We all should know by now that credential stuffing and password reuse are a big problem.
Many computer users make the mistake of trusting the same password to protect their different online accounts, not realising that if one site gets hacked that may provide the key for hackers to break in elsewhere. Malicious attackers don’t have to do this by hand; they can use credential stuffing techniques to automatically throw databases of stolen usernames and passwords at a site to see which combinations will grant them access.
So it’s important to ensure that all your passwords are unique, as well as being impossible to guess and hard to crack.
But that doesn’t mean it’s good enough just to make a minor change to your passwords.
A survey of 200 people conducted by security outfit HYPR has some alarming findings.
For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.
Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users’ tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.
According to the survey, forgetting passwords is a big problem – with 78% of respondents saying that they had had to reset a password in their personal life within the last 90 days (57% said the same for the workplace). HYPR said that this was due to users forgetting their passwords, so I presume they are not including figures for users who have had password resets forced upon them due to a security incident.
I have over 1400 passwords, stored securely in a password manager. That means I don’t have to cram my brain with long, complicated, unique passwords, and can fill it up with something more interesting instead.
Trust me, when you have 1400 passwords like…
…it’s a big relief. (And no, that’s not one of my passwords)
I don’t use password rules to generate my password, because if someone works out your rule they can unlock your accounts.
And I don’t believe it’s a good idea to force users to change their passwords unless there’s a cause for concern. This survey appears to back up that belief, noting that many people might simply change “password1” to “password2” if asked to refresh their login credentials.
If you don’t need to change your passwords, maybe you shouldn’t.
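As an added illustration (not from the original post or from HYPR's survey), here is the kind of server-side check a password-change handler can run to reject the “password1” to “password2” pattern: it compares the new password with the one the user has just typed to authenticate the change, using edit distance and a normalised “core word”. The leetspeak table and the distance threshold are assumptions chosen for the example.

```python
import re

# Minimal leetspeak and trailing-suffix rules: a constructed illustration,
# not an exhaustive list of the substitutions people actually use.
LEET = str.maketrans("@$013", "asole")
TRAILING = re.compile(r"[\d!@#$%^&*._\-]+$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core(pw: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation, undo common
    leetspeak, so that 'P@ssw0rd2024!' collapses to 'password'."""
    return TRAILING.sub("", pw.lower()).translate(LEET)


def trivial_variation(old: str, new: str, max_edits: int = 2):
    """Return a reason string if `new` is a trivial edit of `old`, else None.

    Run this at password-change time, when the user has just supplied `old`
    to authorise the change; a stored hash alone cannot support this
    comparison, and `old` must never be kept in plaintext afterwards.
    """
    if old == new:
        return "identical"
    d = levenshtein(old, new)
    if d <= max_edits:
        return f"only {d} edit(s) away from the previous password"
    if core(old) == core(new):
        return "same core word as the previous password"
    return None
```

A rejection here is a prompt to explain why, not a reason to shorten the rotation interval; the check only catches the increment habit the survey describes, it does not make a forced rotation policy worthwhile.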
If you want to learn more about sensible password security, be sure to listen to this special “splinter” episode of the “Smashing Security” podcast we recorded back in early 2017.