Many users do not fully understand and exploit the available tools but do employ a range of strategies to manage online identities. To manage a high volume of accounts, with varying password complexity requirements, and often the need for frequent sign-on, users select log in information to reduce the burden of designing and remembering unique passwords; however, some of the often-used tools and tricks compromise online security. This study proposes that once identified, common strategies for designing, reusing, and recording passwords can be used design more appropriate password management tools. New tools might build on these existing patterns, channelling users into more secure practices.
The study is based on interviews with 27 individuals about use of passwords and use of tools such as password managers. Interviewers used screenshot images of various situations as visual prompts to encourage reflection on real-life habits. Based on individuals’ accounts of their own password managing behaviour, Stobert and Biddle develop a model of the strategies people use in creating, remembering, and reusing passwords. Common habits include reusing passwords across different accounts, selecting passwords using algorithms or personal information, linking username and password for easier recall, and writing down passwords for later reference sometimes in easily accessible – and sometimes physically insecure – locations.
The authors found that these activities reflect careful systems of adapting, to ration the cognitive resources required to manage online identities and accounts. Although non-expert users do not always fully grasp the security risk that might be posed by their habits, their password managing efforts reflect a rational intent to handle the challenge of multiple passwords. Respondents report engaging more than one approach, in a way that often reflects a personalised strategy. In creating and committing passwords to memory, users are prioritising the security of some passwords at the expense of others. For example, by reusing or writing down passwords for lower priority accounts, users can conserve their energy for creating and remembering unique passwords for purposes with greater importance.
The results of this research can be used to inform the design of realistic password management tools. The findings demonstrate that users are striving to follow advice about password security, but also budgeting the investment of energy across many accounts. To capitalise on this effort, new tools can improve on the coping strategies that people already use, for example single sign on, proving physically secure options for storage of password reminders, cues to remind the user of their password, and password management software.
Users have password strategies based on assessed risk; password tools and policies would be better if they strengthened these tactics rather than dismissing them.