A LastPass report reveals 91% use the same passwords on multiple accounts, and 53% haven't changed passwords in 12 months, despite high-profile security breaches.
It may sound like an excuse for a greeting card, but "World Password Day" is Thursday, May 7. Even if the day just serves as a reminder, passwords—and protecting them—are hugely relevant to the tech industry.
A report from LastPass, the password manager owned by LogMeIn, reveals that "cognitive dissonance" prevails: despite repeated warnings and breaches with great financial and personal impact, most people are not practicing safe tech hygiene. Hacking and data breach stories have led local and national news, yet consumers' password behaviors remain the same.
According to the report, "Psychology of Passwords": "As more and more people work and socialize online, protecting your digital identity is more important than ever. Unfortunately, we've seen a spike in hacking attempts – including malware from unvetted software downloads and an increasing number of phishing attacks. Will this finally be the tipping point that causes people to show more concern for their online data?"
The impact is even more significant now that COVID-19 has sent most people to work from home (WFH) or shelter at home (SAH), giving everyone who's home a lot of online time.
"Due to COVID-19, with more people online, cyber threats are at an all-time high," said John Bennett, SVP & GM of identity and access management at LogMeIn.
Security experts agree. Wieger van der Meulen, global IT-security manager/CISO at Leaseweb Global, said, "As the COVID-19 crisis continues, so too does the spike in phishing scams and spam attacks on remote workers, as hackers use it to their advantage."
According to the report:
- 91% of people use the same word on multiple accounts (not recommended)
- 66% continue to use the same password, even if they're aware of the risks
- 53% haven't changed their passwords in a year
Is it laziness? A surprising 42% say an easy-to-remember password is more important than a secure password.
Do as they say, not as they do
There's a disconnect between what people say they do and what they actually do: some respondents said they have one to 20 online accounts, when the average person has 38. Here's a closer look:
False modesty: People underestimate how much of their lives are online. Each online account is a vulnerability point that can be breached. As more people socialize online and work online, more of those vulnerability points appear.
Don't let your guard down
People underestimate the value of their information, and 42% of respondents think their accounts aren't valuable enough to be worth a hacker's time. But hackers breach large sites to steal the entire database of customer information. Once they've breached a consumer site, they use that information to try to access online banking.
The study, which surveyed 3,250 people from the US, Australia, Singapore, Germany, Brazil, and the UK, noted that while people are more aware of cybersecurity concerns than ever, their behavior remains the same.
Recycle clothes, not passwords
Respondents' biggest password security error is that 66% mostly or always use the same password, or a variation thereof, up 8% from 2018. If you use the same password on all your accounts (or one close to it), then a hacker who gets it can access all of them. If you use the same password at work as you do at home, your company's information is at risk.
"People seem to be numb to the threats that weak passwords pose," said Bennett.
Overstimulation? Too much multitasking? Why the reuse of passwords? 60% replied they're "afraid of forgetting my login information," and 52% said they want to be in control and "know all of my passwords."
Jay Ryerse, vice president of cybersecurity initiatives at ConnectWise, offers practical tips:
- The longer the password, the longer it takes for digital adversaries to crack it, deterring brute-force attacks.
- Avoid overused practices like adding an exclamation mark.
- Avoid phrases associated with family or pets.
- Don't use incremental numbers.
- Give only fake answers to the security questions used to recover your password, so hackers can't mine the real answers online (e.g., a mother's maiden name is easy to find with quick online sleuthing, so choose a made-up name only you know).
Hackers use these common patterns to guess passwords, and their job is a lot easier if yours follows one of them.
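As an added illustration (not code from the report or from ConnectWise), here is a password-change check that enforces the tips above on the defender's side: it flags short passwords, the trailing exclamation mark, personal terms the user has supplied, and candidates that are merely a previous password with an incremented number or a swapped suffix (the "variation thereof" reuse the survey describes). The 12-character minimum and the sample passwords are assumed values.

```python
import re
from typing import Iterable

# Assumed policy value; the article only says "the longer the better".
MIN_LENGTH = 12
_SUFFIX = re.compile(r"[\W\d_]+$")           # trailing digits/punctuation
_TRAILING_DIGITS = re.compile(r"(\d+)[\W_]*$")  # number before final punctuation


def core(pw: str) -> str:
    """Lowercase and strip the digits/punctuation people bolt on when forced
    to change: 'Summer2019!' and 'summer2020!!' both reduce to 'summer'."""
    return _SUFFIX.sub("", pw).lower()


def trailing_number(pw: str):
    """The number at the end of the password (ignoring final punctuation), or None."""
    m = _TRAILING_DIGITS.search(pw)
    return int(m.group(1)) if m else None


def password_problems(candidate: str,
                      previous: Iterable[str] = (),
                      personal_terms: Iterable[str] = ()) -> list:
    """Return policy violations for a proposed password (empty list = accepted).
    `previous` must be cleartext, e.g. the old password the user types during
    a change; this check cannot run against a store of password hashes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.endswith("!"):
        problems.append("ends with the overused '!'")
    lowered = candidate.lower()
    for term in personal_terms:  # pet names, family names, etc.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term '%s'" % term)
    new_num = trailing_number(candidate)
    for old in previous:
        if core(old) == core(candidate):
            old_num = trailing_number(old)
            if new_num is not None and old_num is not None and new_num == old_num + 1:
                problems.append("increments the number on a previous password")
            else:
                problems.append("variation of a previous password")
            break
    return problems


if __name__ == "__main__":  # constructed sample: a typical forced-rotation attempt
    print(password_problems("Summer2020!", ["Summer2019!"], ["Rex"]))
```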
The need to be in control "is understandable, but misguided," the survey said. Trying to remember all your passwords isn't working: 25% of people reset passwords once a month or more because they've forgotten them.
If you can remember your passwords, they're not strong enough; they're predictable. Indeed, 22% said they could guess their partner's password.
Safe and secure
Use an additional and familiar layer of security: Multifactor Authentication (MFA). Only 19% polled didn't know what MFA was; 54% said they use it for their personal accounts, and 37% use it at work. With MFA, the user needs more than a username and password to log in; it requires a second factor, such as a one-time code or a fingerprint.
Respondents who use MFA have enabled it on:
- Financial 62%
- Email 45%
- Medical records 34%
- Work-related accounts 22%
Bennett said, "Technology like biometrics makes it easier to avoid text passwords altogether," and 65% said they trust fingerprint or facial recognition more than traditional passwords.
Every account needs protection, but the survey found people are more likely to protect their personal (email, financial) accounts than their work accounts.
Land of the free
Respondents in the US admitted their password behavior is poor, but their MFA use is strong. Still, 60% fear forgetting login information, so 33% write it down; 67% trust biometrics more than traditional text passwords; 42% use MFA for work accounts and 58% for personal accounts, the highest of any region polled, with the exception of Singapore.
The survey said this year should be "the tipping point" for a change in password behavior, and suggested:
- Let a password manager remember and fill in your passwords (it stores them in an encrypted vault).
- Use MFA, starting with the essentials (email, banking, credit cards, taxes, social media), and always check whether a site you sign up for offers MFA and opt in.
- Monitor your data so you know when your information has been compromised.
"Individuals seem to be numb to the threats that weak passwords pose and continue to exhibit behaviors that put their information at risk," Bennett said. "Taking just a few simple steps to improve how you manage passwords can lead to increased safety for your online accounts, whether personal or professional. Make World Password Day 2020 the tipping point for a change in your password behavior."