Most people still reuse passwords across multiple sites

midian182

Posts: 7,300   +65
Staff member
Why it matters: Do you, like many people, reuse passwords across multiple websites and services? It should go without saying that such action isn’t a good idea; it's a great way to fall victim to hackers. But a new survey shows that 70% of adults still use the same password for more than one thing.

In a survey of 1,041 US residents aged 18 or older, PCMag found that 25% of them admit to sometimes reusing the same password. A similar number (24%) said they do this most of the time, while 21% admitted to doing it all of the time.

As readers of this site will know, reusing passwords is something hackers love, especially as many websites and services use email addresses as usernames. Should these login credentials appear in mass data leaks, someone could simply try them across multiple locations to see if they get lucky. The 167 million LinkedIn accounts that went up for sale on the dark web in 2016 are suspected to have enabled hacks on high-profile accounts such as Mark Zuckerberg and Katy Perry, and it led to Microsoft banning stupid passwords.

The survey also asked how people store their passwords. The most popular method is to memorize them. That’s obviously very secure, but you do run the risk of forgetting them completely. Surprisingly, the second-most-popular method, preferred by 36% of people, is to write them down physically—not very safe—and 24% said they write them down in a phone or other electronic device, which is still risky.

The recommended method of using a password manager is preferred by 33% of participants. Password managers aren’t infallible, as we’ve seen in the past, but they’re certainly the safest option. They also create very strong passwords and make them easy to change, which is good as over a quarter of people said they never change theirs.

Interestingly, 54% of people said they had been a victim of cybercrime, with credit card fraud (27%), malware (18%), ID theft (17%), and phishing attacks (16%) the most common crimes. And just 53% said they use anti-virus software—though PCMag notes some might be using it without realizing.

Microsoft, a long-time campaigner for people to ditch passwords in favor of more secure alternatives, recently announced that users can now choose to remove the password from their Microsoft account and sign in using one of several other methods, including Windows Hello, the Microsoft Authenticator mobile app, a security key or via a verification code sent to an email or phone.

Check out all the survey results at PCMag.

Permalink to story.

 

Dimitriid

Posts: 1,343   +2,631
If you're compromised I agree that's not good.

However for an average user it's not necessarily *that* much worst: assuming most companies do their jobs and are not compromised all the time (I know, big assumption that's basically impossible today but nevertheless) your average user might be asked to remember upwards of 10, 20, 30 different passwords on just normal day to day: banking, email services, at least 2 or 3 forms of social media, shopping sites, news sites, etc. Then usually do it all again for work credentials.

So again for an average user, it's much harder to remember 20 different single passwords like "Yellow20@" and "Organge!55" than it is to just reuse a single, strong, uncompromised password like "GxC22405581Y#112657" and use that on all places. Nobody is going to go through the trouble of brute forcing that and while yes that's a lot to remember and type the simple repetition of having it on so many sites will make it easier to memorize than 20 or 30 different, simple passwords.
 

wiyosaya

Posts: 6,760   +5,204
For most places that require an e-mail address as a user name, I use an anonymized e-mail service which generates random e-mail addresses that are then forwarded to a main e-mail address that I have. This is far more secure than using, for example, JackSchitt@gmail.com for instance, as the username for every site and then the same password on each site.

In the real world, the combination of username and password is harder to hack, and for me, especially with sites that use e-mail addresses that I have deliberately randomized with an easy means to track them, that makes them virtually impossible to hack. I have a few different passwords, all of which would require enormous amounts of brute-force time to hack, that I use from site to site.

The anonymized e-mail addresses makes spam almost a thing of the past for me, and it makes it easy to find out if any of them are compromised since I use one anonymous e-mail address for each site that requires an account. If a site does get compromised, all I need to do is change my e-mail address to another anonymized e-mail address.
 

ziffel66

Posts: 136   +229
I don't blame this on the end-user so much. They are just trying to simplify things. It's not smart, but noobs gonna noob.
 

bviktor

Posts: 545   +886
If you're compromised I agree that's not good.

However for an average user it's not necessarily *that* much worst: assuming most companies do their jobs and are not compromised all the time (I know, big assumption that's basically impossible today but nevertheless) your average user might be asked to remember upwards of 10, 20, 30 different passwords on just normal day to day: banking, email services, at least 2 or 3 forms of social media, shopping sites, news sites, etc. Then usually do it all again for work credentials.

So again for an average user, it's much harder to remember 20 different single passwords like "Yellow20@" and "Organge!55" than it is to just reuse a single, strong, uncompromised password like "GxC22405581Y#112657" and use that on all places. Nobody is going to go through the trouble of brute forcing that and while yes that's a lot to remember and type the simple repetition of having it on so many sites will make it easier to memorize than 20 or 30 different, simple passwords.
Just stop with the rationalization and excuses already, and get a password manager. It's free. If in doubt, go Bitwarden.
 

Dimitriid

Posts: 1,343   +2,631
Just stop with the rationalization and excuses already, and get a password manager. It's free. If in doubt, go Bitwarden.
Password managers are still a single point of failure and have been compromised before. No solution is perfect, a password manager is better than not changing passwords or re-using them but I just don't see password managers being widely adopted without some pretty tremendously huge caveats like what Microsoft wants: No passwords just use Windows hello authentication for everything...And nothing else.
 

theruck

Posts: 439   +256
If you have 10 credit cards I doubt you would have 10 different pin codes so here we are. humans. its about time that the technology shall adapt to people not vice versa. screw password managers and generators. its the most stupid way to authenticate as anybody can guess your password whatever it is. its fake security with the password managers and password rules.