How privacy and security concerns affect password practices

Yubico announced the results of the company’s 2019 State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute, who surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France.

Understanding behavior

The purpose of this study is to understand the beliefs and behaviors surrounding password management and authentication practices for individuals both in the workplace and at home. The goal was to understand if these beliefs and behaviors align, and why or why not.

The conclusion is that despite the increasing concern regarding privacy and protection online and a greater understanding of the best security practices, individuals and businesses are still falling short. Both parties are in dire need of solutions that will offer both added security and convenience.

“For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorized access. However, this multi-country research illustrates the difficulties associated with proper password hygiene,” said Stina Ehrensvard, CEO, Yubico. “With every new password breach that we see, it’s become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally.”

Key findings

Sixty-three percent of respondents say they have become more concerned about the privacy and security of their personal data over the past two years. Respondents reported being most concerned with Social Security number or citizen ID, payment account details and health information. The reason respondents reported being more concerned about their privacy was due to government surveillance (59 percent), and the growing use of mobile devices (51 percent) and connected devices (40 percent).

Almost half of respondents (47 percent) say their companies are most concerned about protecting customer information and 45 percent of respondents say they are most concerned about protecting employee information.

As cyberattacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing. More than half of respondents (51 percent) say they have experienced a phishing attack in their personal life, while 44 percent of respondents have experienced a phishing attack at work. However, while phishing attacks are occurring on a frequent basis, 57 percent of respondents who have experienced a phishing attack have not changed their password behaviors.

Approximately two out of three respondents (69 percent) admit to sharing passwords with their colleagues in the workplace to access accounts and more than half of respondents (51 percent) reuse an average of five passwords across their business and/or personal accounts. Furthermore, added protection beyond a username and password, in the form of two-factor authentication, is not widely used. Sixty-seven percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work.

It is increasingly clear that new security approaches are needed to help individuals manage and protect their passwords both personally and professionally. On average, respondents report having to spend an average of 12.6 minutes each week or 10.9 hours per year entering and/or resetting passwords. Based on the average headcount in this research of almost 15,000, we estimate the annual cost of productivity and labor loss per company averages $5.2 million annually.

Because managing passwords is inconvenient and cumbersome, 57 percent of respondents expressed a preference for passwordless logins that protect their identity. Fifty-six percent of respondents believe that a physical hardware token offers better security.