End User Behaviors in Utilization of Passwords: An Action Research Approach
The security chain is only as strong as its weakest link. No matter how many cutting-edge technologies organizations use to protect their resources, people are always the weakest link. End users often create “weak” passwords that are short, are made up of characters or words from a dictionary, are seldom changed, and are frequently written down. A “strong” password is long, more variable in types of characters, and not derived from meaningful personal details such as a name. Research indicates that the stronger the password, the more difficult it is to remember. Human memory also has limitations: most people cannot memorize long and sophisticated passwords. This study investigates end users’ behaviors in the utilization of passwords through an action research method.
Five password memorization methods were developed based on memory literature to help end users create strong and memorizable passwords. The action research circle was used as the road map for the study. The interventions were in the form of password security and security awareness training. Users of two systems at one client organization were the participants in this study. The researcher designed, implemented, and evaluated training as the method to improve users’ behavior in the utilization of passwords and their security awareness. Relevant theories and frameworks related to password security, memory, and organization were used to guide the study.
The propositions developed in this study summarized and supported repeated themes that emerged from the data gathered from the IT administrators and the end users at the client organization. The findings indicate that the training improves users’ memorization of strong passwords and their security awareness. The study also found that the training helped bridge the gap between IT administrators and end users. Unexpectedly, the study found relationships among password memorization, typeability, and frequency of use. Organizations can use the results from this study to guide and formulate information systems/security policy regarding the utilization of passwords.
Danuvasin Charoen