Essential lessons still not learned? Examining the password practices of end-users and service providers

Document Type

Conference Proceeding




Faculty of Health, Engineering and Science


ECU Security Research Institute/ECU Security Research Institute




This article was originally published as: Furnell, S. , & Bar, N. (2013). Essential Lessons Still Not Learned? Examining the Password Practices of End-Users and Service Providers . In Human aspects of information security, privacy, and trust first International Conference, HAS 2013, held as part of HCI International 2013, Las Vegas, NV, USA, July 21-26, 2013. Proceedings (pp. 217-225). Berlin, Germany: Springer. Original article available here


Password authentication remains the dominant form of user authentication for online systems. As such, from a user perspective, it is an approach that they are very much expected to understand and use. However, a survey of 246 users revealed that about one third chose weak passwords, including personal information or dictionary words. To prevent such forms of bad security behavior, service providers should offer support, but the reality of the situation suggests that tangible weaknesses can exist amongst both parties, and thus despite their long-recognised importance, good password practices have yet to become an established part of our security culture. An experimental study was conducted in order to investigate the effect of providing password guidance upon end users' password choices. The findings revealed that the mere presentation of guidance (without any accompanying enforcement of good practice) had a significant effect upon the resulting password quality.