Message-ID: <fbc152d9-b3bd-e123-beec-73894216d87c@thorsheim.net>
Date: Sun, 9 Oct 2016 01:43:59 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Creating an opensource public password survey

More than a decade ago, an organisation made an internal security
survey. One of many questions was "Is your password compliant with the
organisation password policy?".

The majority of users answered yes, to no surprise for most.

I knew that the majority of users didn't know our current password
policy, or at least didn't comply with it.

I'm fed up with seeing password surveys, or surveys where passwords are
one of several topics questioned, where questions and datasets are not
made public. There is little to no information about the demographics,
or how the surveys were conducted. I find it hard to put much trust in
them, and even harder to compare surveys and their results.

As an example, I've asked hundreds of people the simple question "how
many passwords do you have?". Their interpretation of that question
alone is *fascinating*:

- PINs are considered by many to be "something else" than passwords
- Passphrases are not passwords, so may not be included in their count
- Case sensitivity & variations don't seem to be considered by most
- Some see their base word as their password, and only count that
- People may selectively answer & count work, school or home pwds only
- "how many accounts" & "how many passwords" can give very different results
- They only count accounts/passwords actively in use (last 3-6-12
months), not everything they have ever created & not deleted.

In my experience lots of users do not want to admit non-compliance with
corporate rules, as that can only lead to trouble and extra work for them.

If asked directly, all the people I can ever remember having asked this
question underestimate the number of accounts & passwords they have.
Given time (1-24 hours), they usually end up with at least double the
number of accounts/passwords they initially gave as a wild guesstimate.

I would really like to create the "perfect" opensource password survey.
A survey with lots of questions, example data, explanations for why
every question is formulated as it is, how we intend to interpret the
answers to each question, tips on how to conduct the survey etc.

We could split it into several chunks, where each chunk can be used as a
smaller survey while still making sense and allowing for comparison with
other surveys using the same chunk or complete survey.

I want to see a discussion on every single question asked, down to the
order of questions, phrasing and grammar of every single question. I'm
afraid most surveys are biased, opinionated and formulated by people who
want the end result to promote a particular product, service, technology
or something similar. If I'm wrong about that, then at least I'll claim
that even though such surveys may be created by people with insights
into statistics and all, they are still close to clueless about
passwords imho.

My intention is to run a little "workshop" on this as part of
PasswordsCon in Bochum in December.

I would really like to receive input from the community, such as:
- Links to surveys, including questions asked & data collected
- Suggestions on questions to ask, and why
- Suggestions on how to connect & analyze results from a survey
- Suggestions on how to conduct surveys for best possible results

and anything else that comes to mind.

-- 
Best regards,
Per Thorsheim
CISA, CISM, CISSP, ISSAP
Founder of PasswordsCon.org
Phone: +47 90 99 92 59 (Use Signal!)
Twitter: @thorsheim
