49% of workers, when forced to update their password, reuse the same one with just a minor change

Graham Cluley
@gcluley

We should all know by now that password reuse, and the credential stuffing it enables, is a big problem.

Many computer users make the mistake of trusting the same password to protect their different online accounts, not realising that if one site gets hacked, the leaked password may be the key that lets hackers break in elsewhere. Attackers don’t have to do this by hand: credential stuffing tools automatically replay databases of stolen username and password pairs against a site to see which combinations grant access.
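The automated replay described above, seen from the defender’s side, as an added example that is not part of the original post: a small Python heuristic that scans constructed authentication log lines (the log format, timestamps and IP addresses are my assumptions, not a real service’s) and flags source addresses that try many distinct usernames with mostly failures inside a short window. The thresholds are illustrative, not tuned for any particular site.

```python
"""Flag credential-stuffing activity in authentication logs.

Heuristic: one source IP trying many *different* usernames, mostly failing,
within a short window looks like an automated replay of a leaked credential
list rather than a user who mistyped a password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <source ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-12-23T10:00:01Z 203.0.113.7 alice FAIL
2019-12-23T10:00:02Z 203.0.113.7 bob FAIL
2019-12-23T10:00:02Z 203.0.113.7 carol FAIL
2019-12-23T10:00:03Z 203.0.113.7 dave FAIL
2019-12-23T10:00:03Z 203.0.113.7 erin OK
2019-12-23T10:00:04Z 203.0.113.7 frank FAIL
2019-12-23T10:00:05Z 203.0.113.7 grace FAIL
2019-12-23T10:00:06Z 203.0.113.7 heidi FAIL
2019-12-23T10:00:07Z 203.0.113.7 ivan FAIL
2019-12-23T10:00:08Z 203.0.113.7 judy FAIL
2019-12-23T10:00:09Z 203.0.113.7 mallory FAIL
2019-12-23T10:01:00Z 198.51.100.9 alice FAIL
2019-12-23T10:01:20Z 198.51.100.9 alice FAIL
2019-12-23T10:01:45Z 198.51.100.9 alice OK
2019-12-23T10:02:00Z 192.0.2.44 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, max_success_rate=0.2):
    """Return {source_ip: summary} for IPs whose behaviour looks like stuffing.

    For each IP a sliding window of `window` length is moved over its events;
    a window with at least `min_users` distinct usernames and a success rate
    of at most `max_success_rate` flags the IP. The summary reflects the last
    qualifying window, so it covers the whole burst in the sample above.
    """
    events = defaultdict(list)  # ip -> [(ts, user, ok)]
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            rate = successes / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "success_rate": round(rate, 2),
                    # logins that succeeded inside the burst: accounts whose
                    # (reused) password was in the attacker's list
                    "hits": sorted(u for _, u, ok in win if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

In the sample, 203.0.113.7 is flagged and `hits` names `erin`, the one account whose password was in the attacker’s list; that is the case where forcing a reset is justified, as opposed to a calendar-driven rotation. Per-IP counting alone is weak against an attacker who spreads attempts over a proxy pool, so in practice this is combined with per-account failure counts and a site-wide baseline of the normal failure rate.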

So it’s important to ensure that all your passwords are unique, as well as being impossible to guess and hard to crack.


But that doesn’t mean it’s good enough just to make a minor change to your passwords.

A survey of 200 people conducted by security outfit HYPR has some alarming findings.

For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.

Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users’ tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.

According to the survey, forgetting passwords is a big problem – with 78% of respondents saying that they had had to reset a password in their personal life within the last 90 days (57% said the same for the workplace). HYPR said that this was due to users’ forgetting their passwords, so I presume they are not including figures for users who have had password resets forced upon them due to a security incident.

I have over 1400 passwords, stored securely in a password manager. That means I don’t have to cram my brain with long, complicated, unique passwords, and can fill it up with something more interesting instead.

Trust me, when you have 1400 passwords like…

…it’s a big relief. (And no, that’s not one of my passwords)

I don’t use password rules to generate my password, because if someone works out your rule they can unlock your accounts.

And I don’t believe it’s a good idea to force users to change their passwords unless there’s a cause for concern. This survey appears to back up that belief, noting that many people might simply change “password1” to “password2” if asked to refresh their login credentials.

If you don’t need to change your passwords, maybe you shouldn’t.
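To make the “password1” to “password2” point concrete, here is an added Python example (mine, not the post’s or HYPR’s): a small set of mangling rules of the kind an attacker applies to a password they already hold, and a check of whether a proposed new password lies within a couple of rule applications of the old one. It generalises the single case in the text to case toggles, leet substitutions and common suffixes; the rule and suffix lists are an illustrative subset I chose, and real cracking rulesets are far larger.

```python
"""Is a 'new' password just a predictable mutation of the old one?

Someone holding a leaked password does not guess from scratch: they apply
cheap mangling rules (the kind found in hashcat/John rule files) to the old
value. If the new password lies inside that small neighbourhood, the change
bought nothing.
"""
import re

# Assumed, illustrative substitution and suffix tables (not a real ruleset).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
SUFFIXES = ["!", "1", "2", "123", "01", "2019", "2020", "!1"]
TRAILING = "!?.*#$@0123456789"


def base_variants(pw):
    """Passwords one rule application away from pw."""
    out = {pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()}
    # toggle the case of a single character
    for i, ch in enumerate(pw):
        out.add(pw[:i] + ch.swapcase() + pw[i + 1:])
    # bump or drop a trailing number: password1 -> password2 / password
    m = re.match(r"^(.*?)(\d+)$", pw)
    if m:
        stem, num = m.groups()
        width = len(num)
        out.add(stem)
        out.add(stem + str(int(num) + 1).zfill(width))
        out.add(stem + str(max(int(num) - 1, 0)).zfill(width))
    out.add(pw.rstrip(TRAILING))
    # append the usual suffixes
    for s in SUFFIXES:
        out.add(pw + s)
    # leet-speak in either direction
    for plain, sub in LEET.items():
        out.add(pw.replace(plain, sub))
        out.add(pw.replace(sub, plain))
    out.add("".join(LEET.get(c, c) for c in pw))
    out.discard("")
    return out


def neighbourhood(pw, depth=2):
    """All strings reachable from pw with at most `depth` rule applications."""
    seen = {pw}
    frontier = {pw}
    for _ in range(depth):
        nxt = set()
        for p in frontier:
            nxt |= base_variants(p)
        frontier = nxt - seen
        seen |= nxt
    return seen


def is_predictable_change(old, new, depth=2):
    """True if `new` is within `depth` cheap mutations of `old`."""
    return new in neighbourhood(old, depth)


if __name__ == "__main__":
    for old, new in [("password1", "password2"), ("password", "p@ssword"),
                     ("Summer2019", "Summer2020!"), ("password1", "xK9#vQ2pL!m4")]:
        print(f"{old!r} -> {new!r}: predictable={is_predictable_change(old, new)}")
```

With only two rule applications the neighbourhood of a typical password is a few thousand strings, a negligible cost for anyone who already has the old value; that is why a rotation that produces “Summer2020!” from “Summer2019” is, from the attacker’s point of view, no rotation at all. A password manager generating an unrelated random string sidesteps the whole problem, because there is no old value for the rules to start from.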

If you want to learn more about sensible password security, be sure to listen to this special “splinter” episode of the “Smashing Security” podcast, which we recorded back in early 2017.

'Passwords - a Smashing Security splinter'

Audio: https://aphid.fireside.fm/d/1437767933/dd3252a8-95c3-41f8-a8a0-9d5d2f9e0bc6/2946c0dd-0826-4340-9ea6-e30a0a48232a.mp3




Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

7 comments on “49% of workers, when forced to update their password, reuse the same one with just a minor change”

  1. Making a minor change, as opposed to a major change, isn't relevant. Changing even a single character creates an entirely new password, at least as far as authentication systems are concerned.

    The real problem is making a *predictable* change. Example: If the password to my email account is "password" and I change it to "p@ssword", that's a fairly predictable change and offers no benefit. "p@ssword" is predictable and frequently checked in dictionary attacks. Changing to "pass|word" creates a less predictable string of characters. It's less likely to be checked in a dictionary attack, and will definitely protect against credential stuffing. However, it is still very short, so it still offers little benefit should the site's password store be stolen and the attacker have the opportunity to run more thorough brute force attacks.

    If my password is "Tir,Lti2xs.-DA", which is relatively resistant to dictionary attacks and brute force attacks, then I should be able to make relatively minor and easy to remember changes that will still be unpredictable. Changing to "Tir,Lti2Xs.-DA" is a minor change but one that doesn't make the account less secure. Changing it to "Tir,Lti2xs.-DA2" doesn't really help much, because it's relatively easy to take a repository of good account credentials and add "1" or "2" to the end of the password if the credentials turn out to be invalid. Because that's a predictable change.

  2. The problem here is not the users. The users are making a *rational* response to a bad policy (requiring frequent password resets).

  3. Unless someone has a history of your password changes… e.g. some systems keep a history of old passwords to prevent reuse. Now, if someone stole the backups (because they may not be as secure as the production systems; see e.g. the Adobe password leak),

    they can try to work out your usual pattern to deal with the 3-monthly required password change, and figure out what your next/current password is likely to be.

    Really, just use a password manager and random passwords, so you can stop worrying about how predictable or not a specific system of managing passwords is…

  4. It's easy to say "just use a password manager". And maybe that works for you, if you have only one computer that you use. But it doesn't work well for us power users. On any given day I'm likely to use my iPhone smart phone, my Android tablet, my Windows laptop at work, my Linux workstation at home, and OpenBSD and Solaris on my servers. I have yet to find a password manager that will work perfectly on all of those platforms.

    I do not want to use any service that stores the passwords remotely, as I then have to trust the service providers involved. That is something I might do for some of my less-important passwords, but not for my critical ones.

    The only password manager I've found so far that works on all of the devices and platforms that I use on a daily basis is my brain.

    Eleanor

    1. You should look at how exactly the different password managers work. For example, the good ones synchronise across all devices but do NOT decrypt your passwords on the cloud (whatever that means). In other words, your password database is only decrypted on your devices and only when you need to fetch a credential set (ID+password). I, for one, don't trust my puny human brain to remember more than a couple of complex passwords, and it's proven time and time again that reusing passwords is the worst habit of them all.

  5. Just tweeted about this topic and came across your article on search. The problem is how people think – a minor change in my old password will solve everything – which is so annoying!
    https://twitter.com/Matrix3D_India/status/1209046758405263360?s=20
