About 53% of users haven’t changed their social network passwords in more than one year—with a fifth having never changed their passwords at all, according to research from Thycotic.
More than a quarter of respondents said they change their passwords at work only when the system tells them to.
The survey, conducted by the company at RSA Conference in San Francisco in February, found that this state of affairs not only leaves users’ accounts exposed and reflects the absence of any standard pushing social networks toward automated reminders and password-manager use, but also gives attackers an easy route into a user’s work email. “As we know, social networks give away a lot of private information. For people to not consider changing their passwords on a regular basis on their Facebook, Twitter and LinkedIn accounts, they are easily allowing hackers to access information that will grant them access to other facets of their lives, like their work computers and email,” said Joseph Carson, chief security scientist at Thycotic. “Not only is this a huge vulnerability, but this is also a flaw within large social networks that don’t remind or make it clear and transparen[t] to the user about the age or strength of the password or best practices.”
The survey results also found a disconnect between security professionals and their own security habits. Nearly 30% of security professionals have used or still use birthdays, addresses, pet names or children’s names for their work passwords, Thycotic said. At the same time, nearly half (45%) of respondents said they believe privileged accounts are involved in at least half of all cyberattacks.
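The two weak habits the survey describes, passwords built from personal details that a social-network profile exposes and passwords that are never rotated, are both mechanically checkable. The following is an added example, not code from Thycotic or the survey: a small Python policy check that expands a user's profile into the tokens people tend to reuse (names, street, birth date in several numeric layouts), undoes common character substitutions such as "R3x" for "Rex", and flags a password older than an assumed one-year limit. The `SAMPLE_PROFILE`, the passwords and the dates are all constructed for the illustration.

```python
"""Check a password against a user's personal details and against a maximum age.

Added example, not code from Thycotic or the survey; profile, passwords and dates are constructed.
"""
import re
from datetime import date, timedelta

# Common "leet" substitutions undone before matching, so R3x and Rex compare equal.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy: rotate at least yearly
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample profile of the kind a social network exposes (assumed data).
SAMPLE_PROFILE = {
    "birthdate": "1985-04-12",
    "pet": "Rex",
    "children": "Emma, Liam",
    "street": "Maple",
}


def _candidate_forms(password):
    """Password lower-cased with symbols stripped, both as typed and with leet decoded."""
    raw = re.sub(r"[^a-z0-9]", "", password.lower())
    decoded = re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET))
    return {raw, decoded}


def profile_tokens(profile):
    """Expand profile fields into the substrings a person is likely to reuse in a password."""
    tokens = set()
    for value in profile.values():
        value = str(value)
        if ISO_DATE.match(value):
            # A birth date shows up as a year, day/month pair, or full date in several orders.
            d = date.fromisoformat(value)
            for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y"):
                tokens.add(d.strftime(fmt))
        else:
            for word in re.split(r"\W+", value):
                if len(word) >= 3:  # ignore initials and connectors
                    tokens.add(word.lower())
    return tokens


def personal_info_hits(password, profile):
    """Profile tokens that appear in the password after normalisation, sorted."""
    forms = _candidate_forms(password)
    return sorted(t for t in profile_tokens(profile) if any(t in f for f in forms))


def is_stale(last_changed, today, max_age=MAX_PASSWORD_AGE):
    """True if the password is older than max_age; both dates are ISO strings."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > max_age


def evaluate(password, profile, last_changed, today):
    """Collect findings; an empty list means the password passed both checks."""
    findings = [f"contains personal detail '{t}'" for t in personal_info_hits(password, profile)]
    if is_stale(last_changed, today):
        findings.append("older than one year")
    return findings


if __name__ == "__main__":
    for pw in ("R3x2017!", "Emma2012", "april1985", "Tr0ub4dor&3"):
        print(pw, evaluate(pw, SAMPLE_PROFILE, "2016-01-01", "2017-02-01"))
```

Matching is deliberately substring-based on the normalised password, so "R3x2017!" is caught by the pet's name even though it would pass a naive complexity rule; the trade-off is that short or generic profile words produce false positives, which is why tokens under three characters are dropped and why a real deployment would also screen against a breached-password list rather than personal details alone.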
These percentages show how vulnerable workplace accounts are, and how low a standard security professionals hold themselves to even as they continue to build security solutions for other organizations, the firm said.
“The fact that the people who are in the trenches of the day-to-day security for businesses are using weak passwords for their credentials is shocking and unacceptable,” said James Legg, president and CEO at Thycotic. “These survey results just go to show [. . .] how vulnerable a lot of people have made themselves and the companies they work for through being irresponsible with passwords. Without the proper solutions in place, companies are really at risk here.”
These results are particularly interesting in light of the fact that in 2016 alone, more than 3 billion user credentials/passwords were stolen—about 95 credentials and passwords stolen every second, according to Thycotic and Cybersecurity Ventures’ separate Password Report. By 2020, there will be more than 300 passwords to protect and every employee will be responsible for about 90 passwords.