Why we hate IT: two surveys on pre-generated and expiring passwords in an academic setting

We performed two surveys to understand how members of a university managed their passwords. At password creation, the university offered people four pre‐generated random passwords, with the option of creating their own subject to stringent requirements. All passwords expired after 120 days. We found...

Bibliographic Details
Published in Security and communication networks Vol. 8; no. 13; pp. 2361-2373
Main Authors Farcasin, Michael, Chan-tin, Eric
Format Journal Article
Language English
Published London Blackwell Publishing Ltd 10.09.2015
John Wiley & Sons, Inc
Summary: We performed two surveys to understand how members of a university managed their passwords. At password creation, the university offered people four pre‐generated random passwords, with the option of creating their own subject to stringent requirements. All passwords expired after 120 days. We found that most respondents chose to create their own password and utilized coping strategies that undermined the security of the requirements, as well as reporting that the expiration times were too short. We also attempt to connect these behaviors to respondents' other password habits and demographics. We conclude that pre‐generated random passwords, stringent password requirements, and rapid password expiration dates are unusable security requirements for most people and lead users to subvert password requirements and reuse passwords. Copyright © 2015 John Wiley & Sons, Ltd.

We performed two surveys to understand how members of a university managed their passwords when the university offered four pre‐generated random passwords or the option for users to create their own subject to stringent requirements. We found that most respondents chose to create their own password and utilized coping strategies that undermined the security of the requirements. We also attempt to connect these behaviors to respondents' other password habits and demographics and analyzed participant comments.
Bibliography:ark:/67375/WNG-G8F231X1-8
istex:5DD1DD466481EF9DD426E1C50E08FCBDFF76E577
ArticleID:SEC1184
ISSN: 1939-0114, 1939-0122
DOI: 10.1002/sec.1184