Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Anne Adams , Martina Angela Sasse, Users are not the enemy, Communications of the ACM, v.42 n.12, p.40-46, Dec. 1999  [doi>10.1145/322796.322806]
	2	Ross J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley & Sons, Inc., New York, NY, 2001
	3	S. Brostoff and M. A. Sasse. Are passfaces more usable than passwords: A field trial investigation. People and Computers XIV - Usability or Else: Proceedings of HCI 2000, pages 405--424, 2000.
	4	A. S. Brown, E. Bracken, S. Zoccoli, and K. Douglas. Generating and remembering passwords. Applied Cognitive Psychology, 18(6):641--651, 2004.
	5	BugMeNot.com. Frequently asked questions. http://bugmenot.com/faq.php. Accessed 5 March 2006.
	6	J. Bunnell, J. Podd, R. Henderson, R. Napier, and J. Kennedy-Moffat. Cognitive, associative and conventional passwords: Recall and guessing rates. Computers and Security, 16(7):641--657, 1997.
	7	R. Dhamija and A. Perrig. Dejà vu: A user study using images for authentication. In Proc. of the 9th USENIX Security Symposium, 2000.
	8	Paul Dourish , E. Grinter , Jessica Delgado de la Flor , Melissa Joseph, Security in the wild: user strategies for managing security as an everyday, practical problem, Personal and Ubiquitous Computing, v.8 n.6, p.391-401, November 2004  [doi>10.1007/s00779-004-0308-5]
	9	Eran Gabber , Phillip B. Gibbons , Yossi Matias , Alain J. Mayer, How to Make Personalized Web Browising Simple, Secure, and Anonymous, Proceedings of the First International Conference on Financial Cryptography, p.17-32, February 24-28, 1997
	10	Joseph Goldberg , Jennifer Hagman , Vibha Sazawal, Doodling our way to better authentication, CHI '02 extended abstracts on Human factors in computing systems, April 20-25, 2002, Minneapolis, Minnesota, USA  [doi>10.1145/506443.506639]
	11	Blake Ives , Kenneth R. Walsh , Helmut Schneider, The domino effect of password reuse, Communications of the ACM, v.47 n.4, p.75-78, April 2004  [doi>10.1145/975817.975820]
	12	I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin. The design and analysis of graphical passwords. In 13th USENIX Security Symposium, pages 1--14, 2004.
	13	A. H. Karp. Site-specific passwords. Technical report, Hewlett-Packard Laboratories. http://www.hpl.hp.com/personal/Alan_Karp/site_password/site_password_files/site_password.pdf.
	14	D. V. Klein. "Foiling the cracker" -- A survey of, and improvements to, password security. In Proc. of the second USENIX Workshop on Security, pages 5--14, Summer 1990.
	15	Robert Morris , Ken Thompson, Password security: a case history, Communications of the ACM, v.22 n.11, p.594-597, Nov. 1979  [doi>10.1145/359168.359172]
	16	H. Petrie. Password clues. http://www.centralnic.com/news/research. Accessed 2 May 2005.
	17	Jenny Preece , Yvonne Rogers , Helen Sharp, Interaction Design, John Wiley & Sons, Inc., New York, NY, 2002
	18	Princeton Office of Information Technology. Tips for creating strong, easy to remember passwords. Accessed 6 March 2006.
	19	S. Riley. Password security: What users know and what they actually do. http://psychology.wichita.edu/surl/usabilitynews/81/Passwords.htm, February 2006.
	20	B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger password authentication using browser extensions. 14th Usenix Security Symposium, page 1732, 2005.
	21	M. A. Sasse , S. Brostoff , D. Weirich, Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security, BT Technology Journal, v.19 n.3, p.122-131, July 2001  [doi>10.1023/A:1011902718709]
	22	Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, 2004
	23	Dirk Weirich , Martina Angela Sasse, Persuasive password security, CHI '01 extended abstracts on Human factors in computing systems, March 31-April 05, 2001, Seattle, Washington  [doi>10.1145/634067.634152]
	24	Dirk Weirich , Martina Angela Sasse, Pretty good persuasion: a first step towards effective password security in the real world, Proceedings of the 2001 workshop on New security paradigms, September 10-13, 2001, Cloudcroft, New Mexico  [doi>10.1145/508171.508195]
	25	Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, Authentication using graphical passwords: effects of tolerance and image choice, Proceedings of the 2005 symposium on Usable privacy and security, p.1-12, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073002]
	26	Jeff Yan , Alan , Ross , Alasdair, Password Memorability and Security: Empirical Results, IEEE Security and Privacy, v.2 n.5, p.25-31, September 2004  [doi>10.1109/MSP.2004.81]
	27	K.-P. Yee. How to manage passwords and prevent phishing. http://usablesecurity.com/2006/02/08/how-to-prevent-phishing/, February 2006. Accessed 5 March 2006.