Poor Password Practices Persist Among Online Users: Study

Despite the need for strong passwords, many users fail to follow best practices due to overwhelming account diversity and a lack of cybersecurity awareness.

Three out of four online users in the United States and Europe are putting themselves at risk of being hacked due to poor password practices, according to a study released Tuesday by a password management solutions provider.

The study by Keeper Security, based on a survey of 8,000 people in the United States, United Kingdom, France, and Germany, found that 75% of the respondents admitted they don’t adhere to password best practices, while nearly two-thirds (64%) acknowledged they’re using weak passwords or repeat variations of passwords to protect their online accounts.

“In order to analyze people’s personal cybersecurity hygiene, we asked which animal they would identify with in regard to their cybersecurity behaviors,” Darren Guccione, CEO and co-founder of Chicago-based Keeper, explained in a statement.

“With over one in four people describing themselves either as an ostrich burying their head in the sand, careless as a bull in a china shop, or a possum paralyzed with fear, the industry clearly still has much work to do to get more people comfortable with cybersecurity and better protected as a result,” he added.

At first glance, the Keeper report noted, these results may come as a shock, especially to those in the cybersecurity industry who have been touting these simple best practices for years.

However, the report continued, when considering that more than one in three people (35%) globally admit to feeling overwhelmed when it comes to taking action to improve their cybersecurity, and one in 10 admit to neglecting password management altogether, the results are much less of a surprise.

Diverse Accounts, Ignorance Yield Poor Password Hygiene

According to information security professionals, various reasons contribute to the low rate of compliance with principles of good password hygiene. “In general, password behaviors are terrible,” maintained John Gilmore, head of research at DeleteMe, a privacy service in Boston that helps users remove their personal information from data broker websites.

“Report after report has shown that less than half of the general public follows every rule for password safety properly,” he told TechNewsWorld.

“The simple answer to why they don’t is the diversity of accounts that have to be maintained in the modern world,” he said. “Twenty years ago, most people had three or four online accounts. Now they have to manage social media, work, conferencing, learning, and others. Ever since the pandemic hit, the number of accounts people have has exploded.”

Ignorance is also a reason for sloppy hygiene. “There is a lack of cybersecurity awareness, with many individuals unaware of the importance of strong passwords and the risks of weak ones,” Marcus Scharra, Co-CEO and co-founder of Senhasegura, a provider of privileged access solutions in Sao Paulo, Brazil, told TechNewsWorld.

“Despite all of the information out there on the importance of strong passwords and enabling MFA [multifactor authentication], the average user doesn’t understand why,” added Guy Bauman, CMO and co-founder of IronVest, an account and identity security company in New York City.

“They aren’t necessarily aware of the fraud industry, how it works, and how their compromised account logins are being sold for peanuts on the dark web,” he added.

Password Overload

Inconvenience is another factor influencing password management behavior, noted James E. Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit organization devoted to minimizing risk and mitigating the impact of identity compromise and crime, in San Diego, Calif.

“People have, in many cases, nearly 100 different passwords they’re trying to keep track of,” he told TechNewsWorld. “There’s just no way an individual can remember all of them.”

Robert Hughes, chief information security officer at RSA, a cybersecurity company in Bedford, Mass., pointed out that the framing of the compliance question to the respondents could have made the situation seem bleaker than the actual reality.

“People have dozens of passwords, so whether they can say they use unique passwords on all accounts might have impacted how some people answered that question,” he told TechNewsWorld.

“But generally,” he continued, “it’s difficult for users to keep track of their passwords when they’re expected to have a different password for every application they use.”

“Without using a password manager,” he added, “I’d say that I can’t believe that anyone really has unique, strong passwords everywhere.”

Using a password manager is an ideal way for users to protect themselves, maintained Keeper CTO and co-founder Craig Lurey.

“Along with creating and storing strong and unique passwords for all digital accounts, a password manager can offer protection against phishing attacks and malicious links because it will not fill credentials if the URL doesn’t match what’s in the user’s vault,” he said in a statement.

“A password manager can also be paired with dark web monitoring so users can stay abreast of all account information and act immediately if credentials are compromised,” he added.

Password Practices Need Work

Keeper also found that more than a third of the respondents (36%) believed all their passwords were well-managed. But of those who thought their passwords were well-managed, only one in three followed best practice advice to use strong and unique passwords for all their accounts.

This gap suggests those surveyed are still unaware of what good password practices are or are overconfident when it comes to their cybersecurity, the report deduced. Most likely, it’s a mix of both, it added.

Scharra suggested two factors contributing to the disconnect between perceived and actual secure password management. “Users may lack visibility into password security practices,” he said. “They may not have access to tools or feedback on the risks of password reuse. This leads them to assume their current practices are sufficient.”

“Some users may also overestimate their password management abilities, believing that reusing passwords or making slight variations is secure enough,” he added.

There’s no shortage of advice when it comes to cybersecurity, but our survey shows the onslaught of information available has become overwhelming for more than a third of people around the globe, the report noted.

“While respondents tell us they believe strong passwords are the single best way to achieve personal cybersecurity, the majority fail to implement industry-recommended password protection practices in their daily lives,” it continued.

“And despite our findings,” Keeper added, “that three in four people do not adhere to password best practices, most believe cybersecurity is easy to understand.”

“Now is the time to bridge that gap,” it declared.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.