Consumer views and behaviors on creating and using passwords

17% of consumers would rather watch paint dry than create a unique password for every service they use, an Onfido survey reveals.

The study polled more than 4,000 consumers in the United States, the United Kingdom, France and Germany on their password habits, attitudes and more.

Despite widely recognized security risks, passwords remain the de facto standard for user access and authentication for online applications, with the average person having 100 passwords. Survey results indicate many consumers find password creation cumbersome, and widespread poor password hygiene could put consumers and the brands they engage with at risk.

People would rather get a root canal

Consumers would rather do mundane, uncomfortable and, in some cases, painful activities than create a unique password for every online account they have.

Seventeen percent of respondents would rather file their taxes. One in 10 people would rather get a root canal or colonoscopy, and 15% of respondents would rather wait in line to update their vehicle registration or driver’s license (e.g. at the DMV or RMV).

Many predict a no password future is imminent

Fifty-eight percent of respondents predict that passwords will be extinct within nine years or less, with 40% predicting in five years or less.

58% say they would use biometrics (i.e., fingerprint or facial biometrics) in place of a password for all of their accounts if the brands and services they used offered it.

Bad password habits persist among consumers

Fifty percent of people globally reuse passwords (17% use only one for all accounts; 33% use a handful rotated across all accounts).

One in five people have a core password that they adapt to meet brands’ password strength requirements (such as character length, special characters, etc. – a well-recognized best practice for protecting accounts from bad actors that use tactics like credential stuffing that capitalize on repeat passwords).

Consumers prioritize tough-to-crack passwords

When coming up with new passwords, 29% of consumers say creating passwords that are hard to crack is a top priority. One in four say meeting the requirements of the service they are interacting with is top priority, while nearly 18% prioritize simplicity and about one in 10 prioritize it matching other passwords.

22% use birthdays as inspiration for passwords, while 19% use pet names, 19% use family names, 14% use a hobby, 12% use time of year (seasons, months, year), and 10% use their mother’s maiden name, sports teams, street names/addresses, and phone numbers. Stealthy hackers can find much of this information about a given person online with just a few searches, which put consumers at risk.

Accounts within specific industries prioritize password complexity

The survey also asked consumers to rate the importance of having a complex and secure password versus a simple and memorable password for accounts within specific industries (on a scale of “1” being simple and memorable and “5” being complex and secure). 57% selected complex and secure for banking, 47% selected the same for crypto exchanges, software or services used for work (48%), and home security applications (48%).

35% prioritize password complexity and security for online health services and gambling/betting (35%), and 28% make password complexity and security a priority for travel applications, online education (25%), gaming platforms (24%), and food delivery (21%).

“Passwords are an insufficient form of authentication because the onus lies on consumers to remember them and ensure their complexity. With today’s fraudsters carrying out highly sophisticated attacks using data from the dark web, even the lengthiest and seemingly strongest passwords can be relatively easy to hack,” said Sarah Munro, Director of Personal Identity at Onfido.

“A better, more secure path forward is for organizations to invest in biometrics-based technology that can offer a more convenient and secure experience for consumers.”

According to Forrester’s Q3 2020 survey, 46% of respondents already use passwordless authentication for popular consumer websites, while 51% of consumers believe biometric login should be optional for mobile apps.