Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to logon to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine (ATM). The concept is also known as password chaos or more broadly as identity chaos.
The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords. According to a 2002 survey of British online-security consultant NTA Monitor, the typical intensive computer user has 21 accounts that require a password.
Aside from contributing to stress, password fatigue may encourage people to adopt habits that reduce the security of their protected information. For example, an account holder might use the same password for several different accounts, deliberately choose easy-to-remember passwords that are too vulnerable to cracking, or rely on written records of their passwords.
Other factors causing password fatigue are
- unexpected demands that a user create a new password
- unexpected demands that a user create a new password that uses particular pattern of letters, digits, and special characters
- demand that the user type the new password twice
- frequent and unexpected demands for the user to re-enter their password throughout the day as they surf to different parts of an intranet
- blind typing, both when responding to a password prompt and when setting a new password.
Some companies are well organized in this respect and have implemented alternative authentication methods or adopted technologies so that a user's credentials are entered automatically, but others may not focus on ease of use or even worsen the situation by constantly implementing new applications with their own authentication system.
Password fatigue will typically affect users, but can also affect technical departments who manage user accounts as they are constantly reinitializing passwords; this situation ends up lowering morale in both cases. In some cases users end up typing their passwords in cleartext in text files so as to not have to remember them, or even writing them down on paper notes.
Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.
Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Microsoft Windows provides Credential Manager to store user names and passwords used to log on to websites or other computers on a network, Mac OS X has a Keychain feature that provides this functionality, and similar functionality is present in the GNOME and KDE open source desktops.
In addition, web browser developers have added similar functionality to all of the major browsers, and password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password.
Additionally, the majority of password protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account.
These tools pose the problem that if the user's system is corrupted, stolen or compromised; apart from problems of the data being misused, they can also lose access to sites where they rely on the password store or recovery features to remember their login data. For this reason it is often advised to keep a separate record of sites, usernames and passwords that is physically independent of the system.
Many sites, in an attempt to prevent uses from choosing easy-to-guess passwords, add restrictions on password length or composition which contribute to password fatigue. In many cases, the restrictions placed on passwords actually serve to decrease the security of the account (either by preventing good passwords or by making the password so complex the user ends up storing it insecurely, such as on a post-it note). Some sites also block non-ASCII or non-alphanumeric characters.
- Identity management
- Password strength
- Password manager
- Security question
- Single sign-on
- "Password chaos" at TheFreeDictionary
- Hayday, Graham. Security nightmare: How do you maintain 21 different passwords?, Silicon.com, 2002-12-11
- Such as digital certificates, OTP tokens, fingerprint authentication or password hints.