You ever just find yourself internally screaming, "WHY?!" when users still create bad passwords even though you've provided them with best practices?
Hopefully, I may be able to add a bit more color...
After collecting data on our "Psychology of Passwords" report, we found a ton of interesting findings about the behavior of users picking and choosing passwords.
So, why exactly do people engage in bad password behavior even though 79% of those surveyed agree that compromised passwords are concerning?
Well, it might have to do with a couple of elements. Take a look at these stats found in the report:
- 68% of those who reuse their passwords are afraid of forgetting it
- 52% of those who reuse their passwords want to be in control
- 36% of those surveyed don't consider their account to be valuable enough to hack
From the looks of it, it seems as though fear, control, and a bit of ignorance might play roles in this password creation game.
Why is it important to know this information? Well, understanding the psychology that is creating these dangerous password habits can ultimately help you tailor cybersecurity programs and technologies accordingly!
One way we recommend combatting these misbehaviors involves utilizing a password manager to manage and secure passwords. A solution like that can help alleviate the "fear" and "control" in trying to know each and every password for your users.
If you want to see more on these findings, feel free to check out the full report, here.
What did you think of the findings in the Psychology of Passwords report? Anything interest you? Surprise you?
Where/who ran the survey for the stats in this report? I would like to use some of these stats in a cybersecurity month message to my users, pointing them to using a password manager like LastPass and others.
We surveyed 3,750 professionals across 7 countries! These were the countries surveyed:
- United States
- United Kingdom
Feel free to use any and all stats. :)
I think it's like a lot of precautions that people ignore - people figure, "It won't happen to ME!!"
Until it does.
But really, for most people, the expected loss from forgetting a password (chance of it happening times the inconvenience or damage from forgetting it) is less than the expected loss from a password compromise, simply because they see the "chance of it happening" as so extremely low for the compromise.
Why? Because people suck at remembering passwords that pass most conventional tests for "strength". Being human, they will strive to make the authentication process easier, by using weak, easy-to-remember passwords, or by doing dangerous things with their "strong" passwords (Post-It notes et al).
This is where I usually suggest password policies that actually allow for passwords that are both strong (as in computationally difficult to guess) and easy to remember. So here's the obligatory https://xkcd.com/936/
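As an added example (not part of the reply above or the comic it links), here is a way to put numbers on the "strong but memorable" trade-off: generate a passphrase from a wordlist with a CSPRNG and compute the search-space entropy and worst-case guessing time. The sample wordlist is constructed for illustration and the function names are assumptions of this example; a real deployment would use a large published list such as the EFF long wordlist (7776 words).

```python
import math
import secrets

# Constructed sample wordlist for illustration only; far too small for real use.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "candle",
                "orbit", "wrench", "velvet", "maple", "cactus", "pillow",
                "anchor", "thunder", "lantern", "meadow"]


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of uniformly random words from a wordlist.

    Each word is an independent choice among wordlist_size candidates, so the
    search space is wordlist_size ** num_words and the entropy is its log2.
    """
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and two candidate words")
    return num_words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` uniformly random characters from an alphabet.

    This is the ceiling for a generated password; human-chosen passwords
    follow predictable patterns and sit well below it.
    """
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one character and two symbols")
    return length * math.log2(alphabet_size)


def generate_passphrase(words, num_words: int, sep: str = " ") -> str:
    """Pick num_words words using the CSPRNG-backed `secrets` module."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a fixed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The comic's scenario: four words drawn from a 2048-word list (44 bits).
    bits = passphrase_entropy_bits(4, 2048)
    print(f"4 words from 2048: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1000):.0f} years at 1000 guesses/s")
    print(f"8 random printable ASCII chars: "
          f"{random_password_entropy_bits(8, 94):.1f} bits")
    print("Sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The 1000 guesses/s rate models a throttled online attack; offline cracking of a leaked hash runs many orders of magnitude faster, which is why the entropy figure matters more than the year count.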
The reality is that the password's day has come and gone. With MFA in place, password strength becomes far less critical.
Let's eliminate passwords by converting to 4FA (4-factor authentication). If you pass all 4 of the following scans 10 times in a row, you might be who you say you are. If you fail any of the tests just once, we will replace your computer with a legal pad. Good luck!
- Fingerprint scanner.
- Retinal scanner.
- Neural scanner.
- Chip scanner. (My veterinarian currently has a buy one get one free offer. Get a chip implanted in your dog or cat and he will implant one in you for free.)
Hey everyone, thought some of you on this thread may be interested in continuing the discussion on password habits.
On Wednesday, Oct. 27 at 11AM CDT we’ll be hosting a webinar on this very topic, Psychology of Passwords: Do Your Part to BeCyberSmart.
In this webinar, we’ll explore:
- The effects of our expanded digital lives – both personal and professional – in the wake of the pandemic
- Our continued cognitive dissonance when it comes to password hygiene, and why it persists
- The actual psychology and stats behind poor password habits
- Steps to take now to combat bad password behavior and #becybersmart