A week or so ago, research firm SplashData released its annual list of worst passwords. It’s pretty sad how, year after year, breach after breach, warning after warning, Internet users continue to use the same weak passwords.
Even though there are a few new ones this year, like baseball and football, most of them are the familiar number and letter patterns, as well as that old standby “password.” Have we learned nothing about the relationship between passwords and security?
Apparently not, according to two recent studies that focused on our attitudes toward passwords.
The first, from Software Advice, found that 44 percent of employees aren’t sure their passwords are secure. According to the study, “Password Use in the Workplace,” it looks good on the surface that a majority of users feel comfortable with the strength of their work passwords, but that majority is still pretty slim considering how often passwords are stolen or just plain guessed in order to break into someone’s network or files.
The Software Advice survey also revealed an interesting paradox. Remembering that this study focused on workplace passwords, it found that only 31 percent of users admitted to using the same password across different platforms and sites. But as the researchers pointed out:
What is startling, however, is that the figure is so low. According to a November 2014 report by network security provider RSA and the Ponemon Institute, 69 percent of consumers admit to reusing the same password on more than one device or website.
Why the discrepancy? The study guesses it could be that workplaces don’t allow the same password to be used more than once – and I know that in my last office job, the different systems that required a password login were constantly making me change my password at different intervals while not allowing me to reuse old passwords – or it could be that we use fewer passwords at work than for personal use. My vote is with the former idea; I’d like to know how many of those work passwords are also used for non-work purposes, just to make life easier.
The second study came from SailPoint, and this one was truly disturbing. It showed that many of us would have no qualms about selling our passwords if the price is right. And apparently, that price is about $150.
It’s also interesting because it contradicts the Software Advice figures: 56 percent admitted to some password reuse in the workplace. Based on the Ponemon number, I suspect this figure is probably the more realistic one.
In a formal statement, Kevin Cunningham, president and founder of SailPoint, said:
Just think of the major breaches that occurred in 2014 requiring users to change their passwords on social media. If those were the same passwords being used to access mission-critical applications, it’s very easy for hacking organizations to take advantage and get into more valuable areas. The fact is that password reuse poses a significant risk to any organization.
I get that coming up with unique and strong passwords can be a real pain, but surely, by now, we’ve gotten better than Password1234.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba