Persistent Password Problems: Why We Keep Reusing Compromised Passwords Despite Risks

Hackers are trying to steal your cryptocurrency with cheap and easy malware

Hackers are trying to steal your cryptocurrency with cheap and easy malware

Video Player is loading.

Play Video

PlaySkip BackwardSkip ForwardNext playlist item

Mute

Current Time 0:00

/

Duration 8:24

Loaded: 1.16%

0:00

Stream Type LIVE

Seek to live, currently behind liveLIVE

Remaining Time -8:24

1x

Playback Rate

Chapters

• Chapters

Descriptions

• descriptions off, selected

Captions

• captions settings, opens captions settings dialog
• captions off, selected
• Eng US

Share

Audio Track

• en (Main), selected

Fullscreen

This is a modal window.

Beginning of dialog window. Escape will cancel and close the window.

TextColorWhiteBlackRedGreenBlueYellowMagentaCyanOpacityOpaqueSemi-Transparent

Text BackgroundColorBlackWhiteRedGreenBlueYellowMagentaCyanOpacityOpaqueSemi-TransparentTransparent

Caption Area BackgroundColorBlackWhiteRedGreenBlueYellowMagentaCyanOpacityTransparentSemi-TransparentOpaque

Font Size50%75%100%125%150%175%200%300%400%

Text Edge StyleNoneRaisedDepressedUniformDrop shadow

Font FamilyProportional Sans-SerifMonospace Sans-SerifProportional SerifMonospace SerifCasualScriptSmall Caps

ResetDone

Close Modal Dialog

End of dialog window.

Close Modal Dialog

This is a modal window. This modal can be closed by pressing the Escape key or activating the close button.

This is a modal window. This modal can be closed by pressing the Escape key or activating the close button.

Share:

Facebook Twitter

Direct LinkEmbed Code

Close Modal Dialog

Passwords are a problem that big tech is trying to fix but they are still essential for accessing pretty much anything online. And even now people aren’t changing them after a breach and then still use the same password to access multiple sites.

SpyCloud, a security firm, highlights in a new report how people are struggling with passwords for multiple online accounts. Based on 1.7 billion username and password combinations it gathered from the 755 leaked sources in 2021, it estimates that 64% of people used the same password exposed in one breach for other accounts.

Privacy

• How to delete yourself from internet search results and hide your identity online
• The best browsers for privacy
• Samsung’s smartphone ‘Repair Mode’ stops technicians from viewing your photos
• Are period tracking apps safe?

Reused passwords are a potential security problem because if a password has been compromised once then hackers can use it to access other accounts if it’s been used as the sign-in for another site.

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

People also continue to pick bad passwords. This habit is common, with the leading examples remaining “123456”, “qwerty”, “admin”, and “password”.

SpyCloud, which focused on reused passwords, found an uptick in passwords based on content from online streaming services such as Netflix and Disney+. The top ‘pop culture’ password was Loki, followed by Falcon and Wanda.

Of the passwords it scooped up in publicly available breaches from 2021 and earlier, 64% were used for multiple sites today.

SpyCloud’s definition for password ‘reuse’ is a bit fuzzy and only shows likely trends. For example, it counts reuse samples as credentials it collected in a leak at one point in time that were observed in subsequent leaks it had access to. That doesn’t mean that people were necessarily using the same password at a given point; only that the same password combination was observed in data breaches it had access to over a given period.

“For users we can tie to breach exposures in 2021 and prior years with the same email address or username explored, 70% were still reusing the same exposed passwords,” it notes.

While the statistics are imprecise, the company does point out a trend that many people would be familiar with. That is that people have so many online accounts that they can’t remember good passwords and most people are not using password managers for Windows , macOS and Android. Apple’s built-in password manager is KeyChain, but third-party apps for Windows, macOS and mobile devices include LastPass and Dashlane.

ZDNET Recommends

The best password manager: Business and personal use Everyone needs a password manager. If you’re willing to pay a monthly or annual fee, these options are worth it. Read now

Arguably the single best answer to securing a computer when a password has been compromised is to use multi-factor authentication (MFA). It means a remote attacker needs physical access to a second factor, such as the legitimate user’s smartphone.

• Forgot password? Five reasons why you need a password manager

But even Windows-maker Microsoft has found that only 22% of enterprise customers that can implement MFA actually do it . That’s despite Microsoft sharing that 99% of compromised Microsoft accounts didn’t have MFA enabled.

And for anyone who might be perplexed by passwords, it should be remembered that even top engineers at Microsoft struggle with what it admits is a human problem. Only three years ago, Microsoft dropped its Windows policy for passwords to be changed every 60 days . That’s because when we change passwords, too often we only make a small and predictable alteration to the existing passwords – or forget the new ones.

Security

The best VPN services of 2024: Expert tested

How to turn on Private DNS Mode on Android (and why you should)

The best antivirus software and apps you can buy

The best VPN routers you can buy

How to find and remove spyware from your phone

• The best VPN services of 2024: Expert tested
• How to turn on Private DNS Mode on Android (and why you should)
• The best antivirus software and apps you can buy
• The best VPN routers you can buy
• How to find and remove spyware from your phone

Also read: