Despite passwords being part and parcel of computing for decades, everyone, including IT workers, continues to fall short on proper password hygiene, according to a Yubico/Ponemon Institute study released Monday. The report finds that 57% of IT workers who have experienced a phishing attack have not changed their password behaviors, according to a survey of over 1,750 such professionals in the US, UK, Germany and France.

Of the respondents who said they did change their password behavior, 47% reported using stronger passwords, 43% reported changing passwords more frequently, and 41% added two/multi-factor authentication when possible, though only 17% reported using unique passwords for every account.

Oddly, privacy concerns of end users are prompted less by the threat of cyber criminals attempting to steal user credentials for fun and profit, as 59% of respondents indicated they “have growing concerns about government surveillance.” Respondents indicated that they are most concerned (62%) about protecting their Social Security number, which, as it is a government-issued form of identification, would be information that a government already has about you.

Some 35% of respondents said they know someone who has become a victim of data breaches, while 33% report becoming victims of data breaches themselves. Only 8% report becoming victims of identity theft.

Only 18% of organizations require the use of a password manager, according to respondents. In organizations in which password managers are not required, 53% rely on human memory, while 26% rely on either spreadsheets or sticky notes with manually written passwords.

Worries about corporate misuse of information are relatively low, as 40% of respondents report concerns over privacy due to the increased use of connected devices such as smart cars or smart assistant speakers like Google Home or Amazon Echo, while 21% report using social media more often.

Passwords, fundamentally, are a weak link in security. Researchers continue to invent creative ways of theoretically stealing passwords, with a report last July finding it possible to recover passwords by using an infrared camera on a keyboard. Meanwhile, phishing attacks continue to increase, with Microsoft being the most impersonated brand in Q4 2018. For more, check out TechRepublic’s cheat sheet to phishing and spearphishing.

The big takeaways for tech leaders:

  • More people cite privacy concerns from smart device use over social media use. — Yubico/Ponemon Institute, 2019
  • 53% of respondents rely on their own memory to remember passwords. — Yubico/Ponemon Institute, 2019