Jason Hong
Hesham Kamel
John Kodumal
Francis Li
James Lin
Conducted from September 28–October 6, 2000
October 11, 2000
Survey Project Requirement for IS 271
IS 271 Instructor: Dr. Rashmi Sinha
Address inquiries to: Jason Hong
E-mail: {jasonh,hesham,jkodumal,fli,jimlin}@cs.berkeley.edu
SIMS Administrative Office
Attn: Dr. Rashmi Sinha
102 South Hall
Berkeley, CA 94720-4600
Introduction
There is a usability and security problem caused by an increase in the number of web sites that require password-based logins. Web sites for e-commerce, e-mail, financial services, and even news require users to log in. There is a great deal of variability in sites that require logins. The type of data that these sites protect with passwords ranges from highly sensitive (in the case of financial information) to relatively insensitive (in the case of news services, for instance). The frequency of use varies greatly as well. Many web sites are accessed daily (web-based e-mail, for instance) while others are accessed infrequently.
All of these factors contribute to a password management problem. As a result, users must devise mechanisms to make it easy to remember passwords, such as basing the password on personal information, reusing passwords, or writing passwords down. However, these mechanisms are often at odds with good security guidelines. As additional services are layered onto the web, we believe that this password management problem will only worsen.
We conducted a survey of 125 people to test our hypotheses. The survey results support the broad hypothesis that people deviate from secure password practices. However, they deviated in many ways, with few discernable trends among the various demographic groups.
We used a survey-based methodology to examine the nature of this problem. For the purposes of this project, we have defined a “secure model of behavior” based on widely accepted security guidelines (see [1] and [2], for example). We assume that failures to adhere to these security guidelines correspond to insecure behavior.
Our primary hypothesis is that experienced and inexperienced web users deviate from the secure model of behavior in different ways. Specifically, experienced users have multiple passwords but tend to write them down, while inexperienced users have a single password but do not write it down. In addition, we believe that users have adopted their own password management schemes, which often involve using the same password for multiple web sites.
We did not expect to find significant correlations with age or gender, although this information was gathered.
Our independent variables include gender, age, number of years using the web, hours spent surfing the web, and access to the Internet at home. We hoped that the latter three variables would give us a measure of web experience. Our dependent variables include password management strategies, passwords forgotten, adherence to password choice guidelines, and number of passwords used on web sites.
We deployed web-based and print versions of the survey. One question in the print survey mistakenly contained an additional response category that was not present in the electronic version (Appendix A).
The web-based survey was prompted via pop-up windows on two web sites (http://www.francisli.com and http://www.peggyli.com). In addition, the survey URL was e-mailed to select individuals (Appendix B). The web-based survey was prompted a total of 1579 times, with 103 completed responses, yielding a response rate of 6.5%.
We also solicited 37 responses using a printed version of the survey. Participants were chosen from the International House and from an undergraduate-level foreign language class at Berkeley.
Several participants did not complete the survey or answered questions inconsistently. Their responses were removed from the data set, leaving 125 valid responses.
We calculated correlations between most of the questions in the survey. The only questions we did not correlate were concerned with how people dealt with forgetting their password. We also correlated the questions with metrics we created by combining other variables together. For example, EXPR measures experience using the web by adding together a person’s answers for questions 3 and 4 (how long they have been using the web and how many hours per week they use the web, respectively). EXPR2 was created by adding EXPR with Question 6, which asks how many regularly visited sites require logging in. Appendix E shows the correlation values.
None of the significant correlations had an absolute value greater than 0.5, except between Questions 19 and 21 (those who felt that passwords they were concerned about would be difficult to guess are correlated with those who felt that passwords they were not concerned about would be difficult to guess). The high correlation between EXPR and Question 3 or Question 4 is irrelevant since EXPR is based on Questions 3 and 4. The same can be said between EXPR2 and Questions 3, 4, and 6.
Many of the significant correlations do not help us answer our hypothesis. For that, we were particularly interested in correlations between Questions 3 and 4, EXPR, and EXPR2 on one hand, and Questions 13, 14, 16, 17, 19, and 21 on the other. That section of the correlation table is reproduced below.

| | | Q13_count | Q14 | Q16 | Q17 | Q19 | Q21 |
|---|---|---|---|---|---|---|---|
| Q3 | Pearson Correlation | 0.173 | 0.074 | 0.160 | 0.340** | -0.019 | 0.083 |
| | Sig. (2-tailed) | 0.054 | 0.416 | 0.079 | 0.000 | 0.850 | 0.397 |
| | N | 125 | 123 | 122 | 125 | 101 | 106 |
| Q4 | Pearson Correlation | 0.130 | -0.050 | 0.066 | 0.096 | -0.014 | -0.097 |
| | Sig. (2-tailed) | 0.149 | 0.580 | 0.472 | 0.285 | 0.886 | 0.320 |
| | N | 125 | 123 | 122 | 125 | 101 | 106 |
| Q6 | Pearson Correlation | -0.012 | -0.161 | -0.069 | -0.136 | -0.134 | -0.142 |
| | Sig. (2-tailed) | 0.894 | 0.077 | 0.452 | 0.131 | 0.183 | 0.147 |
| | N | 124 | 122 | 121 | 124 | 101 | 105 |
| EXPR | Pearson Correlation | 0.179* | 0.001 | 0.118 | 0.225* | -0.014 | -0.028 |
| | Sig. (2-tailed) | 0.046 | 0.989 | 0.195 | 0.012 | 0.892 | 0.777 |
| | N | 125 | 123 | 122 | 125 | 101 | 106 |
| EXPR2 | Pearson Correlation | 0.144 | -0.051 | 0.063 | 0.142 | -0.055 | -0.070 |
| | Sig. (2-tailed) | 0.110 | 0.577 | 0.494 | 0.116 | 0.583 | 0.480 |
| | N | 124 | 122 | 121 | 124 | 101 | 105 |

* Correlation is significant at the 0.05 level (2-tailed).
** Correlation is significant at the 0.01 level (2-tailed).
As you can see, there are only three significant correlations in this set:
This means that inexperienced users of the web violate password security principles in distinctly different ways from those with more experience, but not in as many ways as we expected.
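The Sig. (2-tailed) row follows from each cell's r and N, and N differs between columns because skipped questions are dropped pair by pair. The Python below is an added example, not part of the original report: it builds EXPR and EXPR2 as defined earlier and recomputes Sig. and the significance stars for five cells of the correlation table. The ordinal answer coding and the SAMPLE responses are constructed assumptions.

```python
import math

# Constructed sample responses (not survey data). Answers are ordinal codes
# 1..k in the order the options were listed (an assumption); None = skipped.
SAMPLE = [
    {"q3": 4, "q4": 5, "q6": 3, "q17": 5}, {"q3": 4, "q4": 2, "q6": 4, "q17": 5},
    {"q3": 3, "q4": 3, "q6": 3, "q17": 4}, {"q3": 1, "q4": 1, "q6": 2, "q17": 2},
    {"q3": 2, "q4": 1, "q6": None, "q17": 4}, {"q3": 4, "q4": 4, "q6": 5, "q17": 5},
    {"q3": 3, "q4": 5, "q6": 3, "q17": None}, {"q3": 4, "q4": 3, "q6": 1, "q17": 5},
]

# (row, column, r, N, Sig.) copied from the correlation table above.
TABLE_CELLS = [
    ("Q3", "Q13_count", 0.173, 125, 0.054),
    ("Q3", "Q17", 0.340, 125, 0.000),
    ("Q6", "Q14", -0.161, 122, 0.077),
    ("EXPR", "Q13_count", 0.179, 125, 0.046),
    ("EXPR", "Q17", 0.225, 125, 0.012),
]

def expr(resp):
    """EXPR = Q3 + Q4; missing if either answer is missing."""
    if resp["q3"] is None or resp["q4"] is None:
        return None
    return resp["q3"] + resp["q4"]

def expr2(resp):
    """EXPR2 = EXPR + Q6; a skipped Q6 removes the respondent from this row."""
    base = expr(resp)
    return None if base is None or resp["q6"] is None else base + resp["q6"]

def pearson(xs, ys):
    """Pearson r with pairwise deletion. Returns (r, number_of_pairs_used)."""
    pairs = [(x, y) for x, y in zip(xs, ys) if x is not None and y is not None]
    n = len(pairs)
    if n < 3:
        raise ValueError("need at least 3 complete pairs")
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    sxy = sum((x - mx) * (y - my) for x, y in pairs)
    sxx = sum((x - mx) ** 2 for x, _ in pairs)
    syy = sum((y - my) ** 2 for _, y in pairs)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant column has no defined correlation")
    return sxy / math.sqrt(sxx * syy), n

def two_tailed_p(r, n, steps=2000):
    """Sig. (2-tailed) for r over n pairs: Student's t with n - 2 degrees of freedom."""
    if abs(r) >= 1.0:
        return 0.0
    df = n - 2
    t = abs(r) * math.sqrt(df / (1.0 - r * r))
    log_c = math.lgamma((df + 1) / 2) - math.lgamma(df / 2) - 0.5 * math.log(df * math.pi)

    def pdf(x):
        return math.exp(log_c - (df + 1) / 2 * math.log1p(x * x / df))

    # Simpson's rule (even number of steps) for the density area between 0 and t.
    h = t / steps
    area = pdf(0.0) + pdf(t)
    area += sum((4 if i % 2 else 2) * pdf(i * h) for i in range(1, steps))
    return max(0.0, 1.0 - 2.0 * area * h / 3)

def stars(p):
    """Markers used in the table: ** below 0.01, * below 0.05."""
    return "**" if p < 0.01 else "*" if p < 0.05 else ""

def recompute_table(cells=TABLE_CELLS):
    """Recompute Sig. and stars from each cell's r and N; keep the printed Sig."""
    out = []
    for row, col, r, n, sig in cells:
        p = two_tailed_p(r, n)
        out.append((row, col, round(p, 3), stars(p), sig))
    return out

if __name__ == "__main__":
    for row, col, p, mark, sig in recompute_table():
        print(f"{row:5} x {col:9} recomputed p={p:.3f}{mark:2} table Sig.={sig:.3f}")
    r, n = pearson([expr2(x) for x in SAMPLE], [x["q17"] for x in SAMPLE])
    print(f"sample EXPR2 x Q17: r={r:.3f}, N={n} of {len(SAMPLE)}")
```

Because the table prints r to three decimals, a recomputed Sig. can differ from the printed one in the last digit.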
1. What is your gender?
○ Male
○ Female

| Response | #People | % |
|---|---|---|
| Male | 79 | 63.2% |
| Female | 46 | 36.8% |

N = 125
Figure 1 – Number of males and females that participated in this survey.
2. What is your age in years?

| Response | #People | % |
|---|---|---|
| 11-20 | 32 | 25.6% |
| 21-30 | 54 | 43.2% |
| 31-40 | 16 | 12.8% |
| 41-50 | 14 | 11.2% |
| 51-60 | 7 | 5.6% |
| 61-70 | 0 | 0.0% |
| 71-80 | 1 | 0.8% |
| 81-90 | 1 | 0.8% |
| Min | 15 | |
| Max | 88 | |
| Median | 24 | |
| Average | 29.12 | |
| Std Dev | 12.67 | |

N = 125
Figure 2 – Age distribution of people participating in this survey.
This was a freeform answer question. The table above puts the ages into buckets for convenience. We were surprised by the two obvious outliers, one person claiming to be age 75 and another claiming to be 88.
3. About how long have you been using the web?
○ Less than 1 year
○ 1 to 2 years
○ 3 to 4 years
○ More than 4 years

| Response | #People | % |
|---|---|---|
| <1 | 8 | 6.4% |
| 1-2 | 8 | 6.4% |
| 3-4 | 31 | 24.8% |
| 4+ | 75 | 60.0% |
| Median | 4 | |
| Average | 3.45 | |
| Std Dev | 0.90 | |

N = 125
Figure 3 – Number of years participants have been using the web.
We were also surprised by how heavily skewed the data was to the right, especially given the large number of new people coming online.
4. On average, how many hours per week do you use the web?
○ Less than 5 hours
○ 5–10 hours
○ 11–15 hours
○ 16–20 hours
○ More than 20 hours

| Response | #People | % |
|---|---|---|
| <5 | 19 | 15.2% |
| 5-10 | 31 | 24.8% |
| 11-15 | 17 | 13.6% |
| 16-20 | 13 | 10.4% |
| 20+ | 45 | 36.0% |

N = 125
Figure 4 – Number of hours per week participants used the web.
This set of data has an interesting bimodal distribution. We suspect that the large number of users using the web for more than 20 hours per week is due to people at work that use the web or students that make heavy use of the web.
Nielsen / Netratings reports that for the week ending July 30, 2000, the average time spent surfing per week was 3 hours 13 minutes, meaning that we clearly have a skewed group here.
5. Do you have access to the Internet at home?
○ Yes
○ No

| Response | #People | % |
|---|---|---|
| Yes | 120 | 96.0% |
| No | 5 | 4.0% |

N = 125
Figure 5 – Number of survey participants that have Internet access at home.
We had hoped to use this as an indicator of experience, but this data proved to be fairly useless to us, since nearly everyone had Internet access at home. For this reason, this set of data was not used in our analysis.
6. How many web sites that you regularly visit require you to log in?
○ None
○ 1
○ 2–5
○ 6–10
○ More than 10

| Response | #People | % |
|---|---|---|
| None | 2 | 1.6% |
| 1 | 13 | 10.4% |
| 2-5 | 72 | 57.6% |
| 6-10 | 23 | 18.4% |
| 10+ | 14 | 11.2% |

N = 124
Figure 6 – Number of web sites requiring logins. The peak is at the bucket representing 2-5 websites.
7. If you do regularly visit web sites that require you to log in, about how many unique passwords do you use for these web sites?
○ 1
○ 2–5
○ 6–10
○ More than 10

| Response | #People | % |
|---|---|---|
| 1 | 30 | 24.0% |
| 2-5 | 81 | 64.8% |
| 6-10 | 8 | 6.4% |
| 10+ | 2 | 1.6% |

N = 121
Figure 7 – The number of unique passwords used.
As expected, a fair number of people used only one password. The majority of people had between 2-5 passwords, but unfortunately, the bucket we chose for this range may have been too large to be useful.
8. Do you have a unique password for each web site that requires you to log in?
○ Yes
○ No

| Response | #People | % |
|---|---|---|
| Yes | 38 | 30.4% |
| No | 87 | 69.6% |

N = 124
Figure 8 – Number of people that use unique passwords for every web site.
As expected, the number of people that use unique passwords for every web site is in the minority. However, more people than expected used unique passwords.
9. If you do not use a unique password for every web site, please check off any of the following that apply to you:
☐ I use a set of passwords for sites I trust and a different set for sites I don’t trust
☐ I use a set of passwords for sites on specific topics (e.g. movies, sports)
☐ I have a set of passwords that I choose from randomly
☐ I use the same password for all sites
☐ Other (Please Specify) __________
These answers are not mutually exclusive.

| Response | #People | % |
|---|---|---|
| TRUST | 38 | 30.4% |
| TOPIC | 6 | 4.8% |
| RNDM | 28 | 22.4% |
| SAME | 29 | 23.2% |
| OTHER | 9 | 7.2% |

N = 125
10. Check any of the following services that you use on the web
☐ Web-based Email (e.g. Hotmail or Yahoo Mail)
☐ Shopping
☐ Banking
☐ Stock trading
☐ Bill paying
☐ Other financial services

| Response | #People | % |
|---|---|---|
| E-mail | 26 | 20.8% |
| Shop | 25 | 20.0% |
| Bank | 18 | 14.4% |
| Stock | 4 | 3.2% |
| Bill | 9 | 7.2% |
| Other | 5 | 4.0% |

N = 125
The first choice of web-based e-mail was added after the print survey, so that choice was not used in the correlation analysis.
11. Have you ever forgotten a password used on a web site?
○ Yes
○ No

| Response | #People | % |
|---|---|---|
| Yes | 102 | 81.6% |
| No | 20 | 16.0% |

N = 122
As expected, the majority of people have forgotten a password.
12. If you have forgotten a password, check off any of the following that apply to you:
☐ I’ve looked up a password from a list of passwords that I’ve created
☐ I’ve used the web site’s features for retrieving my password (for example, have the password e-mailed to me, asks a question which only I know the response to)
☐ I’ve e-mailed or telephoned customer support to get my password
☐ I’ve created a new account on a site instead of trying to remember my password
☐ I’ve stopped using a site because of a forgotten password

| Response | #People | % |
|---|---|---|
| LIST | 38 | 30.4% |
| EMAIL / Q | 76 | 60.8% |
| SUPT | 25 | 20.0% |
| NEWACCT | 51 | 40.8% |
| STOP | 46 | 36.8% |

N = 125
13. Check any of the following guidelines for choosing passwords that you follow:
☐ I never choose any word in any language as a password, including names of well-known people and places
☐ I never choose passwords based on personal information (e.g. names, birthdays, phone numbers, etc)
☐ I never choose passwords based on a pattern of letters or numbers (e.g. “1234” or “qwerty”)
☐ I always have at least three character classes in my password (e.g., upper-case, lower-case, digits, punctuation)
☐ I always choose a password that is at least 6 characters

| Response | #People | % |
|---|---|---|
| WORD | 50 | 40.0% |
| PRSNL | 56 | 44.8% |
| PATTERN | 70 | 56.0% |
| CRAZY | 25 | 20.0% |
| LEN | 67 | 53.6% |

N = 125
One of the ways we processed this data was to create a “password complexity metric,” where a higher value means it would be harder to guess someone’s password. This metric was calculated by adding up the number of boxes checked off.

| Metric | #People | % |
|---|---|---|
| 0 | 15 | 0.12 |
| 1 | 38 | 0.304 |
| 2 | 24 | 0.192 |
| 3 | 22 | 0.176 |
| 4 | 14 | 0.112 |
| 5 | 12 | 0.096 |
| Average | 2.14 | |
| Std Dev | 1.50 | |

N = 125
Figure 13-2. Password complexity metric, measuring how hard it would be to guess someone’s password. Higher values are better.
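An added example (not from the original report): the five Question 13 guidelines applied to a single candidate password, returning the same 0 to 5 count as the complexity metric. The survey metric counts self-reported habits, so scoring one password is a generalization; the word list, keyboard rows, run length of 4 and sample passwords are constructed assumptions.

```python
import string

# Constructed sample data (assumptions for this example, not from the survey).
SAMPLE_WORDS = {"password", "dragon", "berkeley", "monkey", "letmein", "paris"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _flatten(text):
    """Lower-case and keep only letters and digits, so 'Dra-gon' matches 'dragon'."""
    return "".join(c for c in text.lower() if c.isalnum())


def is_dictionary_word(pw, words=SAMPLE_WORDS):
    """WORD: the password is a listed word, ignoring digits stuck on either end."""
    return _flatten(pw).strip(string.digits) in words


def uses_personal_info(pw, personal_tokens):
    """PRSNL: a supplied token (name, birth year, phone number) appears in it."""
    flat = _flatten(pw)
    tokens = (_flatten(t) for t in personal_tokens)
    return any(len(t) >= 3 and t in flat for t in tokens)


def has_pattern(pw, run=4):
    """PATTERN: a run of repeated, sequential or keyboard-adjacent characters."""
    flat = pw.lower()
    for i in range(len(flat) - run + 1):
        chunk = flat[i:i + run]
        if len(set(chunk)) == 1:                      # 'aaaa'
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):  # '1234', 'dcba'
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True                               # 'qwer', 'lkjh'
    return False


def character_classes(pw):
    """CRAZY: how many of lower, upper, digit, punctuation are present."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(test(c) for c in pw) for test in tests)


def check_password(pw, personal_tokens=()):
    """Return ({guideline: followed?}, metric) where metric is the 0-5 count."""
    followed = {
        "WORD": not is_dictionary_word(pw),
        "PRSNL": not uses_personal_info(pw, personal_tokens),
        "PATTERN": not has_pattern(pw),
        "CRAZY": character_classes(pw) >= 3,
        "LEN": len(pw) >= 6,
    }
    return followed, sum(followed.values())


if __name__ == "__main__":
    samples = [("qwerty", ()), ("dragon1", ()),
               ("Alice1975!", ("Alice", "1975")), ("Tr7#vq!Lm2", ())]
    for pw, tokens in samples:
        followed, metric = check_password(pw, tokens)
        missed = [name for name, ok in followed.items() if not ok]
        print(f"{pw!r}: metric {metric}/5, missed {missed}")
```

A score of 5 only means none of these five checks fired; with a word list this small it says little about real guessing resistance.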
14. On average, how often do you change your password for a web site?
○ More than once per week
○ Once per week
○ Once or twice per month
○ Once or twice per year
○ Less than once per year
○ Never

| Response | #People | % |
|---|---|---|
| week+ | 3 | 2.4% |
| 1/wk | 4 | 3.2% |
| 1/mon | 6 | 4.8% |
| 1/yr | 18 | 14.4% |
| 1/yr- | 22 | 17.6% |
| never | 70 | 56.0% |

N = 123
As expected, the majority of people (56%) never changed their password. However, we were quite surprised that some people claimed to change a password once a week or more! We are uncertain whether this is spurious data or if these are people quite concerned with security.
15. If you use the same password for more than one web site, how often do you stop using that password and start using another one for those web sites?
○ More than once per week
○ Once per week
○ Once or twice per month
○ Once or twice per year
○ Less than once per year
○ Never
This question was clearly confusing, given the low number of responses (86 out of 125).

| Response | #People | % |
|---|---|---|
| week+ | 2 | 1.6% |
| 1/wk | 2 | 1.6% |
| 1/mon | 4 | 3.2% |
| 1/yr | 9 | 7.2% |
| 1/yr- | 20 | 16.0% |
| never | 49 | 39.2% |

N = 86
16. How often do you write down passwords that you use on the web?
○ Always
○ Often
○ Sometimes
○ Seldom
○ Never

| Response | #People | % |
|---|---|---|
| Always | 19 | 15.2% |
| Often | 15 | 12.0% |
| Sometime | 12 | 9.6% |
| Seldom | 26 | 20.8% |
| Never | 50 | 40.0% |
| Average | 3.59 | |
| Std Dev | 1.50 | |

N = 122
There was a surprising number of people that never wrote down passwords (40.0%). We were expecting a much lower number.
17. How often do you share passwords for web sites with other people?
○ Always
○ Often
○ Sometimes
○ Seldom
○ Never

| Response | #People | % |
|---|---|---|
| Always | 4 | 3.2% |
| Often | 1 | 0.8% |
| Sometime | 6 | 4.8% |
| Seldom | 21 | 16.8% |
| Never | 93 | 74.0% |
| Average | 4.58 | |
| Std Dev | 0.88 | |

N = 125
18. Do you have any passwords that you are concerned about someone figuring out?
○ Yes
○ No

| Response | #People | % |
|---|---|---|
| Yes | 106 | 84.8% |
| No | 19 | 15.2% |

N = 125
19. If you do have passwords you are concerned about, how hard do you think it would be for someone to guess any of these passwords?

| Response | #People | % |
|---|---|---|
| 1 EASY | 7 | 5.6% |
| 2 | 2 | 1.6% |
| 3 | 13 | 10.4% |
| 4 | 21 | 16.8% |
| 5 | 13 | 10.4% |
| 6 | 11 | 8.8% |
| 7 DIFFICULT | 34 | 27.2% |

AVG = 4.98
STD DEV = 1.87
N = 101
20. Do you have any passwords that you are not concerned about someone figuring out?
○ Yes
○ No

| Response | #People | % |
|---|---|---|
| Yes | 106 | 0.848 |
| No | 19 | 0.152 |

21. If you do have passwords you are not concerned about, how hard do you think it would be for someone to guess any of these passwords?

| Response | #People | % |
|---|---|---|
| 1 EASY | 12 | 9.6% |
| 2 | 7 | 5.6% |
| 3 | 7 | 5.6% |
| 4 | 16 | 12.8% |
| 5 | 17 | 13.6% |
| 6 | 9 | 7.2% |
| 7 Difficult | 38 | 30.4% |

AVG = 4.87
STD DEV = 2.09
N = 106
Our summary statistics showed that our sample is probably not representative of the Internet population. This is probably due to our sampling technique. Due to time constraints, we used three techniques for recruiting participants: popup windows on two web sites, classmates in college classes, and personal acquaintances. This, not surprisingly, yielded a noticeably skewed data set.
Through correlation analysis, we found that using many guidelines to create passwords and not sharing passwords were the only two types of security-related behavior that correlated significantly with web experience. We had difficulty finding other meaningful correlations in our data. This appears to be due to our large bin sizes for many of our questions. Scatterplots of two variables almost universally resembled rectangles, often with equally spaced points and no obvious trends or correlations. Finer-grained response categories would make it easier to find correlations.
To try to detect badly written questions, we conducted a pilot study with two participants. Although the study helped us detect several confusing questions, we found that people were still confused by some questions in the general study, as deduced from missing or inconsistent answers. We were forced to remove 15 participants from our data set as a result of incomplete or inconsistent responses. An example inconsistent response is answering “None” for question 6, but providing a response for question 7. In other cases, we changed the participants’ answers to make them consistent. For example, if a participant responded No for question 18, but then provided a response for question 19, we changed his or her answer for question 18 to Yes. A more extensive pilot test and using survey software that supports branching questions (for example, not showing question 19 if the answer to question 18 was No) could have eliminated these problems.
[2] Purdue University North Central Password Information, http://www.purduenc.edu/is/faq/passwd.html
The document below reflects the questions used in the web-based version of the survey. Question 3 of the printed survey contained an option for “More than 5 years,” which was not present in the web-based version of our survey. In addition, the web-based survey contained an option for “web-based e-mail” in question 10, which was not present in the printed survey.
Statement of Information Use
This survey is completely anonymous. We will not collect any kind of information that could potentially be used to discern your identity. We will not ask you to reveal any of your passwords. We will not use the information gathered in this survey for any purpose other than the analysis of attitudes and behaviors towards password use on the World Wide Web.
This survey will take approximately 10 minutes to complete.
Questions
1. What is your gender?
○ Male
○ Female
2. What is your age in years? _____
3. How long have you been using the web?
○ Less than 1 year
○ 1–2 years
○ 3–4 years
○ More than 4 years
4. On average, how many hours per week do you use the web?
○ Less than 5 hours
○ 5–10 hours
○ 11–15 hours
○ 16–20 hours
○ More than 20 hours
5. Do you have access to the Internet at home?
○ Yes
○ No
6. How many web sites that you regularly visit require you to log in?
○ None
○ 1
○ 2–5
○ 6–10
○ More than 10
7. If your answer to question 6 was not None, about how many unique passwords do you use at these web sites?
○ 1
○ 2–5
○ 6–10
○ More than 10
8. Do you have a unique password for each web site that requires you to log in?
○ Yes
○ No
9. If your answer to the above question is No, check any of the following that apply to you:
☐ a. I use a set of passwords for sites I trust and a different set for sites I don’t trust
☐ b. I use a set of passwords for sites on specific topics (e.g. movies, sports)
☐ c. I have a set of passwords that I choose from randomly
☐ d. I use the same password for all sites
☐ e. Other (please specify):
10. Check any of the following services that you use on the web
☐ Web-based e-mail
☐ Shopping
☐ Banking
☐ Stock trading
☐ Bill paying
☐ Other financial services
11. Have you ever forgotten a password used on a web site?
○ Yes
○ No
12. If you have forgotten a password, check off any of the following that apply to you:
☐ a. I’ve looked up a password from a list of passwords that I’ve created
☐ b. I’ve used the web site’s features for retrieving my password (for example, have the password e-mailed to me, asks a question which only I know the response to)
☐ c. I’ve e-mailed or telephoned customer support to get my password
☐ d. I’ve created a new account on a site instead of trying to remember my password
☐ e. I’ve stopped using a site because of a forgotten password
13. Check any of the following guidelines for choosing passwords that you follow:
☐ a. I never choose any word in any language as a password, including names of well-known people and places
☐ b. I never choose passwords based on personal information, such as names, birthdays, telephone numbers, or license plate numbers
☐ c. I never choose passwords based on a pattern of letters or numbers, such as “1234” or “qwerty”
☐ d. I always have at least three character classes in my password (e.g., upper-case, lower-case, digits, punctuation)
☐ e. I always choose a password that is at least 6 characters
14. On average, how often do you change your password for a web site?
○ More than once per week
○ Once per week
○ Once or twice per month
○ Once or twice per year
○ Less than once per year
○ Never
15. If you use a password for more than one web site, how often do you stop using that password and start using another one for those web sites?
○ More than once per week
○ Once per week
○ Once or twice per month
○ Once or twice per year
○ Less than once per year
○ Never
16. How often do you write down passwords that you use on the web?
○ Always
○ Often
○ Sometimes
○ Seldom
○ Never
17. How often do you share passwords for web sites with other people?
○ Always
○ Often
○ Sometimes
○ Seldom
○ Never
18. Do you have any passwords that you are concerned about someone figuring out?
○ Yes
○ No
19. If you answered Yes for the above question, how hard do you think it would be for someone to guess any of the passwords you are concerned about?
20. Do you have any passwords that you are not concerned about someone figuring out?
○ Yes
○ No
21. If you answered Yes for the above question, how hard do you think it would be for someone to guess any of the passwords you are not concerned about?
Personal acquaintances were also invited to take the survey. The following e-mail was sent to these individuals:
I'm taking a course on evaluation methods. One of the assignments is to run a survey, and ours is on password attitudes and behavior. Feel free to redistribute.
It only takes about 10 minutes, is anonymous, and is at:
No further instructions were provided to these participants.
We asked two participants to fill out the pilot survey form shown below. The survey was conducted on paper, and a member of the survey team was present to answer or clarify questions while the participant completed the form. Question 24 was used to identify ambiguous or unclear questions. Questions 21-23 were used to determine how apprehensive participants might be about completing a web-based survey on password usage. Based on the reactions of the pilot participants, we determined that we could deploy a web-based version of the survey without introducing security concerns among participants.
Statement of Information Use
This survey is completely anonymous. We will not collect any kind of information that could potentially be used to discern your identity. We will not ask you to reveal any of your passwords. We do not use tracking techniques such as cookies on this website. We will not collect information such as your IP address, Internet service provider, or browser type. We will not use the information gathered in this survey for any purpose other than the analysis of attitudes and behaviors towards password use on the World Wide Web.
This survey will take approximately 15 minutes to complete.
Questions
1. What is your gender?
○ Male
○ Female
2. What is your age in years?
○ Less than 14
○ 14–22
○ 23–31
○ 32–40
○ 41–49
○ More than 49
3. How long have you been using the web?
○ Less than 1 year
○ 1–2 years
○ 3–4 years
○ 4–5 years
○ More than 5 years
4. On average, how many hours per day do you use the web?
○ Less than 1 hour
○ 1–3 hours
○ 4–6 hours
○ More than 6 hours
5. Do you have access to the Internet at home?
○ Yes
○ No
6. How many web sites that you visit require you to log in?
○ None
○ 1
○ 2–5
○ 6–10
○ More than 10
7. About how many unique passwords do you use at these web sites?
○ None
○ 1
○ 2–5
○ 6–10
○ More than 10
8. Do you have a unique password for each web site that requires one?
○ Yes
○ No
9. If your answer to the above question is No, check any of the following that apply to you:
☐ a. I use a set of passwords for sites I trust and a different set for sites I don’t trust
☐ b. I use a set of passwords for sites on specific topics (e.g. movies, sports)
☐ c. I have a set of passwords that I choose from randomly
☐ d. I use the same password for all sites
☐ e. Other (please specify):
10. Have you ever forgotten a password used on a web site?
○ Yes
○ No
11. If you have forgotten a password, check off any of the following that apply to you:
☐ a. I’ve looked up a password from a list of passwords that I’ve created
☐ b. I’ve used the web site’s features for retrieving my password (for example, have the password e-mailed to me, asks a question which only I know the response to)
☐ c. I’ve e-mailed or telephoned customer support to get my password
☐ d. I’ve created a new account on a site instead of trying to remember my password
☐ e. I’ve stopped using a site because of a forgotten password
12. Check any of the following guidelines for choosing passwords that you follow:
☐ a. I never choose any word in any language as a password, including names of well-known people and places
☐ b. I never choose passwords based on personal information, such as names, birthdays, telephone numbers, or license plate numbers
☐ c. I never choose passwords based on a pattern of letters or numbers, such as “1234” or “qwerty”
☐ d. I always have at least three character classes in my password (e.g., upper-case, lower-case, digits, punctuation)
☐ e. I always choose a password that is longer than 4 characters
13. On average, how often do you change your password for a web site?
○ More than once per week
○ Once per week
○ Once or twice per month
○ Once or twice per year
○ Less than once per year
14. If you use a password for more than one web site, how often do you stop using that password and start using another one for those web sites?
○ More than once per week
○ Once per week
○ Once or twice per month
○ Once or twice per year
○ Less than once per year
15. How often do you write down passwords that you use on the web?
○ Never
○ Seldom
○ Sometimes
○ Often
○ Always
16. How often do you share passwords for web sites with other people?
○ Never
○ Seldom
○ Sometimes
○ Often
○ Always
17. Do you have any passwords that you are concerned about someone figuring out?
○ Yes
○ No
18. If you answered Yes for the above question, how hard do you think it would be for someone to figure out any of the passwords you are concerned about?
19. Do you have any passwords that you are not concerned about someone figuring out?
○ Yes
○ No
20. If you answered Yes for the above question, how hard do you think it would be for someone to figure out any of the passwords you are not concerned about?
Questions for Pilot Respondents
21. Are you concerned that this information could be used to discover your passwords?
○ Yes
○ No
22. If so, did that affect your answers?
○ Yes
○ No
23. Which would you be more willing to take, a paper-based or a computer-based version of this survey?
○ Paper
○ Computer
24. Which questions were unclear or misleading?
25. Please write any other comments you have about this survey.
Data and analysis for SPSS and Excel are located at: