"The four most-used passwords are love, sex, secret, and god": Password security and training in different user groups

Abstract

Picking good passwords is a cornerstone of computer security. Yet since the early days (e.g. The Stockings Were Hung by the Chimney with Care from 1973; we have also borrowed our title from the 1995 movie Hackers), insecure passwords have been a major liability. Ordinary users want simple and fast solutions: they either choose a password that is trivial (to remember and to guess), or pick a good one, write it down and stick the paper under the mouse pad, inside the pocketbook or on the monitor. They are also prone to reflecting their personal preferences in their password choices, providing telling hints online and giving them out in response to just a simple social engineering attack. Kevin Mitnick has said that security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology. This applies fully to password security as well. We studied several different groups (students, educators, ICT specialists etc.; more than 300 people in total) and their password usage. The methods included a password practices survey, password training sessions, discussions and also simulated social engineering attacks (the victims were informed immediately about their mistakes). We suggest that password training should be adjusted for different focus groups. For example, we found that schoolchildren tend to grasp new concepts faster; often, a simple explanation is enough to improve the password remarkably. Thus, we would stress the people and process aspects of the Mitnick formula mentioned above. At the same time, many officials and specialists tend to react to password training with dismissal and scorn (our study suggests that 'you cannot guess my password' is an alarmingly common mindset). Examples like 'admin', 'Password', '123456' etc. have occurred even among qualified security professionals, and more so among educators. Yet, as Estonia is increasingly relying on the E-School system, these passwords are becoming a prime target. Therefore, for most adult users we suggest putting the emphasis on policy and technology aspects (strict, software-enforced lower limits of acceptable password length, character variability checks, but also clearly written rulesets etc.). © 2013 Springer-Verlag Berlin Heidelberg.

Lorenz, B., Kikkas, K., & Klooster, A. (2013). “The four most-used passwords are love, sex, secret, and god”: Password security and training in different user groups. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8030 LNCS, pp. 276–283). Springer Verlag. https://doi.org/10.1007/978-3-642-39345-7_29
