Passwords are the most prevalent method used by the public and private sectors for controlling user access to systems. Organizations establish security policies and password requirements on how users should generate and maintain their passwords, and use the passwords to authenticate and gain access to systems. This research investigated United States (US) government employees' password management behaviors, attitudes and experiences with the policies in order to develop effective password policies that include usability considerations. We designed a survey to investigate the relationships between the length, complexity, and change interval of passwords and password management behaviors and security behaviors on work-related accounts that require authentication. A total of 4,573 Department of Commerce employees completed the survey. The results show that employees are juggling multiple passwords at work and are overwhelmed by tasks required in the password management lifecycle. The research shows that employees' attitudes toward cybersecurity policies affect their behaviors and experiences. Positive attitudes about password requirements correlate with more secure behaviors such as choosing stronger passwords and writing down passwords less often. Positive attitudes are also tied to less frustration with authentication procedures, and to better understanding of and respect for the need to protect passwords and system security.
Citation: NIST Interagency/Internal Report (NISTIR) - 7991
NIST Pub Series: NIST Interagency/Internal Report (NISTIR)
Pub Type: NIST Pubs
Keywords: Password management behavior, computer security, user perception, user attitudes, usability