
75% of Users Admit Taking Risks with Passwords

According to the Verizon Data Breach Investigations Report, 80% of successful data breaches are due to the use of compromised passwords. Although password best practices are widely understood, people still take considerable risks with their passwords, continue to use weak passwords to secure their accounts, and fail to follow password best practices.

Common poor password practices include setting passwords that are easy to remember, including dictionary words, memorable dates, and personal information that is easily obtained from social media sites. Passwords are often reused on multiple platforms, which means if a password is guessed or otherwise obtained, all accounts that are protected with that password are at risk. Password reuse on multiple sites is exploited in credential stuffing attacks, where the username and password obtained in a data breach on one platform are used to try to access accounts on unrelated platforms. Passwords are often reused for business and personal accounts, and even when unique passwords are set for each account, they are often just variations of the same password.
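Credential stuffing, as described above, leaves a recognisable trace in authentication logs: one source tries many different usernames in a short period, most attempts fail, and the few successes are the accounts whose reused passwords matched. The following is an added example, not code from The HIPAA Journal or the Verizon report, that flags that pattern over a set of constructed log lines. The log format, the 5-minute window, the threshold of 10 distinct usernames and the 80% failure rate are all assumptions; a real deployment would tune them to its own traffic.

```python
"""Credential-stuffing detection over authentication logs (added example).

Flags source IPs that attempt logins against many distinct usernames with a
high failure rate inside a short window, and lists the accounts that were
successfully logged into from that source so they can be reset. The log
format and all thresholds below are assumptions, not a real product's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> login <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-06-01T10:00:01 203.0.113.7 login alice FAIL
2024-06-01T10:00:02 203.0.113.7 login bob FAIL
2024-06-01T10:00:02 203.0.113.7 login carol FAIL
2024-06-01T10:00:03 203.0.113.7 login dave SUCCESS
2024-06-01T10:00:04 203.0.113.7 login erin FAIL
2024-06-01T10:00:05 203.0.113.7 login frank FAIL
2024-06-01T10:00:06 203.0.113.7 login grace FAIL
2024-06-01T10:00:07 203.0.113.7 login heidi FAIL
2024-06-01T10:00:07 203.0.113.7 login ivan FAIL
2024-06-01T10:00:08 203.0.113.7 login judy FAIL
2024-06-01T10:00:09 203.0.113.7 login mallory FAIL
2024-06-01T10:00:10 203.0.113.7 login oscar FAIL
2024-06-01T10:01:00 198.51.100.4 login alice FAIL
2024-06-01T10:01:05 198.51.100.4 login alice FAIL
2024-06-01T10:01:09 198.51.100.4 login alice SUCCESS
2024-06-01T10:05:00 192.0.2.9 login bob SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=10, min_fail_rate=0.8):
    """Return {ip: summary} for every source IP that, within any single window,
    tried at least `min_users` distinct usernames with a failure rate of at
    least `min_fail_rate`. Per IP, the reported window is the one with the
    most distinct usernames. A single user failing repeatedly from one IP
    (a forgotten password, or a targeted guess) does not match."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            qualifies = len(users) >= min_users and fails / len(win) >= min_fail_rate
            if qualifies and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Accounts that were entered from this source: their reused
                    # password matched, so they need a reset and session revocation.
                    "successful_users": sorted(u for _, u, ok in win if ok),
                }
        if best:
            alerts[ip] = best
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts successfully logged into from flagged sources."""
    return sorted({u for a in alerts.values() for u in a["successful_users"]})


if __name__ == "__main__":
    found = find_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(found))
```

Only 203.0.113.7 is flagged: twelve usernames in under ten seconds with eleven failures. The host that failed twice on one account before succeeding is not flagged, which is the point of keying the rule on distinct usernames rather than on raw failure counts. The one account entered from the flagged source (`dave`) is the one whose password was evidently reused elsewhere and should be reset.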

A recent survey of 8,000 individuals in the United States, United Kingdom, France, and Germany by Keeper Security showed just how common it is for people to take shortcuts with password security, putting their personal and work accounts at risk. Almost three-fourths of respondents to the survey admitted to not following industry-recommended password practices, with only 25% of respondents saying they set strong, unique passwords for all of their accounts. 34% of respondents said they use variations of the same password for multiple accounts, and 30% said they set simple passwords for their accounts that are easy to remember, even though they are also easy to guess.

Even individuals who claimed to have a good understanding of password best practices and thought their passwords were well managed still failed to practice good password hygiene. 44% of individuals who thought their passwords were well managed used variations of the same password for different accounts. Overall, 64% of respondents admitted to using weak passwords or variations of the same password for their accounts. More than one-third of respondents said they feel overwhelmed about taking action to improve cybersecurity and 10% of respondents admitted to neglecting password management entirely.


With 80% of data breaches stemming from compromised credentials, and one in five respondents admitting that at least one of their passwords was known to have been compromised in a data breach and was available on the dark web, it is clear that poor password practices are not just a hypothetical risk. They are commonly exploited by threat actors to gain access to accounts and sensitive data.

While more than half (51%) of respondents said they thought cybersecurity was easy to understand, around half of those individuals still followed poor password practices, suggesting a significant number of individuals either overestimate their knowledge of cybersecurity or are willfully taking risks with passwords. 41% of respondents said they find cybersecurity difficult to understand, but 32% said they still take steps to protect themselves – more than the 25% of people who claim to have a good understanding of cybersecurity and take steps to protect themselves. The survey suggests that individuals who feel overwhelmed by cybersecurity tend to practice poor password hygiene, and that the more an individual knows about cybersecurity, the more likely they are to feel overwhelmed.

Training tends to hammer home the message that it is vital to create a strong, unique password for each account, yet fails to give individuals the tools they need to adopt good password practices in a manageable way. Since most people have huge numbers of accounts to secure, they would need to remember dozens or hundreds of unique passwords, and that simply isn’t possible without taking shortcuts. The simple solution is to provide a password manager that can generate strong and unique passwords, store them securely, and auto-fill them when they are needed, or to implement a single sign-on solution that only requires users to set one strong and unique password.

Since it is difficult to eliminate poor password practices entirely, multifactor authentication should also be implemented so that if a password is guessed or otherwise obtained, it will not grant access by itself. The HHS’ Office for Civil Rights recently stressed the importance of multifactor authentication for improving password security in its June Cybersecurity Newsletter.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
