Understanding Password Choices: How Frequently Entered Passwords are Re-used Across Websites
by: Rick Wash, Emilee Rader, Ruthie Berman, and Zac Wellmer
From email to online banking, passwords are an essential component of modern internet use. Yet, users do not always have good password security practices, leaving them vulnerable to online attacks. We conducted a study which combines self-report survey responses with measures of actual online behavior gathered from 134 participants over the course of six weeks. We find that people do tend to re-use each password on 1.7–3.4 different websites, their reused passwords tend to be stronger than other passwords, and mostly they tend to re-use passwords that they have to enter frequently. We also investigated whether self-report measures are accurate indicators of actual behavior, finding that though people understand password security, their self-reported intentions have only a weak correlation with reality. These findings suggest that users manage the challenge of having many passwords by choosing a strong password on a website where they have to enter it frequently in order to memorize that password, and then re-using that strong password across other websites.
Rick Wash, Emilee Rader, Ruthie Berman, and Zac Wellmer. “Understanding Password Choices: How Frequently Entered Passwords are Re-used Across Websites” Proceedings of the Symposium on Usable Privacy and Security (SOUPS). Denver, Colorado. June 2016.