Date: Sun, 9 Oct 2016 01:43:59 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Creating an opensource public password survey

More than a decade ago, an organisation made an internal security survey. One of many questions was "Is your password compliant with the organisation password policy?". The majority of users answered yes, to no surprise for most. I knew that the majority of users didn't know our current password policy, or at least didn't comply with it.

I'm fed up with seeing password surveys, or surveys where passwords are one of several topics questioned, where questions and datasets are not made public. Little to no information about the demographics, or how the surveys were conducted. I find it hard to put much trust in them, and even harder to compare surveys and their results.

As an example, I've asked hundreds of people the simple question "how many passwords do you have?". Their interpretation of that question alone is *fascinating*:

- PINs are by many considered as "something else" than passwords
- Passphrases are not passwords, so may not be included in their count
- Case sensitivity & variations don't seem to be considered by most
- Some see their base word as their password, and only count that
- People may selectively answer & count work, school or home pwds only
- "how many accounts" & "how many passwords" can give very different results
- They only count accounts/passwords actively in use (last 3-6-12 months), not everything they have ever created & not deleted.

In my experience lots of users do not want to admit non-compliance with corporate rules, as that can only lead to trouble and extra work for them. If asked directly, all people I can ever remember to have asked this question underestimate the amount of accounts & passwords they have. Given time (1-24 hours), they usually end up with at least double the amount of accounts/passwords as they initially responded with as a wild guesstimate.

I would really like to create the "perfect" opensource password survey. A survey with lots of questions, example data, explanations for why every question is formulated as it is, how we intend to interpret the answers for each question, tips on how to conduct the survey etc. We could split it into several chunks, where each chunk can be used as a smaller survey while still making sense and allowing for comparison with other surveys using the same chunk or the complete survey.

I want to see a discussion on every single question asked, down to the order of questions, phrasing and grammar of every single question. I'm afraid most surveys are biased, opinionated and formulated by people who want the end result to promote a particular product, service, technology or something similar. If I'm wrong about that, then at least I'll claim that even though such surveys may be created by people with insights into statistics and all, they are still close to clueless about passwords imho.

My intention is to run a little "workshop" on this as part of PasswordsCon in Bochum in December. I would really like to receive input from the community, such as:

- links to surveys, including questions asked & data collected
- Suggestions on questions to ask, and why
- Suggestions on how to connect & analyze results from a survey
- Suggestions on how to conduct surveys for best possible results

and anything else that comes to mind.

--
Best regards,
Per Thorsheim
CISA, CISM, CISSP, ISSAP
Founder of PasswordsCon.org
Phone: +47 90 99 92 59 (Use Signal!)
Twitter: @thorsheim