Supporting Statement

OMB Control No. – 0693-0043 – NIST Generic Clearance for Usability Data Collections

Usability of Passwords Information Collection

FOUR STANDARD SURVEY QUESTIONS

1. Explain who will be surveyed and why the group is appropriate to survey.

In previous research efforts, the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST) password usability research has focused on federal employees and a survey of their use of passwords at work. In this effort, a questionnaire will be used to assess how people make decisions about passwords outside their work environment and how this behavior compares to password decisions they make at work.

Every day people make use of passwords to conduct activities on information technology systems and web sites. Individuals have dozens of personal accounts outside of work. For example, people bank, manage health appointments, socialize, take courses, track their children’s progress at school, back up their data, read the news, make purchases, etc. All of these online activities typically require passwords created by the users. However, password policies often put a huge burden on individuals. Often passwords are “easy to remember” rather than “safe and secure” resulting in passwords that are weak from a security perspective.

Understanding the behavior of the public for the creation of online passwords is key to the formulation of secure systems that are less vulnerable to breeches in security. It is important to understand what people think when they create passwords, how many passwords people have, and their strategies for managing passwords. It will also be essential to understand people’s perceptions of passwords and security policies in software and web sites they encounter in their personal lives.

This information collection is being conducted by a NIST grantee, University of Baltimore and UsabilityWorks. The questionnaire will be completed by 300 participants recruited from UsabilityWorks’ database of prior usability study participants. This group is appropriate as respondents because they are members of the public and have participated in prior studies of a similar nature.

2. Explain how the survey was developed including consultation with interested parties, pre-testing, and responses to suggestions for improvement.

This questionnaire was developed by researchers with the University of Baltimore, the party to a NIST Cooperative Agreement. The questionnaire was developed drawing information from a previous study on the usability of passwords by Federal employees and has been reviewed and approved by survey experts at the Bureau of Labor and Statistics. This standard questionnaire was used with approximately 4700 Department of Commerce employees. We have incorporated the feedback and suggestions from the previous studies into this questionnaire.

3. Explain how the survey will be conducted, how customers will be sampled if fewer than all customers will be surveyed, expected response rate, and actions your agency plans to take to improve the response rate.

An email will be sent to the approximately 2000 individuals in the UsabilityWorks database inviting them to participate in this study. The invitee will respond to the email to indicate their willingness to participate in the study and then the link to the questionnaire will be forwarded. The questionnaire will be completed online via a website by the first 300 respondents to the invitation email. We will continue to forward the survey link to participants until we have received 300 completed surveys.

4. Describe how the results of the survey will be analyzed and used to generalize the results to the entire customer population.

The responses will be coded to maintain results as anonymous, then they will be tallied and comprehensively analyzed. In the federal employee surveys we found statistical significance between employees’ attitudes towards password policies and behaviors. A relationship between password length and complexity and time to generate passwords was also identified. This analysis will look for similar trends and correlations and we intend to publish the results of this study in a research journal article. No generalizations will be made beyond the 300 participants and their demographics.