
Password security: an empirical study

Published: 01 March 1999

Abstract

Organizations are more dependent than ever on the reliable operation of their information systems, which have become key to their success and effectiveness. While this growing dependence creates an urgent need to collect information and make it accessible, the proliferation of computer technology has also given ill-intentioned individuals new opportunities to violate the integrity and validity of those systems. One of the most common control mechanisms for authenticating users of computerized information systems is the password. Yet despite the widespread use of passwords, little attention has been given to the characteristics of their actual use. This paper addresses that gap by evaluating the characteristics of real-life passwords and presenting the results of an empirical study of password usage. It investigates the core characteristics of user-generated passwords and the associations among those characteristics.


Published In

Journal of Management Information Systems, Volume 15, Issue 4
March 1999
228 pages

Publisher

M. E. Sharpe, Inc.

United States

Author Tags

  1. access control
  2. information system security
  3. passwords
  4. user authentication
