Sick of Password Statistics


Posted by Ed on May 6, 2005 in Analysis

I’m sick of seeing statistics about how likely users are to give out their passwords. This is the kind of survey where interviewers at the mall or a crowded train station interview a “statistically large sample” of people and ask them to give up their password for a fancy pen, or a chocolate, or some other trivial good. Of course, some people say they will, and news outlets write articles like “92% of users will swap password for –insert item here–.”

Everybody knows (or ought to know) that these surveys are bogus. A little empathy with the interviewee should tell us why. For example, if I’m getting off a crowded bus and someone comes up to me and says, “will you tell me your password for a free bit of cheese,” I’m almost 100% likely to give them a password in exchange for the cheese (depending of course on the type of cheese in question). Note that I say “a password” in that statement and not “my password.” After all, how will the interviewer know if it’s a real password or not? Is there follow-up to see which passwords are real and which are bogus? Of course not. So, basically, I could tell the interviewer anything in exchange for the cheese with absolutely no ramifications or chance that they won’t follow through on the exchange due to my little “white lie”. Of the small percentage that are unwilling to even tell a “little white lie”, do the interviewers discriminate between the users’ “yahoo groups” password and their network password; what about a password they used 6 years ago that they haven’t used since? Once again, no. I think users are smarter than people realize with respect to passwords, and more likely to keep their important data safe. That doesn’t mean that they won’t take advantage of someone’s offer to give them something “for free” if they can get away with it, though. If people were really trading their banking passwords for inexpensive goodies, would we really see phishers going to all the trouble they do to get that same data? I quite doubt it.

This is just yet another example of a poor methodology used for the sole purpose of generating hype and FUD. Of course, this particular survey was sponsored by Verisign… has anyone stopped to question if they maybe have a commercial interest in purveying password hysteria?