Can you manage your passwords? Survey shows many feel overwhelmed yet overconfident about it

midian182

Facepalm: The connected world we live in means that most people manage numerous account credentials, and the majority feel overwhelmed by them. The finding comes from a recent survey, which also revealed that many are overconfident when it comes to cybersecurity practices.

Keeper Security, the maker of a popular password manager and digital vault that you can download here, revealed some interesting details in its Fortifying Cyber Resilience: Insights Into Global Cybersecurity Practices report.

The survey, which involved 6,000 participants from around the world, showed that 62% of people are worried that they are managing too many passwords, accounts and logins. It also revealed that despite 85% of respondents believing their passwords are secure, over half admit to sharing them, 2 in 5 say they reuse passwords across sites and apps, and 24% write them down.

Other answers about how respondents manage their passwords further illustrate this misplaced confidence. In addition to the nearly one quarter who write them down, 26% simply rely on remembering them, and 19% store them in a browser or a phone notes app.

Despite a crackdown on the practice by Netflix and Disney+, 34% say they still share passwords for streaming sites. This service was the most popular for password sharing, followed by shopping accounts (22%), personal emails (20%), social media (16%), work/school emails (16%), bank account passwords/pins (15%), and work productivity platforms (13%).

Keeper writes that the report highlights the challenges security experts face when advising people how to protect themselves online.

The report also underscores the importance of teaching people good security practices. The obvious one is to use a password manager and a strong, unique password (i.e., none from this list) for each account. Enabling multi-factor authentication wherever it's available is also strongly advised.

Password managers aren't infallible, of course. LastPass has suffered more than one hack over the last few years, and Google this week apologized after a bug left 15 million Windows users unable to find or save their Google Password Manager credentials for almost 18 hours.

Passwords: in theory a perfectly fine way of authentication as long as there are some length requirements. In practice, they suffer from issues that creep in at scale, both from the user side and the platform side. Password managers go a long way to fixing that, but aren't foolproof or mandatory.

Passwords are a "knows a" method of authentication (an identity knows a secret). The "has a" method of authentication is a lot more robust (has an email address, has a phone number, has an authenticator app, has a physical passkey device, etc.), since, among other reasons, you can't give those things away to a phisher so easily.

But they can be inconvenient (especially compared to a memorized secret), suffer from the central point of compromise vulnerability (whether a digital compromise or being physically stolen), can still be vulnerable to platform-side vulnerabilities, and can also be dependent on a "knows a" method of authentication (except for physical keys, where physically having the authenticator could be enough (though that's a bad idea), all "has a" methods cannot also require a "has a" method of access or it would result in an infinite chain or loop of authenticators).

Two-factor authentication is rightfully endorsed, especially in enterprise settings, but I deplore the smartphone requirements so many of them have (extra cost, and with phone number ties it can reduce privacy), as well as the fake two-factor scenario that occurs when you log in from a mobile device and the two-factor push goes to that very same device.

And don't get me started on biometrics. If that's ever used, it should always be your username; it should never be a stand-in for a password. It can be convenient, but a "password" that you leave on everything you touch (your fingerprints, and DNA isn't far behind) or something reconstructable from some good images (your face) isn't exactly secret; it is just challenging (for now) for the average person to collect and duplicate.