Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

United States Federal Employees' Password Management Behaviors – A Department of Commerce Case Study



Yee-Yin Choong, Mary F. Theofanos, Hung-Kung Liu


Passwords are the most prevalent method used by the public and private sectors for controlling user access to systems. Organizations establish security policies and password requirements on how users should generate and maintain their passwords, and use the passwords to authenticate and gain access to systems. This research investigated United States (US) government employees’ password management behaviors, attitudes and experiences with the policies in order to develop effective password policies that include usability considerations. We designed a survey to investigate the relationships between the length, complexity, and change interval of passwords and password management behaviors and security behaviors on work-related accounts that require authentications. A total of 4,573 Department of Commerce employees completed the survey. The results show that employees are juggling multiple passwords at work and are overwhelmed by tasks required in the password management lifecycle. The research shows that employees’ attitudes toward cybersecurity policies affect their behaviors and experiences. Positive attitudes about password requirements correlate with more secure behaviors such as choosing stronger passwords and writing down passwords less often. Positive attitudes are also tied to less frustration with authentication procedures, and better understanding and respecting the significance of the need to protect passwords and system security.
NIST Interagency/Internal Report (NISTIR) - 7991
Report Number


Password management behavior, computer security, user perception, user attitudes, usability


Choong, Y. , Theofanos, M. and Liu, H. (2014), United States Federal Employees' Password Management Behaviors – A Department of Commerce Case Study, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 23, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created April 8, 2014, Updated November 10, 2018