It’s been studied by behavioural scientists and computer security experts. It happens when users are bombarded with security warnings and demands for compliance. As a result, the studies show, three-quarters of computer users know how to make strong passwords but don’t practice what they know. It just seems too overwhelming.
Average users have dozens of accounts that require logins and passwords.
“We’ve been coming to realise that we’ve been asking people unreasonable things in terms of passwords,” said Dr Lujo Bauer of the school of electrical and computer engineering at Carnegie Mellon University in Pittsburgh.
“It’s not possible to create 100 strong passwords that are unique and actually remember them. It’s even worse if we have to periodically change them,” he said.
A government study titled Security Fatigue argues that users feel it’s gotten too hard to maintain adequate security, so they’ve become careless. Security may be getting worse.
“Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security,” said the study by the National Institute of Standards and Technology, a unit of the Commerce Department.
It’s not just average users. Silicon Valley companies reuse the same simple password for multiple websites, a big problem for computer security.
Mark Zuckerberg’s Twitter and Pinterest accounts were hacked in June. His password for both accounts was “dadada,” according to the hackers.
Hillary Clinton campaign Chairman John Podesta’s Twitter account, his iPhone and his iPad were hacked recently. He apparently used the same password for his Apple ID and Twitter.
Concern about online security grows apace with the frequency and volume of hacks of retailers, banks, social media and other sites that let vast numbers of passwords fall into the hands of hackers. So far in 2016, more than 500 million passwords have been leaked, according to a study from LastPass, a password managing product.
“What you hear about is just the tip of the iceberg. People don’t even know that they’ve been hacked,” said Joe Siegrist, vice president of LastPass.
“It’s probable that everybody in the United States has lost a password or had one stolen, and they don’t even know about it,” Bauer said.
The problem is that if you reuse a password and it is stolen from a site that was hacked in the past year or so, bank or social media accounts could be at risk, experts said.
LastPass arranged a survey of 2,000 adults in the United States and five other developed countries to explore their password habits, and found that 91 percent know there is a risk to reusing passwords but 61 percent continue to do so.
“It’s a bit like all the people have their teeth falling out, and we say, ‘Use a toothbrush,’ your dentist is screaming at you, ‘Use a toothbrush,’ and you refuse to do it,” Siegrist said.
What users do, according to the survey, is prioritise their accounts, using stronger passwords for financial websites (69 percent) and weaker ones for social media (31 percent) and entertainment accounts (20 percent).
“If users are using the same or similar passwords across accounts — which a majority of respondents indicated — then they are also essentially handing the key to hackers to access their most critical information when they attack another, less important account,” the survey said.
Hackers are using algorithms to check stolen passwords and simple variations of them on other accounts, Bauer said, looking for variations that simply add exclamation points, pound signs and asterisks to the end.
The LastPass survey brought bad news for businesses: A third of respondents say they create stronger passwords for their personal accounts over work accounts.
Experts agree on asking users not to reuse passwords but disagree on what users should do for adequately strong passwords.
The LastPass survey called for “unique passwords that contain a minimum of 12-14 characters made up of numbers, letters and symbols.”
“If you make a password long, it’s strong,” Siegrist said. “The complexity explodes as you get longer.”
But maybe lengthy passwords aren’t needed, others said.
“An eight-character password is more than sufficient for your online account, because your account will get locked up after three or four attempts,” said Christopher Soghoian, a technologist with the American Civil Liberties Union and a visiting fellow at Yale Law School’s Information Society Project.
Companies that demand that employees change their passwords routinely may be exposing their networks to greater risks, Bauer said.
“The security is fairly dubious,” he said. “There is anecdotal evidence that it results in lower security because it makes people write down their passwords.”
Computer users create their passwords in secret, and despite the wishes of computer security experts, users often choose the easy way.
“If any security function requires a user to change the way they work, in this world of ‘Apple easy’ we find workarounds, or we just ignore security for the sake of ease,” said V Miller Newton, chief executive of PKWare, a Milwaukee-based vendor of data encryption software.
Password managers — low-cost or free programs that store encrypted passwords for all of a user’s accounts and require the user to remember just one master password — are widely recommended but have their own complications. Users must migrate account information into them.
“I’m still moving my life over to a password manager, and I’ve had one for three years,” Soghoian said. —McClatchy Washington Bureau/TNS
