Consumer password habits: Concerning, but not surprising

June 26, 2020

Whether it’s a sticky note, a phone app, or keeping a password saved on your computer, we don’t always take all the precautions that we should to keep our password a secret from others. But password habits are more than just how people hold onto their passwords. Password habits, and protection, are a two-way street. An example of good password habits from the organization side is highlighted by the Twitter bug (a bug that was found on World Password Day, nonetheless). In early May 2018, Twitter released a blog about a bug that stored passwords in plain-text, and soon after they had to send out notices to all 336 million users. Twitter’s blog included some ideas for users to follow after the incident: users should change their password, use a strong and unique password, implement two-factor authentication, and use a password manager. Twitter’s advice in 2018 is nothing new when it comes to keeping accounts safe from unauthorized individuals. Though this is what is preached, it is rarely what is practiced. I mean, how often do you do any of the above ideas (unless an application forces you to do so)? Probably not a whole lot. Consumers take these suggestions as they are, simply suggestions. Instead of implementing any of the suggestions, consumers are using the same password across multiple platforms, they don’t change them when it’s suggested, and people are still using easy-to-crack passwords. Reports from multiple sources show that people aren’t likely to change their passwords even when faced with a threat. In fact, only 1 in 5 Americans said they would change their password after finding out about a hack or bug.

Password habits

Digital Guardian surveyed 1,000 people on their password security habits. Nearly 90% of those surveyed felt like their current password management and use habits were secure, but over half of the same people admitted to using the same exact password across multiple websites. What’s worse is that 11% used the same password on every single account they had in their name. Password security habits are hard to break, and it doesn’t get better when it was found that 35% of people said they prioritize convenience over a secure, protected password. Lastly, people really only changed their passwords is because they forgot it; other than that, less than 20% of people will only change their password if they’re notified of a weakness or breach. To distill that into one sentence: people don’t take their passwords seriously and they will only change it under rare and specific reasons; however, these people still expect organizations to take care of their passwords and sensitive information. The deeper issue of password habits is that far too many users continue to rely on outdated practices that place their security at risk (e.g. writing down a password on a sticky note, or using easily guessed passwords). Keep in mind many people do not assume responsibility for having a weak, or crackable password. One of the most alarming aspects is that many people aren’t even aware of how risky their password habits are, or if they are, they accept the risks and simply take the easier, less secure route. Taking this easier route sacrifices security for the sake of convenience and is one of the most pervasive and risky behaviors in the digital security world.

Consumer beliefs

There is an obvious disconnect between what consumers expect from organizations and what consumers actually do regarding password security. In other words, consumers don’t trust modern institutions to protect their personal data, even though they rarely implement password security best practices in their own lives. A Pew Research Center study found that a majority of consumers simply expect that a cyberattack will happen in their future and that they don’t trust that enterprise organizations can actually protect their passwords or sensitive information from bad actors. In fact, 70% of consumers are worried about being the target of some sort of cybercrime, and in particular that an unauthorized individual will gain access to their sensitive information. The disconnect continues when thinking about the idea that consumers aren’t doing all that they can to protect themselves from cyberattacks. It seems that consumers continually expect that their weak password is an impenetrable wall that keeps out anyone with malicious intent. But that just isn’t the truth. Something must be done to bridge the gap between consumers and organizations in terms of password security habits.

Organizations: Make demands, not suggestions

To continue off of the Twitter example (on National Password Day) that led to passwords being stored in plain-text. One of the biggest pieces of criticism of their response was dished by Wired. Wired pointed out that Twitter made changing their passwords optional instead of mandatory. For Twitter to take this route it could make consumers think that they aren’t that apologetic about what happened and that they aren’t taking the steps necessary to protect sensitive information. It seems like every breach, bug, or ransomware attack leads to organizations offering suggestions to consumers to improve security. These suggestions are usually helpful, but they are rarely implemented by end users. Instead of making suggestions, organizations need to make sure that their consumers are doing everything they can by demanding what is necessary for the safety and privacy of both the consumer and the organization.

Best password practices to implement

  • Require strong passwords (with numbers/characters).
  • Implement two-factor or multi-factor authentication.
  • If breached, all passwords must be reset. Merely suggesting this as a plan of action lets many consumers to just ignore it.
  • Have passwords expire every 90 days so that people are continuously updating their passwords.
  • Practice what you preach. All password best practices should be used by internal and external employees.

Sure, not all passwords are "created equally", but if you use the same password for your bank account as you do for social media, you're going to run into some problems. In fact, check out our blog that highlights this alarming stat: 80% of hacking-related breaches leverage compromised credentials.