One of the studies to be released during RSA was LogRhythm’s survey about consumer password hygiene. It isn’t good.
A mere 21 percent of respondents claimed to have a unique password for each online account. I admit that I’m surprised that the number is that high. In a couple of the sessions I sat in on at the conference, passwords were a popular topic, and speakers asked how many had unique passwords for each account and, while I’m not good with numbers, at no time did the raised hands come close to a fifth of the audience.
The reasons why using a single password across accounts is a bad idea are clear, and LogRhythm's infographic spells them out: one password could open the door to plenty of other accounts (what isn't mentioned there, but magnifies the problem, is the re-use of user names or email addresses along with that single password); overlapping passwords between home and work accounts put both personal and professional information at risk; and you open yourself up to phishing and other targeted attacks.
Yes, this survey focuses on consumer passwords, but as we all know, there are no real boundaries between work and home anymore—that goes for passwords as well as devices. The survey found that 54 percent use the same passwords for personal and professional accounts. What the survey didn't appear to discuss was the use of passwords for BYOD. Consider this nightmare: you lose your smartphone, and most of the passwords for your applications are the same. Even if you are logged off the application (and again, how many people regularly log off when they are done using a favorite app?), if the criminal is able to figure out one password, there is a good chance of gaining access to just about everything on the phone. From there, it could lead to access to your work files, and down the slippery slope we go.
Password management is a lot more complicated than we want it to be, but as I mentioned in a previous post, no one seems to be clamoring for a better authentication system right now, so we really need to do a better job thinking about overall password hygiene. The reason is clear. The bad guys know exactly how vulnerable our password management is, and they aren’t hesitating to take advantage of it. As Chris Petersen, senior vice president of products, CTO and co-founder at LogRhythm, said in a statement:
Cyber threats are growing in volume and sophistication, and company employees are often the weak link within company defenses. User accounts and passwords are being harvested on the black market in support of active and future attacks.
Yes, unique passwords are a real bother. I don't like them any more than you do, especially since it seems like I'm creating a new online account once or twice a week. Options are available to help with password management (one of the other things the survey found was that the vast majority of us keep our password records in insecure locations), but the security of those options is still up for debate. If someone has a workable idea on how to improve passwords and password management while keeping it all secure, I'd love to hear it.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.