Abstract

No matter how sophisticated an organization's security system is, it remains vulnerable because of the human factor. In this study, we surveyed and analyzed the patterns users follow when generating passwords at a small university. We found that users are not as aware of security requirements and practices as they believe. Moreover, the vast majority of users' passwords are breakable within days or less. Interestingly, the use of numbers and uppercase letters is prevalent among users; however, numbers are mostly placed at the end of the password and uppercase letters mostly at the beginning. Such predictable trends make it easier for attackers to build more effective dictionaries. Based on the analysis in this study, we make recommendations to the IT department for improving the password policy, and we provide recommendations to faculty, staff, and students on how to strengthen their passwords.

Highlights

  • Despite many concerns surrounding their security, text passwords remain the most commonly used authentication method

  • Our findings indicate that people believe themselves to be much more knowledgeable of password security than the strength of their passwords indicates

  • To learn how users rate their own knowledge of security issues when using Internet services, we asked participants to score their awareness on a scale from 1 to 10, with 1 meaning entirely unaware of security-related issues and 10 meaning very aware of them


Summary

Introduction

Despite many concerns surrounding their security, text passwords remain the most commonly used authentication method. Since complicated text passwords can be hard to remember, users tend to choose simple passwords, and these are easier to guess (Gaw and Felten, 2006). Users also tend to reuse the same password across services. While some falsely believe that reuse is acceptable if the password is extremely complicated, such behavior creates additional exposure: any social engineering, shoulder surfing, phishing attempt, or database breach could compromise multiple independent accounts belonging to the same user. This is especially true if the password is stored in plaintext in one of the databases, which defeats the purpose of a complicated password. Systems usually require users to comply with a complex password policy that may demand non-dictionary passwords with a minimum length and a certain combination of uppercase letters, special characters (symbols), and numbers.
