Consumers Unhappy, Frustrated With Password Security: Survey

Nearly half of all consumers distrust online sites that rely on passwords for security and will abort transactions when they forget their passwords, according to a Ponemon Institute survey.

A majority of consumers finds password-based security frustrating, with nearly half encountering failed transactions due to authentication failures, according to a survey published by the Ponemon Institute.

The survey, sponsored by authentication-technology startup Nok Nok Labs, found that consumers are unhappy with passwords, while at the same time skeptical about the security they provide. About three-quarters of U.S. consumers find passwords frustrating and nearly half of all consumers do not trust Websites that rely on passwords, according to the survey of nearly 2,000 people.

"What is not a surprise is that no one is happy," Jamie Cowper, director of business development for Nok Nok, told eWEEK. "They cannot do what they want to do online, because they are frequently getting locked out of sites."

Yet only one-third of consumers are likely to forgo using a site because it only used passwords for security.

Passwords are the most common, yet most problematic, security measure that consumers encounter online. People frequently use weak or common passwords, opening up their accounts to brute-force guessing attacks. Yet consumers who use stronger passwords frequently worry about forgetting the critical secrets and so reuse passwords across multiple sites. An analysis of the leaked password databases from Sony Pictures and Yahoo Voices found that nearly 60 percent of the 302 people with accounts on both sites reused their password.

Most consumers have at least five passwords, while almost one-third have 10 passwords or more, according to a 2012 survey of password habits conducted by Janrain, a social-media infrastructure provider.

The Ponemon survey polled users in Germany, the United Kingdom and the United States. More than half of U.S. users would use a multi-purpose identity credential to securely log into Websites, higher than the 45 percent of U.K. respondents but much lower than the 62 percent of Germans who favored a single credential for multiple uses.

An identity credential is a token, smart card or smartphone app that typically verifies a user's identity through something the user has: the credential itself. When the credential is combined with something the user knows, such as a password, such multi-purpose credentials can provide stronger authentication than a password alone.

Users in different countries preferred different kinds of devices as a multi-purpose credential. The largest group of U.S. consumers, about one-third, preferred mobile phones, while a similar number of U.K. consumers would opt for an ID card with an RFID chip. The largest group of Germans, about 40 percent, would by far rather use a biometric-based device, the survey found.

"On one hand, you have people accepting of the idea of using stronger credentials," Cowper said. "But people in other countries were also very accepting of biometrics; it was much higher than we thought it would be."

Only one in 100 people in any nation would consider an implanted chip to be an acceptable method of verification.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...