Password fatigue
Password fatigue, also known as password chaos or identity chaos, is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log on to a computer at work, undo a bicycle lock or conduct banking from an ATM.

The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords. According to a 2002 survey of British online-security consultant NTA Monitor, the typical intensive computer user has 21 accounts that require a password.

Aside from contributing to stress, password fatigue may encourage people to adopt habits that reduce the security of their protected information. For example, an account holder might use the same password for several different accounts, deliberately choose easy-to-remember passwords that are vulnerable to cracking, or rely on written records of their passwords.

Other factors causing password fatigue are:
  • unexpected demands that a user create a new password
  • unexpected demands that a user create a new password that uses a particular pattern of letters, digits, and special characters
  • demands that the user type the new password twice
  • frequent and unexpected demands for the user to re-enter their password throughout the day as they surf to different parts of an intranet
  • blind typing, both when responding to a password prompt and when setting a new password.


Some companies are well organized in this respect, have implemented alternative authentication methods or adopted technologies so that a user's credentials are entered automatically, but others may not focus on ease of use or even worsen the situation by constantly implementing new applications with their own authentication system.

Password fatigue will typically affect users, but can also affect technical departments who manage user accounts as they are constantly reinitializing passwords; this situation ends up lowering morale in both cases. In some cases users end up typing their passwords in cleartext in text files so as to not have to remember them, or even writing them down on paper notes.

Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.

Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Mac OS X has a Keychain feature that provides this functionality, and similar functionality is present in the GNOME and KDE open source desktops. Microsoft Windows does not have an explicit function for this, favoring centralized authentication based on the proprietary Microsoft Active Directory technology.

In addition, web browser developers have added similar functionality to all of the major browsers, and password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password.

Additionally, the majority of password-protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account.

These tools pose the problem that if the user's system is corrupted, stolen or compromised, apart from problems of the data being misused, they can also lose access to sites where they rely on the password store or recovery features to remember their login data. For this reason it is often advised to keep a separate record of sites, usernames and passwords that is physically independent of the system.

Many sites, in an attempt to block bad passwords, also block good password practices such as MD5 and SHA1 hashes, by requiring both lowercase and uppercase letters or by limiting password length. Some sites also block non-ASCII or non-alphanumeric characters.
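
As an added illustration (not part of the original article), the Python sketch below contrasts a restrictive site policy of the kind described above with a check based only on length and a blocklist. The function names, length limits, blocklist and sample passwords are all constructed assumptions.

```python
import string

# Constructed sample passwords (not taken from the article).
SAMPLES = {
    "weak_but_compliant": "Password1",
    "hex_digest_style": "9f86d081884c7d659a2feaa0c55ad015",  # 32 lowercase hex characters
    "unicode_passphrase": "grüne-katze-läuft-über-dächer",
}

# Tiny constructed blocklist; a real deployment would use a large list.
COMMON_PASSWORDS = {"password1", "123456789", "qwerty123"}

ASCII_ALNUM = set(string.ascii_letters + string.digits)


def restrictive_policy(pw, max_len=16):
    """Composition and length-cap rules as described above; returns violations."""
    problems = []
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lowercase and uppercase letters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if any(c not in ASCII_ALNUM for c in pw):
        problems.append("contains non-ASCII or non-alphanumeric characters")
    return problems


def length_based_policy(pw, min_len=8, max_len=64):
    """Alternative check: length bounds plus a blocklist, any character allowed."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def compare(samples=SAMPLES):
    """Map each sample name to (accepted by restrictive, accepted by length-based)."""
    return {
        name: (not restrictive_policy(pw), not length_based_policy(pw))
        for name, pw in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20} restrictive={verdict[0]!s:5} length_based={verdict[1]}")
```

The restrictive policy accepts only the guessable sample and rejects both long ones, while the length-based check does the opposite.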

See also

  • Identity management
  • Password
  • Password strength
  • Password manager
  • Security question
  • Single sign-on
  • BugMeNot


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.