It All Makes Sense Now

The blog of Mats Gefvert.

Password Management Survey Results

Posted 4/16/2019 in Reflections

(Please scroll to the bottom to see a few simple password recommendations and guidelines.)

A week or two ago, I sent out a request on Facebook and LinkedIn for people to participate in my survey about password management. My interest was to see, given how complex passwords are becoming and how easy it really is to crack most passwords, how people on various technical levels approach password management.

I did get a handful of responses - not overwhelming by any means, but still enough to put together a survey result, which I think is interesting to analyze. The initial results confirmed my suspicions that there is a discernible divide between people who rated themselves "high" on an IT competence scale (security experts, software developers, people who have to manage IT security) and "low" (at-home users or people who get exposed to security issues at work).

Let's dig in.

1. How do you manage passwords?

Most people use either a few passwords for all their needs, or rely on an online manager to remember their passwords. What's interesting is the divide between higher or lower IT competence - people who manage computer security need more complex passwords and use password managers to remember their passwords, while everyday users use a few lower-complexity passwords to get around.

We're really today at the point where some kind of manager is necessary - with widespread hacks of online services and multi-million password dumps on the internet, it is no longer viable to use a single password or a few - the recommendation is to use a different one for every website you visit, and no one can remember those.

At a minimum, email accounts, social media accounts, and financial/bank accounts must have separate, individual passwords.

It's also interesting to note the low score of Google/Facebook sign-in responses. They both provide a fully functional trust mechanism to authenticate yourself online, but seem unpopular for some reason.

2. Two-factor authentication

On the lower end of IT competence, most users responded that they did not know what 2FA (two-factor authentication) was. On the higher end, the trend was to secure a few accounts with 2FA (presumably the most important ones).

Two-factor authentication means that not only do you have a password to secure your account with, you're also sent login codes through SMS, or more preferably these days, an authentication software such as Google Authenticator.

My guess is that most people are not aware of why this is necessary, and perceive it as an unnecessary complexity. However, given the fact that with someone's email account, you can usually recover a major portion of the passwords from every other website, securing your email and social media accounts with SMS codes or app verification is absolutely vital.

3. Online banking authentication methods

Because I wanted full anonymity, I disabled IP address tracking in my survey; however, that also meant I lost the capability to check the origin country of the survey results, which would have been interesting.

It seems largely evenly split between using some kind of authentication service (Bank-ID was mentioned in the options) and using passwords with security questions.

My guess is that it's rather evenly split between U.S. banks and Swedish banks. U.S. banks typically use passwords with security questions (which is rather behind the curve and poor security for banks), while Swedish banks rely on the BankID infrastructure - which is much more cryptographically secure.

An increasing trend seems to be sending security codes with email or text messaging - which is already outdated and once again proves the absolute necessity of securing your email account - and very few rely on one-time passwords (codes written on paper), which is highly secure but pose more cost and complexity in administration.

4. Password recovery

The most interesting divide between users with higher IT competence and not is the method to remembering or recovering passwords. IT professionals mostly use passwords stored online, while common users rely more on their memory. Unfortunately the human mind is not suited well to remembering complex passwords - the more random, the better, and the mind wants to remember patterns which can easily be exploited.

An interesting point is that so many rely on online password storage, while very few rely on offsite storage. The danger, of course, with online storage is that you also rely on the protection mechanisms of the online provider - and should that get breached, your entire online life is fully and completely exposed.

5. Password complexity

As expected, most common users rely on variations of word patterns, with capitalization and the odd digit thrown in. As IT security competence increases, so does password complexity, and it's good to note that security professionals are trending towards full randomization of passwords with included punctuation. While horribly difficult to remember and in some cases to type in, one would assume that these passwords are protecting administrative accounts to a larger extent, which could exponentially increase the severity of a hack.

However, there is still a firm reliance on using words as passwords. Given that the English language has about 250,000 words; and a modern, GPU-powered password cracker can easily try 100 million passwords per second on lower-complexity password hashes; using variations of words is becoming increasingly dangerous.

With proper security implementations - for instance, using salted bcrypt/scrypt hashes or similar for password storage - trying brute-force attacks on passwords should be infeasible; but as we've so often seen, developers frequently use poor hashes to store passwords - or even storing them as plain text.

The danger here is that if one password is used for many websites, it only takes one breakthrough on a poor-security website to access the password, and hackers can then move laterally through different systems in the search for deeper security access.

6. Training

I added this question to gauge the interest in either online videos or local classes when it comes to computer security. Among the people responding, almost half would be interested in watching an online video, while the rest felt that they did not need training or that they already knew enough. There was a trend among security professionals to not be interested (because they already knew enough), but not completely.

Perhaps it would be interesting to put together a training video and see if it's possible to educate people on online security and password management. I have to wonder if I'm the best instructor, though, since I rely on KeePass for offline password storage and other rather complex mechanisms... :)

Final thoughts and recommendations

It is clear to me that passwords have outlived their usefulness, and that we're heading for authentication tokens instead - long, cryptographically complex strings that allow us to access resources and identify us with - which are, of course, impossible to memorize but can easily be handled by computers.

However, the infrastructure today doesn't really exist. In the meantime, online password management seems to be a clear trend, and with each cell phone iteration we're looking at more biometric security systems... which have the unfortunate drawback that once they're hacked, it's practically impossible to change the biometric signature (your iris or fingerprint).

My short recommendations are as follows:

  • Use different passwords for every website.
  • Use the password memory feature of your web browser (Firefox, Google Chrome) to remember the passwords. It's a good idea to enable synchronization - the web browser should be doing that automatically if you're logged in to it.
  • You may also want to look into password managers - LastPass, 1Password and others are popular. If you have the skill to do so, you may want to use an offline manager such as KeePass or KeePassX - but do take backups!
  • For higher-value websites, such as email, social media and financial institutions, do enable 2-factor authentication if at all possible.
  • For banks or any other websites which can have dramatic life implications if they get hacked, avoid letting any web browser store the password. Use a good password manager or write it down somewhere out of sight.

For work users, it's very important to stay vigilant, follow the work security policy and keep the rules above in mind. Surprisingly often, hackers gain entry to a high-value target by hacking a regular user and then moving laterally through the inside systems, looking for further security weaknesses to exploit.

Thank you for participating!

Add a comment

Please log in to post a comment. (It's quick and painless!)