Over 18 million UK internet users are at risk of fraud because they use the same password for their online banking, shopping and social networking accounts, research has revealed.
This figure is extrapolated from a study of 1,600 internet users in the UK. It shows that poor password security is extremely prevalent.
This and other bad habits are likely to be found in the workplace as well, but according to reformed hacker Robert Schifreen, few UK businesses are tackling the problem effectively.
Most businesses invest in security hardware and software in an attempt to enforce stronger passwords, but that only addresses part of the problem, says Schifreen, whose acquittal by the House of Lords on charges of unauthorised access to a computer system led to the introduction of the Computer Misuse Act of 1990.
No matter how much money businesses invest in security hardware and software, users will always tend to take shortcuts, he says.
Sixty-eight per cent of survey respondents claim it is too difficult to remember multiple logins.
Security products will also not help if criminals use social engineering to trick people into divulging passwords, says Schifreen.
Businesses need to ensure employees also receive security awareness training that highlights the risks around passwords and how to mitigate those risks.
"Security awareness training is generally poor in UK businesses, with only a few doing it, such as financial services companies that take security seriously," says Schifreen.
Employees are less likely to be tricked into revealing passwords over the phone or by responding to phishing e-mails if they are made aware of the threat, he says.
Sarah Blaney, identity theft expert at The CPP Group, which commissioned the research, says the results clearly show the need for greater awareness about the importance of good password security.
Some 40% of respondents admit that at least one other person knows their passwords, and 39% think these people may have logged in using their details.
Another 10% said their web accounts had been accessed illegally, with 18% of them saying goods were bought in their name, 12% reporting theft of money and 5% being victims of identity theft.
The research also revealed that many internet users rely on passwords that are easy for criminals to guess.
Nearly 20% of respondents said they use pets' names, 12% use memorable dates, 10% use children's names and 9% use their mothers' maiden names.
CPP has issued some guidelines on how to create stronger passwords and on best practices to follow.
"We are encouraging internet users to follow the same best practices at home as they should at work to guard against identity theft, fraud and hacking," says Blaney.
How to create a secure password
- Use at least eight characters
- Use letters and numbers
- Do not use a common word
- Avoid using an easy-to-guess password
- Do not use family or pet names
- Do not use memorable dates
- Use a phrase that is meaningful to you
- Make it secure by removing vowels
- Add numbers for greater security.
Good password habits
- Do not write passwords down
- Do not disclose passwords to anyone
- Use different passwords for each login
- Always log off computers not in use.
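
The checkable items from both lists can be turned into a local audit. The sketch below is an added example, not code from CPP or the research; the function names, the small common-word list and the sample passwords are constructed for illustration. It also folds common digit-for-letter swaps so that "R0ver" still counts as a pet name.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of common words; a real check would load a larger list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "football"}
# Undo common character swaps: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oleastas")

def date_forms(d):
    """Digit strings a person is likely to type for a memorable date."""
    formats = ("%d%m%Y", "%d%m%y", "%m%d%Y", "%Y%m%d", "%d%m", "%Y")
    return {d.strftime(f) for f in formats}

def audit_password(password, names=(), dates=()):
    """Return the guidelines from the lists above that the password breaks."""
    issues = []
    lowered = password.lower()
    folded = lowered.translate(LEET)                      # "r0ver" -> "rover"
    # Drop leading/trailing digits and symbols, then fold: "passw0rd1" -> "password"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered).translate(LEET)
    if len(password) < 8:
        issues.append("fewer than eight characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        issues.append("needs both letters and numbers")
    if core in COMMON_WORDS:
        issues.append("common word")
    if any(n.lower() in folded for n in names if len(n) >= 3):
        issues.append("family or pet name")
    digits = re.sub(r"\D", "", password)
    if any(form in digits for d in dates for form in date_forms(d)):
        issues.append("memorable date")
    return issues

def find_reuse(accounts):
    """Group account names that share one password (exact match)."""
    groups = defaultdict(list)
    for account, password in accounts.items():
        groups[password].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    # Constructed sample: one password reused across three kinds of account.
    sample = {"bank": "R0ver2009", "shop": "R0ver2009",
              "social": "R0ver2009", "email": "mdgchs7rdbll4"}
    print(find_reuse(sample))
    for pw in sorted(set(sample.values())):
        print(pw, audit_password(pw, names=["Rover"], dates=[date(2009, 6, 14)]))
```

An empty result means only that none of these specific checks fired; it does not measure how guessable the password is.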