While people have become aware of the pitfalls of password security, about two-thirds continue to use the same password, or a variation of that password, for their accounts. That's a troubling admission considering that the average person has at least 50 online accounts, according to a recent survey.
The study by password-security firm LastPass found that the problems lie not only with people but also with the organizations they work for. Following the pandemic and the shift to remote work, seven out of every 10 employees worked remotely and used online services more, but only 35% of companies made their workers update passwords more regularly or use multifactor authentication or other strong authentication methods.
The findings suggest that knowledge and education may not be enough to convince people — or their companies — to adopt better password habits, says Katie Petrillo, a senior manager with LastPass, which is owned by LogMeIn.
"We found that the presence of risk does not inherently motivate people to adopt better security," she says. "With the changing workplace and everyone spending more time online, both individuals and businesses need to prioritize their online security."
As software companies, device makers, and some users have become better about security, attackers have moved, over the past decade, to capturing credentials and using them to access remote and cloud services. In late 2019, for example, enterprise technology provider Citrix fell prey to a credential-based attack, allowing attackers to compromise the company's network. In 2020, more than 190 billion attempts to fraudulently use credentials were detected by Internet-infrastructure firm Akamai.
Yet passwords are convenient, and users' choices tend to strike a compromise between convenience and what they consider usable security, Vasu Jakkal, corporate vice president for security, compliance, and identity at Microsoft, wrote in a blog post last week, noting that 20% of people would rather accidentally "reply all" to an email than reset a password.
"They're a prime target for attacks, yet for years they've been the most important layer of security for everything in our digital lives — from email to bank accounts, shopping carts to video games," she wrote. "We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either."
The LastPass study confirmed that people and companies still have password problems. The company surveyed 3,750 professionals from seven countries — the United States, the United Kingdom, Australia, Singapore, Germany, India, and France — asking basic questions about how they, and the companies they worked for, used passwords.
While more than two-thirds of people, 68%, create stronger passwords for financial accounts and about half for email accounts, only a little more than a third would create strong passwords for work-related accounts, the survey found. Moreover, 45% of people did not change their password in the last year, even after a breach. Some 83% of those surveyed would not know if their information had been leaked to the Dark Web.
The move to remote work during the pandemic — and the impetus to keep working remotely — has had a major impact on businesses in the past 18 months. Seven out of every 10 people surveyed worked remotely, at least part time, during the pandemic and approximately the same number also spent more time online.
In addition, most people saw their online footprint grow during the coronavirus pandemic. More than 90% of the survey's respondents created at least one new account online this year, and half of people saw the number of accounts they used online grow by 50%.
"[C]ompanies and individuals need to treat all credentials as vulnerable," LastPass's Petrillo says. "You may think that your personal credentials like gym or birthday information aren't worth anything to hackers, but if these credentials are similar to your bank information, a breach could leave your financial information exposed as well."
There was some good news, however: More than three-quarters of respondents (76%) have used multifactor authentication for work or personal reasons, an increase of 10 points from the previous year.
Same Theme, Different Study
Other companies have reported similar findings. In a survey published last week, authentication provider Cisco Duo Labs found that 72% of people regularly use two-factor authentication for security, limiting the damage from stolen credentials. Attackers regularly verify stolen passwords within hours and then use them in attacks, according to research published by email security firm Agari in May.
Overall, the most common reasons that people reuse their passwords? They do not want to forget their passwords (68%), they want to retain control of their passwords (52%), and they think their accounts are not valuable enough to warrant more security (36%), according to the LastPass survey.