May 8, 2018 By Douglas Bonderud 2 min read

Even though password security is a top priority for organizations, only 55 percent of users would change their credentials after a breach. That’s the sobering state of affairs detailed in “The Psychology of Passwords: Neglect Is Helping Hackers Win,” a new report from password management firm LastPass.

And bad habits don’t stop there. The report also found that 59 percent of respondents use the same password across multiple accounts. Despite the rising costs of data breach recovery and ongoing, large-scale compromises, LastPass found that “password behaviors remain largely unchanged from two years ago.”

A Persistent Problem

Companies around the world and across all sectors are struggling to protect user passwords. As noted by Wired, Twitter recently disclosed that it had inadvertently stored unencrypted (plaintext) passwords in an internal system. While Twitter normally hashes user passwords with bcrypt, a bug in its hashing process caused the plaintext credentials to be written to that internal system and retained even after hashing was complete.
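The incident above turns on two separate controls: passwords must be stored only as salted, slow hashes, and the plaintext must never be written anywhere else on the way there. The following is an added Python example, not Twitter's or LastPass's code. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so that it runs without third-party packages (bcrypt or Argon2 would be the production choice), and the redaction helper, the sensitive key names and the in-memory log are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here so the example runs
# with the standard library alone; the storage and logging discipline is the same.
ITERATIONS = 200_000


def hash_password(password: str) -> dict:
    """Return only what a credential store should keep: salt, parameters, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Constructed list of field names that must never reach a log or debug store.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password", "secret"}


def redact(event: dict) -> dict:
    """Replace sensitive fields before the event is persisted anywhere."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in event.items()}


def handle_password_change_unsafe(user: str, new_password: str, log: list) -> dict:
    """The failure mode: the request is logged whole, so plaintext survives hashing."""
    record = hash_password(new_password)
    log.append({"event": "password_change", "user": user, "password": new_password})
    return record


def handle_password_change(user: str, new_password: str, log: list) -> dict:
    """The hardened form: the same event is logged, but only after redaction."""
    record = hash_password(new_password)
    log.append(redact({"event": "password_change", "user": user, "password": new_password}))
    return record


def plaintext_leaked(log: list, secret: str) -> bool:
    """Detection check a test suite can run: does the secret appear in any log entry?"""
    return any(secret in str(entry) for entry in log)


if __name__ == "__main__":
    unsafe_log, safe_log = [], []
    pw = "constructed-sample-password"
    rec_unsafe = handle_password_change_unsafe("alice", pw, unsafe_log)
    rec_safe = handle_password_change("alice", pw, safe_log)
    print("unsafe path leaks plaintext:", plaintext_leaked(unsafe_log, pw))
    print("safe path leaks plaintext:  ", plaintext_leaked(safe_log, pw))
    print("verify correct password:    ", verify_password(pw, rec_safe))
    print("verify wrong password:      ", verify_password("wrong", rec_safe))
```

The `plaintext_leaked` check is the part most worth borrowing: a unit test that drives the password-change path and then asserts the secret is absent from every log sink catches exactly the class of defect described above, regardless of which hashing library sits underneath.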

Although the company said it doesn’t believe the information was accessed or used by cybercriminals, it advised all users to change their passwords for good measure. As noted by the LastPass report, however, just over half of users are likely to comply.

Also problematic is the common practice of employees sharing passwords for internal resources using tools such as Trello. According to Krebs on Security, simple web searches revealed “unprotected personal Trello boards that listed employer passwords and other sensitive data.”

This lines up with LastPass data, which found that, while 5 million records are compromised every day, it still takes organizations an average of 66 days to contain a breach. Posting passwords on public collaboration forums makes containment that much more difficult.

The Password Security Paradox

As noted by TechRepublic, the new report “confirms the paradoxical views many people have about passwords and highlights alarming trends in personal online security.” For example, 90 percent of users said they believe their online accounts are at risk regardless of the strength of their passwords, and 91 percent recognize that password reuse heightens this risk. Meanwhile, 39 percent reported that they would never change their password if they were not required to do so.

Users also underestimated their total number of online accounts. While 79 percent of those asked said they had between one and 20 online accounts, LastPass found that, on average, employees were responsible for 191 passwords. Still, 59 percent of respondents said they mostly or always use the same password for different accounts, 51 percent don’t believe that cybercriminals can figure out their password, and 21 percent said they don’t see a problem with repeating the same password across accounts.

There’s a gap between user belief and behavior. Ninety-two percent of respondents said password security was a “serious matter,” yet 61 percent said they refuse to change passwords for fear of forgetting their login information.

Sandor Palfy, chief technology officer (CTO) of identity and access management at LastPass parent company LogMeIn, put it simply: “The cyberthreats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action.”
