We need to quit recycling and stop trusting our own minds. This seemingly antisocial advice comes from a new study of password practices that reaches old conclusions: Too many people still try to ease online security by reusing the same passwords across multiple sites and keeping them simple enough to memorize.
The suggestions of this “Psychology of Passwords” survey, which was commissioned by password-manager app purveyor LastPass, are familiar and include—shocker!—using a password-manager app to create and store complex passwords in encrypted wallets. You should then defend those credentials with two-step verification to confirm logins with one-time codes available only to you.
That’s self-serving advice for LastPass, a subsidiary of Boston-based LogMeIn. But it also lines up with what security experts have been saying for years.
“Password reuse is the biggest password security error being committed by our survey respondents,” the report leads off. “When asked how frequently they use the same password or a variation, 66% answered always or mostly—which is up 8% from our 2018 survey findings.”
The only consolation there is that some of these people must feel guilty about it, since 91% reported knowing that using identical or similar passwords can lead to an attacker taking over multiple accounts with one stolen password.
Earlier studies have found dismal results in this area. A 2017 report by the Pew Research Center, for instance, found that 39% of Americans admitted to extensive password recycling.
A separate category of password sharing—between different people—may also be up, thanks to the coronavirus pandemic. A survey released in April by the competing password-manager service Dashlane found that 32% of Americans had seen family members or coworkers sharing passwords for things such as streaming services or online shopping more often since the pandemic’s onset.
The LastPass-commissioned survey, conducted by the research firm Lab42 in March, gathered responses from 3,250 people aged 18 to 60 (about 1,000 in the U.S., with the balance in Australia, Brazil, Germany, Singapore, and the United Kingdom) who had multiple online accounts.
It also found that a slight majority of respondents, 54%, store passwords in their heads. While that has the advantage of requiring no external hardware, the limits of human memory often lead people to choose shorter and simpler passwords: Nobody is going to remember 26 random characters with a few punctuation marks thrown in.
And yet 25% of respondents to the LastPass survey admitted having to reset passwords at least once a month because they forgot them.
Many people shy away from trusting their passwords to an app, even though LastPass, 1Password, and Dashlane all encrypt stored passwords from end to end, keeping them inaccessible even to those firms.
That does, however, mean that the password to your password manager had itself better be complex. All three apps let you bypass that with biometric authentication on your phone or computer—but facial-recognition systems such as Apple’s Face ID can’t deal with face masks, while the lack of Touch ID or Face ID security on Apple’s desktops excludes them from this convenience.
The last section of the LastPass report covers people’s use of two-step verification, which it labels “multi-factor authentication” or “MFA” for short. There, it offers some surprising good news: “Only 19% of survey respondents said they didn’t know what MFA was,” it said. “54% of respondents said they use it for their personal accounts and 37% use it at work.”
Apple announced in January that more than 75% of iCloud accounts are protected by two-step verification, but in January 2018 Google software engineer Grzegorz Milka said at the Usenix Enigma security conference that less than 10% of Google users employed it.
It’s possible that these users confused such backup authentication methods as security questions for more secure verification methods such as passwords texted to a phone, one-time codes computed by a mobile app, or USB security keys.
In an email sent by a publicist, LastPass senior product-strategy director Rachael Stockton said “we didn’t specifically ask if they understood the meaning of MFA” but expressed confidence that “people’s understanding of MFA has significantly improved over the years”—thanks in part to improved support for it from mainstream sites.
We can only hope that progress is real and continuing. But it’s still easier to believe that more of you are reusing passwords than are employing two-step verification.