Security Community Blog

Living with Passwords

Created: 25 Mar 2010 • Updated: 25 Mar 2010 • 2 comments
khaley

I recently ran a survey on password management.  You can see my original blog and even take the survey yourself here.   At best, I thought 20 or so of you would take the time to fill out the survey…and that would include most of my close relatives.  However, instead we got more than 400 responses in a few short days (not even including my relatives).  So, thank you to all who took the time to complete the survey.  I’ve posted the results below. 
 
I want to comment on some of the results.  It may be a stretch to draw too many definitive conclusions from the data, but it will be fun nonetheless.  If anyone wants to comment, correct or vehemently disagree with any of my conclusions please feel free to do so.

Let’s get started!

1. On how many different networks, websites, etc. do you have a password-protected account? Count your business accounts (work network, business websites) as well as your personal accounts (online banking, websites, etc.).
0: 2 (0%)
1-2: 10 (2%)
3-5: 34 (8%)
6-10: 104 (23%)
11-20: 100 (22%)
More than 20: 196 (44%)
Total: 446 (100%)

My answer to question 1 was in the 11-20 group, but on reflection, it’s clearly more than that.  Though there are probably only 11-20 that I could name at any given time, there are probably at least 11-20 more that I have forgotten about and will have to request a new password the next time I go to the site. It’s interesting to contrast this with question 6.

6. How do you remember your passwords? Mark all that apply.
My browser keeps track of my password: 101 (23%)
Post-it note or typed list near my computer: 33 (7%)
Word document on my computer: 47 (11%)
Memory: 263 (59%)
Password management software: 145 (33%)
Other, please specify: 49 (11%)

Almost 80 percent of us have six or more password-protected accounts, yet almost 60 percent of us are also using our memory to keep track of them. I have to confess that after memory failed me repeatedly, I moved to a password manager. Memory is still my main method, but the password manager is a critical backup as my cranial hard drive seems to fail me constantly. Speaking of hard drive failures, how many of you password management software users back that up? I lost a hard drive last year and spared myself a lot of pain by having the database of my password manager backed up.

2. How do you choose passwords for these sites?
They are all the same password: 37 (8%)
I have just a few passwords that I alternate for all my accounts: 199 (45%)
I have a few duplicate passwords, but mostly they are unique: 130 (29%)
I have a different password for each account: 80 (18%)
Total: 446 (100%)

According to the results of question 2, only eight percent of respondents use the same password everywhere. This was an encouraging result and again proves that our readers are pretty darn smart. I fall into the 28 percent that have a few duplicate passwords. Maybe it’s pure laziness on my part, but it’s certainly convenient for my faulty memory, and those three extra mouse clicks to create an entry in the password manager can tire me out. But seriously, I’m working my way out of the habit. I hope the other 28 percent of you are as well. As a first step, do what I do and at least evaluate the risk involved before you use a duplicate password. Ask yourself: Is there a risk to my money, data or identity if I use a duplicate password here? How many accounts will I be putting at risk if I lose this password? No doubt you have accounts where a stolen password really wouldn’t matter, but the number of those accounts may be less than you think. A year ago, many people probably thought they could afford to lose their login and password on Facebook. Then their “friends” started asking for plane fare to get home from London.

3. Which of the following are the most important factors when selecting a new password? Mark all that apply.
Easy to remember: 206 (46%)
Short and easy to enter: 36 (8%)
Fun or interesting: 39 (9%)
Strength (i.e., hard to guess): 318 (71%)
Other, please specify: 32 (7%)

Question 3 featured my favorite results in the whole survey. My answer was the same as that of the majority: I want my password to be easy to remember, but hard to guess. I suppose life is full of such contradictions (I’ll provide a word on how to actually accomplish this in just a minute). The good news is that most of us have figured out that using certain methods to make our passwords easier to remember does not make them harder to guess. This is indicated in the results to question 5 below.

5. Which of the following have you used at some point as a password? Mark all that apply.
Your middle name: 23 (5%)
Your birthday: 38 (9%)
Your pet's name: 45 (10%)
123456 (or variation thereof, like 12345 or 1234567): 22 (5%)
"Password": 14 (3%)
Obama (or variation thereof, like BHO, Barrack, etc.): 2 (0%)
None of the above: 322 (72%)
Other, please specify: 41 (9%)

Now, I don’t doubt that three percent of us have accounts where “password” is the password, but people, why on earth would you admit it?  Thanks for your honesty, but shame on you for doing it.   For the rest of you that are still using middle names, birth dates and pet names, what are you thinking?  Security by obscurity?  That no one but your friends and family could possibly know your pet’s name?   Well, if you use a social networking site, I bet I can figure it out in less than 20 minutes.
 
So how do you make passwords easy to remember yet hard to crack?  I’ll repeat my advice from the previous blog entry introducing the survey: 

  • Use a mix of numbers, letters, punctuation, and symbols
  • Take a word or phrase that’s meaningful to you and alter it
  • Replace the first few characters in your password with numbers or symbols
  • The longer the better
  • Avoid personal information, repetition, sequences, and dictionary words
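
The five rules above written as a checker, added here as an example and not code from the original post: it reports which rules a candidate password breaks, and it undoes common character swaps so a lightly altered dictionary word or pet's name is still caught. The word list, the `min_length` threshold of 12 and all function names are assumptions of this example.

```python
import re

# Constructed sample word list; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "dragon", "monkey", "london", "obama", "welcome"}
# Undo common character swaps so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@4310$5!7", "aaeiossit")

def normalise(text):
    return text.lower().translate(LEET)

def has_sequence(pw, run=4):
    """True if pw holds `run` characters in ascending or descending order (1234, dcba)."""
    codes = [ord(c) for c in pw.lower()]
    for step in (1, -1):
        streak = 1
        for a, b in zip(codes, codes[1:]):
            streak = streak + 1 if b - a == step else 1
            if streak >= run:
                return True
    return False

def audit_password(pw, personal=(), min_length=12):
    """Return a label for each rule in the list above that pw breaks; [] means none.

    min_length is an assumed threshold: the post only says "the longer the better".
    personal holds strings to avoid (pet's name, birthday, middle name).
    """
    norm = normalise(pw)
    problems = []
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("mix")
    if len(pw) < min_length:
        problems.append("length")
    if any(len(p) >= 3 and normalise(p) in norm for p in personal):
        problems.append("personal")
    if re.search(r"(.)\1\1", pw.lower()):
        problems.append("repetition")
    if has_sequence(pw):
        problems.append("sequence")
    if any(word in norm for word in COMMON_WORDS):
        problems.append("dictionary")
    return problems

if __name__ == "__main__":
    # Constructed candidates, including choices listed in survey question 5.
    for candidate in ("123456", "P@ssw0rd1234", "&9vQ#mZr2!xLpT7w"):
        print(candidate, audit_password(candidate))
```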

 
Thanks again for taking part in the survey.  See below for the complete list of results.

1. On how many different networks, websites, etc. do you have a password-protected account? Count your business accounts (work network, business websites) as well as your personal accounts (online banking, websites, etc.).
0: 2 (0%)
1-2: 10 (2%)
3-5: 34 (8%)
6-10: 104 (23%)
11-20: 100 (22%)
More than 20: 196 (44%)
Total: 446 (100%)
       
       
2. How do you choose passwords for these sites?
They are all the same password: 37 (8%)
I have just a few passwords that I alternate for all my accounts: 199 (45%)
I have a few duplicate passwords, but mostly they are unique: 130 (29%)
I have a different password for each account: 80 (18%)
Total: 446 (100%)
       
       
3. Which of the following are the most important factors when selecting a new password? Mark all that apply.
Easy to remember: 206 (46%)
Short and easy to enter: 36 (8%)
Fun or interesting: 39 (9%)
Strength (i.e., hard to guess): 318 (71%)
Other, please specify: 32 (7%)
       
       
4. How often do you change your passwords?
At least once a month: 20 (4%)
Once a quarter: 78 (17%)
Once a year: 41 (9%)
Not very often: 282 (63%)
Wait, you can change passwords?: 25 (6%)
Total: 446 (100%)
       
       
5. Which of the following have you used at some point as a password? Mark all that apply.
Your middle name: 23 (5%)
Your birthday: 38 (9%)
Your pet's name: 45 (10%)
123456 (or variation thereof, like 12345 or 1234567): 22 (5%)
"Password": 14 (3%)
Obama (or variation thereof, like BHO, Barrack, etc.): 2 (0%)
None of the above: 322 (72%)
Other, please specify: 41 (9%)
       
       
6. How do you remember your passwords? Mark all that apply.
My browser keeps track of my password: 101 (23%)
Post-it note or typed list near my computer: 33 (7%)
Word document on my computer: 47 (11%)
Memory: 263 (59%)
Password management software: 145 (33%)
Other, please specify: 49 (11%)
       
       
7. Who have you given your password to in the past? Mark all that apply.
Co-worker: 34 (8%)
Boss: 22 (5%)
Spouse: 115 (26%)
System admin: 52 (12%)
A friend: 46 (10%)
None of the above: 254 (57%)
Other, please specify: 21 (5%)
       
       
8. Windows 7 has a robust password management system that can be set up to make you change your password on a regular basis and won't let you use a password you have recently used. Is this a good thing?
Yes, that will make things more secure for me.: 157 (35%)
Maybe, but I hope it isn't too often.: 179 (40%)
I would prefer not to change my passwords.: 110 (25%)
Total: 446 (100%)
       
9. What operating system(s) are you currently using? Mark all that apply.
Windows 7: 196 (44%)
Vista: 174 (39%)
XP: 274 (61%)
MacOS: 76 (17%)
Linux: 86 (19%)
Other, please specify: 11 (2%)

Comments

senlamy

This is a really nice survey! But I don't understand those people who have a lot of hard passwords, each of them different for all those accounts, without using a password manager in the browser or some external application. Since I have more than 100 accounts and I want to have strong passwords there (15+ characters), and since I want to have different passwords for each web account, I don't have any option other than using password management. Since I don't trust the browser's password manager, I use Sticky Password (http://www.stickypassword.com). There is also software called Roboform, but this is in a toolbar mode, which I hate, and also Lastpass, but that is online, which I don't trust.

deepak.vasudevan

I don't use any password tool. As a matter of fact, in another thread I have requested someone in Symantec Connect to comment on the KeePass tool. Currently I use Todolist (http://www.codeproject.com/KB/applications/todolis...) to create one more tasklist to store usernames and passwords, along with encrypting the tasklist itself.
