A lot of the effort involved in establishing a secure computing environment focuses on technological solutions, from providing warnings about phishing attacks to blocking the propagation of botnets. But, as previous research has shown, security involves a significant human component. Nowhere is that more true than with the item at the heart of basic security: the humble password. Here, our best practices—something that's not in the dictionary or written down, differs for every account, etc.—ignore basic research, which shows that humans have a limited capacity to associate random text with, well, just about anything. A new survey of institutional IT users provides a glimpse into just how bad the password situation is, with less than five percent of users managing to follow best practices.

What is perhaps most striking about the new study, which is being published in the Proceedings of the Human Factors and Ergonomics Society, is its background section, which details just how long we've been aware of the password problem. It cites a study of Unix passwords from 1979, which showed that about 30 percent of the passwords were four characters or less, and about 15 percent were words that appear in the dictionary. Fast forward to 2006, when a separate survey of 34,000 MySpace passwords revealed that the most common were "password1", "abc123", "myspace1", and "password".

But it's not simply that we have empirical evidence suggesting that passwords are easy to crack; neuroscience has indicated that the human brain simply doesn't perform well at free-associating text that, on its own, has little inherent meaning. As one of the papers cited puts it, "the multiple-password management crisis [can be viewed as] a search and retrieval problem involving human beings' long-term memory." And, although our long-term memory for images and words that we've assigned meanings to is quite good, we don't do as well with passwords, which (ideally, at least) should look like a near-random string of characters. It's another challenge entirely to remember which password to associate with a specific account.

So, there's an obvious tension between what we know we should do and what actually can be done when it comes to passwords. The authors of the new study conducted several focus groups with network administrators to identify likely sources of problems for users. They used this information to craft a survey of password habits, which they administered to 836 employees of an organization that handled sensitive private data and provided all employees with computer security training. Obviously, a more diverse survey population would have been nice, but the single employer at least allowed a degree of consistency in terms of the security training.

The authors condensed the results into a measure of how many deviations from ideal password practices a given user committed, such as using a short password, not mixing characters and symbols, writing the password down or reusing it, etc. All told, only 4.4 percent avoided any deviations from the rules, and the majority violated three or more. "In reality," the authors note, "the results are probably worse, because respondents do not like to admit that they deviate from the rules."
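To make the "deviations from ideal practice" measure concrete, here is a small added example (written for this page; it is not the study's instrument or code) that scores each respondent's password against the rule categories the article names: a short password, no mix of character types, a dictionary word, reuse, and writing it down. The length threshold of eight characters, the requirement of at least three character classes, and the tiny word list are assumptions standing in for whatever the study actually used; the sample records reuse the MySpace passwords quoted above plus one constructed strong password.

```python
import string

# Constructed stand-in for a dictionary check; the study's own word list is not on the page.
COMMON_WORDS = {"password", "myspace", "abc", "letmein", "welcome", "qwerty"}

# Constructed survey records: (password, reused_elsewhere, written_down).
# The first four passwords are the most common ones from the 2006 MySpace survey
# cited in the article; the last is a constructed example of a compliant password.
SAMPLE_RECORDS = [
    ("password1", True, False),
    ("abc123", False, True),
    ("myspace1", False, False),
    ("password", True, True),
    ("Tr0ub4dor&3x!", False, False),
]


def deviations(password, reused=False, written_down=False, min_length=8):
    """Return the list of rule deviations for one respondent's password.

    Categories follow the article: short, no character mix, dictionary word,
    reused, written down. Thresholds are assumptions, not the study's.
    """
    found = []
    if len(password) < min_length:
        found.append("short")
    # Count how many character classes appear; require three of the four.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        found.append("no_character_mix")
    # Strip trailing digits/symbols so "password1" still matches "password".
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if stem in COMMON_WORDS:
        found.append("dictionary_word")
    if reused:
        found.append("reused")
    if written_down:
        found.append("written_down")
    return found


def summarize(records):
    """Return (share with zero deviations, share with three or more),
    the two headline figures the article reports for the real survey."""
    counts = [len(deviations(pw, reused, written)) for pw, reused, written in records]
    n = len(counts)
    zero = sum(1 for c in counts if c == 0) / n
    three_plus = sum(1 for c in counts if c >= 3) / n
    return zero, three_plus


if __name__ == "__main__":
    for pw, reused, written in SAMPLE_RECORDS:
        print(f"{pw!r}: {deviations(pw, reused, written)}")
    print("zero deviations: %.0f%%, three or more: %.0f%%" % tuple(100 * x for x in summarize(SAMPLE_RECORDS)))
```

The aggregate is the only output that matters for a study like this; a per-user deviation list is useful to an administrator auditing policy, but it is also exactly the kind of data the authors note respondents are reluctant to self-report, which is why the published 4.4 percent is likely an overestimate.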

Experience made a difference, as expert and advanced computer users tended to outperform the novices. But there were limits; actual network administrators, for example, didn't behave in a manner that was significantly different from an average user. One possibly disturbing development was noted: about seven percent of the respondents had become cynical about computer security, having decided that no amount of adherence to best practices would protect them from hackers. Fortunately, this group seemed to be just as good (or just as bad) about using best practices as the rest of the population.

In a lot of ways, the results shouldn't surprise anyone, given what we know about the operation of human memory: if you give users a task that's nearly impossible, they won't do it. The fact that the organization involved handles sensitive data and trains its users on how to protect it doesn't change that reality. What the study may accomplish is to help drive home the need to stop expecting the impossible. The authors suggest a variety of alternative authentication systems, from biometrics and hardware-based certification to systems that rely on aspects of memory that humans handle more easily, such as image-based systems. Until IT administrators get over old habits, however, the availability of alternatives will have a limited impact.