Despite today’s increased threat landscape and heightened global awareness of hacking and data breaches, password behaviours remain largely unchanged according to a report published by LastPass. Data from the survey shows that 91% of people know that using the same password for multiple accounts is a security risk, yet 59% continue to use the same password. As a result, individuals’ behaviour in creating, changing and managing passwords in both their professional and personal lives is slow to match the rapid evolution of cyber security threats.
“Psychology of passwords: neglect is helping hackers win” provides evidence that increased knowledge of security best practices doesn’t necessarily translate into better password management, and highlights how regional, generational and personality differences can factor into password security.
Password behaviours remain largely unchanged from the same study conducted two years ago — translating to some risky behaviours. 53% report not changing passwords in the past 12 months despite a breach in the news. And while 91% know that using the same password for multiple accounts is a security risk, 59% mostly or always use the same password.
Not only do most respondents (59%) use the same password for multiple accounts, but many continue to use that password as long as possible — until required by IT to update it or until impacted by a security incident. The fear of forgetfulness was the number one reason for reuse (61%), followed by wanting to know and be in control of all of their passwords (50%).
The majority of respondents (79%) report having between one and 20 online accounts for work and personal use. When it comes to password creation, nearly half (47%) say there is no difference in passwords created for these accounts. Only 19% create more secure passwords for work and 38% never reuse the same password between work and personal accounts, which means that 62% do.
Bad password behaviour in Type A personalities stems from their need to be in control, whereas Type B personalities have a casual, laid-back attitude toward password security. Respondents who identify as Type A personalities are more likely than Type B personalities to stay on top of password security: 77% put a lot of thought into password creation, compared to 67% of Type B. Type A users are also more likely to consider themselves informed about password best practices (76%) than Type B users (68%).
The data showed several contradictions, with respondents saying one thing and, in turn, doing another. 72% say they feel informed on password best practices, but 64% of those say having a password that’s easy to remember is most important. Similarly, 91% recognise that using the same or similar passwords for multiple logins is a security risk, yet 58% mostly or always use the same password or variation of the same password.
“The cyber threats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action,” said Sandor Palfy, Chief Technology Officer of Identity and Access Management at LogMeIn. “Individuals seem to understand password best practices, but often exhibit password behaviours that can expose their information to threat actors. Taking a few simple steps to improve how you manage passwords can lead to increased safety for online accounts whether personal or professional.”