The “Open Sesame!” many people use to log-on and to enter shopping, banking and other password-protected sites presents a security risk because of a very human factor. A recent study notes that considerable attention has been paid to the hardware and software aspects of user-name password system security, but little to poor practices by users that open the door to identity thieves and other wrongdoers.
The international study, “Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users,” presented at the 2009 annual meeting of the Human Factors and Ergonomics Society, shows humans and the way they interact with computer systems are the weakest link in computer and information security (CIS). Authors Peter Hoonakker, Nis Bornoe and Pascale Carayon developed a questionnaire to investigate the ways users break CIS rules and possible reasons for their deviations, noting that the “research can help identify solutions for improving CIS-related behaviors of end users.”
Rule-conscious users formulate a completely different user name-password set for every online account, and change them often. They choose gibberish “words” – a jumbled string of numbers and upper and lower case letters that can’t be found in any dictionary. Using real words, people’s names and pet names is like posting a “Welcome!” notice on the front door for burglars. So is writing down the combination to sidestep the need to remember which belongs to which account.
Rule breaking is common. A 2006 study cited by the authors examined 34,000 MySpace usernames and passwords. Results showed that 65 percent of all passwords contained eight characters or less. The most frequently used password were: password1; abc123; myspace1; and password.
In short, the study found that the rules are broken because they are not user-friendly; that humans have little innate ability to remember their combinations, and even less to remember which set belongs to which account.
The authors cited one study showing that two thirds of participants preferred the device that they perceived the least secure, but most user-friendly. Other researchers they cited noted that “a better balance has to be found between the limitations of human beings and the desire for increased security. . . . Perceived usefulness, ease of use and user satisfaction determine (correct) use of technology, not the other way around.”
Source: Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users by Peter Hoonakker, Nis Bornoe and Pascale Carayon: Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting—2009