The decades-long battle against bad passwords might be heading the wrong way in part because many users overestimate how savvy they are, per a recent survey by security firm CybSafe and the National Cybersecurity Alliance.
According to the report, many people have failed to put basic password hygiene into practice. For example, 40% of respondents said they use “single dictionary words or names” as passwords, while nearly as many (35%) include some degree of personal information. While 65% reported using unique passwords across important accounts, 18% of respondents said that was only the case half the time—and 17% reported using unique passwords a minority or none of the time.
While 54% of respondents said they had used a password manager—up 10% from the prior year’s edition of the survey—around 14% said they had given up using them. All told, 39% of the respondents said they just didn’t trust password managers.
Oz Alashe, CybSafe’s founder and CEO, told IT Brew that security teams need to do better at communicating not just the benefits of security tools but the mechanisms they use. For example, the survey found a widespread perception that password managers do little to enhance security; 48% of respondents who had never used them or had abandoned them said they wouldn’t stop cybercriminals.
“We know as professionals that [password managers] are one of the best ways for users to not just look after more passwords, but ensure they don’t reuse easy or inappropriate passwords,” Alashe said.
Many rank-and-file users believe attacks are too “complex and sophisticated” for them to play any role in prevention, according to Alashe, even though research has shown basic precautions can drastically reduce the risks of an attack.
The report emphasized younger users are somewhat more prone to suboptimal password habits and more likely to be victimized, even as they claim to know how to recognize security threats.
“Generations exhibiting higher confidence in their ability to recognize cyber threats (like phishing attempts, and AI-generated content) also report higher rates of cybercrime victimization, specifically Gen Z and Millennials,” researchers wrote in the report.
“Research consistently highlights how people who overestimate their cyber skills, or even their organization’s technological security measures, are more vulnerable to victimization, due to their false sense of security,” the report concluded.
“A number of people consider themselves to be more savvy as it relates to cybersecurity than their behaviors would indicate—and that’s just overconfidence,” Alashe said.
“That is not fatalism, in many ways,” he added. “That’s actually just them simply believing that they are more adept than they are.”