How often do you recycle passwords? That is, use the same password for multiple sites? Even though you’ve probably been told this is a security no-no, it’s just too much strain on most people’s memory to come up with unique passwords every time.

Theoretically, the password manager feature of Firefox can help. Come up with a random string of characters and let Firefox remember you for it. This works great… as long as you have Weave, or if you never need to log into the site from a different computer.

And the problem’s getting worse, because these days almost every new site you come across thinks it’s important enough to ask you to create a password. Meanwhile, phishing attempts are getting more sophisticated. These are some of the reasons Mozilla is starting to explore identity management in the browser.

It would help if we knew how much password recycling is actually going on. How many different passwords does the average user use? How many times do they recycle each password? Do they have a throwaway password that they use on lots of unimportant sites, while making unique secure password for their bank?

That’s where Test Pilot comes in.

Pie chart of duplicate password use

The above pie chart, generated by Test Pilot, shows a breakdown of the passwords that I have saved in the Firefox password manager. I was running it on a throwaway profile, so it only has five sites with stored passwords. (If it was my real profile, it would have dozens.)

We should be rolling this study out sometime this week. Of course, the study will not be collecting the actual passwords themselves! Instead, it compares passwords on the client side, so they never leave your machine, and only the count of duplicate passwords gets sent across the network to the Test Pilot server.

I’ll post again when we have some findings to share from this study.

Advertisements