Password fatigue

From Wikipedia, the free encyclopedia

Password fatigue describes the syndrome where people are required to remember an excessive number of passwords as part of their daily living.

The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords. According to British online-security consultant NTA Monitor the typical intensive computer user has 21 accounts that require a password.

Aside from contributing to stress, password fatigue may encourage people to adopt habits that reduce the security of their protected information. For example, an account holder might reuse the same password across several different accounts (so that one breach exposes all of them), deliberately choose easy-to-remember passwords that are vulnerable to guessing and cracking, or rely on written records of their passwords.

Other factors contributing to password fatigue are:

  • unexpected demands that a user create a new password
  • unexpected demands that a new password follow a particular pattern of letters, digits, and special characters
  • the demand that the user type the new password twice
  • blind typing, both when responding to a password prompt and when setting a new password.

System administrators generally do not echo the password as the user types it, so that it cannot be read off the screen; the cost of this precaution is that a typing error made blind goes unnoticed, and is likely to be repeated when the password is retyped for confirmation. The common result is that the user twice types a password that differs from the one he or she believes was typed, and therefore does not know the password when next prompted for it: what the user remembers is not what is stored on the server. Because many servers lock an account after a number of failed attempts, such a user can end up locked out of the site entirely, even after paying a fee to use it.

For this reason the majority of password-protected web services provide a password recovery feature that allows users to recover or reset their passwords via the email address (or other information) tied to the account. Sometimes this is automated by the site, although some services (especially paid-for or 'high value' services) may require additional checks by customer service operators. According to a PBS report, a survey of customer service representatives revealed that about 20% of customer service calls from users concern problems with passwords[citation needed].

Single sign-on (SSO) software can help mitigate this problem by requiring users to remember only one password, to an application that in turn grants access to several other accounts. SSO is provided by the service providers themselves; the end user does not need to install any software. A disadvantage is that loss of the single password prevents access to all services behind the SSO system, and theft or misuse of that password gives a criminal or attacker many targets at once.

Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Mac OS X has a Keychain feature that provides this functionality, and similar functionality is present in the GNOME and KDE open source desktops. Microsoft Windows does not have a general-purpose password manager of this kind (its Credential Manager, backed by DPAPI, stores credentials mainly for Windows and network logons); however, the developers of all the major Windows web browsers have added similar functionality, and password management software such as KeePass and Password Safe can help mitigate password fatigue by storing passwords in a database encrypted under a single master password.

These tools pose a further problem: if the user's system is corrupted, stolen or compromised, then beyond the risk that the stored data is misused, the user can also lose access to every site for which the password store was the only record of the login data. For this reason it is often advised to keep a backup of the encrypted password database, or a separate record of sites, usernames and passwords, that is physically independent of the system.
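The following is an added example, not code from KeePass, Password Safe or any of the tools named above, showing the mechanism those tools share: a set of credentials serialised and encrypted under one key derived from a single master password, and the all-or-nothing consequence that a wrong or forgotten master password (or a corrupted database file) yields nothing at all. The `Entry` type, the blob layout and the iteration count are assumptions made for this example; PBKDF2 is written out by hand only to keep the example within the Go standard library, and real vault software should prefer a memory-hard KDF such as Argon2id or scrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one stored credential; the field names are an assumption for this example.
type Entry struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

const (
	saltLen   = 16     // random per-vault salt for the key derivation
	nonceLen  = 12     // standard AES-GCM nonce size
	keyLen    = 32     // AES-256 key
	kdfRounds = 200000 // illustrative PBKDF2 iteration count; tune to the hardware
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out so the example
// needs nothing outside the standard library. Prefer Argon2id or scrypt in real code.
func pbkdf2SHA256(password, salt []byte, rounds, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, dkLen+prf.Size())
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_rounds
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newAEAD derives the vault key from the master password and salt. With a fixed
// 32-byte key neither constructor can fail, so their errors are dropped.
func newAEAD(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfRounds, keyLen))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal serialises the entries and encrypts them under the master password.
// Blob layout: salt || nonce || AES-GCM ciphertext and tag.
func Seal(master string, entries map[string]Entry) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce on every Seal
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead := newAEAD(master, hdr[:saltLen])
	return aead.Seal(hdr, hdr[saltLen:], plain, nil), nil
}

// Open reverses Seal. A wrong master password, or any change to the blob, fails
// GCM authentication: there is no partial recovery of a single-password store.
func Open(master string, blob []byte) (map[string]Entry, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("vault too short")
	}
	aead := newAEAD(master, blob[:saltLen])
	plain, err := aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
	if err != nil {
		return nil, errors.New("wrong master password or corrupted vault")
	}
	var entries map[string]Entry
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	// Constructed sample entry; not a real credential.
	vault := map[string]Entry{"bank.example.com": {Username: "alice", Password: "T9x!qv2#LmZ"}}
	blob, err := Seal("one master password", vault)
	if err != nil {
		panic(err)
	}
	_, wrong := Open("wrong guess", blob)
	got, _ := Open("one master password", blob)
	fmt.Printf("wrong master: %v; right master: %+v\n", wrong, got)
}
```

Opening the blob with the wrong master password fails in exactly the same way as opening a tampered or truncated file, which is why the advice above to keep an independent backup applies as much to the master password as to the database file itself.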
