Poor password practices put 60% of UK citizens at risk

More than six in 10 UK consumers put their data at risk by using a single password across multiple online accounts, a study has shown

Despite the fact that the risks of re-using passwords are well documented, 62% of UK consumers re-use passwords, according to a poll of more than 2,000 people commissioned by mobile identity firm TeleSign.

This means that if an attacker obtains a user's credentials from one site, the same credentials give unhindered access to every other site where that password has been reused.

“We have seen the impact of the domino effect first hand,” said Steve Jillings, chief executive at TeleSign.

“Following the recent hack of an online retailer’s customer database, our security team saw a massive increase in fraudulent activity with email providers.”

This spike in activity was the direct result of hackers taking advantage of the passwords they had stolen from one service to access another.
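The domino effect described above, seen from the defender's side of the second service, as an added example that is not part of the original article and not TeleSign's own tooling: when credentials leaked from one site are replayed against another, the receiving site sees one source hitting many distinct accounts in a short time with mostly failed logins, and the few successes are exactly the accounts whose owners reused a password. The log layout, IP addresses and account names below are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: timestamp, source IP, account, result.
# The column layout is an assumption for this example, not a real product's format.
SAMPLE_LOG = """\
2014-12-01T10:00:01 198.51.100.7 alice FAIL
2014-12-01T10:00:09 198.51.100.7 alice FAIL
2014-12-01T10:00:15 198.51.100.7 alice OK
2014-12-01T10:01:00 203.0.113.5 alice FAIL
2014-12-01T10:01:01 203.0.113.5 bob OK
2014-12-01T10:01:02 203.0.113.5 carol FAIL
2014-12-01T10:01:03 203.0.113.5 dave FAIL
2014-12-01T10:01:04 203.0.113.5 erin OK
2014-12-01T10:01:05 203.0.113.5 frank FAIL
2014-12-01T10:01:06 203.0.113.5 grace FAIL
2014-12-01T10:02:30 198.51.100.9 carol OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, account, result


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size time window."""
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(seconds=secs - secs % window.total_seconds())


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.5):
    """Flag (ip, window) buckets where a single source tries many distinct
    accounts with a low success rate: the signature of replayed leaked
    credentials. A user retrying their own password touches one account and
    is never flagged, however many times they fail."""
    buckets = defaultdict(lambda: {"accounts": set(), "attempts": 0, "successes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        b = buckets[(ip, bucket_start(ts, window))]
        b["accounts"].add(account)
        b["attempts"] += 1
        if result == "OK":
            b["successes"].add(account)

    alerts = {}
    for (ip, start), b in buckets.items():
        ratio = len(b["successes"]) / b["attempts"]
        if len(b["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            alerts[ip] = {
                "window_start": start.isoformat(),
                "distinct_accounts": len(b["accounts"]),
                "attempts": b["attempts"],
                # Accounts the source actually got into: their owners reused a
                # password leaked elsewhere and need a forced reset, not a warning.
                "compromised": sorted(b["successes"]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample log only 203.0.113.5 is flagged: seven accounts in about a minute with two successes, so bob and erin are the accounts to reset. The fixed time buckets keep the code short; a production detector would use a sliding window so that a burst straddling a bucket boundary is not split in two, and would also key on the account rather than the source, since a distributed campaign spreads its attempts across many IPs.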

The temptation to use one password across multiple sites is made all the greater by sites requiring passwords to be increasingly complex.

Most people struggle to remember a different password for every online service they use, particularly when those passwords are long and complex.

Lack of security awareness

According to the survey, more than half of users delay or simply ignore password resets because they struggle to remember new passwords.

More than half of the respondents said they had experienced an increase in password-reset notifications in the wake of various major data leaks this year.

The survey also revealed some confusion among users about accountability for password security, with 56% feeling the ultimate responsibility for online account protection fell to website providers.

There is also a lack of overall awareness of online security, with almost a quarter of 18- to 24-year-olds saying they felt safe because they had not been hacked in the past.

“Passwords are an artefact from a bygone era, and no longer sufficient on their own to keep data secure,” said Jillings.

“A significant proportion of these types of incidents can be prevented when providing stronger authentication methods, such as a combination of a mobile phone number, device profile and user behaviour.”

Jillings said users should ensure they have enabled any second-factor authentication functionality offered by the web services they use.

“Users can check third-party resources such as twofactorauth.org to find out if their social networking, banking, cloud computing or other online service offers two-factor authentication,” he said.

The case for alternative authentication

Other common password-related failings are the use of weak passwords, the use of default passwords, and the failure to set any password at all for internet-connected services and devices.

The issue of default passwords was highlighted recently by the discovery of a Russian website streaming video feeds from private webcams using default passwords or no passwords at all.

According to the 2014 Trustwave global security report, weak passwords led to an initial intrusion in 31% of the compromises analysed by the firm in the past year.

Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.

In an attempt to address these problems, an alliance of technology firms is working on an authentication protocol designed to make passwords obsolete.

The Fast Identity Online (Fido) Alliance published the draft Online Security Transaction Protocol (OSTP) in February 2014 and hopes to publish the final technical specification by the end of the year.

The protocol enables interoperability between strong authentication devices, which means users of online services will be able to choose from a wide variety of password alternatives.

These include USB devices such as Google’s Security Key and biometric technologies such as fingerprint readers, vein scanners and voice recognition software.