Password practices still poor despite increased threats

Although 91% of people polled in a survey know that using the same password for multiple accounts is a security risk, 59% admit that they continue to do so.

The survey, by LastPass (now acquired by LogMeIn), also revealed that 53% of respondents admitted they had not changed passwords in the past 12 months, despite a breach making the news.

This means that individuals’ behaviour in creating, changing and managing passwords in both their professional and personal lives is slow to match the rapid evolution of cyber security threats, the survey report said.

The global survey, which polled 2,000 individuals across the UK, the US, France, Germany and Australia, provides evidence that increased knowledge of security best practices does not necessarily translate into better password management, and highlights regional, generational and personality differences that can factor into password security.

The global snapshot reveals that while Germany leads the way with proactive security measures and France is the most concerned about password security risks, the US and Australia are more likely to take action in the face of a breach. But the UK is in security denial, with 73% of UK respondents considering their passwords sufficient protection for online information.

Also, 58% of UK respondents believe there is no way a hacker could guess one of their passwords from information shared on social media, and UK respondents are the most likely to reset their passwords at least once a month because they can’t remember them.

The survey also revealed that fear of forgetting a password is the top reason for reusing passwords, but not only do 59% of respondents use the same password for multiple accounts, but many also continue to use that password as long as possible, changing it only if required by IT to update or if impacted by a security incident.

Of particular concern to business is the fact that 79% of respondents report having between one and 20 online accounts for work and personal use. But when it comes to password creation, nearly half (47%) say there is no difference in passwords created for these accounts. Only 19% create more secure passwords for work and 38% never reuse the same password between work and personal, which means 62% do.

According to the survey report, bad password behaviour in Type A personalities stems from their need to be in control, whereas Type B personalities have a casual, laid-back attitude to password security. Respondents who identify as Type A personalities are more likely than Type B to stay on top of password security, with 77% of Type A claiming to put a lot of thought into password creation, compared with just 67% of Type B. Type A users also consider themselves informed about password best practices (76%) compared with 68% of Type B users.

Respondents aged 55 and over recognise the severity of the current threat landscape and are most concerned about having passwords breached, with 95% feeling that password security is a serious matter, 89% saying that password hacking is a serious global threat, 81% saying they are concerned about having passwords compromised, and 72% saying they are fearful when they hear news of password hacking.

But the report notes that individuals in this age group do not just worry, but act, with 52% knowing it is best practice to create a unique password for each online account.

The data showed several contradictions, with respondents saying one thing and doing another. For example, 72% say they feel informed about password best practices, but 64% of those say having a password that is easy to remember is most important.

“The cyber threats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action,” said Sandor Palfy, chief technology officer of identity and access management at LogMeIn.

“Individuals seem to understand password best practices, but often exhibit password behaviours that can expose their information to threat actors. Taking a few simple steps to improve how you manage passwords can lead to increased safety for online accounts, whether personal or professional.”

According to UK National Cyber Security Centre technical director Ian Levy, passwords are one of the top issues that need to be tackled by security innovation.

“We have got to get rid of passwords,” he told Computer Weekly. “They don’t work and they don’t do what people think they do. They don’t work for people, let alone security. We need better ways of authenticating.”