LastPass, a password management software company, recently conducted a survey on password behavior. They surveyed 3,250 global respondents, and the results reveal poor password hygiene.
Nearly half (44%) of the respondents stated that they reuse passwords, or close variants of them, on multiple sites. While most (91%) said they know they should not do this, it still happens. Some people feel that remembering a different password for every site is impossible, especially when a few wrong guesses lock them out of an account. Others (41% of respondents) feel their accounts are not worth much to hackers, so why bother.
However, if a breach exposes one password, an attacker can try that same email-and-password pair on other sites (a technique known as credential stuffing) and will likely get in wherever it was reused. Maybe an Amazon account doesn't seem like too big of a deal, but a banking account is something entirely different!
Remembering passwords is hard; 60% said they were afraid of forgetting their login information. And 54% said they memorize them, which does not work out so well when trying to recall which password goes with which account. Another 25% said they reset their passwords about once a month because they keep forgetting them.
That means if people aren't reusing their passwords, they are probably writing them down somewhere. Hopefully not on sticky notes on their monitors or desks. That is another disaster waiting to happen: anyone walking by can take a quick picture for later use.
Another problem is that people tend to ignore or forget about breaches. Over half (52%) said they haven't changed their passwords in the last 12 months, even after a known breach. This may go back to the fact that many people don't think their accounts matter that much to anyone other than themselves.
A third issue is that we as a species are very predictable; we are creatures of habit, like our routines, and for the most part don't like change. About a quarter of respondents (22%) said they could guess their significant other's passwords. Of course, when people use “password1234”, that makes it easy for a person to guess and trivial for a cracking tool to guess on an attacker's behalf. People generally put sentimental things in their passwords, like their dog's name, their kids' birthdates, or their anniversary. The anniversary one does double duty for people who forget to buy their significant other a gift once a year.
The issue with such passwords is that a lot of this information is public knowledge, or easily found online through social media and people-search sites, which means it can be guessed by a person or fed straight into a targeted wordlist.
Not everything is doom and gloom. Respondents are using multi-factor authentication (MFA) on personal accounts (54%) and banking accounts (62%), and 65% use biometrics. MFA is used far less on business accounts (37%). Also, 69% of respondents use stronger passwords on their banking accounts and 47% on their email accounts.
The information from this LastPass survey can help guide password best practices. Another good resource is NIST SP 800-63B, Digital Identity Guidelines, which covers what a password (a “memorized secret” in NIST's terms) should look like: at least 8 characters, screened against a blocklist of common and breached passwords, no forced composition rules, and no periodic expiration unless there is evidence of compromise.
Last but not least, a friendly reminder to change those default passwords on devices and applications. They are easy finds and something our penetration testers look for on a regular basis.
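To make the NIST SP 800-63B guidance and the default-password reminder concrete, here is an added example (written for this post, not code from LastPass or from NIST) of the screening a registration or password-change form can run. It rejects the kinds of passwords the survey describes: blocklisted strings such as “password1234”, leetspeak variants of them, pet names and other personal terms, four-digit years, and character runs. The blocklist and default-credential table are small constructed stand-ins; a real deployment would check against a full breached-password corpus (for example the Have I Been Pwned Pwned Passwords list) and a per-product default list. The year heuristic is this example's own addition and is not something SP 800-63B requires.

```python
import re

# SP 800-63B: a subscriber-chosen memorized secret must be at least 8 characters.
MIN_LENGTH = 8

# Constructed stand-in for a real common/breached-password list (lowercase).
COMMON_PASSWORDS = {
    "password", "password1", "password123", "password1234", "123456",
    "12345678", "qwerty", "letmein", "welcome", "iloveyou", "abc123", "admin",
}

# Constructed stand-in for a vendor default-credential list: (username, password).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "toor"), ("admin", "1234"),
}

# Common leetspeak substitutions, undone before the blocklist comparison.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Lowercase, drop trailing digits/symbols, undo leetspeak.
    'P@ssw0rd2023' -> 'password', so appending a year does not defeat the blocklist."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(_LEET)


def has_run(password, length=4):
    """True if any window of `length` characters is all the same ('aaaa') or a
    straight ascending/descending code-point sequence ('1234', 'dcba')."""
    s = password.lower()
    for i in range(len(s) - length + 1):
        codes = [ord(c) for c in s[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password, username="", service="", personal_terms=()):
    """SP 800-63B-style screening. Returns a list of rejection reasons;
    an empty list means the password is acceptable. Note that there are no
    composition rules here (no 'must contain a symbol'), per the guideline."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short: fewer than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    # Blocklist check on both the raw value and the de-leeted core.
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("blocklist: matches a common or breached password")
    # Context-specific words: the username, the service name, and anything the
    # caller knows about the user (pet names, family names, ...).
    for term in (username, service, *personal_terms):
        if term and len(term) >= 3 and term.lower() in lowered:
            reasons.append("context: contains %r" % term)
    if has_run(password):
        reasons.append("pattern: repeated or sequential characters")
    # Heuristic added in this example (not from SP 800-63B): a four-digit year
    # is usually a birthday or anniversary, exactly the guessable material
    # the survey describes.
    if re.search(r"(19|20)\d\d", password):
        reasons.append("pattern: contains a four-digit year")
    return reasons


def is_default_credential(username, password):
    """True when the pair is a known vendor default, the first thing a pentester tries."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


if __name__ == "__main__":
    samples = ("password1234", "Fluffy2019", "P@ssw0rd!", "correct horse battery staple")
    for pw in samples:
        verdict = screen_password(pw, username="jsmith", personal_terms=("Fluffy",))
        print("%-30s -> %s" % (pw, verdict or "accepted"))
    print("admin/admin is a default credential:", is_default_credential("admin", "admin"))
```

Of the four constructed samples, only the long passphrase is accepted; “P@ssw0rd!” fails even though it satisfies every classic composition rule, because after normalization it is just “password”. The run check only catches straight code-point sequences, so keyboard walks like “qwerty” have to come from the blocklist.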