Why do we keep using bad passwords?

We have been using passwords and codes for hundreds of years, but still, it seems like our security thinking hasn’t evolved at all. A new survey from Qualtrics and Okta show that the user’s password-management is less than ideal.

For several years we have seen the lists of “most commonly used passwords”, and frequently it’s “123456”, “password” and “111111” that top the list. Other common passwords are ‘666666’, ‘654321’, ‘!@#$%^&*’, ‘charlie’, ‘password1’, and ‘donald’.

What’s more alarming though is that almost 40% of the people participating in the “Okta Business@Work 2019 Report” said they use the same 2-4 passwords for almost everything. Furthermore, a whopping 10% use the same password for everything! That means they use the same password for both their work-login and bank-app as for their Tinder account and Facebook-profile. If you think about a large number of hacks in recent years, you now see that a hacker easily can get access to far more places than the specific site they hacked. In fact, the study shows that 10 % of people have used one of the top 25 worst passwords (some of them stated above). So, a hacker doesn’t even need to hack a server to gain access to passwords. They can just try the ones on the list and they’ll be getting into far more places than they reasonably should in this day and age.

Of course, with all the information surrounding us today, remembering 10-20 different passwords, which should also be switched out regularly, is not an easy thing to do. This has caused a large number of users to write their password down. Unfortunately, they often keep it near their computer, so they always know where it is. More than half of the people in the survey store their password on either a piece of paper, on a sticky note, in a desktop file or the phone’s note-app. Neither of which can be considered very secure.

Luckily, there is also a huge rise in the use of multi-factor authentication apps and solutions. Even more satisfying is that a decreasing number of such systems are using SMS for the verification since SMS has been found very easy to reroute. The Okta-study shows that 70% of companies use two to four factors for authentication, and 29 % use more than four or more factors. This, however, increases the complexity for the users. And as we all know, complex systems are the mother of shadow-IT.

So, when choosing your multi-factor authentication system, security is not the only thing you need to consider. The users must find it easy to use, as well as feel that the system provides a reasonable level of security. A too complex system will both be frustrating to use and raise the question of why such a complex system is needed. In other words, you need to find a system that provides both security and simplicity of use. And please, find an app that can securely store your passwords so you don’t have to write them down on sticky notes and put on your screen.