Password fatigue, also known as password chaos or identity chaos, is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to logon to a computer at work, undo a bicycle lock or conduct banking from an ATM.
The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords. According to a 2002 survey of British online-security consultant NTA Monitor, the typical intensive computer user has 21 accounts that require a password[1].
Aside from contributing to stress, password fatigue may encourage people to adopt habits that reduce the security of their protected information. For example, an account holder might use the same password for several different accounts, deliberately choose easy to remember passwords that are vulnerable to cracking, or rely on written records of their passwords.
Other factors causing password fatigue are
Some companies are well organized in this respect, have implemented alternative authentication methods[2] or adopted technologies so that a user's credentials are entered automatically, but others may not focus on ease of use or even worsen the situation by constantly implementing new applications with their own authentication system.
Password fatigue will typically affect users, but can also affect technical departments who manage user accounts as they are constantly reinitializing passwords; this situation ends up lowering morale in both cases. In some cases users end up typing their passwords in cleartext in text files so as to not have to remember them, or even writing them down on paper notes.
Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.
Many operating systems provide a mechanism to store and retrieve passwords by using the users login password to unlock an encrypted password database. Mac OS X has a Keychain feature that provides this functionality, and similar functionality is present in the GNOME and KDE open source desktops. Microsoft Windows does not have an explicit function for this, favoring centralized authentication based on the proprietary Microsoft Active Directory technology.
In addition, web browser developers have added similar functionality to all of the major browsers, and password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password.
Additionally the majority of password protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account.
These tools pose the problem that if the user's system is corrupted, stolen or compromised, apart from problems of the data being misused, they can also lose access to sites where they rely on the password store or recovery features to remember their login data. For this reason it is often advised to keep a separate record of sites, usernames and passwords that is physically independent of the system.
Many sites in an attempt to block bad passwords also block good password practices such as MD5 and SHA1 hashes through requiring both lower and uppercase letters or by limiting password length. Some sites also block non-ASCII or non-alphanumeric characters.