In the United States, the average email address is associated with no fewer than 130 different accounts on the internet. How many accounts do you use on a daily basis? Chances are there are accounts out there you haven’t seen or thought about in decades. Many people report having more password protected accounts than they can recall, and while you might not be using all of the accounts currently they may be giving hackers access to those accounts you do use regularly because of one common habit: password reuse.
Millennials, though they are digital natives and have grown up being told the proper password safety procedures, are shockingly the most likely group to reuse passwords. Instead of leading by example as the technologically advanced digital natives they are, Millennials are making things less secure for everyone. More than three quarters of younger Millennials report reusing passwords, compared to 58 per cent of older Millennials, 61 per cent of Gen X-ers, 56 per cent of Baby Boomers, and 62 per cent of the Silent Generation. Overall 61 per cent of people admit to using the same password across multiple websites, but somehow 89 per cent of people feel that their password habits are secure. Unfortunately this does not seem to be the case.
What does it actually take to have a secure password? It’s a lot more complicated than you might think, and this may be a leading factor in why people are reusing passwords to begin with. Secure passwords use the following precautions:
Never use the same password for different websites
Use a complex password or passphrase with letters, numbers, and symbols
Update passwords regularly, especially if you are notified of a breach
Use multifactor identification for sensitive accounts
Use a secure password manager if you have trouble remembering your passwords
Why should you care about your password habits? Well, as it turns out it may be a boring problem but the effects can cascade until your life is completely out of control, says Digital Guardian’s Dennis Fisher: “Attackers know that people use the same password over and over, so if they’re able to get a user’s credentials for one site or service, their next move is to see if the password works on email, Facebook, Twitter, a banking site, or other high-value targets. That can start a chain reaction that leads to the victim’s entire online life being compromised. These are all things that security researchers and professionals have known for a long time. Password reuse is a well-understood problem, but it’s still a problem, albeit a boring one. And the thing about boring problems is that they’re boring. People don’t get super excited to work on those.”There are several different ways that this boring problem leads people to unknowingly put their digital lives in jeopardy. When people have difficulty remembering their passwords because of so many different accounts, in addition to reusing passwords they may write them down on paper, store them in plain text on their computer or mobile device, or even store them in a cloud-based dropbox that also requires an additional password. The only secure way to manage your passwords is to use a secure password manager. If you’re not, you could be putting yourself and even your company into serious jeopardy.
Even though the problem has been identified and awareness has been raised, at the end of the day many people just have too much on their plates to effectively manage multiple passwords across multiple accounts that need to be changed frequently. Let’s be honest here – most people aren’t going to remember lkj345$ per cent and weorub$$3 and oewo09!!hf4, let alone strings of random characters for each of the 130 accounts they have. Most people will do away with things that add what they consider to be unnecessary complication to their lives, so passwords are often the first concession they will make in the pursuit of a less complicated lifestyle. It’s hard to convince people to complicate their lives with crazy passwords and decompress with a little afternoon yoga instead.
Another problem most people face is that they just don’t change their passwords enough.
11 per cent of people never change their passwords
31 per cent of people change their passwords once or twice a year
17 per cent of people change their passwords three to four times a year
22 per cent of people change their passwords five or more times a year
18.5 per cent of people only change their passwords when they are notified of an issue
While it is encouraging that 70 per cent of people report changing their passwords at least once a year, it’s also important to remember that that figure is self-reported and 29 per cent of people report having more password protected accounts than they can remember. It is more likely that people are regularly changing the passwords to the accounts they remember and use frequently rather than every single account they have ever opened, which can still leave them vulnerable if they have even reused just one password.
Stopping hackers can be challenging for a multitude of reasons, but since user error is the single biggest factor in hacking threats making security user-friendly for even the least trained person using it can bridge a huge security gap. Unfortunately it is easier to get an information security person to work on a new type of encryption or on detecting the latest phishing campaigns than it is to get them to come up with a way to get non-technical users to understand the need for and to use better password hygiene.
In spite of decades of advances in computer and information security, the biggest problem is still with the fundamentals – the end user. If you don’t have end users who are using good password hygiene practices, the base of your security pyramid will crumble. Fortunately it doesn’t have to be this way – advances in security technology have come up with a multitude of solutions. Learn more about password habits by generation as well as threats associated with improper password handling from this infographic from Digital Guardian. Could your organisation use a refresher course on password hygiene? Information security starts at the bottom.