Most people are still picking bad passwords, probably because they rely on web services more than ever.
LastPass, a password management software vendor, found in a study of the psychology of password behavior that many people still re-use passwords across accounts. That’s bad because if a hacker obtains the credentials for one account, they can break into every other account that shares the same password. And that’s just one of the many risks that come with poor password choices for online accounts.
LastPass found that while 92% of the 3,750 people surveyed know that using the same password is a risk, 65% re-use passwords across accounts. It also found that 45% of respondents didn’t change their passwords in the last year, even after being affected by a data breach. And attitudes towards passwords vary by application: while 68% of respondents would create stronger passwords for financial accounts, only 32% said they would create strong passwords for work-related accounts.
Most users are creating passwords based on personal information that may be publicly available, like a birthday or home address, the company said, and noted that only 8% of respondents said a strong password “should not have ties to personal information.”
With so many accounts to remember, it’s perhaps no surprise that too many people pick one password and use it for every online account.
For example, most people don’t know about password spraying, where attackers try common dictionary passwords against many online accounts and eventually get into a few of them. Cybercriminals use password spraying, as do state-sponsored hackers, because it works and it’s cheap.
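As an added illustration that is not part of the article or of LastPass’s own material, here is the defender-side check for the trace password spraying leaves in authentication logs: one source failing against many distinct accounts in a short window, unlike a single user mistyping their own password. The log line format and the sample events are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events (not real data): one source
# tries a handful of common passwords across many accounts, the hallmark
# of password spraying, while another source is one user mistyping.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03Z FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05Z FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07Z FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09Z FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11Z OK   user=frank src=203.0.113.7
2024-05-01T09:01:00Z FAIL user=grace src=198.51.100.4
2024-05-01T09:01:02Z FAIL user=grace src=198.51.100.4
2024-05-01T09:01:04Z FAIL user=grace src=198.51.100.4
2024-05-01T09:01:06Z OK   user=grace src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse(log):
    """Yield (timestamp, outcome, user, src) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Return {src: set(users)} for sources that failed against at least
    min_users distinct accounts inside a sliding window. A brute force
    against one account hits the same user repeatedly and is not flagged."""
    events = defaultdict(list)  # src -> [(ts, user)] for failures only
    for ts, outcome, user, src in parse(log):
        if outcome == "FAIL":
            events[src].append((ts, user))
    alerts = {}
    for src, fails in events.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = users
                break
    return alerts
```

The thresholds are assumptions to tune per environment; the same logic ports directly to a SIEM query grouping failed logins by source and counting distinct accounts.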
The company advises people should use “nonsensical phrases peppered with numbers and symbols as opposed to individual words to make your passwords longer, stronger, and easier to remember while also making them more difficult for hackers to crack.”
This advice lines up with the UK’s National Cyber Security Centre’s (NCSC) recommendation that people choose three random words to create a password.
The agency also reckons people who don’t want to use password manager software can safely write a password down on paper because it’s offline. Microsoft is trying to make the world passwordless by giving users the option to remove passwords as a login tool using standards like FIDO2 and hardware tied to Windows Hello biometric authentication. Two-factor authentication can also help boost protection so that attackers need more than just a password to access a service. But even with steps forward like that there are still an awful lot of services out there, simply secured by passwords — which means choosing wisely is still very important.