
Allied Academies International Internet Conference 88


USER ATTITUDES TOWARD PASSWORD POLICIES:
PRELIMINARY ANALYSIS
Norman Pendegraft, University of Idaho
ABSTRACT

Preliminary analysis of a survey of user attitudes toward password lengths and durations
is reported. In particular, users were asked to rank their preferred lengths and lifetimes for
passwords in several situations. The data reveal that users' preferences are non-homogeneous,
but that there are clusters of users who have homogeneous preferences. The most common
shapes of the preference function are concave. Users seem to prefer to increase security with
longer passwords of longer duration.

INTRODUCTION and BACKGROUND

In earlier work (Pendegraft & Rounds, 2007; Pendegraft, 2008) we simulated the value
evolution of an information system under attack. That work assumed that users of the system
viewed security as a pure cost. In the 2008 paper, some users (i.e. consumers) were assumed to
prefer some security. This paper reports on an empirical study investigating these assumptions.
Others have studied user attitudes toward security, but they tend to address behaviors such as
selecting passwords. For example, Stanton et al. (2005) found that among naive benevolent
users, password "hygiene" was generally poor.
We examine here two commonly used policy variables: password length and password
lifetime. For the purposes of this research, we identify three scenarios in which we hypothesize
that users will have different preferences over these policy variables. These scenarios are as
follows.
1. Job: in this scenario, users access data which is not about themselves.
2. ATM: users directly access data about themselves.
3. Teller: users do not directly access data about themselves, but someone else does.
Thus we have six cases: each of these three scenarios evaluated for password length and for
password duration.

HYPOTHESES

For purposes of this analysis, we hypothesize that users within each case will be non-
homogeneous. We further hypothesize that users will have dissimilar attitudes toward security
among all six cases. This formulation of the null hypotheses facilitates the statistical analysis of
the data.

H0.1 User preferences will not be concordant across all scenarios.
H0.2 User preferences will not be concordant within each scenario.


Proceedings of the Allied Academies Internet Conference, Volume 12 2010

METHODOLOGY

A survey instrument was developed and then administered via the web. Students in four
large Business College principles courses were asked to respond (approximately 200 people).
84 answered, yielding 77 usable responses, for a response rate of about 38%. The data reported
here include respondents' preferences for password length and password duration in each of
the six cases discussed above.
The data were subject to two statistical tests. First, Kendall's W was calculated for the
entire data set and then for each case. Second, each of the cases was subjected to a cluster
analysis using k-means, and Kendall's W was calculated for each cluster.

RESULTS

Data from the first analysis are summarized in Table 1.

Table 1: GROUP COMPARISONS
SCENARIO                   W
Entire data set / Length   0.301
JOB / Length               0.367
JOB / Duration             0.306
ATM / Length               0.136
ATM / Duration             0.263
TEL / Length               0.252
TEL / Duration             0.293

In all cases, W > 0 with a p-value on the order of 10^-10 or less was obtained. While these
are clearly sufficient to reject H0.1 and H0.2, the values of W are nonetheless small,
suggesting a low degree of concordance. This might occur if there were more than one group.
We conducted a cluster analysis to address this possibility.
Data for the cluster analysis are summarized in Table 2. For each cluster, we show:
N: the number of observations in the cluster
W: Kendall's W for the cluster
P: the calculated p-value for W
Shape: the overall shape of a second order regression curve, coded as follows:
B: bell shaped
I: increasing
D: decreasing
F: flat or U shaped
The clusters display generally large values of W and very low values of p, suggesting that
the clusters are reliably representative of user preferences.
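As an added illustration of the analysis just described (example code written for this page, not the paper's own instrument, data or code): the block computes Kendall's W for a set of complete rankings, the usual chi-square approximation m(n-1)W on n-1 degrees of freedom from which the p-value is taken, and a B/I/D/F shape code from a second order least-squares fit of mean preference against option index. Everything in it is an assumption of the example: the rankings are constructed, the five candidate lengths (6, 8, 10, 12 and 16 characters) are an assumed option set, the two clusters are supplied by hand rather than found by k-means, and the exact shape-coding rule is mine, not the paper's. Run on the constructed data, W is low for the pooled respondents and high within each cluster, which is the pattern the results above describe.

```python
"""Kendall's W, its chi-square p-value and a quadratic shape code for ranked
password-policy preferences (added example with constructed data)."""
import math

# Candidate password lengths offered to respondents (assumed option set).
LENGTH_OPTIONS = [6, 8, 10, 12, 16]

# Constructed rankings, one list per respondent: rank 1 = most preferred
# length, rank 5 = least preferred, in the order of LENGTH_OPTIONS.
BELL_CLUSTER = [            # peak preference at 10 characters
    [4, 2, 1, 3, 5],
    [5, 3, 1, 2, 4],
    [4, 2, 1, 3, 5],
    [5, 2, 1, 3, 4],
]
INCREASING_CLUSTER = [      # the longer the better
    [5, 4, 3, 2, 1],
    [5, 4, 3, 2, 1],
    [5, 4, 2, 3, 1],
    [4, 5, 3, 2, 1],
]


def kendall_w(rankings):
    """Kendall's coefficient of concordance for m complete, tie-free rankings of n items."""
    m, n = len(rankings), len(rankings[0])
    rank_sums = [sum(col) for col in zip(*rankings)]
    mean_sum = m * (n + 1) / 2.0
    s = sum((r - mean_sum) ** 2 for r in rank_sums)
    return 12.0 * s / (m * m * (n ** 3 - n))


def chi2_sf(x, df):
    """Upper tail P(X > x) of a chi-square(df) variable via the regularized gamma series."""
    s, z = df / 2.0, x / 2.0
    if z <= 0:
        return 1.0
    term = total = 1.0
    k = 1
    while term > 1e-16 * total and k < 10000:
        term *= z / (s + k)
        total += term
        k += 1
    lower = math.exp(s * math.log(z) - z - math.lgamma(s + 1)) * total
    return min(1.0, max(0.0, 1.0 - lower))


def w_test(rankings):
    """Return (W, chi-square statistic, p-value); chi2 = m(n-1)W with n-1 degrees of freedom."""
    m, n = len(rankings), len(rankings[0])
    w = kendall_w(rankings)
    chi2 = m * (n - 1) * w
    return w, chi2, chi2_sf(chi2, n - 1)


def solve3(a, b):
    """Solve a 3x3 linear system by Gauss-Jordan elimination with partial pivoting."""
    a = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for i in range(3):
        p = max(range(i, 3), key=lambda r: abs(a[r][i]))
        a[i], a[p] = a[p], a[i]
        for r in range(3):
            if r != i:
                f = a[r][i] / a[i][i]
                a[r] = [x - f * y for x, y in zip(a[r], a[i])]
    return [a[i][3] / a[i][i] for i in range(3)]


def quadratic_fit(xs, ys):
    """Least-squares coefficients (a, b, c) of y = a + b*x + c*x**2 via the normal equations."""
    def pw(k):
        return sum(x ** k for x in xs)

    def mom(k):
        return sum((x ** k) * y for x, y in zip(xs, ys))

    return solve3([[pw(0), pw(1), pw(2)], [pw(1), pw(2), pw(3)], [pw(2), pw(3), pw(4)]],
                  [mom(0), mom(1), mom(2)])


def preference_shape(rankings, eps=0.5):
    """Code the mean preference curve as B (bell), I (increasing), D (decreasing) or F (flat/U).

    Preference score = n + 1 - mean rank, so larger means more preferred; the curve is fitted
    over option index 0..n-1. This coding rule is an assumption of the example."""
    m, n = len(rankings), len(rankings[0])
    xs = list(range(n))
    ys = [n + 1 - sum(col) / m for col in zip(*rankings)]
    a, b, c = quadratic_fit(xs, ys)
    if c != 0:
        vertex = -b / (2 * c)          # turning point of the fitted parabola
        if xs[0] < vertex < xs[-1]:    # interior maximum -> bell, interior minimum -> U
            return "B" if c < 0 else "F"
    change = (b * xs[-1] + c * xs[-1] ** 2) - (b * xs[0] + c * xs[0] ** 2)
    if change > eps:
        return "I"
    if change < -eps:
        return "D"
    return "F"


def summarize(rankings):
    """One Table 2 style row fragment: N, W, chi-square, p and shape for a cluster."""
    w, chi2, p = w_test(rankings)
    return {"N": len(rankings), "W": round(w, 4), "chi2": round(chi2, 2),
            "p": p, "shape": preference_shape(rankings)}


if __name__ == "__main__":
    for name, group in [("all respondents", BELL_CLUSTER + INCREASING_CLUSTER),
                        ("cluster 1", BELL_CLUSTER), ("cluster 2", INCREASING_CLUSTER)]:
        print(name, summarize(group))
```

The pooled set gives W of about 0.43 while each cluster gives W above 0.9, so a low whole-sample W with significant p is exactly what a mixture of two concordant groups produces; the p-values come from the chi-square approximation, which is the usual large-sample test for W and is adequate here only as an illustration, since with four raters an exact table would normally be used.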

TABLE 2: KENDALL'S W FOR CLUSTERS
Columns for each case: N, W, P and shape, repeated for Cluster 1, Cluster 2 and Cluster 3.
P=0 indicates that the P value was of the order 10^-9 or less. Only part of the table body is
legible in this copy; the cells that can be read are listed below in the order they survive,
and their assignment to cluster columns is lost.
PWD Length (longer is more secure):
job: N 31, W .467, P 0, D | W .809, P 0, I | N 14 | W .517, P 0, B | N 27 | .205 |
W .573, P 0, I | N 15 | .165 | W .75, P 0, B | N 28 | W .484, P 0, B | N 13 | W .236, F/D |
teller: N 31 | .067 | W .64, P 0, I | N 16, W .743, P 0, I | N 18, W .813, P 0, I |
N 22, W .291, F
PWD Duration (longer is less secure):
job: N 42 | W .386, F | atm: N 40 | W .757, P 0, B | N 28 | W .042, F | teller: N 34 |
W .822, P 0, B | N 22 | W .021, F | atm: N 37

DISCUSSION

The significant cluster values in Table 2 (set in bold in the original) suggest that there are
groups of users who display concordant preferences within the group, but who differ from the
other groups. In particular, a bell shaped preference is very common. This makes sense from
the basic economics of security: it suggests a recognition that some security is desirable,
but that too much creates a cost. Further, in many cases the value of W is high. The second
largest cluster for length in all cases displays a preference for longer (more secure)
passwords, while a bell shaped function is found in all six cases. For password lifetime the
two top clusters are bell shaped and preference for longer (less secure) lifetimes. Thus,
users express a preference for longer (i.e. more secure) passwords and for longer duration
(i.e. less secure) passwords.
There are, of course, limitations to the study. First is that the data set is small.
Second, the respondents are all college students. It is not clear to what extent they
constitute a good model for society at large. Thus, further analysis of the data is warranted.
We hope to collect further data in the coming year and to expand the audience beyond the
business college. In particular, it remains to study the correlations between user attitudes
toward password length and lifetime and to estimate the proportion of users with each sort of
preference function.
The purpose of this work is to shed light on user preferences toward password security
policies. Initial analysis reveals that users are not homogeneous, but that there are
meaningful patterns of preferences. It is clear that users are not uniform in their
preferences for these aspects of password security. This suggests that policy makers should
be more considerate of user preferences in designing policy. In particular, we conclude that
policy makers should make a better effort to understand user preferences.

REFERENCES

Pendegraft, N. & M. Rounds (2007). A simulation model of IS security. International Journal of Information Security and Privacy, 1.
Pendegraft, N. (2008). A simulation of IS security with two user types. Mountain Plains Management Conference, Pocatello.
Stanton, J.M., K.R. Stam, P. Mastrangelo & J. Jolton (2005). Analysis of end user security behaviors. Computers and Security 24, 124-133. Retrieved 17 June 2010 from http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4D98XGR-3&_user=854313&_coverDate=03%2F01%2F2005&_alid=1373164181&_rdoc=1&_fmt=high&_orig=search&_cdi=5870&_sort=r&_docanchor=&view=c&_ct=1&_acct=C000046079&_version=1&_urlVersion=0&_userid=854313&md5=69049e4b5ea3adb0c72e43244b6d0403

However. or email articles for individual use. users may print. download.Copyright of Summer Internet Proceedings is the property of Dreamcatchers Group. . LLC and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission.