Password psychology: why are people so lax with passwords?11 May 2022
In 2004, Microsoft founder Bill Gates predicted that traditional passwords would soon be extinct. In some capacity Gates was correct; passwords have evolved into passphrases and incorporate anything from fingerprint scans to 2FA (2-Factor Authentication) to captcha-based logins. However, the password is still well and truly alive. What is becoming extinct however, is the seriousness of password security.
Did you know, according to a Google study, that over 60% of people reuse the same password across multiple accounts? Even more worrying is the 90% of employees that know reusing passwords is dangerous but two thirds of them still do it anyway (LastPass).
Password security is taken too casually by the general populace, leading to massive cybersecurity vulnerabilities for both individuals and organisations. Companies can increase spending on firewalls, authentication systems and security infrastructure all they want, but if the user is not in control, then even the most sophisticated security system becomes useless.
When explaining the importance of strong password security, it is beneficial to imagine a digital password as a physical lock and key to your home. Would you use a lock and key that is so common that any old chancer could crack into it by chance? Or would you ensure that your home is as safe as possible behind a unique lock and key?
Interestingly, attitudes towards passwords and the psychology of passwords vary and depend on the generation you belong to. This means that when we want to improve password security culture in our employees, we must consider different development and training methods rather than a one size fits all approach.
In today’s The Insider, we will be analysing the psychology of passwords and why users still do not take password security as seriously as they should.
Why do people reuse passwords?
On average, an internet user will have created over 100 online accounts. This means they will also be managing 100 passwords. It is not unthinkable that a lot of users will find some difficulty in making and remembering so many passwords, especially if they are trying to create truly random and unique passwords. So, what usually happens in this case? People just reuse passwords across accounts.
42% of people say that having a password that is easy to remember is more important than one that is very secure (LastPass).
Reusing passwords is obviously less taxing on the individual’s memory and retention, but it creates a massive vulnerability. If a hacker gets access to one single account/password and you are prone to reusing it, then they can easily gain access to your other accounts.
In fact, a recent survey found that a third of the world’s population use the same password for services such as Netflix as they do for work and banking accounts. How crazy is that?!
As a result, it remains best practice to create unique and different passwords for all the online accounts you have set up.
According to a study by Old Dominion University, people “know what constitutes a good/bad password and know which common password management practices are inappropriate … however, users engage in these behaviours because they do not see any immediate negative consequences to themselves.”
This means that to eradicate poor password security, we must find ways to convey the importance of a security breach and how the consequences of said breach will affect both the individual and their organisation.
Why do people write down their passwords?
There is also a worrying trend of users writing down their passwords. Whilst knowledge of good password management is often clear and concise, this does not always translate to actual good management by employees. This is because users are overly optimistic about online security with the prevalent attitude being: “Internet security is important, and security breaches can be catastrophic, but it won’t happen to me.”
This explains why, according to a Millman survey of IT professionals, 40% reported writing down their important business passwords.
Most users are not concerned about security because they believe the immediate and negative consequences of a security breach will affect others rather than themselves. For example, in the case of compromised emails, users do not feel the need to or remember a difficult-to-guess password because the web host will be the direct victim of hacker’s attacks, not the user themselves.
Curiously, there is also data suggesting that people write down their passwords because they want control. According to the National Cybersecurity Alliance, 52% of users surveyed want to be in total control and know all their passwords. Whether they are aware of password managers is beside the point, as physically writing down passwords makes these users feel in control.
In reality they have created a massive vulnerability point which they are not aware of because it is not a digital one.
Convenience vs Security
Good vs bad password security comes down to a user’s stance on convenience vs security. A user will consider password convenience (how easy it is to remember and use a password) but not share the same level of focus on security (the strength of said password).
If your protocols and tools do not help users with convenience, they will not help to reinforce your security. This is where security professionals and managers must build a strong and engaging security program that not only alleviates the pressure on your employees but highlights the importance of strong passwords over easy-to-remember passwords.
In a LastPass survey, cognitive dissonance kept rearing its head. Respondents knew what they should do with passwords but because the actions do not protect themselves, they do not care. According to the LastPass survey, 60% did not follow good password management because they feared they would forget the harder and longer passwords.
This clearly shows there is a hole in user knowledge of password management. We need to educate users on tools such as password managers, multi-factor authentication (MFA) and other safe and effective ways to remember and refresh passwords. Whilst users do not like giving up control, 52% told LastPass they want to be in control of password management, some allowances must be made for the greater goal of improved information security.
Personal Security vs Work Security
Another interesting aspect of password security behaviours is the disconnect between a user’s practice with personal accounts and business accounts. The Security Ledger asked users which accounts they create stronger passwords for: 69% said financial accounts and 47% said personal emails, 31% said medical records. Only 29% said their strongest passwords are tied to work accounts.
It is abundantly clear that users are more worried about protecting their own money and information. Now, this is not a surprise, but how can we replicate the same good behaviours used with personal information for work data?
Again, this comes down to making password management at work as convenient and easy for the user as possible.
Type A vs Type B personalities
Building on some of the ideas explored above, SentinelOne explains that there are two types of personalities when it comes to password security.
Type A personalities want to be in control; they will reuse passwords because they do not want to forget and because they are proactive, they may rotate between two or three passwords.
Type B personalities believe their accounts are not worth a hacker’s time and convince themselves that their bad password habits will have no consequences.
Both Type A and Type B users are subscribing to bad password security practices and require the same development. However, they need to be trained differently.
Type A personalities need to be shown the power of password managers and how they remain in control, whilst type B personalities need to be educated on the history of security breaches and how damaging one can be.
Password Psychology is never concluded
Data Managers and Security Officers can sometimes force users into lax password security with draconian protocols that are too frequent and overarching. The detailed studies mentioned above clearly show that allowing users to retain a sense of control will help in building stronger and more secure password security and push them away from poor behaviours such as writing down passwords or reusing weak ones.
Making sure your employees are informed about good password practices, but not bombarded, is the best way to keep your data secure. Let them feel like they are taking control and detail the importance/consequences of a data breach.
Quick Tip: How often should you change your passwords?
If you have created a strong password that no one will ever crack, can you stick with it forever? No! No matter how strong you think your password is, it is recommended that you change your passwords at least every 6 months.
According to a survey by Specops Software, 38% of people never update their passwords!
There are many reasons why you should regularly refresh your passwords but the most important is to lock our snooping hackers. These are hackers who gain access to your account silently and prey only on details they need when they need it. They may not make overt moves that reveal your account has been hacked, rather opting for subtle breaches.
By changing your passwords regularly, you can have peace of mind that any nefarious individuals operating in silence are booted off or locked out.
Quick Tip: What password managers can I use?
- LastPass: 100% free password generator available for desktop and mobile. Generates passwords up to 50 characters long and imports new passwords directly into one of the best managers on the market.
- Dashlane: Desktop and mobile compatible with password generation up to 40 characters long. Password management feature not as smooth and simple as LastPass but still incredibly good.
- NordPass: Create passwords up to 60 characters long with the base version of the NordPass password manager coming in totally free.
- KeePass: Free and open-source, KeePass is a little harder to set up than the aforementioned options, but it is quick and can follow specific password generation rules across all websites.
Building cybersecurity awareness, especially in relation to new and emerging threats, is the backbone of TSC’s offering. No matter the attack service or platform, TSC’s service will ensure your employees are aware and knowledgeable of the threats they will come across.