The Real Reasons Why Users Stink At Passwords

Personality, denial, and authentication-overload are big factors, new study finds.

Most users know it's risky to reuse passwords, but 61% of them do so anyway, a new study found.

The survey, released this week by security vendor LastPass, takes a new tack by breaking down the psychology behind user behavior: some combination of willful ignorance, denial, and risk-taking in how people handle their passwords.

Try as it might, the security industry continues to struggle with password protection and with changing the user behavior that puts accounts at risk.

The challenges of password protection are very much in the air right now. Yahoo confirmed last week that 500 million email accounts (and passwords) had been compromised. And today the White House and the National Cyber Security Alliance launched the Lock Down Your Login initiative pushing multi-factor authentication as the best way for consumers to protect themselves online. The public-private partnership includes Google, PayPal, MasterCard, Intel, Wells Fargo, Visa, Mozilla, and others.

Working with Lab42, LastPass surveyed 2,000 adults from the US, Germany, France, New Zealand, Australia, and the UK about their password habits, their beliefs, and their understanding of what secure online behavior looks like. In a nutshell, the survey found that while users know what safe passwords are, they tend to ignore this knowledge in favor of something that's easy to remember.

Among other key findings from the LastPass survey:

-- 91% know it's risky to reuse passwords, but 61% do it anyway.

-- The top reason users change a password is that they've forgotten it; only 29% do so for security reasons.

-- Users are most protective of their online financial accounts (69%), followed by retail (43%), social media (31%), and entertainment (20%).

A user's personality may also help explain why they get hacked, LastPass says, and how they rationalize dangerous or counter-intuitive behavior.

"Almost half of survey respondents identifying as Type A personalities did not believe that they are at an increased risk by reusing passwords because of their own proactive efforts, which implies their behavior stems from their need to be in control," LastPass said in a statement. "In contrast, more than half of respondents who identify as a Type B personality believe they need to limit their online accounts and activities due to fear of a password breach. By convincing themselves that their accounts are of little value to hackers, they are able to maintain their casual, laid-back attitude towards password security."

The password security problem is large and persistent. The ID Theft Resource Center reported nearly 800 data breaches in the US in 2015, exposing more than 169 million records. Compromised passwords were the port of entry for many of these attacks, according to the Verizon 2016 Data Breach Investigations Report.

And while infosec professionals and security consultants relentlessly warn against password reuse and encourage strong, unique passwords, the LastPass data suggests that many users feel overwhelmed and even resigned.

"People really are overwhelmed and feeling helpless," where password security is concerned, says Mark Burnett, security consultant and author of Perfect Passwords. Passwords have reached the limit of their usefulness, but businesses and consumers still need the secrecy they provide, he adds. Smarter authentication may strengthen security, but it is also difficult to manage.

While Burnett thinks multi-factor authentication works well, he points to the cost of hardware tokens and how businesses handle their loss, theft and replacement as potential drawbacks.

"What we really need is flexible authentication that uses multiple methods, like a token when you're at a computer and something else for your smartphone," Burnett adds. "We need something that looks at multiple factors like time of day you're logging in or recognizes suspicious activity."

He points to the FIDO Alliance's Universal 2nd Factor (U2F) standard, supported by Google, Dropbox, and others, as one possible fix.
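The kind of context-aware authentication Burnett describes, one that weighs the time of day, the device, and signs of suspicious activity before deciding whether a password alone is enough, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from LastPass, Burnett, or the FIDO Alliance. The signal names, weights, thresholds and the sample login history are all illustrative assumptions, and a real deployment would also consider impossible-travel geography, token binding, and rate limits across accounts.

```python
"""Added example: a minimal risk-based step-up policy for password logins.

Each login whose password checked out is scored against the user's baseline
(known devices, usual countries, usual hours) plus a recent-failure counter.
Low risk: the password is enough. Medium risk: demand a second factor.
High risk: deny even if the password was correct. All weights and thresholds
below are assumptions chosen for illustration, not values from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class LoginAttempt:
    user: str
    when: datetime        # timezone-aware, UTC
    device_id: str
    country: str
    password_ok: bool     # result of the password check that already ran


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)   # UTC hours of past logins
    recent_failures: int = 0


# Illustrative weights (assumption): each signal adds to a risk score.
WEIGHTS = {"new_device": 40, "new_country": 40, "odd_hour": 20, "failure_burst": 40}
STEP_UP_THRESHOLD = 40   # assumption: at or above this, require a second factor
BLOCK_THRESHOLD = 90     # assumption: at or above this, deny the login outright
FAILURE_BURST = 5        # assumption: failures before we treat it as stuffing


def score(attempt: LoginAttempt, profile: UserProfile):
    """Return (risk_score, reasons) for an attempt whose password was correct."""
    reasons = []
    # An unknown device is always a signal, even for a brand-new account.
    if attempt.device_id not in profile.known_devices:
        reasons.append("new_device")
    # Country and hour are only meaningful once a baseline exists.
    if profile.usual_countries and attempt.country not in profile.usual_countries:
        reasons.append("new_country")
    if profile.usual_hours and attempt.when.hour not in profile.usual_hours:
        reasons.append("odd_hour")
    # A burst of wrong passwords just before a correct one looks like guessing
    # or credential stuffing with a reused password.
    if profile.recent_failures >= FAILURE_BURST:
        reasons.append("failure_burst")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt: LoginAttempt, profile: UserProfile):
    """Map the risk score to one of: 'allow', 'step_up', 'block'."""
    if not attempt.password_ok:
        return "block", ["bad_password"]
    total, reasons = score(attempt, profile)
    if total >= BLOCK_THRESHOLD:
        return "block", reasons
    if total >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


def learn(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Update the baseline. Call only after a login was fully authenticated
    (including any second factor), so an attacker's attempt never becomes
    the new 'normal'. Failures only bump the counter."""
    if attempt.password_ok:
        profile.known_devices.add(attempt.device_id)
        profile.usual_countries.add(attempt.country)
        profile.usual_hours.add(attempt.when.hour)
        profile.recent_failures = 0
    else:
        profile.recent_failures += 1


def _at(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2016, 9, day, hour, minute, tzinfo=timezone.utc)


def demo() -> dict:
    """Run four constructed scenarios (sample data, not real logins)."""
    profile = UserProfile()
    for h in (14, 15, 16):   # baseline: daytime UTC logins from one laptop in the US
        learn(profile, LoginAttempt("alice", _at(26, h), "laptop-1", "US", True))
    results = {}
    # Usual device, country and hour: the password alone is enough.
    results["routine"] = decide(LoginAttempt("alice", _at(29, 15), "laptop-1", "US", True), profile)[0]
    # Same user on a phone never seen before: ask for the second factor.
    results["new_phone"] = decide(LoginAttempt("alice", _at(29, 15, 30), "phone-7", "US", True), profile)[0]
    # Unknown device, unknown country, 03:00 UTC: a reused password tried from elsewhere. Deny.
    results["foreign_night"] = decide(LoginAttempt("alice", _at(30, 3), "unknown-9", "RO", True), profile)[0]
    # Five wrong passwords, then the right one from the known laptop: step up before trusting it.
    for _ in range(FAILURE_BURST):
        learn(profile, LoginAttempt("alice", _at(30, 15), "laptop-1", "US", False))
    results["after_failures"] = decide(LoginAttempt("alice", _at(30, 15, 1), "laptop-1", "US", True), profile)[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>15}: {verdict}")
```

The design point worth noting is in `learn`: the baseline is only widened after a fully authenticated login, and a first login from any device always scores at least `new_device`, so an attacker holding a reused password cannot teach the system that their device is normal simply by logging in with it.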

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

User Rank: Ninja
9/29/2016 | 6:02:32 PM
Changing password often
There was another study a few weeks back supporting the idea that changing passwords often has no impact on security; it might even have a negative impact.
User Rank: Ninja
9/29/2016 | 1:38:39 PM
Re: Passwords and user behavior
I understand this article seems to be more directed towards the consumer space, but biometric controls such as fingerprint readers are becoming more prevalent on consumer devices.
User Rank: Ninja
9/29/2016 | 1:36:34 PM
Re: Passwords and user behavior
I think an additional parameter is cost. Biometric authentication under MFA can strengthen authentication substantially but is costly to implement. It still needs to be a consideration, depending on the value of the data each individual is protecting and the varying levels of access provided.
T Sweeney
User Rank: Moderator
9/29/2016 | 11:47:37 AM
Re: Passwords and user behavior
Thanks for weighing in, Juliette. I've kidded security vendors for years about their inability to create smarter users. Clearly, training and trying to solve this password problem from the human side is not going to work. I agree with you that some sort of predictive analytics should be added. Unfortunately, the human factor in the equation means anything we come up with will be imperfect/penetrable.
User Rank: Ninja
9/29/2016 | 11:02:53 AM
Passwords and user behavior
Interesting commentary. Any way you look at it, this password issue is not getting resolved any time soon. Awareness and training will help marginally, but in the end users will always favor convenience over security. MFA will certainly help but is not 100% secure either. So what will it take? Hard to say, but it feels that in this particular area, user behavior analytics may help detect a compromised account shortly after the breach. So in this specific issue detection is critical, since prevention seems difficult to establish (I cannot believe I am writing these words after preaching for so long that detection was not enough and prevention necessary!). When it comes to passwords, continuing to think we can change human behavior is ludicrous, and we need to think outside of the box towards new solutions.