May 8, 2018 By Douglas Bonderud 2 min read

Even though password security is a top priority for organizations, only 55 percent of users would change their credentials after a breach. That’s the sobering state of affairs detailed in “The Psychology of Passwords: Neglect Is Helping Hackers Win,” a new report from password management firm LastPass.

And bad habits don’t stop there. The report also found that 59 percent of respondents use the same password across multiple accounts. Despite the rising costs of data breach recovery and ongoing, large-scale compromises, LastPass found that “password behaviors remain largely unchanged from two years ago.”

A Persistent Problem

Companies around the world and across all sectors are struggling to protect user passwords. As noted by Wired, Twitter recently disclosed that it had inadvertently stored unencrypted passwords in an internal system. While Twitter typically hashes user passwords using bcrypt, a bug in its hashing protocol led to the unprotected storage of credentials that were kept even after hashing was complete.

Although the company said it doesn’t believe the information was accessed or used by cybercriminals, it advised all users to change their passwords for good measure. As noted by the LastPass report, however, just over half of users are likely to comply.

Also problematic is the common practice of employees sharing passwords for internal resources using tools such as Trello. According to Krebs on Security, simple web searches revealed “unprotected personal Trello boards that listed employer passwords and other sensitive data.”

This lines up with LastPass data, which found that, while 5 million records are compromised every day, it still takes organizations an average of 66 days to contain a breach. Posting passwords on public collaboration forums makes containment that much more difficult.

The Password Security Paradox

As noted by TechRepublic, the new report “confirms the paradoxical views many people have about passwords and highlights alarming trends in personal online security.” For example, 90 percent of users said they believe their online accounts are at risk regardless of the strength of their passwords and 91 percent recognize that password reuse heightens this risk. Meanwhile, 39 percent reported that they would never change their password if they were not required to do so.

Users also underestimated their total number of online accounts. While 79 percent of those asked said they had between one and 20 online accounts, LastPass found that, on average, employees were responsible for 191 passwords. Still, 59 percent of respondents said they mostly or always use the same password for different accounts, 51 percent don’t believe that cybercriminals can figure out their password, and 21 percent said they don’t see a problem with repeating the same password across accounts.

There’s a gap between user belief and behavior. Ninety-two percent of respondents said password security was a “serious matter,” yet 61 percent said they refuse to change passwords for fear of forgetting their login information.

Sandor Palfy, chief technology officer (CTO) of identity and access management at LastPass parent company LogMeIn, put it simply: “The cyberthreats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action.”
