It seems that every day is a new holiday, with friends on social media sites celebrating everything from their siblings to their puppies. Today is officially Password Day, but are passwords something the security industry and consumers really want to celebrate?
A recent study, Psychology of Passwords: Neglect Is Helping Hackers Win, from LastPass by LogMeIn found that despite the proliferation of high-profile breaches, behaviors related to creating, changing and managing passwords have not really evolved.
In fact, the report found that in some cases, the breach announcements had little impact on password behavior. “Only 22% of respondents reported changing passwords when they heard about general industry security issues – down from 25% in 2016.”
Of the 2,000 respondents across five countries, 91% know that using the same passwords for multiple accounts is a security risk, but more than half (59%) reuse the same password regardless.
While respondents seem to be aware of the serious threats that can result from stolen credentials, 51% feel certain that there is no way a hacker could guess one of their passwords from the personal information they expose on social media. An additional 38% believe they have nothing of value to an attacker, yet 79% say that having their passwords compromised is something they are concerned about.
The vast majority of respondents, 61%, choose not to change their passwords because they are afraid of forgetting their login information. Katie Tierney, senior director of global sales engineering at WhiteHat Security said, “You shouldn’t be able to remember 99.9% of your passwords. If you can remember them, then the bad guys can brute-force them.”
Despite the large number of users who don’t change their passwords for fear of forgetting, 38% of respondents reset their passwords every few months because they couldn’t remember them.
“We are all guilty of using passwords that are easy to remember, and when forced to use numbers, we add 123 or some such equally simple variation to it,” said Tierney. But in the event of a brute-force attack, where the attackers systematically check all possible combinations of words and numbers to guess the password, “the shorter and simpler your password is, the easier it is to guess.”
Type A personalities do offer reason to celebrate some password success, though. Those who characteristically like to be in control pride themselves on putting a lot of thought into their passwords, with 76% of respondents self-identifying as Type A reporting that they are informed on password best practices.
Many consumers will likely let today's holiday pass with little hint of recognition because keeping track of unique passwords for each site is overwhelming. Their password exhaustion is likely why they are ready to move beyond the password. According to a study conducted by Visa, consumers welcome new biometrics technologies like fingerprint recognition, eye scans and facial recognition.