Just in time for World Password Day Thursday, password reuse remains rampant, with 53% of people admitting they use the same password for different accounts, which exemplifies poor password hygiene, according to a newly released report by identity company SecureAuth.
Among respondents using the same password, most are using it across three to seven accounts (62%), and 10% said they are using over 10 accounts with the same password, the SecureAuth report said.
“No matter how much cyber experts preach, bad password habits are always going to be a large problem for our personal and work lives,” the report noted.
One issue is that people are blurring the lines between work and personal passwords with 21% of workers acknowledging they use the same password at work as they use for their personal email; this was the case for 33% of Gen Zers and 26% of millennials, according to the report.
A reason? People find truly unique passwords are a headache to remember, the report said. Management is also guilty of this. Only 38% of those in leadership positions said their work passwords are unique, compared to 70% of non-management employees. And 34% in those management roles admit to having used one of the most common passwords such as:
The lines between home and work are rapidly disappearing thanks to digital transformation, and this is causing people to struggle with keeping their personal and work identities separate, said Bil Harmer, CISO at SecureAuth. “While people may use different usernames for their work and personal accounts, 44% of people have admitted to using their personal passwords at work,” Harmer said.
“For the average person, passwords are difficult to keep straight, so no matter how much security professionals, like myself, warn the public of the new and evolving threat landscape, the harsh reality is people will continue to do what’s easiest for them and their productivity,” he added.
Streaming service accounts have the most shared passwords or login credentials, followed by gaming accounts and mobile phone passwords, according to the report. “The type of account with the least shared credentials/passwords are work email accounts, but even still, 34% have shared their work email password.”
SEE: The end of passwords: Industry experts explore the possibilities and challenges (TechRepublic)
Another disturbing finding is that most consumers are sharing passwords in ways that are easily hacked, with 20% of respondents indicating they share them via text message followed by 19% on a phone call; 15% in a written note; and 10% in an email.
Although the future of identity lies in biometrics, the SecureAuth report said, more education is needed to increase appetite and willingness among consumers. Currently, fewer than one in three consumers said they are comfortable sharing various forms of their biometric data with either a company they purchase goods and services from, or the government.
However, despite high levels of discomfort when asked about biometrics, the data shows that 51% of average consumers are already using biometrics in multiple contexts: 31% are using fingerprint or facial ID to unlock their phone; 12% to unlock a computer; 12% for TSA identity verification; and 10% for banking.
Consumers are also willing to share their biometric data to save time. The survey found 13% will share to save 30 seconds or less; 12% to save minutes; and 10% to save between 10 and 30 minutes.
The continued reliance on passwords allows cybercriminals to use the exact same playbook they have for decades, SecureAuth noted. The casual attitude toward passwords is even more disturbing with the massive shift to remote work during the COVID-19 crisis, the company said.
“Criminals are playing the long game,” Harmer said. “It’s important to remember that even if passwords are encrypted, once they have stolen a database of credentials, they can use brute force against them and find out what they are.”
The victim will have no advanced warning, “which is why we need to move beyond passwords and instead rely on an elevated form of continuous authentication that incorporates risk-based analysis techniques,” he said. This can be everything from biometrics, geographic location analysis, and device recognition to IP reputation-based threat services and user behavior analytics, Harmer said.
SecureAuth recommends that people commemorate World Password Day by changing an old password to one that is long and strong or by turning on two-factor authentication for their important accounts.
The survey of 2,000 US consumers was conducted between March 16 and March 21, SecureAuth said.