Page Header

A Study of Password Management Behaviors of Young People

Chatphat Titiakarawongse, Sirapat Boonkrong


Password-based authentication is still the most widely used authentication method today. Unfortunately, passwords are the main culprit leading to cyberattacks. This study examines the behaviors of young people towards password generation and usage. The young people will ultimately become the future for society. An online survey with a sample of 265 respondents aged 10–24 was conducted between April and August 2021. The research utilized descriptive statistical analyses and compared the responses from young people with older people. The results suggest that although the survey participants seemed to have basic knowledge of creating complex passwords, they still possessed some aspects, which could lead to being a cyberattack target. This preliminary study provides information and increases awareness for policymakers and educators in such a way that it could be used to create an educational program on the importance of managing passwords securely. In addition, the study provides insights into the password management of young people between the ages of 10 and 24.


[1] S. Boonkrong, “Methods and threats of authentication,” in Practical Cryptography Methods and Tools. Berkeley, California: Apress, 2021, pp. 45–70.

[2] NordPass, “Top 200 most common passwords of the year 2020,” 2021. [Online]. Available: https://

[3] D. Malone and K. Maher, “Investigating the distribution of password choices,” in The 21st International Conference on World Wide Web, 2012, pp. 301–310.

[4] Computer Emergency Response Team (CERT), “IN98.03: Password cracking activity,” Software Engineering Institute, Carnegie Mellon University, USA, 1998.

[5] Imperva, “Consumer password worst practices,” The Imperva Application Defence Center (ADC), USA, 2014.

[6] C. Shu, “Passwords for 32M twitter accounts may have been hacked and leaked,” 2021. [Online]. Available: twitter-hack/

[7] R. Shay, S. Komanduri, A. Suriti, P. Huh, M. L. Mazurek, S. Segreti, B. Ur, L. Bauer, N. Christin, and L. F. Cranor, “Designing Password policies for strength and usability,” ACM Transactions on Information and System Security, vol. 18, no. 4, pp. 1–34, 2016.

[8] S. Komanduri, R. Shay, P. G. Kelly, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman, “Of passwords and people: Measuring the effect of password-composition policies,” in The SIGCHI Conference on Human Factors in Computing Systems, 2011, pp. 2595–2604. [9] H. Ray, F. Wolf, R. Kuber, and A. J. Aviv, “Why older adults (don't) use password managers,” in The USENIX Security Symposium, 2021, pp. 73–90.

[10] H. Y. Huang and M. Bashir, “Surfing safely: Examining older adults’ online privacy protection behaviors,” in The Association for Information Science and Technology, vol. 15, pp. 188–197, 2018.

[11] World Health Organisation (WHO), Young People’s Health - A Challenge for Society. Geneva, Switzerland: World Health Organisation, 1986.

[12] H. Habib, P. Emani-Naeini, S. Devlin, M. Oates, C. Swoopes, L. Bauer, N. Christin, and L. F. Cranor, “User behaviors and attitudes under password expiration policies,” in The Fourteenth USENIX Conference on Usable Privacy and Security, 2018, pp. 13–30.

[13] T. Hussain, K. Atta, N. Z. Bawany, and T. Qamar, “Password and user behavior,” Journal of Computers, vol. 13, no. 6, pp. 692–704, 2017.

[14] D. T. Fredericks, L. A. Futcher, and K. L. Thomson, “Comparing student password knowledge and behaviour: A case study,” in The Tenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2016), 2016, pp. 167–178.

[15] K. Bryant and J. Campbell, “User behaviours associated with password security and management,” Australasian Journal of Information Systems, vol. 14, no. 1, pp. 80–100, 2006.

[16] C. E. Shannon, “A mathematical theory of communication,” The Bell System Technical Journal, vol. 27, no. 3, pp. 379–423, 1948.

[17] W. Ma, J. Campbell, D. Tran, and D. Kleeman, “Password entropy and password quality,” in The Fourth International Conference on Network and System Security, 2010, doi: 10.1109/ NSS.2010.18.

[18] D. Florêncio and C. Herley, “Where do security policies come from?,” in The Sixth Symposium on Usable Privacy and Security, 2010, pp. 1–14.

[19] S. Pearman, J. Thomas, P. Emani-Naeini, H. Habib, L. Bauer, N. Christin, L. F. Cranor, S. Egelman, and A. Forget, “Let's go in for a closer look: Observing passwords in their natural habitat,” in The 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 295–310.

[20] B. Grawemeyer and H. Johnson, “Using and managing multiple passwords: A week to a view,” Interacting with Computers, vol. 23, no. 3, pp. 256–267, 2011.

[21] E. Stobert and R. Biddle, “The password life cycle: User behaviour in managing passwords,” in The Tenth USENIX Conference on Usable Privacy and Security, 2014, pp. 243–255.

[22] A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, “The tangled web of password reuse,” in 2014 Network and Distributed System Security (NDSS) Symposium, 2014, pp. 23–26.

[23] University of Illinois, “Why you should use different passwords,” 2021. [Online]. Available: use-different-passwords

[24] S. Bellovin, “Unconventional wisdom,” IEEE Security & Privacy, vol. 4, no. 1, p. 88, 2006.

[25] P. A. Grassi, J. L. Penton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr, J. P. Richer, N. B. Lefkovitz, J. M. Danker, Y. Y. Choong, K. K. Greene, and M. F. Theofanos, “NIST special publication 800-63B: Digital authentication guideline,” National Institute of Standards and Technology (NIST), USA, 2017.

[26] K. Helkala and T. H. Bakås, “Extended results of norwegian password security survey,” Information Management & Computer Security, vol. 22, no. 4, pp. 346–357, 2014.

[27] M. Theofanos, Y. Y. Choong, and O. Murphy, “Passwords keep me safe’ – Understanding what children think about passwords,” in The Thirtieth USENIX Security Symposium, 2021, pp. 19–35.

[28] B. Ur, F. Noma, J. Bees, S. M. Segreti, R. Shay, L. Bauer, N. Christin, and L. F. Cranor, “I added ‘!’ at the end to make it secure: Observing password creation in the lab,” in The Eleventh USENIX Conference on Usable Privacy and Security, 2015, pp. 123–140.

[29] Y. Y. Choong, M. F. Theofanos, and H. K. Liu, “NISTIR 7991: United States federal employees’ password management behaviors - A department of commerce,” National Institute of Standards and Technology (NIST), USA, 2014.

[30] L. Ion, R. Reeder, and S. Consolvo, “No one can hack my mind: Comparing expert and non-expert security practices,” in The Eleventh USENIX Conference on Usable Privacy and Security, 2015, pp. 327–346.

[31] A. Barron, Inference for Categorical Data, Introduction to Statistics. USA: Yale University, 1997.

Full Text: PDF

DOI: 10.14416/j.asep.2023.01.001


  • There are currently no refbacks.