Most people in Britain re-use the same password over and over because they can't be bothered to change it, can't remember new passwords or feel they're asked to change their password too often, according to a new survey from TeleSign.
The findings have triggered calls within the security industry to scrap the reliance on this security method – and an admission that some security pros have just as bad password habits as the average consumer.
The survey, published on Thursday, questioned more than 2,000 UK consumers and found 62 percent re-use the same password across multiple online accounts.
The main reasons given are that they would forget a new password (22 percent), that they know it is important but it gets overlooked (22 percent), that they can't be bothered (20 percent) or that they are asked to change their passwords too often (16 percent).
The survey warns that the main impact of this is the 'domino effect' seen in major security breaches like the one at US retailer Target – hackers steal the password for one service and can then use it to access numerous other accounts.
As well as password 'laziness', TeleSign also found a lack of overall awareness of online security, with young people among the worst offenders: almost a quarter of 18- to 24-year-olds believe they are safe because they haven't been hacked in the past.
The findings have renewed calls to find a better way of protecting people's data online.
TeleSign CEO Steve Jillings said: “Passwords are an artefact from a bygone era; a significant percent of incidents can be prevented when providing stronger authentication methods” – a view shared elsewhere in the industry.
Information security researcher and author David Lacey told SCMagazineUK.com: “The password is a really bad method but we're stuck with it because it's cheap and everybody does it.” And he added: “I know top security people who have terrible password habits.”
Lacey said: “The idea of a password that you remember, that you never write down, you keep changing, that only works if you've got one or two of them – and today we need hundreds. It's a failure in security for not providing alternative better methods of doing it.
“The only guidance you get is 'choose something that is more than eight characters, has complicated characters and numbers in, or think of a long phrase' – which is complete nonsense advice. These are things which don't seem natural to people.”
He told SC: “It would be nice if we could acknowledge the flaws in what we do and come up with better standards and control requirements. People rely purely 100 percent on users to get this right. We do things the cheapest way.
“You need to have several layers of authentication and security, but they have to be convenient. Anything that's complicated people will not do. The whole process of user access and management is in need of a lot more thought and imagination and better solutions.”
Amar Singh, chair of the ISACA UK Security Advisory Group, and CEO and founder of the Cyber Management Alliance and Give A Day, agreed that passwords need replacing with simple and convenient security processes – and pointed to fingerprinting as the possible solution.
He told SCMagazineUK.com via email: “These types of findings will be the norm as long as we have the traditional approach to authentication – passwords. Introducing two-factor authentication (2FA) is not the panacea and is still, although much improved, perceived as an 'interruption' in the user journey.
“Any changes in password security must be as transparent to the user as possible – take the Apple fingerprint scanner approach. The reason there is mass adoption of Apple's Touch ID is because it does not interrupt the user experience; in fact, from a personal user perspective, it has made my user experience even easier and relatively more secure.”
Singh added: “For now, the only one recommendation I offer – apart from the 2FA approach – is for people to get a password manager for their computer, for their phone and use that to generate strong complex passwords for each product/website, and securely store these generated passwords and usernames.”
But Silvio Kutic, CEO of SMS-based security specialist Infobip, favours SMS-based two-factor authentication as the solution for mobile phone users going online.
In an emailed statement, he explained: “Not only is it essential to protect users from data breaches that happen on company servers, it's also necessary to protect them from their own habits and behaviours.
“A simple username and password combination is no longer enough to guarantee an adequate level of security.
“SMS-based 2FA is the answer. Rather than relying on an authenticator app or additional piece of hardware like a key fob, SMS-based 2FA can immediately turn any mobile phone into an extra layer of security. Retailers, storage providers and social networks are all beginning to introduce 2FA.”