7.5. Results

Of the 300 students we asked, 288 consented to participate in the experiment. They were allocated randomly to experimental groups as follows:

Control group: 95
Random password group: 96
Passphrase group: 97


The selected passwords were, on average, between seven and eight characters long (7.6, 8.0, and 7.9 characters, respectively) with no significant difference between the three groups. All experimental groups chose slightly longer passwords than did the comparison sample of 100 students who had not attended the introductory lecture; mean password length in that group was 7.3, and the difference was statistically significant by analysis of variance (ANOVA, F=8.3, p<.001).

The most successful cracking method was the permuted dictionary attack. Cracking based on user information was not successful in any case, probably because of the very limited amount of user information available in these password files (they do not include first names or forenames, for example). All six-character passwords were cracked successfully using a brute force attack. Table 7-1 summarizes these results (treating brute force attacks separately).

Table 7-1. Results of password crack, by test group

Group                    Passwords cracked using      Passwords cracked using
                         first three attacks          brute force attacks
                         Number   Percent of total
Control group            30       32                   3
Random password group     8        8                   3
Passphrase group          6        6                   3
Comparison sample        33       33                   2

Modern computers are sufficiently fast that all six-character passwords are susceptible to brute force attack. The experimental password selection advice had no effect on this. In each experimental condition, a small number of users ignored the advice regarding password length and chose an insecure password. This also occurred among the comparison sample.

Of the passwords that were longer than six characters, far more were cracked successfully in the control group than in either the random character group or the passphrase group (significant at χ²=24.8, p<.001). The proportion of passwords cracked in the control group was lower than in the comparison sample. In addition, 13% of the comparison sample (13 out of 100 students) used six-character passwords versus 5% in the control group (5 out of 95 students). Among those cracked, 13 passwords in the comparison sample were verbatim dictionary words versus 3 in the control group.

For those passwords that were cracked successfully in the random-character and passphrase groups, all the cracked passwords were dictionary words, or permutations of dictionary words and numbers, that were not compliant with the advice given to the student. These results, together with the number of six-character passwords, provide a reasonable estimate of the level of user noncompliance with password selection advice.

By examining all cracked passwords, we also observed that nobody used special characters (i.e., neither letters nor numbers) except in the passphrase group, whose instructions had given examples of passwords containing punctuation. So, a strong lead in the direction of passwords containing a mix of alpha, numeric, and special characters seems to be advisable.
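The criteria these results point to (length beyond brute-force reach, nothing a permuted-dictionary attack would recover, and a mix of alphabetic, numeric and special characters) can be turned into a check run at the moment a password is set, which is also a way to estimate the noncompliance rate the chapter infers from cracked passwords. The following Python is an added example, not the chapter's own tooling or the cracking software the authors used; the miniature wordlist, the leet-substitution table and the sample passwords are constructed for illustration.

```python
import string

# Constructed miniature wordlist; a real check would use a full cracking dictionary.
DICTIONARY = {"password", "secret", "london", "student", "monkey", "welcome", "dragon"}

# Undo the common digit-for-letter substitutions a permuted-dictionary attack also tries.
UNLEET = str.maketrans("0134578", "oleastb")


def candidate_words(password):
    """Base words a permuted-dictionary attack would compare against its wordlist."""
    core = password.strip(string.digits + string.punctuation).lower()
    unleet = core.translate(UNLEET)
    return {w for w in (core, unleet, core[::-1], unleet[::-1]) if w}


def is_dictionary_derived(password, dictionary=DICTIONARY):
    """True if the password is a word, a reversed word, or a word padded with digits/leet."""
    return any(word in dictionary for word in candidate_words(password))


def check_password(password, dictionary=DICTIONARY):
    """Reason codes for non-compliance with the chapter's advice; [] means compliant."""
    reasons = []
    if len(password) <= 6:            # every six-character password fell to brute force
        reasons.append("too_short")
    if is_dictionary_derived(password, dictionary):
        reasons.append("dictionary")  # what the permuted dictionary attack recovered
    if not any(c.isalpha() for c in password):
        reasons.append("no_alpha")
    if not any(c.isdigit() for c in password):
        reasons.append("no_digit")
    if not any(not c.isalnum() for c in password):
        reasons.append("no_special")  # only the passphrase group used these
    return reasons


def noncompliance_rate(passwords, dictionary=DICTIONARY):
    """Fraction of a password sample that fails at least one check."""
    flagged = sum(1 for p in passwords if check_password(p, dictionary))
    return flagged / len(passwords)


# Constructed sample, not passwords from the study.
SAMPLE = ["monkey", "Secret1", "p4ssw0rd", "drowssap99", "london2004", "Gh7#kL2p", "tree!Lamp4"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:12} {check_password(pw) or 'compliant'}")
    print(f"non-compliance: {noncompliance_rate(SAMPLE):.0%}")
```

The dictionary test deliberately mirrors the transformations the chapter reports as successful (plain words, words with digits appended, reversed words), so a password that passes it is one the first three attacks in Table 7-1 would not have recovered; the length check alone accounts for the brute-force column.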

Very few users asked the system administrator to reset their passwords. Within a period of three months after the tutorial session, only six users (2%) had requested administrator resets. The proportion of these in each experimental group is shown in Table 7-2. The difference between the three groups is not significant (χ²=0.97, p=0.61). As far as we are aware, all reset requests resulted from the user having forgotten his password, although it is possible that other users who forgot their passwords simply stopped using the system; this possibility is considered in the discussion of survey results, since any such users would then not have responded to the final survey.

Table 7-2. Number of requests for password reset

Group                    Number of requests
Control group            2
Random password group    1
Passphrase group         3

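The χ² figure for Table 7-2 can be reproduced from the group sizes and request counts given above. The following Python is an added example rather than the chapter's analysis: it implements Pearson's chi-square test of independence with a hand-rolled chi-square survival function (a series for the regularized incomplete gamma function), so it needs no statistics library. Applied to Table 7-2 it gives χ² ≈ 1.0, p ≈ 0.61, matching the reported p=0.61; the small gap from the reported χ²=0.97 is presumably rounding. It is also run on the cracked-password counts for the three experimental groups from Table 7-1, but that figure is not the chapter's χ²=24.8, which was computed only over passwords longer than six characters.

```python
import math


def regularized_lower_gamma(a, x, max_terms=500):
    """P(a, x) = gamma(a, x) / Gamma(a), via its power series (adequate for these arguments)."""
    if x <= 0.0:
        return 0.0
    term = 1.0 / a
    total = term
    for n in range(1, max_terms):
        term *= x / (a + n)
        total += term
        if term < total * 1e-16:
            break
    return total * math.exp(a * math.log(x) - x - math.lgamma(a))


def chi_square_sf(stat, df):
    """Survival function P(X > stat) for a chi-square variable with df degrees of freedom."""
    return 1.0 - regularized_lower_gamma(df / 2.0, stat / 2.0)


def chi_square_independence(table):
    """Pearson chi-square test of independence on rows of observed counts.

    Returns (statistic, degrees of freedom, p-value).
    """
    rows, cols = len(table), len(table[0])
    row_totals = [sum(row) for row in table]
    col_totals = [sum(row[j] for row in table) for j in range(cols)]
    n = sum(row_totals)
    stat = 0.0
    for i in range(rows):
        for j in range(cols):
            expected = row_totals[i] * col_totals[j] / n
            stat += (table[i][j] - expected) ** 2 / expected
    df = (rows - 1) * (cols - 1)
    return stat, df, chi_square_sf(stat, df)


# Group sizes and counts taken from the chapter's tables.
GROUP_SIZES = {"Control group": 95, "Random password group": 96, "Passphrase group": 97}
RESET_REQUESTS = {"Control group": 2, "Random password group": 1, "Passphrase group": 3}
# Table 7-1, "first three attacks" column. Not the same subset as the chapter's
# chi-square of 24.8, which excluded six-character passwords.
CRACKED_FIRST_THREE = {"Control group": 30, "Random password group": 8, "Passphrase group": 6}


def contingency(counts, sizes):
    """Rows of [event, no event] per group, in the order of `sizes`."""
    return [[counts[g], sizes[g] - counts[g]] for g in sizes]


if __name__ == "__main__":
    for name, counts in (("reset requests (Table 7-2)", RESET_REQUESTS),
                         ("cracked by first three attacks (Table 7-1)", CRACKED_FIRST_THREE)):
        stat, df, p = chi_square_independence(contingency(counts, GROUP_SIZES))
        print(f"{name}: chi2={stat:.2f}, df={df}, p={p:.3f}")
```

With three groups and a binary outcome the test has two degrees of freedom, where the survival function reduces to exp(-χ²/2); the series implementation is kept general so the same function serves Table 7-1's four-group comparison or a one-degree-of-freedom test.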

A total of 242 students replied to the email survey, of which 13 responses indicated that the students had not used their accounts, or had dropped out of the course. Of the valid responses, there was a clear difference between the groups, as Table 7-3 shows.

Table 7-3. Responses to the email memorability survey

Group                    Responses   Difficulty level (1–5)   Weeks
Control group            80          1.52                     0.7
Random password group    71          3.15                     4.8
Passphrase group         78          1.67                     0.6


Users assigned to the random password group reported that they found their passwords more difficult to remember than did those in the control group (significant at t=8.25, p<.001), and that they carried a written copy of their passwords for far longer than those in the control group (significant at t=6.41, p<.001). This confirms the results of Zviran and Haga in an operational setting. There was no significant difference in reported difficulty between the passphrase group and the control group.

The differences in response rates were not significant, so we do not believe that our results were skewed significantly by students in the random password group finding our advice so difficult that they gave up using the computer facilities.

It is worth noting that 22 members of the random character group were still carrying the written copy of the password at the time of the survey, compared with 3 members of the control group and 2 members of the passphrase group. We cannot compare the effect of our experimental treatment on users' decisions to write down the password, because only the random group was advised to write down the password. Neither of the other groups was specifically asked to write down the password, although some clearly chose to do so.

More interesting is that the random group was specifically advised to destroy the note as soon as they had memorized it. Other groups were not advised to destroy written records, so we might expect (if the initial instructions caused any bias in these results) that more members of the control group and the passphrase group would keep their written records instead of destroying them. However, despite the specific instruction to destroy the written record, 22 members of the random group had not done so, presumably (given the reported difficulty of memorizing) because they had been unable to memorize the password. This indicates the degree of threat that can result from the use of system-generated passwords that must be written down and then destroyed. Worryingly, this is very similar to the advice given by banks when they issue written advice for PIN numbers for card security. We speculate that a similar survey of bank card users might find many of them still carrying the PIN advice slip issued by their bank.

Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295