Communications of the ACM

ACM News

Study Reveals Resistance to Strong Password Security

By Paul Hyman
November 15, 2011
Comments (3)

One would assume that improving the security of your computer against intruders would be universally acceptable.

But, in a research study at Virginia Tech, an overwhelming number of users resisted changing their passwords even when the change was mandatory.

Indeed, three months after the university announced that information systems account holders would be required to change their passwords by July 1, 2011 — or be locked out if they didn’t — only 63 of the 488 respondents to a survey had complied. Meanwhile, 425 account holders had not … and waited until just prior to July 1 (or after) to do so. Roughly 20% waited until they were denied access to their computers before making the change.

"If they hadn’t been locked out, I’m guessing they still wouldn’t have changed their password," says France Bélanger, professor of accounting and information systems at Virginia Tech and lead researcher on the project.

According to the study, those who considered themselves more technically competent regarding security were less likely to have a positive attitude toward the mandatory change of passwords.

"We believe that is because they were frustrated with what they considered the triviality and mandatory nature of the change," Bélanger says.

Despite organizations’ security policies, people very often find ways to thwart them, she says, which is why "people remain the weakest link in security. Our goal was to look at various ways to handle compliance."

"Their passive-resistance behavior wasn’t 'I’m not going to do it' mainly because they had no choice," she explains. "It was more like 'I’m going to wait as long as possible' or 'I’m going to find the easiest password I can that will meet the minimum requirements.' "

A good example of passive resistance is users who create new passwords — and then write them on sticky notes and attach them to their keyboards or monitors.

Bélanger says she was most surprised by how difficult it was to make users aware of the university’s new mandatory policy.

"Three months after the university made the announcement, the majority of users still weren’t aware of it," she says, "despite having sent out a weekly email, advertising it in the campus and local newspapers, posting it on the university’s computer system, and even placing signs on every cafeteria table."

The one trigger that made the most difference was "branding" the new policy with a logo and a "Be Secure, Be Unique. Change Your Pa55w*rd" slogan. 

 

Virginia Tech branded its mandatory password policy withimages like this one. Credit: Virginia Tech

Based on the research, Bélanger’s recommendations to managers and system administrators include:

• Never assume that just telling people that lax security poses a threat to their computer and the organization’s computer system is sufficient.
• Security policies must be made mandatory or they will not work.
• Make sure the mandatory requirements are clearly communicated.
• The best way to make people aware of any new security policy is to "brand" it with some sort of logo or marketing program.
• Educate employees with "password testing" Web sites, such as Microsoft’s, that teach how to create strong passwords.
•  Know that, despite all your best efforts, people will resist even when you insist on compliance.

Bélanger and her team are continuing their research in order to determine what would motivate a user to improve the security of their computer.

"For instance," she says, "would you be more careful about choosing–or changing–your password if your computer had been previously hacked or infected by a virus? Unfortunately, even though we’ve just started the research, people seem to be just as lax about security even after they’ve suffered through these problems."

Paul Hyman was editor-in-chief of several hi-tech publications at CMP Media, including Electronic Buyers' News.

---

Comments

---

Displaying all 3 comments