Password fatigue
Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.[1]
Causes
The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords.
According to a survey conducted in February 2020 by password manager Nordpass, a typical user has 100 passwords.[2]
Some factors causing password fatigue are:
- unexpected demands that a user create a new password
- unexpected demands that a user create a new password that uses a particular pattern of letters, digits, and special characters
- demand that the user type the new password twice
- frequent and unexpected demands for the user to re-enter their password throughout the day as they surf to different parts of an intranet
- blind typing, both when responding to a password prompt and when setting a new password.
Responses
Some companies are well organized in this respect and have implemented alternative authentication methods,[3] or have adopted technologies so that a user's credentials are entered automatically. However, others may not focus on ease of use, or even worsen the situation, by constantly implementing new applications with their own authentication system.
- Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.
- Integrated password management software - Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Microsoft Windows provides Credential Manager to store usernames and passwords used to log on to websites or other computers on a network; iOS, iPadOS, and macOS share a Keychain feature that provides this functionality; and similar functionality is present in the GNOME and KDE open source desktops. In addition, web browser developers have added similar functionality to all the major browsers. Although, if the user's system is corrupted, stolen or compromised, they can also lose access to sites where they rely on the password store or recovery features to remember their login data.
- Third-party (add-on) password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password. However, this presents problems similar to that of single sign-on in that losing the single password prevents access to all the other passwords while someone else gaining it will have access to them.
- Password recovery - The majority of password-protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account. However, this system has itself become a target of social engineering attacks by criminals. These criminals obtain enough information about the target to impersonate them and request a reset email, which is then redirected through other means to an account under the attacker's control, enabling the attacker to hijack the account.
- Passwordless authentication - One solution to eliminate password fatigue is to get rid of passwords entirely. Passwordless authentication services such as Okta, Transmit Security and Secret Double Octopus replace passwords with alternative verification methods such as biometric authentication or security tokens.[4] Unlike SSO or password management software, passwordless authentication does not require a user to create or remember a password at any point.[5]
See also
- BugMeNot
- Decision fatigue
- Identity management
- Password manager
- Password strength
- Security question
- Usability of web authentication systems
Notes
- ↑ "Password chaos" at TheFreeDictionary
- ↑ Williams, Shannon. "Average person has 100 passwords - study" (in en). https://securitybrief.co.nz/story/average-person-has-100-passwords-study.
- ↑ Such as digital certificates, OTP tokens, fingerprint authentication or password hints.
- ↑ Murphy, Hannah (3 September 2021). "The start-ups trying to kill the password". Financial Times. https://www.ft.com/content/92b5a390-f03a-450c-96b1-dd989b1bdada.
- ↑ "What is Password Fatigue and How You Can Overcome It". Transmit Security. 13 October 2021. https://www.transmitsecurity.com/blog/what-is-password-fatigue-and-how-you-can-overcome-it.
External links
- Noguchi, Yuki. Access Denied, Washington Post, 23 September 2006.
- Catone, Josh. Bad Form: 61% Use Same Password for Everything, 17 January 2008.
Original source: https://en.wikipedia.org/wiki/Password fatigue.
Read more |