Why are we so careless with our passwords?
Weak passwords are responsible for most data breaches, yet despite this, many people do not take the time or trouble to devise more complex ones. Cybernews reached out to some industry experts to find out why.
“The idea that using an easily guessed password is a result of laziness or a form of self-sabotage is an interesting one,” says GRIMM senior cybersecurity engineer Morgan Whitlow when I put it to her.
But she thinks people’s laxness in this area probably has as much to do with ignorance of the potential risks, and information overload, as it does with complacency.
“Both the human mind and cybersecurity are ultra-complex subjects, in a world already hyper-saturated with information, and often people are overwhelmed,” she explains. “The bar for something to be both important and urgent enough to get people to allocate limited attention and time is higher than ever.”
She clarifies: “In some cases it is a lack of awareness not just of the threat itself, but of the potential impact and how common it is. They don't realize that having one account breached, even a potentially unimportant one, can often give a criminal leverage to access other completely different accounts.”
Whitlow also posits that it is the abstract nature of the threat posed by cybercriminals on the hunt for credentials that ends up contributing to the average computer user’s lack of concern about password security.
She isn’t alone in thinking this. Bojan Simic, CTO of passwordless tech startup HYPR, based in New York, has previously spoken to me about how the remote nature of their infractions makes it easier for cybercriminals to engage in behavior that many would consider to be sociopathic.
“We previously discussed how black-hat hackers don't feel remorse or understand the impact of their actions because they are all happening digitally instead of physically,” he recalls. “I think a similar phenomenon happens when people use passwords. Let's say for example that the average person knows for certain that one out of every 500 times you use a password your account will be compromised. People would probably still use passwords. Similarly, if that same logic applied to the lock on your front door, we would be looking for a better solution almost immediately.”
Comfort vs wellbeing
This brings me to another parallel: where physical safety is concerned, many people today still choose to drink and smoke. And in this case, one cannot plead ignorance or information overload – we know both of these behaviors harm us, yet many opt for a life of short-term comfort over long-term wellbeing. So what hope that ordinary computer users will ever listen to what cybersecurity professionals are telling them about their password security?
Simic agrees that there is something to be said for such a comparison. “It wasn't until you couldn't smoke in restaurants and bars that we saw meaningful reductions in tobacco usage – even though we knew that smoking kills,” he says. “The same can be said about passwords. We all know they are insecure, but every website – the bars and restaurants of the smoking example – still supports them, so it continues to be the primary method of securing access.”
“Passwords just don’t work as a form of security and never really have,” agrees Jack Nichelson, CISO of cyber risk management firm Inversion6. “Because when you are asked to create a password, you must meet two conflicting requirements. First, it must be strong with a minimum length and so many special characters. Second, you must never forget your password or you will lose access. This creates psychological distress, and as a result we all create weak passwords to protect ourselves from forgetting and reduce the stress of remembering.”
"It wasn't until you couldn't smoke in restaurants and bars that we saw meaningful reductions in tobacco usage. The same can be said about passwords. Every website still supports them, so it continues to be the primary method of securing access."Bojan Simic, CTO of passwordless tech firm HYPR
Much like the smoker who keeps on smoking because the stress of quitting seems too much to bear, many of us continue using easily hackable passwords because the idea of remembering multiple 12-digit sequences of alpha-numeric gibberish sends us fleeing into the comfort zone.
Of course, it isn’t a perfect analogy. Smoking and drinking are inherently pleasurable activities that carry potentially severe health hazards; using a six-digit password for all our accounts and devices is not.
But in doing the latter, we seek to avoid pain and take the shortest route to wherever it is we want to go – choosing to run the risk of incurring far greater harm in the long run. Clearly then, there are some parallels here touching on innate human psychology that cannot be ignored.
A first-world problem
“Undisciplined people are having a very hard time dealing with the smartphone and social media age,” says Eric Florence, a cybersecurity entrepreneur who also offers consultancy services. “Choosing terribly simple passwords doesn’t really come from laziness, it comes from needing to be able to recall the password. We all live very busy, distracted lives where people who are not disciplined are bombarded with irrelevant information that wastes their bandwidth, and makes it impossible to recall a secure password.”
Florence adds that people who become addicted to their smartphones end up living for “hits of dopamine just to feel normal.” This kind of mentality – one that becomes intrinsically averse to “doing difficult, uncomfortable things in real life” – does not sit easily with the kind of mindset required to memorize complex passwords or seek out technological alternatives such as password managers or generators.
“The password has been used for so long that the average user doesn’t want to put in something more complicated like MFA [multi-factor authentication],” says Michael Famum, a cybersecurity expert who recently spoke to Cybernews about IT security solutions. This comfort-seeking lifestyle has itself been facilitated by the same high-tech developments that made passwords a necessity in the first place, he adds.
“Many people in more technically and economically advanced nations aren’t trained to think of danger in everyday situations, even when their financial and physical well-being are on the line,” he says.
