Online security: Gaining insight into poor password practices among South Africans
Are we making the best use of passwords to protect our online assets?
Online security is a growing concern as the use of computers and the internet is exposing computer users to an increased number of threats. Although the South African Cyber Security Policy Framework aims to foster a cyber-security culture, it does not provide for security education, training and awareness (SETA) – which are regarded as critical components of online security.
User authentication through passwords remains a key mechanism to protect online assets. Research has highlighted the need to address human behaviour in this regard, but without indicating what these SETA initiatives should focus on. Also, varying levels of digital literacy among computer users and different behaviour by users in the online environment make it difficult to apply a uniform set of interventions to improve security behaviour.
This study analysed the password behaviour of South African online consumers to (1) understand the prevalence of poor password practices among consumers overall and (2) to identify specific password deficiencies among different demographic groups in order to serve as focus areas for tailored intervention programmes.
While technology can provide a certain level of protection, human behaviour remains a potential weak link.
Studies have shown that specific training on password-related matters improved users’ password behaviour significantly.
But first, what does the literature say about online security?
Password practices encompass the measures that computer users apply when they choose or create passwords (which involves aspects such as the origin of the password and the characters used in its composition), as well as manage these passwords (referring to the safekeeping of passwords).
An overview of the research on password practices shows the prevalence of both proper and improper password practices by users. While some computer users are proficient in their password practices, studies show that proper security measures and guidelines are often ‘unknown, neglected, or avoided’ by other computer users. As a result, many computer users simply do not know how to select usable and secure passwords, or they are unaware of their vulnerability and the possible consequences associated with improper password use and control.
In addition, human memory limitations place a strain on computer users’ memory and their ability to remember numerous passwords. Some researchers refer to this as ‘password overload’, which often results in weak password behaviour. This leads to a conflict between two opposing principles, convenience (memorability and usability) and security.
Some researchers propose interventions focused on the educational requirements of particular target audiences. However, they do not explain how to custom-design SETA interventions.
Overview of current research on demographics and password practices
An extensive part of the research on online security is descriptive, philosophical or theoretical, lacking a structured use of empirical data, which makes the field quite immature.
Research on computer security often focuses on ‘particular user communities’ without necessarily reporting on the effects of demographics, despite the fact that basic demographic information is often obtained in these studies.
While some researchers noted small differences in individuals’ information security awareness related to their age and gender, others found that gender has no significant influence on information security behaviour. However, they found that age seems to improve secure behaviour. Some researchers found female respondents to be more susceptible to, for example, phishing attacks. It was also found that age reduces the risk perception associated with a loss of data confidentiality and increases vulnerability to threats such as spyware. Also, males seem to have a tendency to engage in more risky online behaviour.
Some researchers established that users with higher education levels are significantly more likely to learn from negative experiences. These groups also have access to more credible sources of security-related information, potentially leading to more secure behaviour online.
The literature for demographics impacting passwords is scarce. Gender as a distinguishing factor did feature in some research, determining that females are more likely to use meaningful information in the composition of their passwords while males are more likely to use similar passwords for more than one purpose. A decrease in password sharing was noted as respondents grew older.
The need to change users’ behaviour in terms of passwords
The goal of security education, training and awareness (SETA) interventions is to change and improve user behaviour. Although many organisations show compliance in running security awareness programmes, this does not necessarily lead to behavioural change. Merely complying, and not dealing with the actual deficiencies, can result in people being more averse to change than before.
The primary objective of this study was to determine the SETA needs of individuals in South Africa by analysing the following:
- The prevalence of poor password practices – to define common SETA focus areas
- The variance between different demographic groups – to define focus areas for tailored SETA initiatives.
The study used a quantitative research approach. An online survey was used to gather demographic data, perceptions about online security and applied password practices. A sample of 737 valid responses was analysed. The steps in the research process were the following:
- A literature study was performed to determine best practices for passwords and to compile a list of potential deficiencies.
- A survey was designed and pilot tested to ensure accuracy and avoid forced answers from respondents.
- The survey was distributed online using a commercial survey site.
- The overall password performance was analysed to determine the incidence of improper practices among the entire data set.
- Password behaviour displayed was analysed for different demographic groups.
- The variation, for different demographics, was analysed to identify focus areas for tailored SETA programmes based on demographics.
The intent of the research was not to use the results to design differentiated SETA programmes for generalised demographic groups, but rather to acknowledge the potential difference and to incorporate that into a learning process design.
What did the study find in terms of overall password behaviour?
An analysis of the data revealed that respondents vary significantly in their password practice proficiency levels. Importantly, there was a significant discrepancy between users’ perceptions of their password practices and the real practices displayed. A total of 39 respondents (5.3%) perceived that they had absolute knowledge of proper password practices. However, only one respondent (0.1%) was able to demonstrate a flawless ability to apply proper password practices, while only 21 respondents (2.8%) displayed a perfect ‘security first’ aptitude when selecting and managing passwords.
The most prevalent poor practices were the simultaneous use of the same passwords (90.1%) and password reuse (77.3%). This was not unexpected, because previous studies have highlighted that users have fewer passwords than the number of websites they visit, indicating password reuse.
One study found that more than 80.0% of their respondents reused or slightly altered passwords for multiple purposes. The reuse and simultaneous use of passwords is thus a crucial focus area for SETA, especially where the same passwords are used to protect valuable assets (like online banking) as well as less valuable (and often less well-protected) internet sites of a general nature.
Analysis of weak password behaviour per demographic group
The analysis for the customisation of SETA programmes followed a dual approach. Firstly, it was determined which of the weak password practices were more prevalent across the entire population to ensure that these aspects were highlighted across the board for all demographics. Secondly, the prevalence of weak password behaviour within different demographic groups was analysed. This is a summary of the findings:
- Age group: Weak behaviour decreased for the majority of practices as respondents grew older. A possible reason for this could be that older respondents do not visit as many password-protected internet sites as younger age groups, meaning that they do not have as many passwords to manage, resulting in less password reuse and simultaneous use. A decrease was noted in the extent of password sharing as respondents grew older. While the majority of poor practices decreased with respondents’ age, the practices of using personally meaningful words and numbers, not changing passwords regularly and using unsafe storing practices increased the older the respondents were. This could indicate that although they visit fewer password-protected sites, those older than 50 years are possibly unaware of the dangers associated with the use of personally meaningful information when creating passwords. This is supported by the increased lack of risk awareness as respondents grew older, which is not unexpected because older participants are not digital natives who have benefitted from a lifelong digital experience.
- Gender: Although both genders displayed improper password practices, the areas of deficiency for male and female respondents differed. There was no notable difference in simultaneous use and unsafe storage practices across gender. Slight variances in the prevalence of several improper practices were found: regarding ease as more important than security when creating passwords, not regarding risk as an important consideration when creating passwords, not using a proper combination of characters to create passwords, and password reuse. Although female respondents tended to reuse their passwords less than the male respondents, they used personally meaningful information more often, shared passwords more often and did not change their passwords as often as the male respondents. When analysing the number of sites visited requiring authentication, per gender, it was found that a similar percentage of each gender accessed 10 to 14 sites and 15 to 19 sites. However, significantly more male respondents accessed 20 or more sites – which could explain why the males tended to reuse their passwords more.
- Number of internet sites accessed: This study showed that the more passwords users have, the more they tend to reuse and simultaneously use their passwords. This confirms observations from the literature about human memory limitations, resulting in users suffering from ‘password overload’ when they have more passwords to remember. The results of this South African study correspond with international studies finding a correlation between the number of passwords that users have and password reuse – or the simultaneous use of a password for more than one purpose.
- Education: While using meaningful words was found to be the highest for graduates, using meaningful numbers increased with levels of education. Although the weak practice of regarding convenience as more important than security increased with education, the lack of risk awareness (i.e. not considering the risk associated with a password’s use) when creating passwords seems to decrease as levels of education increase. Password sharing was the highest among respondents with no formal after-school qualifications. Interestingly, unsafe storage practices increased with education level.
- Internet experience: Years of internet experience show significant variance within the categories. Sharing of passwords, for example, peaks for the middle category (10 to 14 years of internet experience) and is significantly lower for both fewer and more years of internet experience. It is possible that this trend could again be related to an increase in the number of sites accessed. The related poor practices of non-complex composition and meaningful numbers decreased with experience. Surprisingly, both unsafe storage and simultaneous use increased with years of internet experience.
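The practices the study measured (simultaneous use of one password, reuse or slight alteration of a password across sites, sharing a password between a high-value asset such as online banking and a low-value general site, personally meaningful words and numbers, and non-complex composition) can be checked mechanically against a user's own password inventory, for example a password-manager export. The following is an added example, not code from the study or its authors; the inventory, the personal hints, the site value tiers and the three-character-class threshold are all constructed assumptions.

```python
"""Self-audit of a password inventory for the weak practices the study measured.

Added example, not the study's own code. Assumes the user (or a password-manager
export) supplies site -> password plus a value tier for each site, and a few
personally meaningful hints (names, years, phone number) that should never
appear in a password. All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed inventory: site -> password and the value of what it protects.
# "high" = banking, primary e-mail, VPN; "low" = general sites.
INVENTORY = {
    "bank.example":  {"password": "Thandi1985!",    "tier": "high"},
    "mail.example":  {"password": "Thandi1985!",    "tier": "high"},
    "forum.example": {"password": "thandi1985",     "tier": "low"},
    "shop.example":  {"password": "Summer2019",     "tier": "low"},
    "news.example":  {"password": "Summer2019",     "tier": "low"},
    "vpn.example":   {"password": "c7#Qk!v9Lp2&wZ", "tier": "high"},
}

# Constructed personally meaningful hints (name, surname, birth year, phone).
PERSONAL_HINTS = ["Thandi", "Mokoena", "1985", "0821234567"]

# Assumption: at least three of the four character classes counts as a
# "proper combination of characters"; the study itself fixes no threshold.
MIN_CLASSES = 3


def base_form(password: str) -> str:
    """Reduce a password to its alphabetic core so that 'Thandi1985!' and
    'thandi1985' are recognised as slightly altered copies of one another."""
    return re.sub(r"[^a-z]", "", password.lower())


def group_sites(inventory, key):
    """Group site names by key(password); only groups of two or more matter."""
    groups = defaultdict(list)
    for site, entry in inventory.items():
        groups[key(entry["password"])].append(site)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def simultaneous_use(inventory):
    """Sites that currently share an identical password."""
    return sorted(group_sites(inventory, lambda pw: pw).values())


def slightly_altered(inventory):
    """Sites whose passwords are identical or differ only in case, digits or
    symbols: the 'reused or slightly altered' pattern cited above."""
    return sorted(group_sites(inventory, base_form).values())


def cross_tier_sharing(inventory):
    """Password families shared between a high-value and a low-value site."""
    flagged = []
    for sites in slightly_altered(inventory):
        tiers = {inventory[s]["tier"] for s in sites}
        if {"high", "low"} <= tiers:
            flagged.append(sites)
    return flagged


def contains_personal_info(password, hints=PERSONAL_HINTS):
    """True if any personally meaningful hint appears in the password."""
    lowered = password.lower()
    return any(h.lower() in lowered for h in hints)


def character_classes(password):
    """Number of the classes lower, upper, digit and symbol present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def audit(inventory=INVENTORY, hints=PERSONAL_HINTS):
    """Run every check and return the affected sites keyed by practice.
    Only site names are reported, never the passwords themselves."""
    return {
        "simultaneous_use": simultaneous_use(inventory),
        "slightly_altered": slightly_altered(inventory),
        "cross_tier_sharing": cross_tier_sharing(inventory),
        "personal_info": sorted(
            s for s, e in inventory.items()
            if contains_personal_info(e["password"], hints)),
        "non_complex": sorted(
            s for s, e in inventory.items()
            if character_classes(e["password"]) < MIN_CLASSES),
    }


if __name__ == "__main__":
    for practice, finding in audit().items():
        print(f"{practice}: {finding}")
```

On the constructed inventory the audit reports the banking and e-mail accounts sharing one password, the forum using a slightly altered copy of that same banking password (the high-value/low-value overlap the study singles out), the owner's name and birth year inside three passwords, and the forum password as the only one below the composition threshold. Reporting site names rather than passwords keeps the output safe to hand to the user as SETA feedback.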
Variations within different demographic groups
The variation within each demographic group was used to determine whether a particular demographic group displayed a higher, or lower, prevalence for the particular measure. The results showed areas of higher and lower focus within all the demographic groups, meaning that all demographic groups are in need of SETA. Furthermore, it shows that the various demographic groups require tailored SETA programmes with different focus areas. These results confirm that a one-size-fits-all approach toward SETA programmes is not ideal, even for specific demographic groups.
Although it could be argued that ‘covering all bases’ would be appropriate for all SETA interventions, care should be taken not to hide the specific knowledge required by an individual user within a sea of non-relevant information. However, there is also opportunity within this variance: the construct of social influence is well appreciated in the behavioural change and technology literature. Therefore, allowing a natural transfer of good practices within diverse groups, although challenging, could have a significant impact.
Designing different password programmes for different groups
This study showed that there is a substantial incidence of poor password practices among South African computer users. At the same time, research has shown that security-related information, guidance and feedback can positively influence secure behaviour. Appropriate interventions can therefore contribute to online security, even more so because these risks are changing all the time. The challenge, given different poor practices, is defining appropriate interventions.
It is essential that those users who need to hear the message should be ‘attracted’ to the education message. This can only be achieved by using the most appropriate method of communication, which could be tailored for those using a particular common undesirable practice. Although the design of the message falls outside the scope of this research, it is important that appropriate messages form part of SETA initiatives.
The study concluded that to improve computer password security in this country, password SETA programmes should be based on individual needs and not merely on certain generic password practices for homogeneous groups with similar behavioural challenges. These findings will allow for the design of targeted SETA initiatives to help create the security culture alluded to in the South African Cyber Security Policy Framework. Hence, these results should be useful to practitioners defining appropriate SETA programmes.
This research confirms that there are significant differences between the password practices for online users. Hence, a one-size-fits-all SETA initiative will not suffice. In essence, this research provides the set of practices that should be assessed to design individualised SETA for those individuals or, if required, groups who display a particular poor password behaviour.
- Find the original journal article here: Butler, R. & Butler, M. (2018). Some password users are more equal than others: Towards customisation of online security initiatives. South African Journal of Information Management, 20(1), a920. https://doi.org/10.4102/sajim.v20i1.920
- Prof Rika Butler lectures at the School of Accountancy, Stellenbosch University.
- Martin Butler is head of the MBA programme at the University of Stellenbosch Business School.