LastPass just released its annual Psychology of Passwords report, and it reveals that cybersecurity practices are on the decline despite the recent increasing risks.
Key Findings from the report:
Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene. As the generation that has lived most of its life online, Gen Z (1997 – 2012) believes its password methods to be “very safe.” They are the most likely to create stronger passwords for social media and entertainment accounts, compared to other generations. Gen Z is also the generation most likely to recognize that using the same or similar password for multiple logins is a risk, yet they use a variation of a single password 69% of the time, alongside Millennials (1981 – 1996) who do this 66% of the time. Gen Z is also the generation most likely to use memorization to keep track of their passwords, at 51%, with Boomers (1946 – 1964) the least likely to memorize their passwords, at 38%.
Cybersecurity education doesn’t necessarily translate to action. With 65% of those surveyed claiming to have some type of cybersecurity education, the majority (79%) found their education to be effective, whether formal or informal. But of those who received cybersecurity education, only 31% stopped reusing passwords. And only 25% started using a password manager.
Confidence creates a false sense of password security. While 89% of respondents acknowledged that using the same password or variation is a risk, only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation. To add to that, compared to last year, people are now increasingly using variations of the same password, with 41% in 2022 vs. 36% in 2021.
Password experts from around the cybersecurity industry weighed in on the report and how password use trends could affect security heading into 2023.
Chloé Messdaghi, Chief Impact Officer, Cybrary
"This study is a good reality check. The cybersecurity industry needs to do a better job with messaging and targeting certain populations. It’s all about changing the mindset of people. As an industry, we’re really good at telling people what best practices to implement, but when it comes to getting the word out to different generations, how do we do that? For example, Gen Z believes they’re the most secure, but they’re not. So how do we change that thinking? The cybersecurity industry needs to be better at targeting the messaging for each generation. For example, with Gen Z, it seems like the easiest way to get the message across would be via an app like TikTok, and reducing the spread of security misinformation. Across all generations, this belief that single individuals aren't targets is false. Whether bad actors are after the individual alone, or trying to get into an app or game they have an account with, or access to the high-power corporate executive that may be in their immediate family, or their school district log-in, etc. All of it can be a target, and anyone can be that loose link in the chain. For Baby Boomers, how do we get them to use password managers? Many times, non-technical individuals will only use a password manager for a short amount of time. They’re difficult to use sometimes. They’re not created for Baby Boomers – they’re created for people who are generally more tech-savvy. So we need to create products that align with the different segments of generations. Diversity matters. Making sure your messaging and product creation takes into account the population you’re targeting makes all the difference. If we’re telling folks to use password managers or authenticator apps, they need to be simple to use. Or if we’re telling folks how much of a security risk they actually are, we need to make sure that message gets to them on a platform they trust. 
We – the cybersecurity industry – need to go to users with these insights and messages; they’re not going to come to us."
Brad Hong, Customer Success Manager, Horizon3.ai
"We’ve officially made it full circle – reminiscent of the simpler days, the age-old battle between convenience and security resurfaces as the #1 vulnerability to organizations has once again become passwords. Testament to the fact that no matter which attack vector professionals focus on, humans – more importantly, their negligence and mistakes – are still the biggest threat to organizations. We are at a unique crossroads between traditional and AI-driven attacks where an attacker can automate the use of a personal account compromise to gather intel on the subject, which then drives a more bespoke, intelligent password spray into corporate accounts.
As a security professional, it’s no surprise that as the world becomes more dependent on the internet for day-to-day operations, and a plethora of vulnerabilities (exploitable or not) are discussed on the news, the more users will choose ease of login over security using the common logic of “they probably already have my information, so what?” or “why would they hack me? I’m nobody!”
Slowly, as the U.S. builds on a more federal approach to cybersecurity, so does its ability to create a sense of duty in organizations in enforcing a standard for basic hygiene. Until individual users take it upon themselves to protect their own assets as an exposure to their organization, however, attackers will continue to simply log in, not hack in, as it continues to be an incredibly effective attack path – 79% of all manufacturing attacks in 2022 originated from stolen credentials.
Noting that according to the Psychology of Passwords report, 89% of those surveyed recognized the risk reused passwords bring, but only 12% actually acted on it. From an attacker’s perspective, this is already widely known and attack tools have specifically been crafted to account for human error or laziness in password generation. It’s the same reason why industry standards surrounding password complexity have loosened in favor of uniqueness and prevention of circulating between old passwords. To date, credentialed attacks remain the most popular means of entry into any digital infrastructure, and remain the easiest method of reconnaissance and privilege escalation for bad actors. With 95% of organizations in 2021 that were hit with credential stuffing attacks being subject to between 637 and 3.3 billion malicious login attempts, the ransomware attacks and zero-days discussed in the news come nowhere close to the impact poor passwords have on organizations, en masse. The irony is then not lost on the security professional who recognizes that circumvention of perimeter controls by attackers looking to drop a payload or ransom assets is often made possible by simply logging in as admin to critical infrastructure systems with the password “[DogName][Birthdate].”