Users plus passwords equals disaster

A survey by Siber Systems confirms that how passwords are really used is really, really bad


Just like oil and water or peaches and concrete, passwords and users don’t mix too well. The problem is that users want ease of use with the products and services they access which, to them, means having to remember as few passwords as possible. And by “remember” I don’t just mean from the user’s memory; the old sticky note stuck to the underside of their keyboard is a horrifyingly common solution for them.

And it doesn’t seem to matter how much you warn them about weak passwords and the dangers of reusing the same password for everything: you know that many of them will simply not pay attention or care, and many will do exactly what you told them not to. But how many is “many”?

Siber Systems, makers of RoboForm, a fine password management tool I’ve used for years, recently did a survey of over 1,000 of their users (50% from the US and 50% from the UK, all of them non-IT workers) and discovered some interesting stats about their attitudes towards and use of passwords:

More than 60% of participants reported that they’d either forgotten a password or had a password compromised at some point during their professional career. People in the US (70%) were somewhat more likely than their counterparts in the UK (57%) to have forgotten a password or had it exposed to risks on the job.

Only a fraction of survey respondents report that they use the type of strong password management practices industry experts recommend: passwords that contain upper and lowercase letters as well as numbers and symbols, use of unique passwords for each registered website and changing passwords every 30-60 days. Only 37% of survey participants use passwords that contain both letters and numbers. And only 8% report using a password management system, which can automatically create strong passwords for every site and change them frequently.

Fully 65% of respondents say they use three or more devices daily, and almost three quarters – 73% – report that they allow their browser to remember passwords for them at least some of the time, and 76% occasionally neglect to log out of websites when they’re finished browsing. In addition, 42% of survey participants say they write passwords down to keep track of them. The survey also revealed that many respondents use the same password for multiple sites: 74% report that they log into six or more sites every day, and 30% visit more than 10 sites daily. But 59% of participants say they use five or fewer passwords, meaning they use the same password on multiple sites.

This is evidence, as if you really needed more, that in general users really aren’t serious about their passwords; they are, in fact, extremely sloppy in every aspect of password management. 71% admitted that they forget one or more passwords every month, and of those people, 33% wound up losing access to something at work for up to five minutes, 57% lost access for up to 30 minutes, and a remarkable 10% lost access for 30 minutes or more. The lost productivity from forgetting passwords is biblical by any standard!

73% of these users allow their browsers to remember their passwords some or all of the time, which is, in a business setting, a bad idea unless you add layers of protection around the users’ working environment: anyone who gets hold of an unlocked or shared machine gets those saved credentials along with it.

Now, obviously, Siber Systems would recommend using their password management product, RoboForm, and so, for that matter, would I. But without training users to take password management seriously, or threatening them with Draconian consequences for messing up, you’ll be wasting your time.

Many companies are starting to test new technologies to avoid the need for passwords. For example, the Royal Bank of Scotland is using fingerprint recognition to control customer account access, while Lloyds Banking Group is testing the use of wristbands that detect an individual’s heartbeat “signature” to authenticate users (this system looks somewhat clumsy).

But even if some of these new technologies do pan out, passwords are going to be in use for a long time to come, and if you’re behind the curve in training your users and in giving them tools to improve password security, you’re taking a huge risk, one which will only get greater given that hackers are becoming more numerous and bolder every day.

So, lost productivity, lousy security, and serious financial risk are the results of poor password management. Do you really need any more reasons to do something about your users and their passwords?

