Abstract

We performed two surveys to understand how members of a university managed their passwords. At password creation, the university offered people four pre-generated random passwords, with the option of creating their own subject to stringent requirements. All passwords expired after 120 days. We found that most respondents chose to create their own password, utilized coping strategies that undermined the security of the requirements, and reported that the expiration times were too short. We also attempt to connect these behaviors to respondents' other password habits and demographics. We conclude that pre-generated random passwords, stringent password requirements, and rapid password expiration dates are unusable security requirements for most people and lead users to subvert password requirements and reuse passwords.

  • Publication date: 2015-9-10