Essential lessons still not learned? examining the password practices of end-users and service providers

Abstract

Password authentication remains the dominant form of user authentication for online systems. As such, from a user perspective, it is an approach that they are very much expected to understand and use. However, a survey of 246 users revealed that about one third chose weak passwords, including personal information or dictionary words. To prevent such forms of bad security behavior, service providers should offer support, but the reality of the situation suggests that tangible weaknesses can exist amongst both parties, and thus despite their long-recognised importance, good password practices have yet to become an established part of our security culture. An experimental study was conducted in order to investigate the effect of providing password guidance upon end users' password choices. The findings revealed that the mere presentation of guidance (without any accompanying enforcement of good practice) had a significant effect upon the resulting password quality. © 2013 Springer-Verlag Berlin Heidelberg.