Passwords are always an interesting discussion. While we all are aware that passwords aren’t quite good enough, we’ve yet to turn to any alternatives that are as convenient. PCMag.com recently set out to get some answers when it comes to passwords, and so they surveyed 2,500 U.S. consumers to get a sense of their password habits. The results were as strange as one might expect.
The survey, conducted between June 30 and July 2, found that 35 percent of people never change their passwords on their own. That 35 percent figure strikes me as low. I don’t know of anyone who routinely cycles their passwords when not prompted. However, the survey did find that users will change their passwords when prompted to do so.
Daily password changes? Really?
The results got more interesting from there. About a quarter of respondents (27 percent) said that they change their passwords several times a year. That sounds reasonable. Unlikely, but reasonable. But 12 percent reported changing their passwords once a month, and another 4 percent claimed to change their passwords once a week. And another 4 percent claimed to change their passwords several times a week. Now, here’s where the results get genuinely bizarre: 11 percent claimed to change their passwords daily.
That’s quite the motivated security survey sample!
I’m not entirely buying this survey. My instincts tell me the vast majority of people change their passwords when forced to do so, and what we see here is a large percentage of respondents answering the survey the way they think they should be answering the survey — they are not answering honestly about their habits.
Over the years I’ve helped to create and conduct quite a few privacy and security surveys, and there’s one constant: people respond how they think they should react or how they think they are expected to respond. In the late 90s for instance, there were many privacy surveys conducted. These surveys tried to divine how much, or how little, personal information people would provide online. Respondents tended to answer in ways that indicated that privacy is important to them, but that concern never revealed itself in the real work, such as sales of personal VPN software or the amount of information people shared with online services.
This phenomenon is probably related to response bias, which describes the tendency for people to answer or act in ways they are expected to respond.
The big no-no — password reuse
Relatively recently, as PCMag.com covered, the NIST guidance on how often to change passwords reduced the recommended frequency from every 90 days to only after an account has been compromised.
I think the NIST guidance is mostly reasonable, but I also believe it’s a good idea to change passwords periodically. The reason for this is the vast majority of people tend to reuse the same password/username among many accounts. We all know this is a no-no, but people do it anyway. What happens is bad guys get ahold of a trove of passwords and usernames and then use them against as many online services as they can until they gain entry someplace. It could be a bank, a cloud service, a social media account or whatever. This is why it’s still NIST’s recommendation to change passwords after an account is compromised. However, many breaches go unnoticed, and having a password and username combination hanging out there for years is just asking for eventual trouble.
The chances are your email and password have been compromised. Many people are surprised to learn this. If you’re curious, a safe place to check is haveibeenpwned.com.
If you don’t believe me about how common password reuse is, consider Jai Vijayan’s column in Password Reuse Abounds, New Survey Shows, which details a LogMeIn survey of 2,000 respondents from various countries conducted by LastPass. The survey found that while 91 percent of the respondents professed to understand the risks of using the same passwords across multiple accounts, 59 percent said they did so anyway. “For 61 percent, it is the fear of forgetfulness that was the primary reason for password reuse. Fifty percent say they reuse passwords across multiple accounts because they want to know and be in control of their passwords all the time,” Vijayan wrote.
That’s just asking for trouble. And just like the previous survey where people reported almost being obsessed about changing their passwords, I think in this survey people again are showing response bias and answering how they think they should answer — not how they act in the real world. In the LastPass survey, I believe respondents are underreporting how often they reuse passwords.
I’d like to think people would get smarter when it comes to password security. Perhaps use a random password generator to create their passwords, a password vault to store their passwords, and even change their passwords from time to time. And most certainly not use the same passwords across accounts.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2018/08/08/are-we-honest-about-our-password-habits/