Abstract or Summary:
Few studies have focused on US federal government employees’ password habits. Zviran and Haga (1999) investigated password characteristics such as length, composition, and password selection methods of the Department of Defense employees from a particular installation in California in 1999. At that time, there were no requirements on password length, complexity, and password change frequency. While these findings were groundbreaking at the time, government security policies and practices have changed significantly. Today within the federal government, password policies that enforce security practices with respect to minimum password length (anywhere from 12 to 16 characters or higher), complexity (alpha-numeric, upper and lowercase and special symbols) and frequent change intervals are in place for all accounts. Since the federal government password policies predetermine these factors, we wanted to study users’ password management behaviors, perceptions, attitudes and experiences with the policies in order to develop effective password policies that take into account security and usability considerations. Thus we developed a survey to collect data on users’ password management behaviors with respect to their work accounts and not personal or social accounts.

The survey instrument was designed to explore the relationships between the length, complexity, and change interval of passwords and password management behaviors and security behaviors. For instance: are there possible associations amongst users’ attitudes towards password policy requirements of length and complexity and users’ password generation strategies or users’ propensity to store and “write down” passwords or how frequently users experience login problems? Previous research reveals little about users’ attitudes about the password policy requirements and password characteristics and behaviors.