Password handling: challenges, costs, and current behavior
Online passwords are a pain, and not just when you have to type them to access your online bank account or shop at your favorite digital emporium. Password pain extends to the people who have to manage them. A few weeks ago we shared some initial findings from a recent poll of 2,129 U.S. adults (aged 18 and over) conducted for ESET by Harris Interactive.
Consider how people react to a request to change their online password. Here’s how people answered when we asked: If a social media site or online company with whom you have an account requests that you change your password, which of the following would you most likely do?
- Always change my password: 31%
- Sometimes change my password: 19%
- Ignore the request: 18%
- Contact company to see if request is genuine: 32%
In other words, a company asking its online account users to change their password can only count on 3 out of 10 them making the change. Half of the requests will either be ignored or, in a reflection of the sad state of online trust, generate some sort of customer service contact seeking verification of the request.
This finding provides a fresh way of looking at the cost of distrust. If a security breach creates a need to request 3 million users to reset their online passwords, you could be looking at 1 million unbudgeted customer service contacts. If you can keep average cost per contact as low as $1 that is still a $1 million bill.
Switching to a user perspective on passwords, I think many of us share the feeling that password changing is burdensome. That burden can mean passwords are not changed as often as they should be to properly protect accounts.
Nevertheless, our survey revealed that some people are making an effort. We asked “How frequently do you change the password for the online account you use most often?” Here’s a breakdown of the responses:
- About once a year: 46%
- About once every 6 months: 31%
- At least once a month: 8%
- Never: 16%
Of course, when you map those frequencies against the current levels of online attack they might not seem adequate, but frankly they are better than I expected (I would like to research the extent to which some of these changes were due to the online account itself forcing a change, as opposed to the self-motivated diligence of the respondents).
The need to create and manage more and more passwords is one of the distinct downsides to living your life online. When it comes to password creation we all have our own strategies but in the survey we tried to get a sense of the elements people were using. We asked: “Which of the following do you use when creating a password for an online account?”
- Something unique and random: 39%
- Familiar name (e.g. of person, pet, or place): 21%
- Name of a location: 6%
- Sports team: 5%
- Something else: 37%
- Decline to answer: 19%
Again, I think these numbers are somewhat encouraging. The use of a familiar name is too high, but the number of people who were using something random, unique, or outside of the other categories was better than I expected. I also liked that almost 1 in 5 people declined to answer. The responses were pretty much the same across different demographic groups but, perhaps not surprisngly, men were more likely than women to use a sports team (7% to 4%). Women more likely to use a familiar name than men (24% to 16%).