5–10 hours
( ) 11–15 hours
( ) 16–20 hours
( ) More than 20 hours

Response   #People   %
<5         19        15.2%
5-10       31        24.8%
11-15      17        13.6%
16-20      13        10.4%
20+        45        36.0%
N = 125

Figure 4 – Number of hours per week participants used the web.

This set of data has an interesting bimodal distribution. We suspect that the large number of users using the web for more than 20 hours per week is due to people at work that use the web or students that make heavy use of the web.

Nielsen / Netratings reports that for the week ending July 30, 2000, the average time spent surfing per week was 3 hours 13 minutes, meaning that we clearly have a skewed group here.

5. Do you have access to the Internet at home?

( ) Yes
( ) No

Response   #People   %
Yes        120       96.0%
No         5         4.0%
N = 125

Figure 5 – Number of survey participants that have Internet access at home.

We had hoped to use this as an indicator of experience, but this data proved to be fairly useless to us, since nearly everyone had Internet access at home. For this reason, this set of data was not used in our analysis.

6. How many web sites that you regularly visit require you to log in?

( ) None
( ) 1
( ) 2–5
( ) 6–10
( ) More than 10

Response   #People   %
None       2         1.6%
1          13        10.4%
2-5        72        57.6%
6-10       23        18.4%
10+        14        11.2%
N = 124

Figure 6 – Number of web sites requiring logins. The peak is at the bucket representing 2-5 websites.

7. If you do regularly visit web sites that require you to log in, about how many unique passwords do you use for these web sites?

( ) 1
( ) 2–5
( ) 6–10
( ) More than 10

Response   #People   %
1          30        24.0%
2-5        81        64.8%
6-10       8         6.4%
10+        2         1.6%
N = 121

Figure 7 – The number of unique passwords used.

As expected, a fair number of people used only one password. The majority of people had between 2-5 passwords, but unfortunately, the bucket we chose for this range may have been too large to be useful.

8. Do you have a unique password for each web site that requires you to log in?

( ) Yes
( ) No

Response   #People   %
Yes        38        30.4%
No         87        69.6%
N = 124

Figure 8 – Number of people that use unique passwords for every web site.

As expected, the number of people that use unique passwords for every web site is in the minority. However, more people than expected used unique passwords.

9. If you do not use a unique password for every web site, please check off any of the following that apply to you:

[ ] I use a set of passwords for sites I trust and a different set for sites I don’t trust
[ ] I use a set of passwords for sites on specific topics (e.g. movies, sports)
[ ] I have a set of passwords that I choose from randomly
[ ] I use the same password for all sites
[ ] Other (Please Specify)  ___________________________________________

These answers are not mutually exclusive.

Response   #People   %
TRUST      38        30.4%
TOPIC      6         4.8%
RNDM       28        22.4%
SAME       29        23.2%
OTHER      9         7.2%
N = 125

10. Check any of the following services that you use on the web

[ ] Web-based Email (e.g. Hotmail or Yahoo Mail)
[ ] Shopping
[ ] Banking
[ ] Stock trading
[ ] Bill paying
[ ] Other financial services

Response   #People   %
Email      26        20.8%
Shop       25        20.0%
Bank       18        14.4%
Stock      4         3.2%
Bill       9         7.2%
Other      5         4.0%
N = 125

The first choice of web-based e-mail was added after the print survey, so that choice was not used in the correlation analysis.

11. Have you ever forgotten a password used on a web site?

( ) Yes
( ) No

Response   #People   %
Yes        102       81.6%
No         20        16.0%
N = 122

As expected, the majority of people have forgotten a password.

12. If you have forgotten a password, check off any of the following that apply to you:

[ ] I’ve looked up a password from a list of passwords that I’ve created
[ ] I’ve used the web site’s features for retrieving my password (for example, have the password e-mailed to me, asks a question which only I know the response to)
[ ] I’ve e-mailed or telephoned customer support to get my password
[ ] I’ve created a new account on a site instead of trying to remember my password
[ ] I’ve stopped using a site because of a forgotten password

Response    #People   %
LIST        38        30.4%
EMAIL / Q   76        60.8%
SUPT        25        20.0%
NEWACCT     51        40.8%
STOP        46        36.8%
N = 125

13. Check any of the following guidelines for choosing passwords that you follow:

[ ] I never choose any word in any language as a password, including names of well-known people and places
[ ] I never choose passwords based on personal information (e.g. names, birthdays, phone numbers, etc)
[ ] I never choose passwords based on a pattern of letters or numbers (e.g. “1234” or “qwerty”)
[ ] I always have at least three character classes in my password (e.g., upper-case, lower-case, digits, punctuation)
[ ] I always choose a password that is at least 6 characters

Response   #People   %
WORD       50        40.0%
PRSNL      56        44.8%
PATTERN    70        56.0%
CRAZY      25        20.0%
LEN        67        53.6%
N = 125

One of the ways we processed this data was to create a “password complexity metric,” where a higher value means it would be harder to guess someone’s password. This metric was calculated by adding the number of boxes checked off.

Metric     #People   %
0          15        12.0%
1          38        30.4%
2          24        19.2%
3          22        17.6%
4          14        11.2%
5          12        9.6%
Average    2.14
Std Dev    1.50
N = 125

Figure 13-2. Password complexity metric, measuring how hard it would be to guess someone’s password. Higher values are better.

14. On average, how often do you change your password for a web site?

( ) More than once per week
( ) Once per week
( ) Once or twice per month
( ) Once or twice per year
( ) Less than once per year
( ) Never

Response   #People   %
week+      3         2.4%
1/wk       4         3.2%
1/mon      6         4.8%
1/yr       18        14.4%
1/yr-      22        17.6%
never      70        56.0%
N = 123

As expected, the majority of people (56%) never changed their password. However, we were quite surprised that some people claimed to change a password once a week or more! We are uncertain whether this is spurious data or if these are people quite concerned with security.

15. If you use the same password for more than one web site, how often do you stop using that password and start using another one for those web sites?

( ) More than once per week
( ) Once per week
( ) Once or twice per month
( ) Once or twice per year
( ) Less than once per year
( ) Never

This question was clearly confusing, given the low number of responses (86 out of 125).

Response   #People   %
week+      2         1.6%
1/wk       2         1.6%
1/mon      4         3.2%
1/yr       9         7.2%
1/yr-      20        16.0%
never      49        39.2%
N = 86

16. How often do you write down passwords that you use on the web?

( ) Always
( ) Often
( ) Sometimes
( ) Seldom
( ) Never

Response    #People   %
Always      19        15.2%
Often       15        12.0%
Sometimes   12        9.6%
Seldom      26        20.8%
Never       50        40.0%
Average     3.59
Std Dev     1.50
N = 122

There was a surprising number of people that never wrote down passwords (40.0%). We were expecting a much lower number.

17. How often do you share passwords for web sites with other people?

( ) Always
( ) Often
( ) Sometimes
( ) Seldom
( ) Never

Response    #People   %
Always      4         3.2%
Often       1         0.8%
Sometimes   6         4.8%
Seldom      21        16.8%
Never       93        74.0%
Average     4.58
Std Dev     0.88
N = 125

18. Do you have any passwords that you are concerned about someone figuring out?

( ) Yes
( ) No

Response   #People   %
Yes        106       84.8%
No         19        15.2%
N = 125

19. If you do have passwords you are concerned about, how hard do you think it would be for someone to guess any of these passwords?

Easy                                                       Difficult
1          2          3          4          5          6          7

Response      #People   %
1 EASY        7         5.6%
2             2         1.6%
3             13        10.4%
4             21        16.8%
5             13        10.4%
6             11        8.8%
7 DIFFICULT   34        27.2%
AVG = 4.98
STD DEV = 1.87
N = 101

20. Do you have any passwords that you are not concerned about someone figuring out?

( ) Yes
( ) No

Response   #People   %
Yes        106       84.8%
No         19        15.2%

21. If you do have passwords you are not concerned about, how hard do you think it would be for someone to guess any of these passwords?

Easy                                                       Difficult
1          2          3          4          5          6          7

Response      #People   %
1 EASY        12        9.6%
2             7         5.6%
3             7         5.6%
4             16        12.8%
5             17        13.6%
6             9         7.2%
7 DIFFICULT   38        30.4%
AVG = 4.87
STD DEV = 2.09
N = 106

Discussion

Our summary statistics showed that our sample is probably not representative of the Internet population. This is probably due to our sampling technique. Due to time constraints, we used three techniques for recruiting participants: popup windows on two web sites, classmates in college classes, and personal acquaintances. This, not surprisingly, yielded a noticeably skewed data set.

Through correlation analysis, we found that using many guidelines to create passwords and not sharing passwords were the only two types of security-related behavior that correlated significantly with web experience. We had difficulty finding other meaningful correlations in our data. This appears to be due to our large bin sizes for many of our questions. Scatterplots of two variables almost universally resembled rectangles, often with equally spaced points and no obvious trends or correlations. Finer-grained response categories would make it easier to find correlations.

To try to detect badly written questions, we conducted a pilot study with two participants. Although the study helped us detect several confusing questions, we found that people were still confused by some questions in the general study, as deduced from missing or inconsistent answers. We were forced to remove 15 participants from our data set as a result of incomplete or inconsistent responses. An example inconsistent response is answering “None” for question 6, but providing a response for question 7. In other cases, we changed the participants’ answers to make them consistent. For example, if a participant responded No for question 18, but then provided a response for question 19, we changed his or her answer for question 18 to Yes. A more extensive pilot test and using survey software that supports branching questions (for example, not showing question 19 if the answer to question 18 was No) could have eliminated these problems.
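The two cleaning rules described above, together with the EXPR, EXPR2 and Q13 count variables from the Correlations section, can be expressed as the following added Python example; it is not the authors' SPSS or Excel analysis. The responses are constructed, and the field names and the coding of answers as 1..k in option order are assumptions.

```python
from math import sqrt

# Constructed sample (NOT the survey's data). Ordinal answers are assumed to be
# coded 1..k in the order the options are listed in Appendix A, so q6 == 1 is "None".
# None means the question was left blank; q13 lists the guideline boxes checked.
# q3 and q4 are assumed to be answered in every record.
RESPONSES = [
    {"id": 1, "q3": 4, "q4": 5, "q6": 3, "q7": 2, "q13": ["a", "b", "c", "e"], "q18": "Yes", "q19": 6},
    {"id": 2, "q3": 1, "q4": 1, "q6": 2, "q7": 1, "q13": [], "q18": "No", "q19": None},
    {"id": 3, "q3": 3, "q4": 2, "q6": 1, "q7": 2, "q13": ["c"], "q18": "Yes", "q19": 5},
    {"id": 4, "q3": 2, "q4": 3, "q6": 3, "q7": 2, "q13": ["e"], "q18": "No", "q19": 4},
    {"id": 5, "q3": 4, "q4": 3, "q6": None, "q7": None, "q13": ["a", "c", "e"], "q18": "Yes", "q19": 7},
]

Q6_NONE = 1  # assumed code for the "None" option of question 6


def clean(responses):
    """Apply the two rules the Discussion describes; return (kept, dropped_ids)."""
    kept, dropped = [], []
    for r in responses:
        # Rule 1: "None" for question 6 but an answer for question 7 -> remove.
        if r["q6"] == Q6_NONE and r["q7"] is not None:
            dropped.append(r["id"])
            continue
        r = dict(r)  # copy so the raw record is left untouched
        # Rule 2: "No" for question 18 but an answer for question 19 -> set 18 to "Yes".
        if r["q18"] == "No" and r["q19"] is not None:
            r["q18"] = "Yes"
        kept.append(r)
    return kept, dropped


def derive(r):
    """Add the report's combined variables to one cleaned response."""
    out = dict(r)
    out["expr"] = r["q3"] + r["q4"]  # EXPR = Q3 + Q4
    # EXPR2 = EXPR + Q6; undefined when question 6 was left blank
    out["expr2"] = None if r["q6"] is None else out["expr"] + r["q6"]
    out["q13_count"] = len(r["q13"])  # complexity metric: boxes checked in Q13
    return out


def pearson(rows, x, y):
    """Pearson r with pairwise deletion; returns (r, n), r is None if undefined."""
    pairs = [(row[x], row[y]) for row in rows
             if row[x] is not None and row[y] is not None]
    n = len(pairs)
    if n < 3:
        return None, n
    mx = sum(a for a, _ in pairs) / n
    my = sum(b for _, b in pairs) / n
    sxy = sum((a - mx) * (b - my) for a, b in pairs)
    sxx = sum((a - mx) ** 2 for a, _ in pairs)
    syy = sum((b - my) ** 2 for _, b in pairs)
    if sxx == 0 or syy == 0:
        return None, n  # a constant column has no defined correlation
    return sxy / sqrt(sxx * syy), n


def t_stat(r, n):
    """t statistic for testing r against zero, with n - 2 degrees of freedom."""
    return r * sqrt((n - 2) / (1 - r * r))


if __name__ == "__main__":
    kept, dropped = clean(RESPONSES)
    rows = [derive(r) for r in kept]
    print("dropped ids:", dropped)
    for var in ("expr", "expr2"):
        r, n = pearson(rows, var, "q13_count")
        print("%s vs q13_count: r=%.3f N=%d" % (var, r, n))
    # The report's EXPR / Q13_count cell: r = 0.179 at N = 125
    print("t for r=0.179, N=125: %.2f" % t_stat(0.179, 125))
```

Pairwise deletion is why N differs from column to column in the correlation table: a respondent who skipped question 6 still counts toward EXPR but not toward EXPR2.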

References

[1]  University of Massachusetts Computer Security and Usage Guidelines, http://www.umassp.edu/policy/data/itcsecuse.html

[2]  Purdue University North Central Password Information, http://www.purduenc.edu/is/faq/passwd.html


Appendix A: Survey

The document below reflects the questions used in the web-based version of the survey. Question 3 of the printed survey contained an option for “More than 5 years,” which was not present in the web-based version of our survey. In addition, the web-based survey contained an option for “web-based e-mail” in question 10, which was not present in the printed survey.

Attitudes and Behavior Towards Password Use on the World Wide Web

 

Statement of Information Use

This survey is completely anonymous. We will not collect any kind of information that could potentially be used to discern your identity. We will not ask you to reveal any of your passwords. We will not use the information gathered in this survey for any purpose other than the analysis of attitudes and behaviors towards password use on the World Wide Web.

This survey will take approximately 10 minutes to complete.

 

Questions

1. What is your gender?
( ) Male
( ) Female

2. What is your age in years?  _____

3. How long have you been using the web?
( ) Less than 1 year
( ) 1–2 years
( ) 3–4 years
( ) More than 4 years

4. On average, how many hours per week do you use the web?
( ) Less than 5 hours
( ) 5–10 hours
( ) 11–15 hours
( ) 16–20 hours
( ) More than 20 hours

5. Do you have access to the Internet at home?
( ) Yes
( ) No

6. How many web sites that you regularly visit require you to log in?
( ) None
( ) 1
( ) 2–5
( ) 6–10
( ) More than 10

7. If your answer to question 6 was not None, about how many unique passwords do you use at these web sites?
( ) 1
( ) 2–5
( ) 6–10
( ) More than 10

8. Do you have a unique password for each web site that requires you to log in?
( ) Yes
( ) No

9. If your answer to the above question is No, check any of the following that apply to you:
[ ] a. I use a set of passwords for sites I trust and a different set for sites I don’t trust
[ ] b. I use a set of passwords for sites on specific topics (e.g. movies, sports)
[ ] c. I have a set of passwords that I choose from randomly
[ ] d. I use the same password for all sites
[ ] e. Other (please specify): ___________________________________________

10. Check any of the following services that you use on the web
[ ] Web-based e-mail
[ ] Shopping
[ ] Banking
[ ] Stock trading
[ ] Bill paying
[ ] Other financial services

11. Have you ever forgotten a password used on a web site?
( ) Yes
( ) No

12. If you have forgotten a password, check off any of the following that apply to you:
[ ] a. I’ve looked up a password from a list of passwords that I’ve created
[ ] b. I’ve used the web site’s features for retrieving my password (for example, have the password e-mailed to me, asks a question which only I know the response to)
[ ] c. I’ve e-mailed or telephoned customer support to get my password
[ ] d. I’ve created a new account on a site instead of trying to remember my password
[ ] e. I’ve stopped using a site because of a forgotten password

13. Check any of the following guidelines for choosing passwords that you follow:
[ ] a. I never choose any word in any language as a password, including names of well-known people and places
[ ] b. I never choose passwords based on personal information, such as names, birthdays, telephone numbers, or license plate numbers
[ ] c. I never choose passwords based on a pattern of letters or numbers, such as “1234” or “qwerty”
[ ] d. I always have at least three character classes in my password (e.g., upper-case, lower-case, digits, punctuation)
[ ] e. I always choose a password that is at least 6 characters

14. On average, how often do you change your password for a web site?
( ) More than once per week
( ) Once per week
( ) Once or twice per month
( ) Once or twice per year
( ) Less than once per year
( ) Never

15. If you use a password for more than one web site, how often do you stop using that password and start using another one for those web sites?
( ) More than once per week
( ) Once per week
( ) Once or twice per month
( ) Once or twice per year
( ) Less than once per year
( ) Never

16. How often do you write down passwords that you use on the web?
( ) Always
( ) Often
( ) Sometimes
( ) Seldom
( ) Never

17. How often do you share passwords for web sites with other people?
( ) Always
( ) Often
( ) Sometimes
( ) Seldom
( ) Never

18. Do you have any passwords that you are concerned about someone figuring out?
( ) Yes
( ) No

19. If you answered Yes for the above question, how hard do you think it would be for someone to guess any of the passwords you are concerned about?

Easy                                                       Difficult
1          2          3          4          5          6          7

20. Do you have any passwords that you are not concerned about someone figuring out?
( ) Yes
( ) No

21. If you answered Yes for the above question, how hard do you think it would be for someone to guess any of the passwords you are not concerned about?

Easy                                                       Difficult
1          2          3          4          5          6          7
 

 


Appendix B: Survey Instructions

Personal acquaintances were also invited to take the survey. The following e-mail was sent to these individuals:

 

I'm taking a course on evaluation methods. One of the assignments is to run a survey, and ours is on password attitudes and behavior. Feel free to redistribute.

It only takes about 10 minutes, is anonymous, and is at:

 

No further instructions were provided to these participants.

       
Appendix C: Pilot Test

We asked two participants to fill out the pilot survey form shown below. The survey was conducted on paper, and a member of the survey team was present to answer or clarify questions while the participant completed the form. Question 24 was used to identify ambiguous or unclear questions. Questions 21-23 were used to determine how apprehensive participants might be about completing a web-based survey on password usage. Based on the reactions of the pilot participants, we determined that we could deploy a web-based version of the survey without introducing security concerns among participants.

Attitudes and Behavior Towards Password Use on the World Wide Web

 

Statement of Information Use

This survey is completely anonymous. We will not collect any kind of information that could potentially be used to discern your identity. We will not ask you to reveal any of your passwords. We do not use tracking techniques such as cookies on this website. We will not collect information such as your IP address, Internet service provider, or browser type. We will not use the information gathered in this survey for any purpose other than the analysis of attitudes and behaviors towards password use on the World Wide Web.

This survey will take approximately 15 minutes to complete.

 

Questions

1. What is your gender?
( ) Male
( ) Female

2. What is your age in years?
( ) Less than 14
( ) 14–22
( ) 23–31
( ) 32–40
( ) 41–49
( ) More than 49

3. How long have you been using the web?
( ) Less than 1 year
( ) 1–2 years
( ) 3–4 years
( ) 4–5 years
( ) More than 5 years

4. On average, how many hours per day do you use the web?
( ) Less than 1 hour
( ) 1–3 hours
( ) 4–6 hours
( ) More than 6 hours

5. Do you have access to the Internet at home?
( ) Yes
( ) No

6. How many web sites that you visit require you to log in?
( ) None
( ) 1
( ) 2–5
( ) 6–10
( ) More than 10

7. About how many unique passwords do you use at these web sites?
( ) None
( ) 1
( ) 2–5
( ) 6–10
( ) More than 10

8. Do you have a unique password for each web site that requires one?
( ) Yes
( ) No

9. If your answer to the above question is No, check any of the following that apply to you:
[ ] a. I use a set of passwords for sites I trust and a different set for sites I don’t trust
[ ] b. I use a set of passwords for sites on specific topics (e.g. movies, sports)
[ ] c. I have a set of passwords that I choose from randomly
[ ] d. I use the same password for all sites
[ ] e. Other (please specify): ___________________________________________

10. Have you ever forgotten a password used on a web site?
( ) Yes
( ) No

11. If you have forgotten a password, check off any of the following that apply to you:
[ ] a. I’ve looked up a password from a list of passwords that I’ve created
[ ] b. I’ve used the web site’s features for retrieving my password (for example, have the password e-mailed to me, asks a question which only I know the response to)
[ ] c. I’ve e-mailed or telephoned customer support to get my password
[ ] d. I’ve created a new account on a site instead of trying to remember my password
[ ] e. I’ve stopped using a site because of a forgotten password

12. Check any of the following guidelines for choosing passwords that you follow:
[ ] a. I never choose any word in any language as a password, including names of well-known people and places
[ ] b. I never choose passwords based on personal information, such as names, birthdays, telephone numbers, or license plate numbers
[ ] c. I never choose passwords based on a pattern of letters or numbers, such as “1234” or “qwerty”
[ ] d. I always have at least three character classes in my password (e.g., upper-case, lower-case, digits, punctuation)
[ ] e. I always choose a password that is longer than 4 characters

13. On average, how often do you change your password for a web site?
( ) More than once per week
( ) Once per week
( ) Once or twice per month
( ) Once or twice per year
( ) Less than once per year

14. If you use a password for more than one web site, how often do you stop using that password and start using another one for those web sites?
( ) More than once per week
( ) Once per week
( ) Once or twice per month
( ) Once or twice per year
( ) Less than once per year

15. How often do you write down passwords that you use on the web?
( ) Never
( ) Seldom
( ) Sometimes
( ) Often
( ) Always

16. How often do you share passwords for web sites with other people?
( ) Never
( ) Seldom
( ) Sometimes
( ) Often
( ) Always

17. Do you have any passwords that you are concerned about someone figuring out?
( ) Yes
( ) No

18. If you answered Yes for the above question, how hard do you think it would be for someone to figure out any of the passwords you are concerned about?

Difficult                                                       Easy
1          2          3          4          5          6          7

19. Do you have any passwords that you are not concerned about someone figuring out?
( ) Yes
( ) No

20. If you answered Yes for the above question, how hard do you think it would be for someone to figure out any of the passwords you are not concerned about?

Difficult                                                       Easy
1          2          3          4          5          6          7

Questions for Pilot Respondents

21. Are you concerned that this information could be used to discover your passwords?
( ) Yes
( ) No

22. If so, did that affect your answers?
( ) Yes
( ) No

23. Which would you be more willing to take, a paper-based or a computer-based version of this survey?
( ) Paper
( ) Computer

24. Which questions were unclear or misleading?

25. Please write any other comments you have about this survey.

 


Appendix D: URL 

                                   

Data and analysis for SPSS and Excel are located at:
