It was often suggested in the past by many that lack of appreciation of true cyber-threats posed by hackers made people complacent about their password habits, but new research has revealed that even though people are now more aware of security best practices than in the past, their password management has remained largely unchanged.
The new Psychology of Passwords Report by security firm LastPass has revealed how untiring efforts made by governments, security firms, and privacy groups have resulted in heightened awareness of cyber-security risks among the general public. A survey carried out by the firm in the United States, Australia, France, Germany, and the United Kingdom revealed that 91 percent of people now know that using the same password for multiple accounts is a security risk.
Despite such awareness, 59 percent of those surveyed said they use the same passwords across multiple accounts and even though 79 percent of them owned between one and twenty accounts, a majority of them used the same passwords for prolonged periods until they were forced to change their passwords either by IT departments or after suffering cyber-incidents.
According to LastPass, while 61 percent of people do not change their passwords because of the fear of forgetting new passwords, 50 percent of them do not do so because of their desire of wanting to know and being in control of all of their passwords.
"Individuals seem to understand password best practices, but often exhibit password behaviors that can expose their information to threat actors. Taking a few simple steps to improve how you manage passwords can lead to increased safety for online accounts whether personal or professional," said Sandor Palfy, chief technology officer of Identity and Access Management at LogMeIn.
The survey also revealed that while 47 percent of people do not keep different passwords for their work and personal accounts, only 19 percent create more secure passwords for work and 62 percent of them reuse the same password between work and personal. This suggests that by correctly guessing an employee's password, hackers can hack into the employee's work accounts which, in turn, will impact the employer as well.
While 42 percent of people change passwords regularly on their own accord, a similar number store their passwords in their phones, Word or Excel documents, or in handwritten notes. 21 percent of people do not believe that using the same passwords causes an increased security risk, and not even a breach of their own account would make 45 percent of people change their passwords.
"If we look at computer security at large, we are very, very slow to move on and embrace change of this nature; look at beloved Windows XP as an example. As humans, passwords are also something we understand and get," says Ed Williams, director of EMEA for SpiderLabs at Trustwave.
"We still see large organizations not using MFA for their e-mail. If they aren't enforcing it, how can we expect people to follow suit? Industry needs to set the example by using MFA where possible and discussing its implications as a best practice through media and social media to force all users down the MFA route, then it will become mainstream," he believes.
While encouraging the use of multi-factor authentication via this route could deliver positive results, shouldn't businesses replace passwords with multi-factor authentication altogether considering that increased awareness of cyber-risks does not translate to better password behavior?
Adam Brown, manager of security solutions at Synopsys, told SC Magazine UK that passwords can still be effective if people are encouraged to use password managers as they give users the opportunity to use non-guessable passwords.
"It may seem like putting all your eggs in one basket but they have very strong security controls and in fact, a good password manager never actually stores your password, just a super-encrypted version of it that only you with the key (the password manager app and password) can access," he added.
Ryan Wilk, vice president at NuData Security, told SC Magazine UK that while password managers are beneficial for the security of a user's accounts, companies need to add a multi-layered security system that can secure a customer's account even if the password has been compromised.
"There are solutions on the market now that, even if the correct credentials are presented, can identify machines from humans, then separate good machines from bad, select known humans from unknown humans, and finally sort unknown humans demonstrating low-risk signals from unknown humans demonstrating high-risk signals.
"This process lets organizations fast-track the known and low-risk users for an optimal experience, saving the friction and traditional authentication methods for the highest risk users. Adding layers that don't rely on static information such as passwords, companies can protect their environment and their customers even if the credentials have been stolen," he added.
Sandor Palfy, CTO, Identity and Access Management at LogMeIn, said that multi-factor authentication is one of the easiest and most effective ways of protecting one's accounts as they add an extra layer of protection that will ensure an attacker won't be able to access an account, even if the attacker obtains the password.
"However, currently, multi-factor authentication isn't supported widely enough across web services and isn't adopted frequently enough by users, to offset the risks that weak passwords pose. While we're moving in the right direction, change is happening too slowly," he lamented.
"Until universal coverage with multi-factor authentication (or even behavioral or contextual authentication) is available, companies and consumers alike need to invest in strengthening the password-protected services in use. Having a long, strong, and unique password for each online account will have a huge impact on your online security."