Password Usage Study: A Conversation with Yan Grinshtein
Billions of us use passwords daily to access our digital world. Passwords were invented to help us maintain our security posture in a landscape ridden with threats. Yet, it is becoming evident in the security industry that passwords and shared secrets are ineffective — and risky. Despite the rising number of data breaches and account takeovers, we have yet to evolve from passwords.
Yan Grinshtein, Head of User Experience at HYPR, developed a study to better understand how people use passwords in their work and personal lives. At HYPR, we assert that understanding people’s relationship with passwords helps us innovate and hasten adoption of more secure authentication methods, ones free of passwords and shared secrets.
Digital experiences are only secure if they are designed from the foundation up for the human experience. Check out our infographic for the study results and Part 1 of our interview with Yan below to learn more about how UX impacts security.
Q&A with Yan Grinshtein – Part 1
Lani: So tell me, Yan, how did the study begin?
Yan: Since I joined HYPR in 2016 I’ve conducted studies to understand how people use our product. I soon realized that I should ask users about their passwords because many revealed a dislike of using or having passwords.
In an early study I noticed that 8 to 9 out of 10 people who experienced our first iteration of passwordless authentication responded, “Wow! That’s mind-blowing.” Our solution removed the pain of having to remember passwords.
Over two and a half years, I started to see a trend. People have X number of passwords that they manage differently. A big reveal not only to me, but might also be to the security industry, is that when people take risks in their personal life, it impacts themselves and their immediate surroundings. But when they do something risky at work – that’s a whole new risk frontier that can impact an entire company!
Every medium- to large-size company has a password security policy. Security admins 1) enforce password changes every 90 days, 2) enforce complexity with passwords of 8 characters or more, 3) add more complexity by requiring upper and lowercase alphanumeric and special characters.
Lani: We know that these policies don’t add more security. Before working in security, I was guilty of adding a single character to my previous passwords.
Yan: Right! What we discovered was that these policies dramatically increase your spending on support tickets because users call the helpdesk every 90 days, if not sooner, to reset their forgotten password. And people don’t really make a new password; they usually just add or change a single character.
Lani: As a UX expert, what are you looking to understand?
Yan: I am looking to understand human behavior. My goal is to understand why people do what they do. Why do they change only a single character in their password – why do they reuse it? It’s easy to say people don’t like them, or that passwords are difficult to remember. I want to dig deeper.
There are three parts to our relationship with passwords: time, fear, and comfort. Time is about perception. Five seconds to me can be an eternity, but five seconds to you can be a blink of an eye. Fear is connected to our fear of forgetting a password. Even when there are alternatives – people will return to passwords simply because they’re familiar. This leads to the last element, comfort. People avoid discomfort so they remain with the familiar.
Lani: It sounds like fear and familiarity are really what’s holding us from evolving away from passwords. Would you share why user experience is critical in the context of security?
Yan: User experience is the sole reason why nothing is secure today. Historically, most security inventions created roadblocks in our daily lives. In the 60’s, Fernando Corbató was the first to use passwords to secure access to a shared computer. Once the internet emerged, companies became deeply concerned with security. The web was considered dangerous. Passwords became complex over time. 2FA came along, and then MFA.
Once upon a time the door had only one lock and one key. Now suddenly I have four locks, four keys, a keypad, a secret word, and a camera scanning my retina to access that door. That’s how it really feels! To secure ourselves digitally we didn’t design something different. We added ways to do what we did in the 60’s, complicating rather than simplifying our lives.
Lani: What is the core element to a great user experience?
Yan: A great user experience is delivered when a product’s security and experience is invisible — it’s something the user does not see. They do not have to think about it. It’s just there.
Lani: What do today’s security vendors get wrong?
Yan: They make assumptions. A lot of security and authentication providers today — if you deconstruct their UX — it feels as if whoever designed and built the products did not do any research on how people will use their products. They assume that whoever picks up their product knows how to use it. That, or it comes with a massive manual.
Lani: Wait, are you referring to the admin or the end user?
Yan: Does that matter? Is the admin not human? Most companies separate admins from the end user experience — they don’t design for the admin experience to be just as simple and intuitive. That’s why admins struggle with most products on the market.
This is the core value of HYPR. Our founders never separate the admin from the end user experience. The goal of our company is to treat everyone as humans. No one should have to jump through hoops to deploy the software, manage it or use it.
Stay tuned for Part 2 of the interview where we discuss the need for more evolved authentication to account for future generations of users.
This conversation has been edited and condensed for clarity.