Do People Use Different Passwords for Different Accounts?
Abstract
Do you ever use a password to log in to a computer, email account, or website? Do you use the same password for each one? Even if your password is very long or hard to guess, using the same password for many accounts can still be risky. If someone manages to find out your password (for example, via a phishing attack, or if you write your passwords down and someone finds the piece of paper), they could easily access many of your accounts. However, memorizing lots of different passwords can be difficult and confusing. In this computer science project, you will conduct a survey to see how many different passwords people use.
Conduct a survey to determine how many different passwords people use to access personal electronic devices and online information, such as computer logins, email, social networking, and work accounts.
If you have a computer or email account, chances are that you use a password to log in to them. A password is a series of characters made up of letters, numbers, and/or symbols from your computer's keyboard that acts like a virtual "key" to access a private account or data. If someone guesses or finds out your password, it's as if they stole a key that lets them into your house. All sorts of bad things can happen as a result. People who try to steal other people's passwords with malicious intent are called hackers or cyber thieves. Some hackers claim that they are just out to have fun or to prove a political point (for example, by changing pictures or text on the website of a politician with whom they disagree); but others commit serious crimes like electronically stealing money from bank accounts or opening new accounts in a person's name using his or her information.
One of the best precautions you can take is to use passwords that are hard to guess. Many passwords are extremely common, such as "password", "123456", or "qwerty", and these are the first passwords hackers will try when they want to access someone's account. Security experts typically recommend using a combination of letters (uppercase and lowercase), numbers, and symbols, as well as completely avoiding spelling out words that can be found in the dictionary, or using names (especially of family members or pets). Though not guaranteed, following these guidelines makes your password much harder for a human to guess, and means automated computer programs that are used by hackers will take much longer to guess it. There are even online tools that will estimate how long a password will take to guess (see the Bibliography section for references on common passwords and password security tips).
Most people have more than one account that they log in to for different online activities, like email, social networking, and various electronic devices (computers, cell phones, tablets etc.). Security experts agree that if you have more than one account, you need more than one password. Even if you have a very strong password, it could be dangerous to use the same one for all of those different logins. For example, some people write their passwords down, which is a bad idea, because the paper could be stolen. You could also lose your password due to a phishing attack. A phishing attack is when a malicious fake website is set up to look like an exact duplicate of a legitimate website; for example a bank or email service. When you enter your login information, you then give criminals access to your username and password, which they can use to log in to the real website. For example, say that you fall victim to a phishing attack on your email account. Hackers now have your email username and password. Let's say you also have an account on a shopping website like Amazon.com, where you use your email address as a login, and use the same password. And maybe you also have credit card information stored in your Amazon.com profile. This means that hackers could log in to your Amazon account and use your money to make purchases!
These are some of the reasons why security experts recommend using different passwords for different accounts. However, it can be difficult to try and remember a dozen different passwords. In this cybersecurity science project, you will conduct a survey to find out how many different passwords people actually use for different accounts. The exact design of the survey will be up to you (for example, you might put different questions on the survey depending on whether you intend to give it to adults or classmates). You will then analyze your data to see how many passwords people typically use, and whether people tend to use the same password for online access in certain categories, like email, social networking, work/school accounts, online gaming, etc.
Terms and Concepts
- Hacker or cyber thief
- Phishing attack
- Normal distribution
Materials and Equipment
- Group of at least 20 people to fill out your survey. The more people, the better.
- Optional: Printer to print paper copies of your survey; not required if you are doing your survey with an online tool or via email.
Working with Human Test Subjects
There are special considerations when designing an experiment involving human subjects. Fairs affiliated with Regeneron International Science and Engineering Fair (ISEF) often require an Informed Consent Form (permission sheet) for every participant who is questioned. Consult the rules and regulations of the science fair that you are entering, prior to performing experiments or surveys. Please refer to the Science Buddies documents Projects Involving Human Subjects and Scientific Review Committee for additional important requirements. If you are working with minors, you must get advance permission from the children's parents or guardians (and teachers if you are performing the test while they are in school) to make sure that it is all right for the children to participate in the science fair project. Here are suggested guidelines for obtaining permission for working with minors:
- Write a clear description of your science fair project, what you are studying, and what you hope to learn. Include how the child will be tested. Include a paragraph where you get a parent's or guardian's and/or teacher's signature.
- Print out as many copies as you need for each child you will be surveying.
- Pass out the permission sheet to the children or to the teachers of the children to give to the parents. You must have permission for all the children in order to be able to use them as test subjects.
- Design your survey for one target audience, such as all students or all adults. You need to make a list of devices and accounts that you want to ask people about, and create a form where they can mark which password they use for which account. Important: Do not actually ask people to give you their passwords. You could ask people to use letters or numbers (for example, "A", "B", "C" or "1", "2", "3" etc.) to represent their different passwords.
- For example, perhaps your parent has an email account where they use the password "secret" and an account at the bank where they use the password "Fido" (the name of your dog). They would refer to "secret" as "A" in your survey and "Fido" as "B" to give you data without giving away the passwords (both of these passwords, by the way, are far from secure and would be guessed very quickly by a hacker).
- Tables 1 and 2 show two example surveys and instructions, with a couple ideas to get you started. Table 1 is designed for adults, and Table 2 for kids. You can use Table 1 or 2 to start your survey, and add or delete rows as you see fit. Make sure your survey includes an introductory paragraph that explains what the survey is for and gives directions on how to fill it out.
Adult Password Use Survey: Please mark the right-hand column with a letter (A, B, C, etc.) representing the password you use for that account. Do not enter your actual password! If you do not have the account listed, leave the row blank. If you have the listed account, but do not have a password, write "none."
|Account or Device
|Other electronic device (specify: )
|Personal email 1
|Personal email 2
|Personal email 3
|Online credit card
|Online retirement account
|Kids' school/report card system
|Cell phone bill/account
|Utility bill 1 (e.g. gas, electric, water)
|Utility bill 2 (e.g. gas, electric, water)
|Utility bill 3 (e.g. gas, electric, water)
|Online shopping 1 (e.g. Amazon, eBay)
|Online shopping 2 (e.g. Amazon, eBay)
Kid Password Use Survey: Please mark the right-hand column with a letter (A, B, C, etc.) representing the password you use for that account. Do not enter your actual password! If you do not have the account listed, leave the row blank. If you have the listed account, but do not have a password, write "none."
|Account or Device
|Game console (e.g. Xbox, Playstation, Wii)
|Other social networking
|Other social networking
|Gaming 1 (e.g. Minecraft, World of Warcraft)
|Gaming 2 (e.g. Minecraft, World of Warcraft)
|Gaming 3 (e.g. Minecraft, World of Warcraft)
|Music 1 (e.g. Pandora, Spotify, Grooveshark)
|Music 2 (e.g. Pandora, Spotify, Grooveshark)
|Music 3 (e.g. Pandora, Spotify, Grooveshark)
- Decide how you are going to distribute your survey. You have several options:
  - Print paper copies of your survey and have people fill them out.
  - Email people your survey and ask them to return it to you in electronic form.
  - Use an online survey tool like Survey Monkey or the "Forms" tool in Google Docs (there are many other options you can find by doing an online search for "survey tool").
- Distribute your survey. How you do this will depend on which method you chose in step 2. Make sure you explain what the survey is about to your participants. You should ask people to respond to you by a certain date.
- Collect your survey responses. You may need to remind some people if they forgot to fill out your survey.
- Now it is time to analyze your data. First, tally up the total number of passwords for each individual who responded to your survey. Table 3 shows an example of how to keep track of this.
|Total Number of Passwords
- Next, create a histogram of your data. A histogram is like a bar graph that shows how often something occurs. In this case, the x-axis of your histogram is "Total Number of Passwords (X)", and the y-axis of your histogram is "Number of People Who Had 'X' Passwords". It may help to first put your data in a new table like this:
|Total Number of Passwords (X)|Number of People Who Had "X" Passwords|
- Look at the shape of your histogram; does it fit a normal distribution or does it have a different shape? Can you draw any conclusions about password use from your histogram? Remember that your data might be skewed if some people do not have accounts at all for certain items in your survey. This will make it appear that they have fewer passwords, so be careful not to jump to any conclusions based on your histogram. You will do more data analysis in steps 8 and 9.
You could account for this skewed information mentioned in step 7 by normalizing your data; that is, dividing each person's total number of passwords by their total number of accounts. For example (to keep things simple), say your survey only has four items, which are all social networking: Facebook, Google+, Twitter, and LinkedIn. Your first survey respondent has all four accounts, but only uses two passwords total. That person's normalized score would be 2 ÷ 4 = 0.5. Your second survey respondent also has two passwords, but does not have Twitter or LinkedIn accounts at all. That person's score would be 2 ÷ 2 = 1.0. So, the second person's "score" is actually better, even though both people have the same number of passwords total. The first person is at a higher risk by using the same passwords for multiple accounts. If you make a new histogram with these normalized scores, it may have a different shape than your histogram that just used total number of passwords.
- Now it is time to analyze whether people are more likely to use the same password for certain groups of accounts than others. Create a new data table that breaks your different accounts/devices into categories. There will be multiple ways to do this depending on how you designed your survey (Tables 5 and 6 show two different examples). Keep track of how many people use the same password for everything in each category, and how many people use different passwords for everything in each category. You might want to include some items in multiple categories; for example, "work computer" could fit into both "work" and "device" categories. Depending on the results of your survey, you may also need to add a column for "No Passwords."
|# of People with Same Password for Each
|# of People with Different Passwords for Each
|# of People with Same Password for Each
|# of People with Different Passwords for Each
- Create a graph to illustrate your results from step 8. This will make it easier to visualize your data. Figure 1 shows a blank example graph based on Table 5.
An example bar graph showing password usage patterns. The bar graph includes number of people on the y-axis and categories (email, devices and social networking) on the x-axis. A legend in the top-right indicates that same passwords are colored in red and different passwords are colored in blue. No data points are displayed on the graph.
Figure 1. An example bar graph that can be used to visualize whether more people tend to use the same password or tend to use different passwords for various categories. This graph is based on the categories in Table 5, but you should make sure your graph corresponds to the categories you chose.
- Analyze your results using the graph you made in step 9. Are there certain categories where people are more likely to use the same password for everything? Do you think this poses a security risk? Remember that there are multiple overall aspects of password security, including using a complex password that is hard to guess. Just using different passwords for every site and account you log in to does not necessarily make you safer if all of those passwords are short and simple. Sometimes a password alone is not enough to break in to an account; for example, many online banking systems require a 10-digit (or more) account number (instead of something obvious like an email address) as a login name, and a four-digit Personal Identification Number (PIN) in addition to a password. However, as a general rule of thumb, it is still a good idea not to use the same password over and over again for different accounts. Your survey is just looking at this one aspect of password security, but can you draw any general conclusions from your results? See the "Make it My Own" tab for some ideas about more-comprehensive password security surveys.
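The tallying, normalizing, and category counting described in the analysis steps can be scripted once the survey letters are typed in. The following is an added example, not part of the original project, and the sample responses and category mapping are constructed. It assumes that "none" answers are left out of both the password count and the account count, and it adds a "mixed" bucket (some passwords shared, some not) that the page's tables do not have.

```python
from collections import Counter

# Constructed sample responses: account -> password label ("A", "B", ...),
# "none" = account without a password, "" = respondent has no such account.
RESPONSES = {
    "r1": {"Facebook": "A", "Twitter": "A", "LinkedIn": "B", "Google+": "B"},
    "r2": {"Facebook": "A", "Twitter": "", "LinkedIn": "", "Google+": "B"},
    "r3": {"Facebook": "A", "Twitter": "A", "Personal email 1": "A", "Cell phone": "none"},
    "r4": {"Personal email 1": "A", "Personal email 2": "B", "Facebook": "C", "Twitter": "C"},
}
# Hypothetical category mapping; adapt it to the rows of your own survey.
CATEGORIES = {
    "social networking": ["Facebook", "Twitter", "LinkedIn", "Google+"],
    "email": ["Personal email 1", "Personal email 2"],
}

def labels(answers, accounts=None):
    """Password labels for accounts the respondent has and protects."""
    keys = answers if accounts is None else accounts
    vals = [answers.get(k, "").strip() for k in keys]
    return [v.upper() for v in vals if v and v.lower() != "none"]

def total_passwords(answers):
    """Number of distinct passwords (Table 3 in the project)."""
    return len(set(labels(answers)))

def normalized_score(answers):
    """Distinct passwords / password-protected accounts; None if there are none."""
    used = labels(answers)
    return len(set(used)) / len(used) if used else None

def histogram(responses):
    """Maps X (total passwords) -> number of people who had X passwords."""
    counts = Counter(total_passwords(a) for a in responses.values())
    return dict(sorted(counts.items()))

def category_tally(responses, categories):
    """Per category, how many people use same / different / mixed passwords."""
    tally = {c: Counter() for c in categories}
    for answers in responses.values():
        for cat, accounts in categories.items():
            used = labels(answers, accounts)
            if len(used) < 2:
                continue  # reuse needs at least two accounts in the category
            distinct = len(set(used))
            kind = "same" if distinct == 1 else "different" if distinct == len(used) else "mixed"
            tally[cat][kind] += 1
    return tally
```

Respondents `r1` and `r2` reproduce the two worked cases from the normalization paragraph: both have two passwords, but their scores are 0.5 and 1.0.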
- Security experts also suggest changing your passwords frequently. Design and conduct a new survey to determine how often people change their passwords. Do they change them more frequently for some accounts than for others?
- Modify your survey to include demographic information, such as age or profession. Are different age groups or people with different jobs more likely to have more or fewer passwords? For example, you might expect "tech-savvy" people who work in the information technology industry to have more passwords, and senior citizens to have fewer passwords; is that true?
- Design a survey to measure password quality as defined by security experts (again, without having your survey respondents reveal their actual passwords). For example, many experts recommend using combinations of numbers, symbols, and uppercase and lowercase letters; using longer passwords; and completely avoiding names and dictionary words.