Password fatigue
Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to logon to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine (ATM). The concept is also known as password chaos or more broadly as identity chaos.[1]
Causes
The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords.
According to a 2002 survey of British online-security consultant NTA Monitor, the typical intensive computer user has 21 accounts that require a password.[2]
Some factors causing password fatigue are:
- unexpected demands that a user create a new password
- unexpected demands that a user create a new password that uses particular pattern of letters, digits, and special characters
- demand that the user type the new password twice
- frequent and unexpected demands for the user to re-enter their password throughout the day as they surf to different parts of an intranet
- blind typing, both when responding to a password prompt and when setting a new password.
Related issues
Aside from contributing to stress, password fatigue may encourage people to adopt habits that reduce the security of their protected information. For example, an account holder might use the same password for several different accounts, deliberately choose easy-to-remember passwords that are too vulnerable to cracking, or rely on written records of their passwords.
Many sites, in an attempt to prevent users from choosing easy-to-guess passwords, add restrictions on password length or composition which contribute to password fatigue. In many cases, the restrictions placed on passwords actually serve to decrease the security of the account (either by preventing good passwords or by making the password so complex the user ends up storing it insecurely, such as on a post-it note). Some sites also block non-ASCII or non-alphanumeric characters.
Password fatigue will typically affect users, but can also affect technical departments who manage user accounts as they are constantly reinitializing passwords; this situation ends up lowering morale in both cases. In many cases users end up typing their passwords in cleartext in text files so as to not have to remember them, or even writing them down on post-it notes which they then stick in a desk drawer.
Solutions
Some companies are well organized in this respect and have implemented alternative authentication methods[3] or adopted technologies so that a user's credentials are entered automatically, but others may not focus on ease of use or even worsen the situation by constantly implementing new applications with their own authentication system.
- Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.
- Integrated password management software - Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Microsoft Windows provides Credential Manager to store user names and passwords used to log on to websites or other computers on a network, Mac OS X has a Keychain feature that provides this functionality, and similar functionality is present in the GNOME and KDE open source desktops. In addition, web browser developers have added similar functionality to all of the major browsers. Although, if the user's system is corrupted, stolen or compromised, they can also lose access to sites where they rely on the password store or recovery features to remember their login data.
- Password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password. However, this presents problems similar to that of Single sign-on in that losing the single password prevents access to all the other passwords while someone else gaining it will have access to them.
- Password recovery - The majority of password protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account. However, this system has itself become a target of social engineering attacks by criminals who obtain enough information about the target to impersonate them and request a reset email, which is then redirected through other means to an account under the attacker's control, enabling the attacker to hijack the account.
See also
- BugMeNot
- Decision fatigue
- Identity management
- Password manager
- Password strength
- Security question
- Usability of web authentication systems
Notes
- ^ "Password chaos" at TheFreeDictionary
- ^ Hayday, Graham. Security nightmare: How do you maintain 21 different passwords? Archived 2009-12-06 at the Wayback Machine, Silicon.com, 2002-12-11
- ^ Such as digital certificates, OTP tokens, fingerprint authentication or password hints.
External links
- Noguchi, Yuki. Access Denied, Washington Post, 23 September 2006.
- Catone, Josh. Bad Form: 61% Use Same Password for Everything, 17 January 2008.
- identitychaos.com, MIIS & ILM blog