Security Awareness Training Does Not Appear to Improve Password Hygiene

November 9, 2022

Security awareness training is a vital part of any security strategy; however, one area where it appears to be having little effect is improving password hygiene. Employees can be taught what a strong password is and how passwords should be created, but even though the theory is understood, it is not being put into practice. Employees may be made aware of the importance of practicing good cyber hygiene when it comes to passwords, but creating complex, unique passwords for every account is difficult, and remembering those passwords is almost impossible.

Each year, LastPass conducts its Psychology of Passwords survey, which this year covered 3,750 professionals. Respondents were asked about their password practices for their personal and work accounts. The survey revealed a high level of confidence in current password management practices, but in many cases this was a false sense of safety, as good password hygiene was not always practiced.

The biggest disconnect was with Gen Z, which had the highest level of confidence in their password management practices, yet the poorest scores for password hygiene. Gen Z respondents were the most likely to be able to identify password risks, such as reusing passwords on multiple accounts, yet this age group reused passwords 69% of the time. Overall, 62% of respondents admitted to almost always or mostly using the same password or variations of it on their accounts.

The survey confirmed that 65% of the respondents had received some form of cybersecurity awareness training, and 79% of those individuals said their education was effective. Overall, 89% of respondents said they knew that using the same password or variations of it was a security risk, but just 12% of respondents said they use a unique password for each account. When asked about changes to their password habits after receiving security awareness training, only 31% of respondents said they changed their password practices and stopped reusing the same password for multiple accounts, and only 25% of respondents started using a password manager.

Most respondents used a risk-based approach when creating passwords, with 69% saying they create stronger passwords for financial accounts and 52% of respondents saying they use more complex passwords for their email accounts. Convenience is favored over security for other accounts, with 35% choosing stronger passwords for their health records, 32% for social media accounts, 18% for retail or online shopping accounts, and 14% for streaming accounts such as Netflix. 13% of respondents said they create passwords in the same way, regardless of what account the password is for. Worryingly, only 33% of respondents said they choose stronger passwords for their work accounts.

One of the ways that employers can improve password security is to provide their employees with a password manager. A password manager will suggest random, strong, unique passwords, will store them securely in an encrypted vault, and will autofill them when needed so they never need to be remembered. One way to encourage employees to use a password manager is for employers to provide one to employees for work and personal use and to stress the benefits in security awareness training sessions. The Bitwarden Password Decisions survey published last month found 71% of respondents would be very likely to use a password manager if their company also provided a complimentary family account for personal use, with just 5% saying they would not be likely to use it.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer at LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

The post Security Awareness Training Does Not Appear to Improve Password Hygiene appeared first on HIPAA Journal.