
Password Security Survey

Summary

Weak and "shared" passwords are prevalent: even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords, and password re-use is common. Weak wifi passwords are a particular challenge, because the wifi signal is often reachable from outside the office's physical boundaries yet provides full access to the private network.

Walkthrough

    Adapt this survey to get a sense of how passwords are used in the organization. Anonymous paper surveys, later destroyed, are a good way to gather this information. The earlier questions are more important in terms of getting a sense of password practices, so consider adapting or shortening the survey based on staff/leadership buy-in and risk considerations.

    How many passwords do you have to remember for accounts and devices used to do your work?

    If you tried to log in to your computer account right now, how many attempts do you think it would take?

    Have you written down your current password?

    • No
    • Yes, on paper
    • Yes, electronically (stored in a document or spreadsheet in my computer, phone, etc.)
    • Yes, in a password manager
    • Other

    If you wrote down your current password, how is it protected (choose all that apply)?

    • I do not protect it
    • I stored it in an encrypted file
    • I hid it
    • I stored it on a computer or device protected with another password
    • I locked up the paper
    • I always keep the password with me
    • I wrote down a reminder instead of the actual password
    • Other

    Have you ever forgotten your current password?

    • No
    • Yes

    If yes, how did you recover it?

    Have you ever forgotten old work passwords?

    • No
    • Yes

    If yes, how did you recover them?

    When you created your current password, which of the following did you do?

    • I reused an old password
    • I modified an old password
    • I have a list of passwords which I rotate through
    • I reused a password I was already using for a different account
    • I created an entirely new password
    • Other:

    Do you have a set of passwords you reuse in different places?

    • No
    • Yes

    Do you have a password that you use for different accounts with a slight modification for each account?

    • No
    • Yes

    Did you use any of the following strategies to create your current password (choose all that apply)?

    • Password based on the first letter of each word in a phrase
    • Based on the name of someone or something
    • Based on a word or name with numbers / symbols added to beginning or end
    • Based on a word or name with numbers and symbols substituting for some of the letters (e.g. '@' instead of 'a')
    • Based on a word or name with letters missing
    • Based on a word in a language other than English
    • Based on a phone number
    • Based on an address
    • Based on a birthday

    How long is your current password (total number of characters)?

    • I prefer not to answer.

    What symbols (characters other than letters and numbers) are in your password?

    • I prefer not to answer.

    How many lower-case letters are in your current password?

    • I prefer not to answer.

    How many upper-case letters are in your current password?

    • I prefer not to answer.

    In which positions in your password are the numbers?

    • First
    • Second
    • Second from last
    • Last
    • No Numbers
    • I prefer not to answer.

    How many symbols are in your current password?

    In which positions in your password are the symbols?

    • First
    • Second
    • Second from last
    • Last
    • No symbols
    • I prefer not to answer.

Recommendation

    Any important password should be long enough and complex enough to resist both standard dictionary attacks and “brute-force attacks,” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters, or a passphrase that contains five or more relatively uncommon words.) The key should not contain common phrases, especially from well-known literature such as Shakespeare or religious texts, nor number sequences or phrases related to the organization, its employees or its work. Use a unique password for each account.

    Because meeting these requirements for every account quickly becomes logistically difficult, password managers such as KeePassX or other systems are recommended.
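    The recommendation above (12 or more random characters, or a passphrase of five or more uncommon words) expressed as a policy check, alongside checks for the weak construction strategies the survey asks about. This is an added example, not part of the original activity; its COMMON_WORDS set, substitution table and diceware-sized list are constructed assumptions standing in for a real word list, and the same check applies to a WPA pre-shared key.

```python
import math
import re

# Constructed stand-in for a real word list (assumption: a deployment would load
# a full dictionary); the survey's "based on a word or name" strategies use it.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "office"}

# Undo the symbol-for-letter substitutions the survey asks about ('@' for 'a',
# '0' for 'o', ...) so that "p@ssw0rd" is judged as the word "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def char_pool(pw: str) -> int:
    """Alphabet size a brute-force search must cover (33 = printable symbols)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))

def random_bits(pw: str) -> float:
    """log2 of the search space; only meaningful if every character is random."""
    return len(pw) * math.log2(char_pool(pw)) if pw else 0.0

def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of n words drawn at random from a list (7776 = diceware list)."""
    return n_words * math.log2(list_size)

def dictionary_derived(pw: str) -> bool:
    """A listed word plus digits/symbols at the ends and/or letter substitutions."""
    lowered = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)  # padding at the ends
    return any(c.translate(LEET) in COMMON_WORDS for c in (lowered, stripped))

def digits_only_at_edges(pw: str) -> bool:
    """Digits present but only in the first two or last two positions."""
    idx = [i for i, c in enumerate(pw) if c.isdigit()]
    return bool(idx) and all(i < 2 or i >= len(pw) - 2 for i in idx)

def check(pw: str) -> tuple[bool, str]:
    """The recommendation as a policy: 5+ uncommon words, or 12+ random characters."""
    words = [w for w in re.split(r"[\s_-]+", pw) if w]
    if len(words) >= 5:
        if any(w.lower() in COMMON_WORDS for w in words):
            return False, "passphrase is built from very common words"
        return True, f"{len(words)}-word passphrase, ~{passphrase_bits(len(words)):.0f} bits"
    if dictionary_derived(pw):
        return False, "dictionary word with padding or substitutions"
    if len(pw) < 12:
        return False, f"{len(pw)} characters, fewer than 12"
    if digits_only_at_edges(pw):
        return False, "digits only at the edges (a predictable placement)"
    return True, f"{len(pw)} characters, ~{random_bits(pw):.0f} bits if random"
```

    Note that random_bits only describes the search space for truly random characters; a password built from a dictionary word has far fewer real possibilities than its length suggests, which is why the word-based checks run first.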

    Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

    Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

    As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.