Section 32.1. The Study | Security and Usability: Designing Secure Systems That People Can Use

32.1. The Study

A web-based questionnaire was used to obtain initial quantitative and qualitative data on user behaviors and perceptions relating to password systems. The questionnaire focused mainly on password-related user behaviors (password construction, frequency of use, password recall, and work practices) and in particular, memorability issues. A total of 139 responses were received, approximately half from employees of Organization A (a technology company), and the other half from users in organizations throughout the world. There was a wide range of frequency and duration of password use among respondents. The questionnaire was followed by 30 semistructured in-depth interviews with a variety of users in Organization A and Organization B (a company in the construction sector). Interview questions covered password generation and recall along with systems and organizational issues raised by respondents in the questionnaire. The interview format allowed participants to introduce new issues to the discussion that they regarded as related to password usage. Results from the open-ended sections of the questionnaire were brought together with results from the in-depth interviews to give a wide sample for analysis.

The analysis, using a social science-based method called Grounded Theory,^[9] provided a framework of issues affecting user behavior, with a step-by-step account of password usage problems and possible intervention points. Four major factors influencing effective password usage were identified within the framework:

^[9] A. Strauss and J. Corbin, Basics of Qualitative Research: Grounded Theory Procedures and Techniques (Newbury Park, CA: Sage, 1990).

Multiple passwords
Password content
Perceived compatibility with work practices
Users' perceptions of organizational security and information sensitivity

Because the findings from the study are too numerous to discuss in detail here, key points of interest from each factor are presented.

Many users have to remember multiple passwords, that is, use different passwords for different applications and/or change passwords frequently because of password expiration mechanisms. Having a large number of passwords reduces their memorability and increases insecure work practices, such as writing passwords down50% of questionnaire respondents wrote their passwords down in one form or another.^[10] One employee emphasized this relationship when he said "...because I was forced into changing it every month I had to write it down." Poor password design (for example, using "password" as the password) was also found to be related to multiple passwords. "Constantly changing passwords" were blamed by another employee for producing "...very simple choices that are easy to guess, or break, within seconds of using 'Cracker'.^[11] Hence, there is no security." It is interesting to note here that users, again, perceive their behavior to be caused by a mechanism designed to increase security. At the same time, users often devise their own procedures to increase password memorability and security. Some users devise their own methods for creating memorable multiple passwords through related passwords (linking their passwords via some common element)50% of questionnaire respondents employed this method. Many users try to comply with security rules by varying elements in these linked passwords (name1, name2, name3, and so forth). However, instead of improving memorability and security, this method actually decreases password memorability because of within-list interference,^[12] causing users to write down passwords, and this, of course, compromises password security levels.

^[10] The response was the same for all users who answered these questionsthe other 50% of users left these questions blank.

^[11] A password dictionary checker.

^[12] C. D. Wickens, Engineering Psychology and Human Performance, 2nd Edition (New York: Harper Collins, 1992).

Users' knowledge of what constitutes secure password content (the character content of the password) was inadequate. Without feedback from security experts, users created their own rules on password design that were often anything but secure. Dictionary words and names are the most vulnerable forms of passwords, but many users do not understand how password cracking works. Members of the security department in Organization A were appalled to discover that one of their employees suggested: "I would have thought that if you picked something like your wife's maiden name or something, then the chances of a complete stranger guessing *********, in my case, were pretty remote."

At the same time, restrictions introduced to create more secure password content may produce less memorable passwords, leading to increased password disclosure (because users write passwords down). Many users circumvent such restrictions to produce passwords they find easy to remember. However, the resulting passwords tend to be less secure in terms of content. Even worse, having to circumvent security procedures lowers users' regard for the overall security arrangements in the organization, which, in turn, increases password disclosure.

Another new finding of this study is the importance of compatibility between work practices and password procedures. Organization A employed individually owned passwords for group working that users perceived as incompatible with their working procedures (they advocated shared passwords for themselves). Users in Organization B experienced this incompatibility in reverse: they emphatically rejected the departmental policy of group passwords for individual personal information (such as email).

One reason why Organization A insisted on individual passwords was to establish the users' perception of accountability through audit trails of system usage. We found, however, that most users had not considered the possibility that their actions might be tracked. It is telling that the only user who made the connection cheerfully revealed that he avoided being tracked by using other users' passwords for certain transactions so that "...if there's any problem, they get it in the neck, not you."

The study clearly showed that users are not sufficiently informed about security issues. This causes them to construct their own model of possible security threats and the importance of security, and these are often wildly inaccurate. Users tend to be guided by what they actually seeor don't. As one manager stated: "I don't think that hacking is a problemI've had no visibility of hacking that may go on. None at all." Another employee observed that "...security problems are more by word of mouth...." This lack of awareness was corroborated by results from the web questionnaire. A complex interaction between users' perceptions of organizational security and information sensitivity was identified. Users identified certain systems as worthy of secure password practices, and others were perceived as "not important enough." Without any feedback from the organization, users rated confidential information about individuals (personnel files, email) as sensitive; but commercially sensitive information (such as customer databases and financial data) was often seen as less sensitive. Some users stated that they appreciated printed document classifications (for example, Confidential, Not for Circulation), indicating their need for information sensitivity guidance and rules for levels of protection in online documentation.

Two main problems in password usage were identified:

System factors, which users perceive they are forced to circumvent
External factors, which are perceived as incompatible with working procedures

Both of these problems result from a lack of communication between security departments and users: users do not understand security issues, and security departments lack an understanding of users' perceptions, tasks, and needs. The result is that security departments typecast users as "inherently insecure": at best, they are a security risk that needs to be controlled and managed; at worst, they are the enemy within. Users, on the other hand, perceive many security mechanisms as laborious and unnecessaryan overhead that gets in the way of their real work.