Improper Use of Password Managers Is Increasing

December 19, 2022

Passwords can provide a good level of security, but all too often users choose weak passwords that present no challenge to hackers. Many of the most commonly used passwords can be cracked almost instantly. A recent study by NordPass involved an analysis of a 3TB database of passwords and found ‘password’ to have been used to secure 4.9 million accounts, with the next weakest password – 123456 – used on 1.5 million accounts.

Security awareness is improving, but many users still set weak passwords for convenience despite the risk of accounts being compromised. It is also common for users to set the same password for multiple accounts. This bad practice puts users at risk of credential stuffing attacks. If the password is compromised on one platform, all other accounts with the same username and password combination can also be accessed.

One of the most cost-effective and easiest ways to improve password security is to provide employees with a password manager. Password managers suggest strong, unique passwords, auto-fill them when they are needed, and store them in an encrypted vault. While password managers can significantly improve security, a recent Security.org survey of 1,047 U.S. adults for its Password Manager Annual Report 2022 has revealed an alarming practice that is putting users of password managers at risk of identity theft.

Password managers help to eliminate bad password practices as they make it as easy and convenient to set a strong password as a weak one. If users set strong and unique passwords for all of their accounts, that is far better than setting easy-to-remember passwords or reusing the same password on multiple accounts. One potential weak point is the master password that is used to secure the password vault of the password manager. If that password is guessed, it doesn’t matter how strong all the other passwords are as a hacker will be able to decrypt them and retrieve them from the user’s password vault. The master password for the password vault must therefore be long, complex, and unique.

The Security.org survey revealed that some users commit the cardinal sin of password manager use: failing to set a unique password for their password vault. The number of people committing this sin is alarmingly high. 25% of respondents that use a password manager admitted to reusing their password manager master password for multiple accounts, despite that practice being incredibly risky. Worryingly, even though security awareness is improving, the practice of reusing master passwords is increasing. Last year, 19% of password manager users admitted to reusing their master password on multiple accounts. The survey also revealed that almost half of password manager users who had their identities stolen had reused their master password on multiple accounts.

Businesses that are considering providing a password manager to their employees to improve password security should take note and ensure that they stress the importance of setting a strong, unique password for the password manager and the importance of also setting up 2-factor authentication for the password manager.
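As an added example, not code from the HIPAA Journal article or from any particular password manager: the vault key is derived from the master password, so whoever learns that password can decrypt everything, and because the vault already holds the user's other passwords, the manager itself can detect the reuse the survey describes. The vault contents, the breach-corpus hashes (HIBP-style SHA-1) and the 16-character minimum are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Set

# Constructed sample data (not from the article): a small vault and a tiny set of
# SHA-1 hashes standing in for a corpus of passwords leaked in earlier breaches.
SAMPLE_VAULT: Dict[str, str] = {
    "mail.example": "correct-horse-battery-staple-42",
    "shop.example": "Winter2022!Vault",  # same string the user chose as master password
    "bank.example": "x9#Lq2!vB7@pT4kz",
}
SAMPLE_BREACHED_SHA1: Set[str] = {
    hashlib.sha1(b"password").hexdigest().upper(),
    hashlib.sha1(b"123456").hexdigest().upper(),
}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, per-user salt).
    Anyone who knows the master password recomputes this key and decrypts the vault,
    which is why reusing the master password on another site is the weak point."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def accounts_sharing_master_password(master_password: str, vault: Dict[str, str]) -> List[str]:
    """Names of vault entries whose stored password equals the master password.
    Constant-time comparison avoids leaking matching prefixes through timing."""
    m = master_password.encode("utf-8")
    return [name for name, pw in vault.items() if hmac.compare_digest(pw.encode("utf-8"), m)]


def master_password_findings(master_password: str, vault: Dict[str, str],
                             breached_sha1: Set[str], min_length: int = 16) -> List[str]:
    """Policy checks a password manager or an onboarding script can run before accepting
    a master password: minimum length, reuse inside the vault, presence in a breach corpus.
    Returns an empty list when the master password passes all three."""
    findings: List[str] = []
    if len(master_password) < min_length:
        findings.append(f"master password shorter than {min_length} characters")
    reused = accounts_sharing_master_password(master_password, vault)
    if reused:
        findings.append("master password reused for: " + ", ".join(sorted(reused)))
    if hashlib.sha1(master_password.encode("utf-8")).hexdigest().upper() in breached_sha1:
        findings.append("master password appears in breach corpus")
    return findings
```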

Confidence in Password Managers Remains High

Confidence in the security of password managers remains high, although the data breaches experienced by LastPass have taken their toll. Last year, LastPass was the most popular password manager, yet the survey indicates it has fallen to fourth spot, behind Google Password Manager, iCloud Keychain, and Bitwarden. The LastPass data breach did not expose passwords, but it was enough to trigger many users to switch to alternative providers. Despite these two breaches, only 23% of respondents believe password managers to be unsafe.

Interestingly, 28% of non-password manager users said they didn’t use these tools because they thought them to be unsafe; however, 50% of users admitted to using the same few passwords for all of their accounts, 46% said their passwords are saved in a file on their computers, and 43% save passwords in their browsers, all of which are far riskier security practices than using a password manager.

The post Improper Use of Password Managers Is Increasing appeared first on HIPAA Journal.