Whoops! Were You One of the 78% of People Who Forgot Their Passwords in the Last Three Months?
We all know that people use weak passwords. This has been the case pretty much ever since the traditional authentication system we all know and hate came to prominence, and for years, the security community has been desperately trying to fix the problem. You might think that simply forcing users to create stronger, more complex passwords is an obvious solution, but if you take a closer look, you'll see that there are multiple fundamental flaws with this plan. Some of them were touched upon by a recently published study conducted by HYPR.
HYPR is a company that focuses on authentication solutions that don't revolve around traditional usernames and passwords, and to emphasize why we desperately need this type of product, its researchers surveyed a total of 500 workers in the US and Canada for a period of two-and-a-half years. The findings showed for the umpteenth time that people and passwords just don't mix.
Forgetting passwords is more common than you think
At one point, the respondents were asked whether they'd been forced to reset one of their personal passwords over the last 90 days. A whopping 78% answered affirmatively. A more modest but still pretty significant 57% of those interviewed said that they'd forgotten a work-related password over the last three months.
It is a pretty shocking statistic, and it doesn't get much better when you consider what the consequences of all these forgotten passwords are. For organizations, the process of resetting a user's password often involves helpdesk time, which can be quite expensive. As for the user, resetting a forgotten password is an inconvenience and a productivity killer at the best of times.
Everyone is trying to avoid it, and this is leading to other problems.
People avoid forgetting passwords by using and reusing weak ones
To cut down on the frustration and cost associated with forgotten passwords, organizations often refrain from imposing particularly strict requirements when it comes to what the password needs to contain. Some of them do have password expiration policies, but the figures in HYPR's survey show that even this strategy isn't especially effective.
49% of the people who are forced to update a password at work tend to use a lightly modified version of the previous one. Although adding a digit or two to an old password has been described as a very bad idea by many security professionals, people clearly continue to do it, and companies aren't doing a whole lot to stop it.
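One way an organization could catch the "add a digit or two" habit when a password is changed, as an added example that is not from HYPR's study or the original article. It assumes the change form collects the current password in plaintext alongside the new one (stored hashes cannot be compared for similarity); the function names, the substitution table and the two-edit threshold are illustrative choices.

```python
import re
import unicodedata
from typing import Optional

# Assumed table of common look-alike substitutions (illustrative, not exhaustive).
LEET = str.maketrans("013457@$!", "oleastasi")

def base_word(pw: str) -> str:
    """Case-fold, drop leading/trailing digits and symbols, undo look-alike swaps."""
    pw = unicodedata.normalize("NFKC", pw).casefold()
    pw = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return pw.translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def too_similar(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return why `new` is a light modification of `old`, or None if it is not.

    Both arguments are plaintext supplied on the change form (assumption)."""
    if old == new:
        return "identical"
    o, n = base_word(old), base_word(new)
    if o and o == n:
        return "same base word; only case, digits or symbols changed"
    if edit_distance(old, new) <= max_edits:
        return f"within {max_edits} edits of the previous password"
    shorter, longer = sorted((o, n), key=len)
    if len(shorter) >= 4 and shorter in longer:
        return "previous base word embedded in the new password"
    return None

if __name__ == "__main__":
    # Constructed sample pairs (old, new), not real credentials.
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd", "password1"),
                     ("bluemonkey", "bluemonkeys"),
                     ("correct-horse-battery", "Xk9#mQ2vLp!w7Rz")]:
        print(f"{old!r} -> {new!r}: {too_similar(old, new) or 'accepted'}")
```
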
Password reuse is just as rampant as you'd expect. About 72% of those interviewed admit to reusing passwords in their personal lives. A little over 40% of the respondents said that their entire personal online existence is protected by fewer than seven passwords. About two-thirds of those interviewed use between 1 and 5 passwords at work.
As you might have guessed, the adoption of password management solutions is not great, either. 30% use a dedicated app for storing passwords at home, and just 26% do it in the office. About a third of the respondents write their login credentials on pieces of paper, and the rest rely on their memory to take care of all these passwords.
This is far from the first survey to illustrate how bad people's password management habits are, and you can be pretty sure that it's not the last. There are alternatives to the traditional authentication system, but adoption levels are very low, and although many companies claim to have the technology that will "kill" the password, nobody is likely to do it in the foreseeable future. In other words, we must digest the findings in these studies, and we must learn from the mistakes we make.