“The constant reminder to make sure your password is secure actually starts to become background noise. Some of that is because they have been trained to think someone else will take care of the problem. Banks and credit cards often will just fix the issue if you get hit by a malicious actor. So why would I put in the effort? Sometimes laws favor the institution versus the customer, but the point holds in many advanced economies.”
Complacency helps the crooks
And even when computer users think they have put in that extra bit of effort to secure themselves, chances are they still haven’t done enough.
“It’s being overconfident and reckless that gets the best of us,” says Andreas Grant, founder of Networks Hardware, who designs cybersecurity solutions for a living. Unlike other experts I’ve spoken to, he doesn’t believe the problem is one of people using simple passwords, but rather of underestimating the persistence of malicious hackers.
“Almost all of us take our time to choose a difficult but memorable password,” he claims, but adds: “You might throw in an exclamation point here, a random number there, and believe this is good enough to beat the attackers. This leads to a false sense of satisfaction. We keep using this password for too long and end up using it everywhere.”
Grant even admits that he himself sometimes stores passwords for less cybersecurity-sensitive accounts in his browser – although this is something he strongly advocates against doing for the more important ones.
"You might throw in an exclamation point here, a random number there, and believe this is good enough to beat the attackers. This leads to a false sense of satisfaction."Andreas Grant, founder of cybersecurity solutions company Networks Hardware
“If people are giving away information about their more important passwords, setting difficult passwords won’t save these people either,” he stresses. “At the end of the day, thousands of articles on password psychology won’t be able to save us unless we realize the importance of good cyber-hygiene.”
And yet, surely that realization must be rooted in human psychology. Perhaps then, the answer is rather more prosaic: as pleasure-seeking, pain-avoiding mammals, we just don’t like to consider the worst until it has already happened.
“Passwords are much like the roof to your house – you don't think about it unless there is a problem,” says Richard Gardner, CEO of Modulus, which provides high-tech solutions to clients in more than 90 countries. “Once there is a leak, a homeowner immediately realizes the value of their roof. Same thing with passwords: until they've been breached, most people don't consider the looming threat that a poor password poses. They just think of it as a necessary evil in order to access the content in which they have a real interest, be it their Snapchat or their bill-pay account.”
Time to force the issue?
All this makes me wonder if Simic was closest to the truth when he suggested that some kind of enforcement might be needed to bring about a real shift in human behavior around passwords. In the case of authentication technology, this need not necessarily be solely state-led, but could consist of governments and tech innovators working hand in hand together.
Passwordless technology providers, including Simic, that I have spoken to are marketing to large organizations, but seem confident that in time it will be much more widely taken up. Rather than continue to flog the dead horse of password security, wouldn’t it be better then to let technology simply take its course and phase out the need for passwords altogether?
Jim Taylor, chief product officer at identity company SecurID, certainly seems to think so. “I don’t think it’s useful or productive to examine human psychology as the reason driving poor password security,” he says. “Doing so lets passwords specifically, and security generally, off the hook. Passwords are garbage. They’re a relic from an earlier era of computing that simply does not address the new problems we face today.”
"Passwords are garbage. They're a relic from an earlier era of computing that simply does not address the new problems we face today."Jim Taylor, chief product officer at identity company SecurID
The average internet user has around a hundred passwords, he tells me: cybersecurity teams that are pushing for ever longer, more complex iterations therefore inevitably end up pushing hapless users into recycling their passwords.
“Two in three people continue to use the same password across multiple accounts, and we really only have ourselves to blame,” he says. “We need to remove passwords altogether. They’re costly to maintain, a gaping security issue, and prevent legitimate users from gaining access to what they need.”
Taylor hopes that passwordless options such as biometrics or contextual, risk-based authentication will eventually make passwords redundant, creating a win-win situation for cybersecurity professionals and end users alike. “Taking these steps advances security, creates a more pleasant and productive user experience, and moves organizations closer to zero trust,” he believes.
Some problems can’t be intuited
Whether or not big tech oversees a mass migration away from passwords, or the public is left to stumble on through the system that has served it so poorly for so long, one thing seems certain – some of us will always struggle with them more than others. I leave the last word to Greg Scott, a cybersecurity veteran and author, who offers his own personal insight into the matter.
“My wife Tina is probably typical of the way the public deals with passwords,” he tells me. “I preach security all the time, so she does not use easy-to-guess passwords anymore. But she hates passwords because they never work right for her. Sometimes it’s upper- versus lower-case letters, sometimes she just doesn’t remember the last password she gave whatever website, sometimes the ‘forgot password’ links don’t behave as she expects.
“But at the bottom of all of it is a different style of thinking. She leads with intuition, I lead with a rational bias. For Star Trek fans, it’s like Commander Data versus Deanna Troi. For intuitive people, managing passwords is a form of torture. Tina carries an old-fashioned notebook to keep hers, and with my haranguing, she mostly keeps it current. But she would rather sit through an amputation than manage a bunch of passwords.”
More from Cybernews:
Subscribe to our newsletter