The psychological reasons behind risky password practices

Despite high-profile, large-scale data breaches dominating the news cycle – and repeated recommendations from experts to use strong passwords – consumers have yet to adjust their own behavior when it comes to password reuse.

A Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Your personality will determine why – but not how – you get hacked

When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. Among key findings around personality types and online behavior, nearly half of respondents who identify as a Type A personality do not believe that they are at an increased risk from reusing passwords because of their own proactive efforts, which implies their behavior stems from their need to be in control.

In contrast, more than half of respondents who identify as a Type B personality believe they need to limit their online accounts and activities due to fear of a password breach. By convincing themselves that their accounts are of little value to hackers, they are able to maintain their casual, laid-back attitude towards password security. This suggests that while personality type didn’t factor into the end result of poor password habits, it does provide insight into why people behave this way.

Password paradox: You know it’s bad but you do it anyway

The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it.

Only five percent of respondents didn’t know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk.

What consumers prioritize when it comes to passwords

Consumers continue to fall short in their password creation. The survey findings show that when attempting to create secure passwords, 47 percent of respondents included family names or initials. Another 42 percent included significant dates or numbers and 26 percent used the family pet – all information that is generally easily obtainable through social media sites or a casual acquaintance.

Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).

While it may seem counterintuitive to prioritize all of these accounts at the same level, the Identity Theft Resource Center reports that just 21 financial institutions have been breached in 2016 out of more than 657 businesses. If passwords are being reused across accounts, cybercriminals who hack a lower-prioritized account can easily gain access to something that is more critical, like a savings or credit card account.

“Developing poor password habits is a universal problem affecting users of any age, gender or personality type,” says Joe Siegrist, VP and GM of LastPass. “Most users admit to understanding the risks but continue to repeat the behavior despite knowing they’re leaving sensitive information vulnerable to potential hackers. In order to establish more effective defenses, we need to better understand why individuals act a certain way online and a system that makes it easier for the average user to better manage their password behavior.”
