Before the holidays I ran a quick, three-question, survey of the securitymetrics.org mailing list membership about the number of passwords people use. Here are the results, drawn from 51 responses (not bad, considering the list membership is about 400 people). I’d promised the respondents that I’d share the results… so here they are.
Securitymetrics.org Quickie Survey: Online Credentials
1. How many online accounts do you manage, in total? How many “sensitive” accounts do you maintain?
By “account” I mean a public or private website, server or network that you log in to, for which you maintain a password or other credential. For example, a password or application entry in an OS X Keychain could be considered an account.
For purposes of this question, “sensitive accounts” means ones that you would consider problematic if they were compromised. Typically, these could be accounts that keep credit card information, manage your 401k details, or contain employment details.
Results (n=51):
| All accounts | Sensitive accounts | |
|---|---|---|
| Mean | 60.7 accounts | 20.6 accounts |
| Standard deviation | 55.0 | 29.7 |
| Min | 3 | 0 |
| First quartile | 23.5 | 6 |
| Median | 40 | 15 |
| Second quartile | 72.5 | 25 |
| Max | 207 | 207 |
| Mode | 40 | 20 |
Comments: I draw 3 conclusions from these figures.
- First, people have lots of accounts to keep track of — on average.
- That said, the quartiles and median show that respondents skew towards the “conservative case” — that is, they most don’t tend to maintain too many accounts. A few crazy outliers (like me) are pushing the average number up.
- Third, the ratio of sensitive-to-non-sensitive accounts stays fairly constant across quartiles, ranging from 26-38%. In other words: of all of the account passwords people maintain, it’s a fair bet that about a third of them will be “sensitive.”
I’d also note that the survey base is self-selected — in the sense that it’s the members of this list. Most of us are professional paranoids, right? Not sure if that means that the average user is worse off than the respondent base (more passwords to keep track of) or better off. Regardless, I’d say it does confirm what I already knew: we’re drowning in passwords. Further insights or armchair-psychology comments welcome.
2. What is your primary coping strategy for managing your online accounts?
- I keep all of my passwords the same: 10%
- I write everything down on paper: 12%
- I use a form-filler product, like Apple’s Keychain, and use random passwords 12%
- No particular strategy: 20%
- Other: 47%
Comments: I can’t draw too many conclusions from the responses to this question, because I asked it badly. Considering that my day job is as an analyst, you’d think I would’ve asked this question in a way that got better answers. :)
3. Do you like the idea of surveying securitymetrics.org members about security practices?
- Yes: This is a good idea: 92%
- No: I’ve got enough spam as it is: 8%
Comments: Everyone seems to like the idea of surveying the membership more often. Cool! I’ve asked mailing list members to suggest ideas for future surveys.
Note: I’ve proposed that we spend some time on the subject of community-building at this year’s Mini-Metricon at RSA. More on this later… Betsy Nichols is going to put up a blog entry about Mini-Metricon on the website later today.