The vast majority of people are leaving themselves at risk of identity theft, fraud and extortion by not taking simple but necessary steps to protect themselves online, according to a new study from Cyber Streetwise.
The security awareness campaign, run by the UK government, discovered that 75% of survey respondents were failing to follow best practice guidelines when creating complex passwords for new and existing accounts.
More than 1 in 3 (35%) of those questioned said they struggle to remember strong passwords, which is unsurprising given that the average Briton now has 19 of them to remember.
95% percent of those surveyed said they take responsibility for their own security online. That’s a good thing, but 47% admitted using particularly unsafe passwords such as notable dates and the names of their pets.
It appears that the population is aware of the role it has to play in protecting itself, but is lacking in the ability or knowledge to take the necessary steps.
We can help with that! Here’s a little video on how to pick a proper password
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
With cybercrime as a whole posing a sizable challenge to the UK, the government has pledged £860 million over 5 years as part of its plan to enhance the country’s response to online security threats.
With public awareness of online security forming a key part of the government’s initiative, Karen Bradley, Minister for Modern Slavery and Organised Crime, said:
When passwords are compromised, financial and banking details can be stolen, causing problems for the person affected, for businesses and for the economy. There is an emotional impact caused by the loss of irreplaceable photos, videos and personal emails, but even worse, these can be seized to extort money.
We can and must play a role in reducing our risk of falling victim to cyber crime. Most attacks can be prevented by taking some basic security steps, and I encourage everyone to do so.
So, when choosing passwords, avoid words found in a dictionary as well as anything which could be associated with you as a person, such as the maiden names and the birth dates of yourself or members of your family.
Use 14 characters or more and mix up UPPER CASE LETTERS, lower case letters, d1g1t5 and \/\/@ckies.
You can use a password manager, such as LastPass or KeePass which will remember your ever-growing list of login credentials so you don’t have to.
Sophos is supporting the Cyber Streetwise initiative with tools, tips, videos and more.
Image of password courtesy of Shutterstock.
14 comments on “Average person has 19 passwords – but 1 in 3 don’t make them strong enough”
I’m an ordinary, relatively competent user – note, a user, not a developer or an IT guru. I’ve just tried to download Keepass, which of course is free, open source software. All my alerts and warnings went off, so I cancelled installation of what looks like a complicated, difficult, user-unfriendly system.
How on earth is an ordinary user supposed to do this without frightening themselves half to death, inadvertently downloading malware or getting confused? Seriously, this problem has arisen because all of you IT guys work in silos and can’t think laterally.
You broke it – you fix it. And this time, think across the economy.
Did you try one of the other popular password managers?
Open source software does sometimes suffer from what you might call technocracy. You only have to look at the way Linus Torvalds treats the people beneath him (he’s the guy after whom Linux is named, and who is still its head honcho) to realise that commercial software has its place 🙂
Disclaimer: I am an IT developer. (So I’ll overlook the implication that all the difficulties of using IT are my personal fault.) I recommend that you persist with KeePass, which I have used for many years now. (I have nearly 300 passwords in my safe.) It’s much easier to master than other software you probably use every day like Word, Excel or an e-mail app. I’d include the web link to the download page but I suspect that would be against Sophos policies. Not hard to find. If your security software is really throwing up red alerts for KeePass, then either that software is poorly informed or you already have a compromised system. (If the alerts are just the usual “Do you really want to download and run this executable”, then you get that message wherever the software comes from, and it’s there to try to stop websites from installing stuff you didn’t ask for.)
I’m not sure it’s fair to blame IT people entirely for the issue, any more than it’s fair to blame the end users. The horrific state of cyber security today, including passwords, is a tragedy of the commons (the commons here being our collective safety and resilience to exploitation).
Developers are under constant pressure to build things as fast as possible with the fewest resources. Most hate passwords and would love to see them go, but are never given the time, money, or access to other talent they need to do it. Passwords Passwords are cheap and easy to implement, and they’re familiar to end users and marketing departments. Doing anything else takes ingenuity no one wants to pay for, as well as massive back-end authentication infrastructure investment that almost no one’s willing to do.
