Australians are more fastidious than those in other countries about separating work and personal passwords – and more careful than many in protecting sensitive data like healthcare accounts – but use of secure passwords remains uncommon, according to new figures, and high rates of password reuse suggest that we still aren’t learning to protect sensitive information right.
Collated in time for the global commemoration of World Password Day on May 3, the figures – collected by research firm Lab42 and collated in LogMeIn’s newly-released Psychology of Passwords report – painted a dismal picture of users’ security practices overall.
Only 55 percent said they would update the password for an account even if it had been hacked. Indeed, password habits were largely unchanged from two years ago, with 53 percent of the 2000 global respondents reporting that they had not changed their passwords in the past 12 months.
Remembering to remember
And while 72 percent said they feel informed on password best practices, 64 percent said the most important thing about passwords is having one that’s easy to remember. Fully 38 percent reset their passwords every few months because they can’t remember them.
Australians were better on this count, with just 54 percent saying they prefer secure passwords over those that are easy to remember. Yet Germans were well ahead of the pack, with 74 percent preferring secure passwords.
The report links password practices to personalities, which may also explain the cultural variations. It also acknowledges the ongoing difficulties in changing behaviour, noting that “the rise of cyber attacks has not resulted in meaningful password behaviour shifts… the burden sits with organisations to make password creation and management an automated and simplified experience.”
Poor password practices can have a direct impact on the likelihood of a successful data breach: fully 12 percent of the incidents investigated in Verizon’s Data Breach Investigations Report (DBIR) 2018, for example, involved privilege misuse while 22 percent involved the use of stolen credentials – the most common practice in confirmed breaches. Fully 20 percent of reported incidents involved privilege misuse.
Just as the DBIR found widespread inertia around awareness of ransomware, backup practices and DDoS recovery practices, the widespread failure to improve password practices highlights the continuing exposure that companies face from human-created problems.
A timely reminder
Security practitioners took the occasion of World Password Day to issue what have become quite predictable reminders about the need to instil better password practices in users.
“You wouldn’t live in a house without a door and expect your TV to still be there when you get home,” noted Vault Systems founder and CEO Rupert Taylor-Price, who hopes the event will give people “a reason to step back and re-assess how secure their data truly is and to analyse where they can apply further security measures. Passwords are the first line of defence against intruders that try and access sensitive information.”
Two-factor authentication (2FA) also provides an important second layer of control, but judging by the LastPass results most users are still struggling to get their heads around the same basic password security concepts that CSOs and industry figures have been shouting about for years.
Even though 91 percent of respondents said they know using the same passwords for multiple accounts is a security risk, some 59 percent said they mostly or always use the same password. And while Australians were better on that count – 36 percent of Australians have reused passwords – they were still victims of human uncertainty, with 60 percent admitting that they do it because they’re worried that they will forget their passwords in the future.
To their credit, Australians were more careful about protecting work systems: while just 19 percent of global respondents said they create more-secure passwords for work systems than home systems, 59 percent of Australians said they create secure passwords for both personal and work accounts.
This was higher than the 52 percent of respondents in France – who were also less concerned (30 percent) about protecting healthcare accounts with strong passwords than Australians (50 percent).
Nick FitzGerald, a senior research fellow at ESET, warned about the dangers of password reuse, noting that World Password Day “is a timely reminder that one of the most effective steps people can take, online, to protect themselves and the companies they work for Is also one of the simplest.”
“While there is increasing awareness of the importance of creating strong passwords, people still feel overwhelmed by the number of devices they have to manage and passwords they have to remember.”
FitzGerald advises users to close accounts that aren’t regularly used; treat accounts differently based on the type of data they contain; to use a passphrase instead of a password; and to use a password manager.