Most people familiar with the hacking side of computer security know how easy it is to break a password that is only a few characters long or based on a dictionary word. Choosing the right (i.e. strong) password is therefore hard, not only for them but for any regular Internet user.
On top of that, so many things require passwords these days that remembering all of them is a real problem. Consequently, a lot of people choose their passwords very badly: not only do they set weak, easily guessed passwords, they also reuse the same password on different sites.
A simple search on the Internet reveals huge repositories of hackers’ “acquisitions” in this respect: lists of users who set the same password on several different sites that require a login. For example, one ordinary user had set weak passwords such as “brazil”, “football” or “12345” on different sites, from e-mail to a social network account and gaming sites.
And this is just one example. Half an hour of searching on the Internet revealed that hundreds of users choose their passwords the same way.
I was curious about how people choose their passwords and whether they believe they have picked good ones, so I created a questionnaire to find out. The questionnaire was taken by a sample of 1,000 persons randomly chosen to participate in this experiment. The sex ratio was roughly 1:1, the mean age was 29.5 years, and the respondents came from 16 countries.
The questionnaire was built to cover 2 different aspects: how many accounts on different sites people have, and whether they consider their passwords for these accounts to be “strong/secure”.
15 questions, distributed over 3 sections, were formulated: Section 1 was about the number of accounts people have, Section 2 was related to their passwords (e.g. Does your password contain special characters? How many characters does your password have?), and Section 3 covered demographic details (age, sex, nationality).
The questionnaire was administered as an interview, and all questions were discussed individually with each participant.
The first goal was to find out how many accounts the investigated users have on different sites. The majority (67%) admitted that they have more than 5 accounts that require a password for access. The results are presented in Figure 1.
Figure 1: Number of accounts/user
When asked whether they use the same password for almost all their accounts, 73% of the respondents answered yes. Based on these findings, it is reasonable to assume that someone who finds out or guesses one single password can access all of that person’s accounts.
As for the complexity of their passwords, 25% of the interviewed users admitted they use a simple 6-character password. Only 1% of the total number of respondents use a password longer than 15 characters.
Figure 2: Number of characters/password
However, password complexity is determined not only by length but also by the types of characters used. The experiment showed that more than 60% of the respondents use only upper case or only lower case letters in their passwords, while 21% use a combination of the two. Only 5% of the respondents use complex passwords made up of letters (upper and lower case), numbers and special characters.
Figure 3: Type of characters used in passwords
As usual, unexpected results are the most interesting part of an experiment. I have to admit it: I was curious to see what they would be this time. To my surprise, even though the interview was not very long and took just 5 minutes to complete, when getting to questions 7-8 (the ones about password complexity) more than 12% of the respondents said: “ok, this is my password: $%^*(*I, it is ok, is it strong enough?”.
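As an added illustration, not part of the original post, the following Python script applies the two complexity criteria discussed above (length and the character classes of Figure 3) together with a lookup against a small constructed wordlist seeded with the weak passwords quoted earlier. It shows why a password such as the one volunteered by the respondents, which contains special characters but is short and uses only two character classes, still falls short of the post's closing advice. The 33-character size of the special class, the 12-character minimum length, and the sample password “Lamp7!riverCode” are this example's own assumptions.

```python
import math
import string

# Constructed wordlist standing in for the leaked-password and dictionary
# lists the post mentions; a real check would load a much larger file.
WORDLIST = {"brazil", "football", "12345", "password", "qwerty", "letmein"}

# Alphabet size of each character class for the search-space estimate.
# 33 printable ASCII specials is this example's assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def entropy_bits(pw):
    """Upper bound on brute-force search space: length * log2(alphabet),
    assuming each character was drawn uniformly from the union of the
    classes present. Real passwords are far less random than this."""
    if not pw:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def survey_category(pw):
    """Map a password onto the character-type buckets of Figure 3."""
    classes = char_classes(pw)
    if classes in ({"lower"}, {"upper"}):
        return "only upper or only lower case letters"
    if classes == {"lower", "upper"}:
        return "upper and lower case letters"
    if {"lower", "upper", "digit", "special"} <= classes:
        return "letters, numbers and special characters"
    return "other combination"


def looks_like_dictionary_word(pw):
    """Catch 'football', 'Football1!' and similar: strip non-letters,
    lower-case the rest and look the core up. Digit-only entries such as
    '12345' are matched verbatim."""
    core = "".join(c for c in pw.lower() if c.isalpha())
    return bool(pw in WORDLIST or (core and core in WORDLIST))


def meets_advice(pw, min_len=12):
    """Apply the post's closing advice (all four character classes) plus a
    minimum length; min_len=12 is this example's assumption, not the post's."""
    return (len(pw) >= min_len
            and survey_category(pw) == "letters, numbers and special characters"
            and not looks_like_dictionary_word(pw))


if __name__ == "__main__":
    # "football" and "$%^*(*I" are quoted in the post; the others are constructed.
    for sample in ["football", "Football1!", "$%^*(*I", "Lamp7!riverCode"]:
        print(f"{sample!r:<18} {survey_category(sample):<42} "
              f"{entropy_bits(sample):5.1f} bits  meets advice: {meets_advice(sample)}")
```

The entropy figure is only an upper bound: it treats every character as independent and uniformly random, so a dictionary word with a trailing digit scores far higher than its real guessability, which is why the wordlist lookup is applied before the length and class rules are allowed to pass a password.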
My advice? Use a different password for each site, and choose complex passwords containing letters (upper and lower case), numbers and special characters.
And remember: always keep your passwords to yourself!
No private information or other content arising or deriving from this inquiry has been collected. No data or confidential information pertaining to individuals or companies was or will be disclosed, used for any other purposes or against the persons who revealed it.