HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

1 in 3 Americans Have Tried to Guess Someone’s Password and 3/4 Succeeded

A recent study conducted on more than 1,000 Americans has revealed one in three Americans have attempted to guess someone else’s password. Worryingly, in 73% of cases, that attempt to guess the password was successful.

Unsurprisingly, survey participants were most interested in guessing the password of a romantic partner, which accounted for 43.7% of attempts to guess a password. 40.2% of respondents said they attempted to guess the password of a parent. Worryingly, 21.7% of respondents said they had attempted to guess the password of a work colleague and 19.9% had attempted to guess the password of their boss.

The study, conducted by Beyond Identity on 1,015 individuals in the United States, provides insights into the password practices of Americans and confirms what security experts are all too aware of: people are bad at choosing passwords. Many people are aware of how to create a strong password that is difficult to guess, but they still opt for a memorable password that they are unlikely to forget, and it is common for passwords to consist of personal information that is known to others. 1 in 10 respondents to the survey thought their password could be guessed from looking at their social media profiles.

When asked about successful attempts to guess passwords, 39.2% of respondents said they guessed the password using information they knew about the person. 18.4% said they used information they found in social media profiles, 15.6% checked personal files or records, and 12.8% said they asked friends or loved ones for information. In 9.2% of cases, respondents were able to correctly guess the answer to a security question.

The survey indicates many people have a false sense of confidence about the strength of their passwords and how easy they are to guess, especially considering 23.1% of respondents said their personal email account had been compromised and 17.9% said they had experienced compromised or hacked online banking accounts.

In many cases, it is not necessary to guess a password as many people are willing to share their passwords with others. Across all account types, one in three people admitted to sharing their password with another person. The sharing of a password for a video streaming site was most common, but 26.9% of people said they shared the password for a personal email account and 25.7% of respondents said they shared a password for an online banking account.

When asked about the creation of a generic password, the average password length was 15 characters and 37% of people said they use random letters, with 30.7% replacing letters with random characters. Bad password practices were highly evident from the survey. More than a quarter (27.4%) of respondents used the name of a pet for their password, a fifth used either their birth year or a child’s name for a password, and alarmingly, 18.7% of people used their own name for their password. It was also common for sequential letters/numbers (17.3%), birthdates (15.2%), and the name of a spouse (14.7%) to be used.

There are tools available that can help people generate strong passwords, but 37.6% of people said they never use password generators for their accounts, especially baby boomers, half of whom said they never use a password generator. When a password generator was used, it was most commonly used for sensitive accounts such as online banking (32.4%) or work-related accounts (28.7%). Gen Xers were the most likely age group to use a password generator.

The use of a password manager solution is the easiest way to generate secure passwords for all accounts, and it solves the problem of passwords being difficult to remember: only one master password for the account needs to be remembered. These solutions are low cost and can greatly improve security, with some providers – Bitwarden and LastPass for example – even offering free versions of their solutions. However, according to one survey, almost half of Americans said they would never use a password manager and only 22.5% of Americans currently do. The main reason for not using a password manager is a lack of trust in the password management company, even though many operate under the zero-knowledge model and do not have access to users’ password vaults.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.