Thoughts on passwords
"The password must be impossible to remember and never written down."
Richard E. Smith, Authentication: from Passwords to Public Keys
Passwords are an interesting technology. They're one of the few security technologies for which there's currently no standard. The only attempt at such a standard was the Department of Defense Password Management Guideline (CSC-STD-002-85), which only provides general guidance and hasn't been updated since 1985. They're also probably the clearest demonstration of the balancing act between security and usability: security administrators want users to use strong passwords, but users can't remember strong passwords, and there seems to be no way to keep both groups happy at the same time.
One of the more interesting studies of passwords is "A Large-Scale Study of Web Password Habits" by Dinei Florêncio and Cormac Herley of Microsoft Research. Florêncio and Herley looked at the web password habits of roughly half a million users over a three-month period and summarized their findings in that paper. Some of their findings include:
- The average user has 6.5 passwords which are shared across 3.9 web sites
- The average user has about 25 accounts that require passwords
- The average user types about 8 passwords per day
- The average user chooses a password with about 40.54 bits of entropy
- About 4 percent of users forget their password over a three-month period
Of these findings, one looks a bit suspicious: the estimate of 40.54 bits of entropy for a typical password. That figure is computed from nothing more than the password's length and the size of the alphabet its characters are drawn from, so it implicitly assumes that users pick the letter 'q' as often as they pick the letter 'e' and that each character is chosen independently of the others. Neither is true of human-chosen passwords, so the actual entropy of passwords is probably much lower.
The estimate that 4 percent of users forget their password over a three-month period is also interesting. That means that about 15 percent of users forget a password over a one-year period. Let's assume that a reset takes 10 minutes of an administrator's time that's worth $50 per hour. This means that the expected cost of password resets is probably roughly $1.25 per user per year, which is much less than the estimates the vendors of password-management products would have us believe.
Another study indicates that most users just use lower-case letters for their passwords and, if their security policy requires stronger passwords, simply make the first character upper case and append a number to the end. And if they have to change passwords regularly, they tend to just increment the number at the end, turning "Password1" into "Password2," for example. So even passwords that are supposed to be somewhat strong often aren't really any stronger than weak passwords.
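To make both points concrete (the alphabet-based entropy figure and the capitalise-and-append-a-digit habit), here is an added example; it is not code from the original post or from the Florêncio and Herley paper. It computes the paper's alphabet-size-to-the-length measure for a few passwords and sets it against the number of guesses an attacker needs who simply enumerates a wordlist with two case variants and short digit suffixes. The wordlist, the suffix order and the sample passwords are constructed for illustration, not taken from any real cracking list.

```python
import math
import string

# --- The study's measure: alphabet size raised to the length ---------------
# Florencio and Herley score a password as log2(alphabet ** length), where the
# alphabet is the union of the character classes that appear in it. Every
# position is implicitly treated as a uniform, independent draw.
CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def alphabet_size(pw):
    """Size of the union of the character classes present in pw."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in pw))


def naive_bits(pw):
    """Entropy estimate that treats each character as a uniform draw."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


# --- A pattern-aware attacker ----------------------------------------------
# Constructed toy wordlist, most common base word first. Real cracking
# wordlists run to millions of entries; the shape of the estimate is the point.
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon",
            "football", "qwerty", "sunshine"]

# Suffixes tried for each word, in order: nothing, one digit, two digits.
SUFFIXES = [""] + [str(i) for i in range(10)] + [f"{i:02d}" for i in range(100)]


def split_candidate(pw):
    """Split pw into (base word, case variant, digit suffix) if it follows the
    'word, maybe capitalised, maybe with digits on the end' habit.
    Variant 0 is all lower case, 1 is first letter upper case. None otherwise."""
    base = pw.rstrip(string.digits)
    suffix = pw[len(base):]
    if not base or suffix not in SUFFIXES:
        return None
    if base.islower():
        return base, 0, suffix
    if base[0].isupper() and base[1:].islower():
        return base.lower(), 1, suffix
    return None


def pattern_guesses(pw):
    """Guesses a cracker needs to reach pw when it enumerates
    WORDLIST x {lower, Capitalised} x SUFFIXES in that nested order.
    Returns None if pw lies outside that search space."""
    parts = split_candidate(pw)
    if parts is None or parts[0] not in WORDLIST:
        return None
    word, variant, suffix = parts
    per_word = 2 * len(SUFFIXES)
    return (WORDLIST.index(word) * per_word
            + variant * len(SUFFIXES)
            + SUFFIXES.index(suffix) + 1)


def pattern_bits(pw):
    """Guess count expressed in bits, directly comparable with naive_bits."""
    guesses = pattern_guesses(pw)
    return None if guesses is None else math.log2(guesses)


if __name__ == "__main__":
    for pw in ["password", "Password1", "Password2", "Sunshine99", "x7#Qm!2b"]:
        print(f"{pw:12} naive={naive_bits(pw):5.1f} bits  "
              f"pattern guesses={pattern_guesses(pw)}")
```

By the alphabet measure "Password1" scores about 53.6 bits, a third more than "password" at 37.6, yet the pattern-aware attacker finds it on guess 114 of a search that never exceeds 1,776 guesses, and the "rotated" "Password2" is guess 115. A password outside the habit, such as "x7#Qm!2b", is not reachable by this attacker at all, which is the only case where the naive figure says anything useful.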
Passwords may not be one of the strongest means of authentication, but they're relatively inexpensive compared to the more secure alternatives and they seem to work well most of the time. This means that we'll probably be using them well into the future, much to the annoyance of security administrators who don't feel comfortable making the trade-off between security and ease of use that passwords require.