Meanwhile many, maybe most users decide basic security precautions are too hard or cumbersome while also refusing to put any effort at all into using tools that would make it easier on them. Or even not signing up for sites they may not need which just add to that password pile. My 80+ year old grandmother with minor brain damage can use a password manager. We did have to try a few. Grandpa is very happy with KeePass, but that didn’t work for Grandma. I think we settled on 1Password for her.
The essential issue is that we’re highly reliant today on authentication, but have no real way of authenticating anyone. Passwords are the crutch we’ve been limping on for a long time because we can’t be bothered to fix that foot. I’d really like to see the US invest in a real authentication ID system like India did (and also like India, give them away for free because done right they’re a huge enabler of economic growth, especially for the poor). But we won’t do that because we’re cheap and lacking the will to do anything. It’s a lot easier to wreck a collective system or resource than it is to build and maintain one.
“Average person has 19 passwords”
This is why I think the whole username/password model of authentication has to go. We techies are asking more of the general public than is fair or practical. I’ve been in the computer business for almost 40 years now and I have a hard time dealing with this password nonsense. if the Information Society is to prosper we must find a better way.
I’ve been thinking about some kind of personal certificate based on the existing PKI infrastructure. I’m not a security expert and so I haven’t thought through all the details of how this might work, but I think it’s time to bring modern technology to bear. The username/password model has been around, almost unchanged, since the birth of computing. It’s time for a change.
While I agree with the sentiment, I think it’s not really feasible. Two-factor authentication (2FA) says you should have at least two of these:
* Something you know (a password)
* Something you have (a phone or token)
* Something you are (fingerprint, etc.)
Unfortunately, eventually we’re going to need all 3. But even today, a password is almost always one of the 2 in 2FA simply because it’s the most technologically feasible of the 3. It’s relatively easy to implement correctly (compared to the other two).
You are correct, but I can’t see any way around the problem with current technology (and current technology costs).
“if the Information Society is to prosper we must find a better way.”
There’s actually a trend in that direction–towards a shared password scheme. Many sites let you create your own password–OR sign in with a Facebook password. (Well, maybe that wasn’t the best example…)
But other similar schemes have emerged. I recently discovered that my VoIP and broadband provider (AT&T U-verse) and my webmail provider (Yahoo!) are using a common password when I changed one and got locked out of the other. 🙁 I wonder if they are using a Radius server or something similar. It certainly makes things easier for AT&T to leave the security problems to Yahoo!.
Google and Microsoft also appear to be pursuing common password schemes.
That somebody can do it does not mean that everybody can do it.
At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Indeed. There was an interesting scheme used for a time on a secure website I visited. When you created your account you could upload a thumbnail image or select one from their collection.
Upon later logins you were challenged to select the correct thumbnail from a collection. If I remember correctly, this was subsequent to password validation, so it doesn’t solve the problem, but it’s a step in the right direction.
One problem is often the log-in page Itself. Far too many, including some big banks, don’t permit anything but alpha-numeric characters, and/or limit the length of the password to a ridiculously low figure.
This is the way it was, but not so much any more. My bank PW is strong and long. I suspect the better hackers and criminals get, the longer and stronger banks will require.
If not for our benefit, then to prevent lawsuits.
Only 19 passwords? Wow.. I thought it will be more. I have about 100 of them and without a password manager I will be lost. I use Sticky Password but I know there are also others like mentioned in the article.
Yeah, but the people who reads security blogs aren’t exactly normal computer users. And, those who post comments are probably even further from the norm.
Well I must the be most frequent user of my computer (sarcasm). Am I to believe that in 2014, folks get “scared” when an error or message pops up on their screen? Windows or OS/X message that details what you need to per the description on the message? Really?
Come on, you don’t need to be an “IT guru” when a windows message says “Do you want to run this application?” If you press No, the message goes away. If you press Yes, the application will run.
I know that most just want to look at Netflix and steal movies, but all you have to do is remember some letters and numbers. You went to school for over 12 years and all you are required to do is remember to pay your light bill and remember letters and numbers for a password people. the system was simple in the beginning for a reason. If it was to be more difficult, how could the masses catch up?