May 8, 2018 By Douglas Bonderud 2 min read

Even though password security is a top priority for organizations, only 55 percent of users would change their credentials after a breach. That’s the sobering state of affairs detailed in “The Psychology of Passwords: Neglect Is Helping Hackers Win,” a new report from password management firm LastPass.

And bad habits don’t stop there. The report also found that 59 percent of respondents use the same password across multiple accounts. Despite the rising costs of data breach recovery and ongoing, large-scale compromises, LastPass found that “password behaviors remain largely unchanged from two years ago.”

A Persistent Problem

Companies around the world and across all sectors are struggling to protect user passwords. As noted by Wired, Twitter recently disclosed that it had inadvertently stored unencrypted passwords in an internal system. While Twitter typically hashes user passwords using bcrypt, a bug in its hashing protocol led to the unprotected storage of credentials that were kept even after hashing was complete.

Although the company said it doesn’t believe the information was accessed or used by cybercriminals, it advised all users to change their passwords for good measure. As noted by the LastPass report, however, just over half of users are likely to comply.

Also problematic is the common practice of employees sharing passwords for internal resources using tools such as Trello. According to Krebs on Security, simple web searches revealed “unprotected personal Trello boards that listed employer passwords and other sensitive data.”

This lines up with LastPass data, which found that, while 5 million records are compromised every day, it still takes organizations an average of 66 days to contain a breach. Posting passwords on public collaboration forums makes containment that much more difficult.

The Password Security Paradox

As noted by TechRepublic, the new report “confirms the paradoxical views many people have about passwords and highlights alarming trends in personal online security.” For example, 90 percent of users said they believe their online accounts are at risk regardless of the strength of their passwords and 91 percent recognize that password reuse heightens this risk. Meanwhile, 39 percent reported that they would never change their password if they were not required to do so.

Users also underestimated their total number of online accounts. While 79 percent of those asked said they had between one and 20 online accounts, LastPass found that, on average, employees were responsible for 191 passwords. Still, 59 percent of respondents said they mostly or always use the same password for different accounts, 51 percent don’t believe that cybercriminals can figure out their password, and 21 percent said they don’t see a problem with repeating the same password across accounts.

There’s a gap between user belief and behavior. Ninety-two percent of respondents said password security was a “serious matter,” yet 61 percent said they refuse to change passwords for fear of forgetting their login information.

Sandor Palfy, chief technology officer (CTO) of identity and access management at LastPass parent company LogMeIn, put it simply: “The cyberthreats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action.”

More from

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

7 min read - Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments. During my research, I decided to try and discover vulnerabilities in software that I had pre-installed on my laptop, which resulted in the discovery of this vulnerability. In this article, I…

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today