Slashdot Mirror


The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."

6 of 210 comments

  1. Passwords exist by Anonymous Coward · Score: 2, Informative

    That's the reason.

    1. Re:Passwords exist by thsths · Score: 3, Informative

      Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.

      You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).

      Millions of little websites still use passwords.

    2. Re:Passwords exist by tburkhol · Score: 3, Informative

      We can download a password manager for free. Authentication token managers are going to cost money, with the price depending on how many authentication tokens you need them to manage.

      You can get a U2F USB token about the size of your house key for $8 that will manage as many separate authentications as you like. For $50, you can get one with NFC that will talk to your phone.

      They look like a great system now, until you lose the physical token. If they ever become popular, then I'm sure there will be techniques to subvert them - MITM, phishing or misdirection - I'm not smart enough to guess. If they ever become popular, then I'm sure the 'lost token' problem will frequently be solved by having a password backdoor around the token.

  2. Re:The author has a certain level of understanding by Anonymous Coward · Score: 3, Informative

    I'm pretty sure that most employees who are forced to pick new passwords once/month just use something like:

    Password@7/16
    Password@8/16
    Password@9/16

    This meets all of the upper/lower/digit/symbol requirements, and it never repeats.
    I also think the ones that don't use this method just write the password down on a post-it note that they keep in the office.
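
A defender-side check for the rotation pattern described in the comment above, added here as an example that is not from the original page: the rotated passwords pass the character-class rule, so a password-change validator also has to compare the candidate against the account's history. The weak-word list and the password history below are constructed sample data.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (not from the page): a tiny hypothetical stop-list of
# base words and the last two passwords one fictional account rotated through.
WEAK_STEMS = {"password", "welcome", "letmein"}
HISTORY = ["Password@7/16", "Password@8/16"]


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """The classic upper/lower/digit/symbol rule that Password@9/16 satisfies."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def stem(pw: str) -> str:
    """Drop the parts people rotate (digits, dates, symbols); keep the base word."""
    return re.sub(r"[^a-z]", "", pw.lower())


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def validate_change(new: str, history: list, threshold: float = 0.75):
    """Return (accepted, reason) for a proposed password change."""
    if not meets_complexity(new):
        return False, "fails length or character-class rule"
    if new in history:
        return False, "exact reuse of a previous password"
    s = stem(new)
    for old in history:
        # Password@8/16 -> Password@9/16 keeps the base word and ~92% of the text
        if s and s == stem(old):
            return False, "same base word as a previous password"
        if similarity(new, old) >= threshold:
            return False, "too similar to a previous password"
    if s in WEAK_STEMS:
        return False, "base word is on the weak-word list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password@9/16", "Tangerine-Lamp-Quilt-42"):
        print(candidate, validate_change(candidate, HISTORY))
```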

  3. Long story short by wonkey_monkey · Score: 2, Informative

    Begin article.

    Passwords are a chore to remember. People are lazy.

    End article.

    --
    systemd is Roko's Basilisk.

  4. Re:A password should NOT contain a mix of characte by shilly · Score: 3, Informative

    There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.