ThreatList: People Know Reusing Passwords Is Dumb, But Still Do It

Even with data breaches regularly in the news, more than half of consumers are still reusing passwords.

More than half of people haven’t changed their password in the last year – even after they’ve heard about a data breach in the news.

That’s according to a recent survey, “Psychology of Passwords: The Online Behavior That’s Putting You At Risk,” that examined the online security and password behaviors of 3,250 global respondents – and found that people still employ an alarming number of very common and very risky habits, even though they know better.

Researchers said that password reuse was the biggest security faux pas being committed by respondents. In fact, password reuse has actually gotten worse over the years: When asked how frequently they use the same password or a variation, 66 percent answered “always” or “mostly” – which is up 8 percent from the same survey in 2018.

Worse, 91 percent of respondents said they know that using the same password (or a variation of it) is a risk, yet they do so anyway.

“Our survey shows that most people believe they are knowledgeable about the risks of poor password security; however, they are not using that knowledge to protect themselves from cyber threats,” said researchers with LastPass by LogMeIn, in a recent report.

In the wake of the COVID-19 health crisis, with stay-at-home orders pushing people to work from home and spend more time online than ever, protecting personal data on the internet is more crucial than ever, researchers said. People still underestimate how much of that data is stored online and do not take the precautions needed to keep it out of the hands of cybercriminals, who in the meantime have ramped up their activity to take advantage of this new dependence on conducting business and personal life online.


With breaches being disclosed daily – affecting large, popular brands like Macy’s and Marriott – why would consumers continue to reuse passwords? One reason is that people underestimate how valuable their information is, researchers explain. In fact, 42 percent of respondents said they think their accounts aren’t valuable enough to be worth a hacker’s time. When asked further about why they reuse passwords, 60 percent of users said they are afraid of forgetting their login information, while 52 percent said they want to “be in control” and know all of their passwords.

“People seem to be numb to the threats that weak passwords pose,” said researchers. “Technology like biometrics is making it easier for them to avoid text passwords altogether, and many people are simply comfortable using the ‘forgot password’ link whenever they get locked out of their accounts.”


When respondents do take security seriously, the majority prioritize their financial accounts over their email, medical records and work-related accounts. For instance, 69 percent of respondents said they would create stronger passwords for their financial accounts, and 62 percent said they have multi-factor authentication (MFA) enabled for those accounts. On the flip side, only 29 percent said they would create a stronger password for work-related accounts, and just 22 percent said they have MFA enabled for them.


The “password problem” has plagued the security industry for years. Poor password hygiene, including reusing passwords or picking easy-to-guess ones, greatly exacerbates many of the major issues in the cybersecurity landscape, as security experts such as Troy Hunt have long pointed out. Making matters worse, passwords keep surfacing online in major data breaches, yet victims are not changing those passwords on the other sites where they reuse them. The Collection #1 dump, which contained roughly 773 million unique email addresses and about 21 million unique passwords, and the Collection #2-5 dumps that followed, show just how many credentials circulate on the dark web and in underground forums.

“Respondents are protecting their work accounts at a lower rate than their personal,” said researchers. “We can see that security behaviors are flawed for personal data, and these bad habits extend into your business.”
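The two problems the article describes, credentials exposed in dumps like Collection #1 and the same password (or a variation of it) reused across sites, are exactly what a password-manager audit is supposed to surface. The following is an added example, not code from the survey, from LastPass or from any other product. The breach corpus and the vault are constructed sample data; the lookup mirrors the k-anonymity scheme used by the public Pwned Passwords range API (SHA-1, 5-hex-character prefix sent, suffix matched on the client) but is served from a local dictionary so it runs offline. The `normalize` rules for detecting “variations” (case folding, trailing year/digit/symbol suffixes, common leet substitutions) are this example’s own heuristics, not anything the survey defines.

```python
"""Offline password-reuse and breached-password audit (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breach corpus such as the Collection #1 dump.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!", "iloveyou"]

# Constructed stand-in for a password-manager vault: (site, password).
VAULT = [
    ("bank.example", "Tr0ub4dor&3-vault-x9"),  # unique
    ("mail.example", "Summer2019!"),           # reused verbatim and breached
    ("shop.example", "Summer2019!"),           # reused verbatim and breached
    ("work.example", "summer2020#"),           # a 'variation' of the same password
    ("forum.example", "letmein"),              # unique in the vault, but breached
]

# Leet substitutions collapsed by normalize(); both strings are the same length.
_LEET = str.maketrans("@$0!13", "asoile")


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: bucket hashes by 5-char SHA-1 prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw in passwords:
        h = sha1_upper(pw)
        prefix, suffix = h[:5], h[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def lookup_range(index, prefix: str) -> dict:
    """Server side: return the whole bucket for a prefix. The server only ever
    sees the 5-char prefix, which many unrelated passwords share (k-anonymity)."""
    return dict(index.get(prefix.upper(), {}))


def is_breached(index, password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    h = sha1_upper(password)
    return lookup_range(index, h[:5]).get(h[5:], 0) > 0


def normalize(password: str) -> str:
    """Collapse the 'variation' patterns the survey describes (case, a trailing
    year/digit/symbol suffix, common leet substitutions) into a core string.
    Heuristic chosen for this example; tune it to your own vault."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())  # 'Summer2019!' -> 'summer'
    return core.translate(_LEET)                         # 'p@ssw0rd'    -> 'password'


def audit_vault(entries, index):
    """Return (exact_reuse, variant_reuse, breached) for a list of (site, password).

    exact_reuse:   password -> sites using it verbatim (only groups of 2+)
    variant_reuse: normalized core -> sites whose passwords share it (2+)
    breached:      sorted sites whose password appears in the breach corpus
    """
    exact = defaultdict(list)
    variants = defaultdict(list)
    breached = []
    for site, pw in entries:
        exact[pw].append(site)
        variants[normalize(pw)].append(site)
        if is_breached(index, pw):
            breached.append(site)
    exact_reuse = {pw: sites for pw, sites in exact.items() if len(sites) > 1}
    variant_reuse = {core: sites for core, sites in variants.items() if len(sites) > 1}
    return exact_reuse, variant_reuse, sorted(breached)


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    exact_reuse, variant_reuse, breached = audit_vault(VAULT, idx)
    for sites in exact_reuse.values():          # never print the passwords themselves
        print(f"same password reused verbatim on: {sites}")
    for sites in variant_reuse.values():
        print(f"variations of one password on: {sites}")
    print(f"password found in breach corpus for: {breached}")
```

Running the script reports that mail.example and shop.example share one password verbatim, that work.example uses a variation of it, and that three sites’ passwords are in the breach corpus. The point of the prefix/suffix split is that a client can check a vault against a corpus of hundreds of millions of leaked hashes while disclosing only five hex characters per password; a real deployment would call the range endpoint over HTTPS and use the returned counts to rank how widely a password has leaked.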

Elizabeth Montalbano contributed to this article.



Discussion

  • Arjen Lentz on

    People not changing their pwds if it's not required is not a problem per se; it depends on how secure the password is (and is allowed to be) on the particular system, and also whether those credentials are re-used elsewhere. The NIST guidelines clearly explain that requiring people to change their passwords, say, every three months does in fact decrease security, because there'll be more bad passwords and re-use of common patterns. MFA is good; however, what's missing from this survey is whether people use password managers. When a pwd manager is used, this can reduce re-use and make it easy for people to use good complex passwords (since the human does not need to remember them).
  • Anonymous on

    Mansplainer up here.
