Creative password schemes
While we always like to study best practices, sometimes it's the failures which are most illuminating—in this case an unusual password design. The plan was hatched by a client's client before we came in on the rush project, so I can only report on the results and infer motivations.
For this survey, and only for this survey, employees were sent an e-mail instructing them to log in using:
The employee's LAN log-in
Last 6 digits of their Social Security Number (SSN)
We thought this was a bit odd, but since we found out what the setup was the day before Thanksgiving and the survey was going live right after the long weekend, we didn't have our normal time to discuss pros and cons with the client.
The survey launched, and immediately respondents started reporting password problems—far more than the usual slipped finger rate. As part of the diagnostic process we started logging everything users submitted while attempting to access the survey. They entered their LAN password along with their LAN username. They entered the last 4 digits of their SSN. They entered all 9 digits of their SSN, both with and without dashes. They entered their full names instead of the network log-in. A number of them tried multiple combinations before either succeeding or giving up. Needless to say, that particular log was permanently deleted rather than archived with the rest of the project, and we were very glad that the log-ins had been collected using an encrypted page. (Adding to the general concern of handling such sensitive data, these were network logins for bank employees!)
The respondents were not dull or careless, so why were there hundreds of failed logins among only a few thousand employees? The key problem was combining two familiar but unconnected values. Respondents knew their LAN log-in well—though a few seemed to have multiple accounts. They were also certainly familiar with their SSN. The problem was that a username+password is a single unit in our memory, and they were not familiar with the combination of those particular values.
I expect this scheme was planned with respondent ease in mind, but unfortunately they missed the mark. Someone probably believed that telling respondents to enter two known values would be easier for employees than a password issued just for the survey. However, when a respondent receives a random one-time use password in their e-mail invitation, its very unfamiliarity can prompt greater care in typing or copying and pasting the value, resulting in greater success. Using random values also makes it much easier to issue replacement passwords to individuals or groups who are forgotten in the first round.
As with many things in surveys, a good password scheme is a trade-off:
- Data reliability
- Respondent ease and comfort
While the simple solutions sometimes strike us as unsophisticated, they're often the best way to achieve both these goals.
Thanks again for the excellent training sessions. You were able to keep it interesting and worth every penny. You have such a thorough understanding of the software. ~~sigh~~ to be that wise!
Susan L. Despot
California University of Pennsylvania