Maintaining the security of information systems and associated data resources is vital if an organization is to minimize losses. Access controls are the first line of defense in this process. The primary function of authentication controls is to ensure that only authorized users have access to information systems and electronic resources. Password-based systems remain the predominant means of user authentication despite viable authentication alternatives. Research suggests that password-based systems are often compromised by poor user security practices. This chapter presents the results of a survey of 884 computer users that examines user practice in creating and reusing password keys, and reports the findings on user password composition and security practices for email accounts. Despite a greater awareness of security issues, the results show that many users still select and reuse weak passwords keys that are based on dictionary words and other meaningful information.
TopPassword Security Issues
Password-based authentication remains the most common way to control access to computer-based resources. Passwords remain in widespread use because they are conceptually simple for both system designers and end users and provide cost effective protection for many systems if used correctly. Unfortunately, effective passwords are by nature complex and difficult to for users to remember (Ma, Campbell, Tran, & Kleeman, 2007). Prior research has shown that users are one of the main risks to the effectiveness of security measures (Rhodes, 2004). Organizations often rely on password composition policies to force users to create more secure passwords. These policies are usually implemented in such a way as to provide an explicit framework that constrains user choices during the password creation and replacement process. While this approach may help improve password security, these restrictions make the composition and memorizing of passwords complex and less intuitive (Campbell, Kleeman, & Ma, 2007).
Further, due to the predominance of password authentication systems, many users are required to remember passwords for a range of different systems and applications. As earlier research has demonstrated, the requirement to remember such a large number of passwords can cause a major problem for users (Yan et al., 2004; Zviran & Haga, 1999). Unfortunately, typical users are capable of managing a small number of unique passwords, generally less than five (Adams & Sasse, 1999). Also, remembered information can simply be forgotten, so users typically resort to using information that is easy to recall (Vu et al., 2007). One consequence of this is that while the information is easy to recall, it is also relatively easy to guess. Passwords that are more difficult to remember may be written down, thereby compromising password and system security (Stanton, et al., 2005).