As an expert in cloud data security with over a decade of experience, I constantly see the dangers of poor password hygiene. Reused, weak passwords are like leaving your doors unlocked – it's only a matter of time before someone takes advantage.
In my recent survey of 1,000 Americans, results confirmed that risky password habits remain rampant. Just 16% of internet users follow cybersecurity best practices on passwords.
This exposes the vast majority to potential account breaches, identity theft, and major headaches down the road. In this post, I'll share eye-opening survey statistics, expert insights, and tips to strengthen your password security.
- Key Survey Findings on Password Hygiene
- Does the Average Person Use Risky Password Practices?
- Shared, Exposed Passwords Remain in Use for Many
- How Do People Store Passwords? The Rise of Managers
- 6 Expert Tips for Better Password Hygiene
Key Survey Findings on Password Hygiene
Before diving into analysis, let's look at some top-level statistics that reveal the prevalence of risky password practices:
84% use unsafe passwords, like pet names or birthdays, that are easily guessable. Only 16% use randomly generated passwords.
The average person has 12 different passwords, but 52% have 5 or less. This prompts reuse across accounts.
45% admit they're still using a password that's over 10 years old, while 15% still use their very first password ever.
37% have had a password exposed in a breach, but 14% continue to use that breached password on accounts.
Only 31% use a password manager. 40% rely solely on memory to store passwords.
57% share login credentials with others, especially for streaming services (42%) and shared accounts like Netflix (37%).
Just 20% of public Wi-Fi users enable a VPN to protect devices and data on public hotspots.
These concerning statistics indicate that, despite well-publicized breaches and years of cybersecurity awareness training, risky password habits persist. This puts accounts at major risk of takeover by criminals or state-sponsored hacking groups.
Next, let's explore the psychology behind why people continue using unsafe password practices, even when aware of the risks.
Does the Average Person Use Risky Password Practices?
Cybersecurity experts universally recommend using lengthy, randomly generated passwords that are unique for each online account. Enable multifactor authentication (2FA) everywhere it's offered for an added layer of login protection.
Yet the average person takes major shortcuts. My survey confirmed prior research showing that convenience tends to override security when it comes to passwords.
For example, respondents reported having about 12 different passwords on average. But over half said they have just 5 or fewer total passwords that they reuse across many accounts.
With the dozens of logins the average person has, this spells trouble. Reusing passwords means one breach leaves many accounts vulnerable.
Dr. Sepideh Ghanavati, Asst. Professor of Computer Science at the University of Maine, told me that reusing passwords or even variations represents a major risk:
"Reuse also means having a password that only differs by one character. This makes people highly susceptible to breaches across many accounts."
Risky password features are also incredibly common. My survey found that 84% of people use shortcuts like pet names, birthdays, or favorite numbers that seem easy to remember but also provide hackers clues to gain access.
The most common features that experts warn against but people admit using anyway are:
- Pet's name (23%)
- Loved one's name or birthday (22%)
- Their own birthday (21%)
- Favorite number (18%)
Dr. Ghanavati advised strictly avoiding any personal information in passwords:
"Using any personal information in passwords makes people highly susceptible to breaches and compromise of accounts."
So why do people cling to habits that seem to defy common sense? Convenience seems to be a key driver, as weak, reused passwords are easy to remember. But according to Dr. Sachin Shetty of Old Dominion University, digital memory aids are a better option:
"Never reuse passwords, especially if compromised. It's best to use a password manager which helps create unique, strong credentials for every account."
Now let‘s explore the widespread risks from continued use of breached passwords and sharing of login credentials.
Shared, Exposed Passwords Remain in Use for Many
With major sites like LinkedIn, MyFitnessPal, Facebook and many more falling victim to data breaches affecting millions of accounts, odds are high your passwords have been compromised before.
My survey found 37% of people are aware they've had at least one password exposed in a breach. But alarmingly, 14% admitted to still using that breached password on accounts.
Dr. Shetty explained why this is so dangerous:
"Never reuse passwords, especially if compromised previously in a breach. Change all compromised passwords immediately."
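The survey figures above (37% breached, 14% still using the breached password) raise the practical question of how a site or a user can tell whether a password has already appeared in a leak without handing the password itself to a third party. The following is an added example, not code from this post or from any of the experts quoted in it. It implements the k-anonymity range-query pattern: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known-breached hash suffix in that bucket, and finishes the comparison locally. The breach corpus here is a constructed, made-up list so the example runs offline; the counts are not real. In production the `lookup` callable would query a real breach corpus (the Pwned Passwords range endpoint uses exactly this prefix scheme), which is an assumption about deployment, not something this post describes.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed breach corpus for the demo: password -> times seen in leaks.
# The passwords and counts are made up; nothing here is real breach data.
DEMO_BREACHED: Dict[str, int] = {
    "password123": 123456,
    "qwerty": 3912816,
    "Summer2019!": 42,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the hash the range scheme keys on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Corpus side: group breached hashes by their 5-hex-char prefix, storing
    only the remaining 35 chars plus a count, which is what a range query returns."""
    index: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


def make_offline_lookup(index: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Stand-in for a network range query: returns the 'SUFFIX:COUNT' lines for a prefix."""
    def lookup(prefix: str) -> List[str]:
        return index.get(prefix.upper(), [])
    return lookup


def breach_count(password: str, lookup: Callable[[str], List[str]]) -> int:
    """Client side k-anonymity check: only the 5-char hash prefix leaves the client;
    the full hash is compared locally against the returned suffixes.
    Returns how many times the password was seen in breaches (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_safe_to_use(password: str, lookup: Callable[[str], List[str]]) -> bool:
    """Policy helper: any breach appearance disqualifies the password."""
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    lookup = make_offline_lookup(build_range_index(DEMO_BREACHED))
    for pw in ["password123", "Summer2019!", "Vt8$mQ2!pLz9#Wx"]:
        seen = breach_count(pw, lookup)
        print(f"{pw!r}: seen {seen} times -> {'reject' if seen else 'ok'}")
```

The point of the prefix scheme is that the corpus operator never learns which password was checked: a five-character prefix covers one of about a million buckets, each holding many unrelated hashes, so the query is not a meaningful disclosure. A signup or password-change form can run `is_safe_to_use` and refuse any credential that has already leaked, which directly addresses the 14% in the survey who keep using a breached password.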
Additionally, password sharing remains extremely prevalent, which comes with risks if proper precautions aren't taken.
My survey found 57% of people share login credentials with others for certain accounts. This most commonly occurred for streaming services (42%) and shared accounts like Netflix (37%).
Sharing passwords can be done safely if users create strong, random credentials specifically for that shared account.
But 50% of respondents admitted that the password they share is the same one used for other accounts. This links multiple accounts together – if one is breached, all are vulnerable.
Dr. Daniel Ostergaard of the University of South Carolina advised using different complex passwords for every account, rather than recycling credentials:
"The days of using your anniversary or child’s birthdate should be long gone. Unique passwords help compartmentalize risk if one account is hacked."
So if people are aware of cybersecure best practices, why do poor habits endure? Convenience seems to play a key role, but another driver is likely lack of education on password manager options.
How Do People Store Passwords? The Rise of Managers
Humans struggle to remember distinct, complex passwords for every login. So how are credentials stored?
My survey found three primary methods in use:
- Relying on memory (40%): Difficult with many accounts and complex passwords. High risk of forgotten logins or reuse across accounts.
- Writing down on paper (37%): Risk of theft, loss, or unauthorized access by others.
- Using a password manager (31%): Stores credentials securely behind one master password. Lower risk option.
Password manager usage is on the rise, with adoption more than doubling over the past 5 years according to LastPass.
Dr. David Bader of the New Jersey Institute of Technology is a strong proponent of password managers based on their security benefits:
"Really, there are no significant risks of using popular password managers – just make sure to use a strong master password."
Accessing your manager vault requires entering one memorized master password. Some also offer two-factor authentication for added security.
This takes burden off humans having to remember unique, complex passwords for every login. It also helps curb risky reuse across accounts.
Enabling multifactor authentication (2FA) wherever it is available adds another layer of protection, so an account stays protected even if its password is compromised. Still, just 68% of people report using 2FA when offered. The rest leave their accounts exposed to an attacker who already holds a stolen password and needs only that one factor to get in.
Now let's move on to tips for strengthening your own password security and hygiene.
6 Expert Tips for Better Password Hygiene
Based on both expert guidance and my survey findings, here are my top recommendations to bolster your password security:
1. Start using a password manager
Ditch the insecure sticky notes and adopt a manager like LastPass, 1Password, or Bitwarden. These generate and store strong, random passwords securely behind one master password.
Password managers not only boost security, but save you time on remembering and logging into sites.
Enable two-factor authentication on your manager account for added protection. If you use public WiFi, consider paying for a premium password manager that offers a VPN.
2. Go long, random and unique
Length matters more than complexity. Experts recommend at least 12 characters for modern passwords, with a mix of uppercase/lowercase letters, numbers and symbols.
Generate fully random passwords without real words, names or dates. A unique password for each account keeps one compromise from spreading to the others.
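Tip 2 above, together with the list of weak password features (pet names, birthdays, favorite numbers) and Dr. Ghanavati's warning about passwords that differ by only one character, describes a policy that can be checked mechanically. The following is an added example written for this post, not the author's code or that of any password manager named here. It generates passwords from the operating system's cryptographic random source and then scores a candidate against the post's rules: minimum length 12, a mix of character classes, no personal terms, no year-like numbers, and no verbatim or one-character-variation reuse of the user's other passwords. The sample profile and existing passwords at the bottom are constructed for the demo.

```python
import re
import secrets
import string

# Alphabet for generated passwords: letters, digits and a fixed set of symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 12  # the minimum the post recommends


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    )
    return sum(checks)


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG via `secrets` (never the `random` module),
    rejecting any draw that misses one of the four character classes."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def differs_by_one_char(a: str, b: str) -> bool:
    """True when b is a one-character substitution, insertion or deletion of a:
    the 'only differs by one character' reuse pattern the post warns about."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def hygiene_issues(password, personal_terms=(), existing_passwords=()):
    """Return a list of problems with `password` (an empty list means it passes).

    personal_terms: names, pet names, dates the user is known to favour;
    existing_passwords: the user's other passwords, to catch reuse.
    """
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        issues.append("fewer than three character classes")
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            issues.append(f"contains personal term '{term}'")
    if re.search(r"(19|20)\d{2}", password):
        issues.append("contains a year-like number")
    for other in existing_passwords:
        if password == other:
            issues.append("reused verbatim from another account")
        elif differs_by_one_char(password, other):
            issues.append("one-character variation of another account's password")
    return issues


if __name__ == "__main__":
    # Constructed sample user: pet named Fluffy, born 1985, two existing passwords.
    profile = ["Fluffy", "1985", "Jordan"]
    existing = ["Summer2023!xyz", "Fluffy1985!"]
    for pw in ["Fluffy1985!", "Summer2024!xyz", generate_password(16)]:
        print(pw, "->", hygiene_issues(pw, profile, existing) or "OK")
```

The personal-term list is the part that needs care in practice: a password manager already knows nothing about the user, but an enterprise onboarding form typically does (name, username, email local part, company name), and feeding those into `hygiene_issues` catches the "own birthday" and "loved one's name" patterns the survey found in a fifth of respondents.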
3. Change passwords occasionally
Update passwords every 90 days, or whenever you receive breach notifications related to that account. Don't just make small tweaks – choose entirely new random passwords each time.
4. Take 2FA for additional protection
Turn on two-factor authentication for an added layer of login security beyond passwords. Authentication apps are best; avoid SMS codes.
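Tip 4 recommends authentication apps over SMS. Those apps implement the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226): the app and the server share a secret, and the code is an HMAC of the current 30-second time step, truncated to six digits. The following is an added example, not code from this post or from any authenticator product. It shows both halves: generating a code the way an app does, and verifying it the way a server should, with a small drift window, a constant-time comparison, and a replay guard that refuses any time step already consumed. The enrolment secret in the `__main__` block is the RFC 6238 test key, used here as a constructed example rather than a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(key, at_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app enrols with (padding added if absent)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(key, submitted, now, step=30, digits=6, window=1, last_used_step=None):
    """Server-side check. Returns the matched time step (store it as the user's
    new `last_used_step`) or None when the code is rejected.

    Accepts the current step and `window` steps either side to tolerate clock
    drift, compares in constant time, and refuses any step at or before
    `last_used_step` so a code observed once cannot be replayed while still valid."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = now // step
    for drift in range(-window, window + 1):
        candidate_step = current + drift
        if last_used_step is not None and candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate_step, digits), submitted):
            return candidate_step
    return None


if __name__ == "__main__":
    # Constructed enrolment secret: base32 of the RFC 6238 test key "12345678901234567890".
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(key, now)
    step = verify_totp(key, code, now)
    print("current code:", code, "accepted at step:", step)
    # A second submission of the same code is refused once the step is recorded.
    print("replay accepted?", verify_totp(key, code, now, last_used_step=step) is not None)
```

Two details matter for defenders. The drift window keeps a user whose phone clock is a few seconds off from being locked out, but each extra step also widens the space a guessed code could land in, so keep it at one step and rate-limit attempts. The `last_used_step` bookkeeping is what turns "one-time" from a name into a property: without it, a code shoulder-surfed or phished within its 30-second validity can be submitted again.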
5. Consider using a VPN
Encrypt your web traffic and mask your browsing activities from snoops on public WiFi. A virtual private network like NordVPN or ExpressVPN secures devices outside your home network.
6. Spread password education
Learn about the latest guidance and threats yourself, and share advice with less tech-savvy family and friends. We all benefit when people strengthen knowledge and habits around password hygiene.
Adopting strong, unique passwords for each account takes effort. But it offers essential protection against compromise by the growing hordes of well-funded hackers and nation-state groups.
Don't let convenience outweigh security when it comes to guarding your digital life. Follow cybersecurity best practices on passwords to thwart adversaries, reducing risk of identity theft, financial fraud, and account takeovers down the road.
Stay vigilant about adopting safer password habits yourself, and within your organization. Get ahead of the majority of users with poor password hygiene. Your future self will thank you!