Recently, Twitter asked its 330 million users to do something distasteful: Change their passwords. The social media company discovered a bug in the system that caused passwords to be stored in a readable text format. Although Twitter said there is no reason to believe any passwords were stolen or compromised, for safety’s sake, users should change their passwords.
And the world collectively groaned with frustration.
We intensely dislike changing passwords. A new global survey conducted by LogMeIn’s LastPass, “Psychology of Passwords: Neglect is Helping Hackers Win,” found that 15 percent of users would rather do a household chore and another 11 percent would prefer to sit in traffic than change passwords. And even though we know that having unique passwords for every site is vital for our personal security, the majority of us don’t make the effort and won’t even change their password after it was compromised in a breach.
Why do we dislike password management so much?
The ‘We Won’t Be a Victim’ Mentality
Users tend to be apathetic about password management for a couple of reasons, according to Rachael Stockton, director of Product Marketing for LastPass at LogMeIn.
“Most people simply feel that they’re not a target for hackers or they’re afraid of forgetting login information, so they resort to reusing the same weak password,” she said. “Security-related events don’t spur action, and knowledge of best practices doesn’t necessarily translate to putting those into use.”
Unfortunately, the apathy toward personal password management spills into the workplace. Not just in reusing passwords across personal and work accounts, but also this idea that they won’t be a victim. Many small and medium businesses aren’t convinced they would be targeted by hackers and don’t insist on the same security measures of larger corporations.
Weak Frontline Defense
Any football fan knows the importance of a strong offensive and defensive line. A strong offensive line gives your quarterback time to look at the defense and execute his attack. A strong defensive line is the first wall in preventing the offense from penetrating your territory. If the defensive line can’t stop the offense, they should be able to slow it down long enough to allow the other defensive players time to adjust and make a stop.
Security isn’t much different than football. Hackers are the quarterback your defense needs to stop. Passwords are the defensive line of security, but because 81 percent of confirmed breaches are due to weak, reused or stolen passwords, it’s clear that front line is failing.
“When someone is apathetic toward passwords, they resort to weak password behavior leaving themselves—and the company—open to risks,” said Stockton. “People create short, easy-to-remember passwords and then reuse those passwords across accounts. This is risky because if a hacker got access to one of your passwords through a third-party breach, anywhere you reused that same password would now be at risk.”
LastPass’s user data shows the average person keeps track of 191 passwords. No wonder we want to keep it simple! Using a password manager makes it a lot easier to create and to recall so many unique passwords, but once any password is breached, no matter how strong or unique it is, the onus is back on the user to come up with a new password. We’ve already seen how distasteful that is. And it seems as though every day brings a new alert about a breach involving password compromise. At what point do users get too frustrated about changing passwords and stop doing it? That’s a point no business wants to get to because it takes us right back to the security problems set up by poor password management. Is it time for businesses and websites to stop forcing frontline defense onto users and rethink the password?
“The number of more frequent, sophisticated attacks we’re seeing are another reason why one layer of security is not enough to protect one’s online environment,” said Stockton. “Multi-factor authentication, the requirement of a second piece of information before allowing access to an account, increases their security because it adds another barrier to entry, decreasing the likelihood that someone can break in.”
Many sites do offer a second authentication option, such as texting a code to your phone or requiring a biometric measure. The problem is getting users to initiate the second option if it isn’t mandatory. With enforcement of the EU’s General Data Protection Regulation (GDPR) days away, it may make sense for sites to require users to take the second step as a way to better protect personal data. It could be the push users need to take their security more seriously, as well as the step organizations use to show they take security of your information seriously.
We are all guilty of password laziness. At what point will that laziness hold us responsible for a data breach?