How often do you recycle passwords? That is, use the same password for multiple sites? Even though you’ve probably been told this is a security no-no, it’s just too much strain on most people’s memory to come up with unique passwords every time.
Theoretically, the password manager feature of Firefox can help. Come up with a random string of characters and let Firefox remember you for it. This works great… as long as you have Weave, or if you never need to log into the site from a different computer.
And the problem’s getting worse, because these days almost every new site you come across thinks it’s important enough to ask you to create a password. Meanwhile, phishing attempts are getting more sophisticated. These are some of the reasons Mozilla is starting to explore identity management in the browser.
It would help if we knew how much password recycling is actually going on. How many different passwords does the average user use? How many times do they recycle each password? Do they have a throwaway password that they use on lots of unimportant sites, while making unique secure password for their bank?
That’s where Test Pilot comes in.
The above pie chart, generated by Test Pilot, shows a breakdown of the passwords that I have saved in the Firefox password manager. I was running it on a throwaway profile, so it only has five sites with stored passwords. (If it was my real profile, it would have dozens.)
We should be rolling this study out sometime this week. Of course, the study will not be collecting the actual passwords themselves! Instead, it compares passwords on the client side, so they never leave your machine, and only the count of duplicate passwords gets sent across the network to the Test Pilot server.
I’ll post again when we have some findings to share from this study.
Not The User's Fault 
December 14, 2009 at 11:42 pm
Very good idea for a study. Personally I basically have three or four passwords that I use, with varying complexity. I use the “best” password when I can, and use my simpler passwords when the site can’t deal with ! and % and .
December 14, 2009 at 11:48 pm
Yeah, this is a great idea for a study. Also a good test case for whether people get nervous when you include security metrics in a Test Pilot study — some people may think this is insecure (even though comparing passwords on the client side doesn’t present any security risk).
Looking forward to see the results!
December 15, 2009 at 12:24 am
Ouch!
One thing for sure: I reuse my PWs to often. For logins without SSL, I use at least 16 Chars (Base64+Punctuation), but with reliable SSL I get sloppy (8 Char, B64).
A good Identity-Handling has at least the possibility to show the stored information, delete selected data (e.g. only the PW, not the user for a site).
Another Point: Just what is an Identity: only Site-User-PW or also things like Multi-Host-Site or Open-Id? Do we (as developers) give the users a helping hand in handling this or nothing (like until now)?
Cheers, nice Xmas to all, Yamaban out
December 15, 2009 at 2:47 am
Cool. However, won’t you get a lot of false dups for sites with the same LDAP backend? Still, would be interesting to find out.
December 15, 2009 at 3:57 am
I used to use two or three passwords for various sites depending on their importance untilI found the PasswordMaker extension, which will generate unique passwords for each site.
December 15, 2009 at 8:11 am
Certainly nice to have data, but what such study won’t tell though is how much password recycling would be going on if browser made it straight forward and pain free to generate and store a new random password per site?
Even without weave-like services there’s plenty of use for that; most sites that make you register, you won’t go back from random computers or even regularly at all (ordered-something-two-years-ago online stores?). For that kind of passwords I guess having a ‘Generate random password and store in password manager’ button would make recycling less of an issue to worry about 🙂
On a quick scan to my password manager, I have 129 passwords remembered (0 password recycling) … I bet I hardly use a dozen of them regularly.
December 15, 2009 at 9:38 pm
I’m really curious about the results too, and I signed up to participate. Took a quick peek at my saved passwords though and since I’ve been using the same profile for at least 2 years I’ve got some really outdated information in there. There are sites I no longer visit, one-offs for online shopping, as well as tons of logins for sites that I manage. I wish there was a way to show age or “last time used” to make sure someone like me doesn’t throw off your data collection too much. In reality, my usage probably looks a lot more like your pie chart – 3 passwords in varying degrees of security.
December 15, 2009 at 9:40 pm
I just want to add that my profile is probably older than 2 years, now that I look again I would say it’s easily 4-6 years old.
December 15, 2009 at 9:43 pm
What about an extension to generate such a pie chart clent-side (with no net access I mean) for any Toolkit app with Password Manager (Firefox of course, but also Thunderbird, Seamonkey2, maybe others)?
December 16, 2009 at 6:57 pm
Hi Tony,
Feel free to take the code from the Test Pilot experiment and use it to write such an extension. It should be a prety easy job. The code is available at:
http://hg.mozilla.org/labs/testpilotweb/file/7bbb813dbc07/testcases/password-distribution/password-distribution.js
The data collection is in the onExperimentStartup function, and the drawing of the pie chart is _drawPieChart. Those are the only functions you’ll need; the rest is Test Pilot infrastructure cruft.
December 17, 2009 at 10:01 am
If I ever do, it will be my first. Not today, but who knows? Maybe someday I will – if no-one else does it first. 😉
December 22, 2009 at 6:04 pm
Will the data collected include the sites using each password?
ie. reporting that gmail and facebook have the same password, and that hotmail has a different one.
I couldn’t really tell from your post.
It would certainly be more of a security risk for users, and I don’t know if I’d be ok with it, but it would help with understanding what sorts of sites people use each of their passwords for.
December 25, 2009 at 7:54 pm
Hi Scott,
No, the data collected doesn’t include what the sites are. What’s collected is nothing but a list of numbers: For example, the data might be:
5, 4, 3, 3, 2
which would mean you have one password used on 5 sites, another password used on 4 sites, etc etc.
January 12, 2010 at 10:58 am
Great idee. I think almost everyone recycle passwords.