Knowledge of security risks hasn’t fixed the password problem
On World Password Day, data from Onfido serves as a reminder that most people don’t follow password recommendations and probably never will, which means it’s time to find a new security standard.
World Password Day 2021 is upon us, serving as yet another reminder to use unique passwords, update those that may be compromised and practice good password hygiene. If new data from Onfido is accurate, however, most of us have no plans to do any of those things.
Onfido, an identity verification and authentication company, polled several thousand people from the U.S., U.K., France and Germany on a variety of password-related issues and drew what is probably an unsurprising conclusion: “Many consumers find password creation cumbersome, and widespread poor password hygiene could put consumers and the brands they engage with at risk.”
Password manager NordPass found that the average internet user has around 100 passwords to remember, which was a 25% increase from before the COVID-19 pandemic. Of those 100 passwords, it’s likely many are being reused, many are easy to guess, and most people would rather do anything other than create a unique, secure password as part of their portfolio of credentials, Onfido found.
To make clear how much internet users hate coming up with secure passwords, Onfido said that people “would rather do mundane, uncomfortable and, in some cases, painful activities than create a unique password for every online account they have.” These include filing their taxes, preferred by 17% of respondents; getting a root canal or filling, which was preferable to 9%; or standing in line at the DMV/RMV to update vehicle registration or a driver’s license, which was a preferable activity for 15%.
With that much hate for passwords, it’s easy to guess how other password hygiene habits measure up. Fifty percent report reusing passwords, with 17% saying they use the same one for all accounts, and 33% saying they have a handful that they rotate through. Further, one in five respondents said that they have a single core password that they adapt to fit different site requirements.
Twenty-nine percent of respondents did say that they prioritize creating hard-to-crack passwords. On the face of it, that’s a good thing, but digging into the roots of those passwords reveals that many of them are based on easily phished personal data. Twenty-two percent use birthdays, 19% use pet names or family names, 14% use hobbies, 12% use the time of the year, and 10% use their mother’s maiden name, a favorite sports team, street names or addresses and phone numbers. Hackers can easily discover this data by trolling through a target’s social media or other online information, Onfido said.
Where can the world go from here? Passwords clearly aren’t the answer to the future of cybersecurity, said Onfido director of biometrics Sarah Munro. “It no longer matters if we add characters or numbers to make the password harder to guess because fraudsters can now carry out highly advanced social engineering attacks, where even the lengthiest and ‘strongest’ passwords don’t stand a chance,” said Munro.
Fifty-eight percent of respondents predict the extinction of the password is nigh, believing that it will be gone within the next decade. A further two in five said they believe the password will be gone in five years or less. Luckily, the post-password solution may be one we’re already familiar with.
Fifty-eight percent of respondents said they would happily adopt biometric security like Touch ID or Face ID if it were offered by more services, which Munro said would be ideal. Biometrics, Munro said, are “the safest – and easiest – way to quickly authenticate your identity when signing in.”
Fingerprint and face login is already being used in many places, Munro added, and that software could easily be adapted to fit the needs of additional businesses. “Investing in biometrics can help these companies create a safe and swift way of authentication, carving a clear-cut path to a passwordless future and removing human error from the sign-in equation,” Munro said.