I am convinced that the readers of the Symantec Security Response blog are the smartest around! The results from our Password Survey prove it. Actually, the number of responses itself proves it to me. At best, I thought 20 or so of you would take the time to fill out the survey—and that would include most of my close relatives. Instead, we got more than 400 responses in a few short days (not even including my relatives). So, thank you to all who took the time to complete the survey.
I want to comment on some of the results. It may be a stretch to draw too many definitive conclusions from the data, but it will be fun nonetheless. If anyone wants to comment, correct, or vehemently disagree with any of my conclusions, I’ve set up a place to do all that here.
Let’s get started!
My answer to question 1 was in the 11-20 group, but on reflection, it’s clearly more than that. Though there are probably only 11-20 that I could name at any given time, there are probably at least 11-20 more that I have forgotten about and will have to request a new password the next time I go to the site. It’s interesting to contrast this with question 6:
Almost 80 percent of us have six or more password-protected accounts, yet almost 60 percent of us are also using our memory to keep track of them. I have to confess that after memory failed me repeatedly, I moved to a password manager. Memory is still my main method, but the password manager is a critical backup since my cranial hard drive seems to fail me constantly. Speaking of hard drive failures, how many of you password management software users back that up? I lost a hard drive last year and spared myself a lot of pain by having the database of my password manager backed up.
According to the results of question 2, only 8 percent of respondents use the same password everywhere. This was an encouraging result and again proves that our readers are pretty darn smart. I fall into the 28 percent who have a few duplicate passwords. Maybe it’s pure laziness on my part, but it’s certainly convenient for my faulty memory, and those three extra mouse clicks to create an entry in the password manager can tire me out. But seriously, I’m working my way out of the habit. I hope the other 28 percent of you are as well. As a first step, do what I do and at least evaluate the risk involved before you use a duplicate password. Ask yourself: is there a risk to my money, data, or identity if I use a duplicate password here? How many accounts will I be putting at risk if I lose this password? No doubt you have accounts where a stolen password really wouldn’t matter, but the number of those accounts may be less than you think. A year ago, many people probably thought they could afford to lose their login and password on Facebook. Then their “friends” started asking for plane fare to get home from London.
Question 3 featured my favorite results in the whole survey. My answer was the same as that of the majority: I want my password to be easy to remember, but hard to guess. I suppose life is full of such contradictions (I’ll provide a word on how to actually accomplish this in just a minute). The good news is that most of us have figured out that using certain methods to make our passwords easier to remember does not make them harder to guess. This is indicated in the results to question 5 below:
Now, I don’t doubt that 3 percent of us have accounts where “password” is the password, but people, why on earth would you admit it? Thanks for your honesty, but shame on you for doing it. For the rest of you who are still using middle names, birth dates, and pet names, what are you thinking? Security by obscurity? That no one but your friends and family could possibly know your pet’s name? Well, if you use a social networking site, I bet I can figure it out in less than 20 minutes.
So how do you make passwords easy to remember yet hard to crack? I’ll repeat my advice from the previous blog entry introducing the survey:
• Use a mix of numbers, letters, punctuation, and symbols
• Take a word or phrase that’s meaningful to you and alter it
• Replace the first few characters in your password with numbers or symbols
• The longer the better
• Avoid personal information, repetition, sequences, and dictionary words
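To make those rules concrete, here is a small checker that tests a candidate password against each of them. It is an added example, not code from the original post or from Symantec; the 12-character minimum, the three-of-four character-class requirement, and the tiny word list are my own assumptions, since the post gives no exact figures.

```python
import re
import string

# Constructed stand-in for a real dictionary / leaked-password list (assumption: a
# real checker would load a large word list instead of these few entries).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}
MIN_LENGTH = 12   # assumption: the post only says "the longer the better"
# Undo the usual letter-for-symbol swaps so "p4$$w0rd" is still caught as "password".
LEET = str.maketrans("4301$@!5", "aeolsais")
CHAR_CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase,
                string.punctuation)


def _has_sequence(s, n=4):
    """True if any n consecutive characters step by exactly +1 or -1 (abcd, 4321)."""
    s = s.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw, personal=()):
    """Return the names of the rules the password breaks; an empty list means it passes."""
    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    # "Mix of numbers, letters, punctuation and symbols": require three of the four
    # classes (assumption: the post gives no exact number).
    if sum(any(c in cls for c in pw) for cls in CHAR_CLASSES) < 3:
        problems.append("classes")
    if re.search(r"(.)\1\1", pw):  # three or more identical characters in a row
        problems.append("repetition")
    if _has_sequence(pw):
        problems.append("sequence")
    if any(word in normalized for word in COMMON_WORDS):
        problems.append("dictionary")
    # Personal tokens (pet name, birth year, middle name) are matched both raw and
    # with leet substitutions undone, so "Fluffy1987" and "F1uffy1987" are both flagged.
    if any(p.lower() in lowered or p.lower() in normalized for p in personal):
        problems.append("personal")
    return problems


if __name__ == "__main__":
    for pw, info in [("password", ()), ("Fluffy1987!", ("Fluffy", "1987")), ("$3curityResp0nse!2", ())]:
        print(f"{pw!r}: {check_password(pw, info) or 'OK'}")
```

The `personal` tuple is where you list the things the post warns about (pet names, birth dates, middle names) so the checker can catch them even when a few letters have been swapped for digits.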
Thanks again for taking part in the survey. See below for the complete list of results. And remember, if you have comments to make, you can do so here.