14

Looking for research on the count and complexity of passwords that an average user is actively using.

Note: Also, just to be clear, by research, this is not a request for you to respond with an answer entirely based on opinions, rather than facts, references, or specific expertise. Likely the best answer would be based on analysis that is founded in statistically significant analysis on the topic.

blunders
  • 5
    There's a big difference between _knowing_ and _using_. Some people use a different, strong random password for every account they have. Unless such a person has an _elephant memory_, they would store (and generate) these passwords with a password manager. So, in this case, the person would know just the password to unlock the password manager (and perhaps also another authentication factor), but use a different password for every account. Of course, the question remains: How many people use a password manager with unique, random passwords? – Steven Volckaert May 15 '14 at 05:39
  • 2
    42. what else?? – PlasmaHH May 15 '14 at 09:06
  • 1
    I know far fewer passwords than I use. These days I use keepass and some plugins. Most of the time I don't ever see the passwords it generates for me. –  May 15 '14 at 13:34
  • The more interesting question is: how many different passwords does an individual have to know? From a crypto point of view it makes sense to have as many passwords as possible. But I think it is not necessary to have a separate password for each and every nonsense-forum I participate in. So I have a very limited number of passwords: for security reasons, one per important site, and for the rest of the internet only one. – Thomas Junk May 15 '14 at 15:03
  • @ThomasJunk: Pretty sure questions like that have been asked and responses have included ones similar to yours; meaning I'm not going to ask a question that has already been asked before, and me commenting on a different question to the current question is off-topic in my opinion. – blunders May 15 '14 at 15:40

2 Answers

18

This is a bit old (2006), but may be helpful towards your goal. http://usabilitynews.org/password-security-what-users-know-and-what-they-actually-do/

It is based on a study of 328 undergraduate and graduate level college students from Wichita State University who volunteered to participate in the survey, and these students were also regular users of the Internet with one or more password protected accounts.

Overall, 74.9% of respondents (236) reported that they have a set of predetermined passwords that they use frequently; of those, 98.3% (232) reported an average of 3.1 (SD = 2.028) passwords. More than half (59.7%, 188) reported that they do not vary the complexity of their password depending on the nature of the site they are using.

The study also goes on to talk about their password creation details, complexity, etc...

Jordan Hanna
4

I happen to collect these types of statistics when I find them mentioned in a study or paper. Here are some recent figures:

 - 54%  1 to 5 
 - 28%  6 to 10 
 - 7%   11 to 15
 - 5%   16 to 20
 - 6%   20+

Source: CSID Consumer Survey: Password Habits, Sept 2012

Total average minimum number of private passwords = 17
Total average minimum number of work passwords = 8.5

Source: NorSIS Password Survey 2012 (specific to Norwegians)

- 11%   From 1 to 3
- 29%   From 4 to 10
- 50%   More than 10
- 10%   I don't use passwords at all

Source: Elcomsoft Password Security Survey 2009 (specific to IT professionals)

There are additional studies in my password stats index, but none newer than what I have listed here. I don't believe I have any data on the number of passwords people use with their corresponding complexity.

blunders
PwdRsch