The contradictions of password psychology

A new survey on attitudes towards passwords indicates an apparent contradiction: most people want stricter password security policies, but don’t bother changing their own default passwords.

This is the somewhat surprising result of a survey of its users undertaken by Elcomsoft, a Russian password audit/recovery company. Asked whether users are satisfied with their company’s password policy, 61% replied that they are not. The preference would be for stricter controls: only 24% would like a more relaxed policy, while 76% would opt for a more strict approach. This in itself is not surprising since Elcomsoft’s users, by definition, have an interest in password security.

However, the same respondents display a relaxed attitude towards their own password security. Only 28% of these will always change the supplied default password, while more than a quarter will usually leave it unchanged.

The same users also show a high degree of trust in their colleagues’ security. Asked whether they would consider using a colleague’s laptop to access protected accounts (thereby entering their personal details on a computer that for all they know could be compromised), only 35% said they wouldn’t do it. A similar number replied that they trust their colleagues.

Elcomsoft believes that these results should raise a red flag to password administrators. Their users may show a high level of security awareness, but their behavior is different. "We have customers coming from forensic, intelligence, educational and corporate backgrounds", says Vladimir Katalov, ElcomSoft’s CEO. These results are, he admits, “surprising.” It may be one for the psychologists.