Weak passwords are one of the main vulnerabilities that hackers can exploit to infiltrate personal and enterprise IT systems. However, despite the many victims of password breaches, some users still fail to follow password best practices, for both work and personal accounts.
GetApp surveyed over 1,000 people aged 18 and above in the UK (full survey methodology can be found at the end of the article) to understand how they use, manage, and remember their passwords.
Younger people exhibit riskier password usage behaviour
Our survey respondents included participants in the age groups 18 to 25, 26 to 34, 35 to 49, 50 to 64, and 65 and above. Each of these groups exhibits different behavioural patterns in regards to password usage and security.
Per our survey results, 60% of respondents in the 18 to 25 age group and 65% in the 26 to 34 age group use the same password for multiple accounts. By comparison, 54% of respondents in the 35 to 49 age group, 41% in the 50 to 64 age group, and 51% in the 65 and above age group reuse their account passwords. This suggests that younger people are more likely to reuse their passwords. The trend is worrisome because users from these age groups typically have multiple online accounts (social media, gaming, online retail, etc.), and a password breach on one account can lead to the simultaneous compromise of their other accounts.
In addition, 28% of respondents in the 18 to 25 age group wait until they’re forced to change their passwords compared to only 10% in the 65 and above age group, a difference of almost three times. Also, 41% in the latter group voluntarily change their passwords on a regular basis compared to only 28% in the former.
Even when changing passwords, 49% of respondents in the 18 to 25 age group change only a few characters in their existing passwords. On the other hand, nearly 56% of those above 50 years old create an entirely new password each time.
People in the 18 to 25 and 26 to 34 age groups are the most familiar with password managers and authentication methods and use them more frequently compared to the other age groups. Nearly one in three (31%) respondents under 35 years of age say they use a password manager app to remember multiple passwords.
Poor password practices lead to data security risks
Many people assume that they won’t be victims of password breaches and therefore continue using default or easy-to-guess passwords. Below are a few examples of password breaches and the subsequent consequences for some leading companies.
An employee reusing a password caused Dropbox’s data breach
In 2012, hackers broke into cloud storage service provider Dropbox’s database. The attackers stole the email and password data of over 68 million Dropbox users and published it on the dark web. Dropbox had to reset the compromised credentials and inform customers and regulatory bodies about the incident. Fortunately, the company had encrypted all stored user account passwords, which prevented the hackers from using them to steal more data. Later investigation revealed that an employee’s reused password, hacked from another website, was the cause of the breach.
The use of a default password led to Equifax’s data breach
In 2017, cybercriminals hacked into credit reporting agency Equifax’s systems and exposed the personal details of 147 million people. A class-action lawsuit revealed that the company was storing sensitive client information in a portal with the username “admin.” Moreover, the password to the portal was also “admin,” making it easy for hackers to guess the username-password combination. Equifax was fined $700 million for the breach by the Federal Trade Commission, and it also lost customer trust and reputation.
The above examples highlight that poor password management practices are a vulnerability and can cause damage when least expected. It’s important for both individuals and businesses to follow password management best practices to keep data safe.
7 password best practices every user should follow
Password best practices help keep your data safe and protect it from hacking attempts. In this section, we discuss seven best practices for managing your passwords.
- Don’t share passwords: Never share your passwords with colleagues, friends, or family members. You never know who might misuse your accounts.
- Don’t reuse passwords: Don’t use the same password for multiple accounts (e.g. social media, financial services, work accounts). From Dropbox’s example, we’ve learned how cybercriminals can use the credentials of one of your accounts to gain access to all other accounts. Therefore, use a unique password for every account.
- Don’t use dictionary words as passwords: Words directly picked from a dictionary (e.g., sesquipedalian), however long they might be, are easy targets for hackers. Password cracking tools come with dictionary lists that try thousands of common words for passwords and use brute force attacks (the act of using trial and error to guess passwords) to gain access to accounts.
- Use passphrases as passwords: A passphrase is a sequence of random words, numbers, or symbols of at least 15 characters. Passphrases are said to offer better security than short, complex, and hard-to-remember words. For instance, a long password containing multiple simple words (e.g., The brown fox ate the white duck) is said to be more secure than a complex password (e.g., [email protected]).
- Avoid storing passwords: Don’t store your passwords on paper or in online files. Unfortunately, nearly a third of our survey respondents (31%) partake in this practice.
- Use a password manager: A password manager is a software tool that lets you create, store, manage, and share passwords securely. 21% of our survey respondents say they use password manager apps to remember their credentials.
- Report password breaches: Immediately report any suspected password breach to the relevant IT team so that they can assess the damage and take remedial steps. For personal accounts, reset your passwords immediately and notify the concerned authorities. For example, if the password to your internet banking account is breached, inform your bank as soon as possible.
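As an added illustration of the reuse, dictionary-word, passphrase-length and "only a few characters changed" rules above (example code written for this page, not GetApp's own): the word list and the account vault are constructed, and each entropy estimate assumes the attacker model named in its docstring.

```python
import math
import re
from difflib import SequenceMatcher

# Constructed stand-in for a cracker's dictionary (assumption: a real check
# would load a large word list or a leaked-password corpus instead).
COMMON_WORDS = {"password", "sesquipedalian", "admin", "welcome", "letmein"}
MIN_PASSPHRASE_LEN = 15  # the article's minimum passphrase length

def charset_size(pw):
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    for pattern, count in ((r"[a-z]", 26), (r"[A-Z]", 26),
                           (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            size += count
    return size

def char_entropy_bits(pw):
    """Brute-force estimate: log2(charset ** length) = length * log2(charset)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def word_entropy_bits(phrase, wordlist_size):
    """Estimate when the attacker knows the passphrase is random words drawn
    from a list of wordlist_size entries: words * log2(wordlist_size)."""
    return len(phrase.split()) * math.log2(wordlist_size)

def check_password(pw, account, vault, previous=None):
    """Return the article's rules that pw breaks. vault maps the user's other
    accounts to their current passwords; previous is the password being replaced."""
    findings = []
    if len(pw) < MIN_PASSPHRASE_LEN:
        findings.append("shorter than 15 characters")
    if pw.strip().lower() in COMMON_WORDS:
        findings.append("single dictionary word")
    for other, other_pw in vault.items():
        if other != account and other_pw == pw:
            findings.append(f"reused from {other}")
    # Changing only a few characters leaves most of the old password intact.
    if previous is not None and SequenceMatcher(None, previous, pw).ratio() > 0.8:
        findings.append("too similar to the previous password")
    return findings

if __name__ == "__main__":
    vault = {"bank": "sesquipedalian", "shop": "sesquipedalian"}  # constructed
    for candidate in ("sesquipedalian", "The brown fox ate the white duck"):
        print(candidate, check_password(candidate, "mail", vault),
              round(char_entropy_bits(candidate), 1), "bits")
```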
55% of survey respondents use two-factor authentication to protect their passwords
Two-factor authentication helps improve account security by making it mandatory for users to present an extra piece of evidence, besides their passwords, to access their accounts. The second piece of evidence could be a biometric trait (such as a fingerprint or face scan), a one-time password (OTP) sent to a phone number, or a security question.
According to the GetApp survey, nearly 55% of respondents use two-factor authentication for their business and personal accounts when it is available. Younger respondents are more likely to use this type of technology than older adults: 59% of respondents aged 18 to 25 use two-factor authentication for their personal accounts, compared to 50% of those aged 35 to 49.
The younger generation’s familiarity with the latest tech could be a driving factor in this case. These days, many apps verify users via at least two methods. Therefore, the younger generation has grown up using two-factor authentication. Older adults, on the other hand, are more used to the traditional username and password authentication technique.
Several methods can be used as a second point of verification in two-factor authentication. According to our survey data, security questions (82%) and codes sent to email accounts (81%) and mobile devices (80%) are the most commonly used for logging in to software applications, websites, or devices.
Follow password best practices to protect accounts
Follow password security best practices and use two-factor authentication, whenever available, to strengthen the security of personal and business accounts.
For personal accounts, use strong, unique passwords and never share them with others. If you have a hard time remembering multiple passwords, here are some free password manager tools to store and retrieve your passwords securely.
For business accounts, implement a strong password policy, such as the use of two-factor authentication for all apps, and encourage employees to follow the best practices. Make sure staff members change their account passwords every six months. Also, invest in a password manager tool to help your employees create stronger passwords and access them securely.
Data for the GetApp Biometric Technology and Password Management UK Survey 2021 was collected in January 2021. The sample comes from an online survey of 1,011 respondents who live in the UK. The respondents belonged to the age groups 18 to 25 years, 26 to 34 years, 35 to 49 years, 50 to 64 years, and 65 years and above.