
posted by martyb on Friday December 13 2019, @03:11PM
from the https://xkcd.com/936/ dept.

49% of workers, when forced to update their password, reuse the same one with just a minor change:

A survey of 200 people conducted by security outfit HYPR has some alarming findings.

For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.

Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users' tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.

What is so bad about changing "Password1" to "Password2"?
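To make the question concrete, here is an added example in Python (not code from the story, the survey or the site): the attacker's side and the policy's side of the "Password1" to "Password2" problem. The first half is a small mutation generator of the kind a credential-stuffing tool runs from a leaked old password; the second half is a change-time similarity check that rejects such edits, shown next to the naive "new != old" test. The suffix list, the search depth and the 0.8 similarity threshold are assumptions for illustration, not figures from the page.

```python
import re
from difflib import SequenceMatcher

# --- attacker side -----------------------------------------------------------

def mutations(old: str, depth: int = 9) -> list:
    """Cheap variants an attacker tries from a known previous password.

    Ordering mirrors the habit the survey describes: bump the trailing counter
    first, then append a counter or a common suffix, then case tweaks.  The
    suffix list and depth are constructed assumptions, not data from the page.
    """
    out = []

    def add(candidate):
        if candidate != old and candidate not in out:
            out.append(candidate)

    m = re.match(r"^(.*?)(\d+)$", old)
    if m:                                   # "Password1" -> Password2 .. Password10
        stem, digits = m.group(1), m.group(2)
        for k in range(1, depth + 1):
            add(f"{stem}{str(int(digits) + k).zfill(len(digits))}")
    for k in range(1, depth + 1):           # "Password1" -> Password11 .. Password19
        add(f"{old}{k}")
    for suffix in ("!", "!!", "#", "$", "2019", "2020"):
        add(old + suffix)
    add(old.capitalize())
    add(old.swapcase())
    add(old.upper())
    return out


def attempts_to_guess(old: str, new: str) -> int:
    """How many guesses the mutation list needs to hit `new`; -1 if it never does."""
    for i, candidate in enumerate(mutations(old), start=1):
        if candidate == new:
            return i
    return -1


# --- policy side -------------------------------------------------------------

def naive_check(old: str, new: str) -> bool:
    """The check many change-password forms actually implement."""
    return new != old


def _stem(pw: str) -> str:
    """Case-fold and drop the trailing digits/punctuation people like to tweak."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """Reject a new password that is a trivial edit of the old one.

    Must run at change time, when the user has just typed the current password
    in cleartext; it cannot be evaluated against stored hashes.  The 0.8 ratio
    is an assumed tuning value.
    """
    if not new or new == old:
        return True
    old_stem = _stem(old)
    if old_stem and old_stem == _stem(new):   # same letters, only the tail changed
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    for old, new in [("Password1", "Password2"), ("Winter2019", "Winter2020"),
                     ("Password1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: naive accepts={naive_check(old, new)}, "
              f"similar={too_similar(old, new)}, "
              f"guessed on try {attempts_to_guess(old, new)}")
```

The point the numbers make: "Password2" is the first guess from "Password1", and "Winter2020" from "Winter2019", so a rotation policy whose only test is "new != old" buys nothing against anyone who already holds the old password. A similarity check can only be applied at change time, against the current password the user supplies, which is also why it cannot be retrofitted onto a stored hash database. NIST SP 800-63B (2017) drops mandatory periodic rotation altogether in favour of screening new passwords against breached-password lists, which attacks the reuse problem rather than the rotation symptom.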



  • (Score: 3, Interesting) by legont on Friday December 13 2019, @05:36PM (2 children)

    by legont (4179) on Friday December 13 2019, @05:36PM (#931766)

    My office explicitly prohibits using tools for storing passwords (and in fact my direct report was fired for doing so). We are supposed to be smart enough to remember. Therefore I do recycle, so knowing one of my office passwords will reveal the rest in about a nanosecond. But guess what: their security password check is not that smart, and so, presumably, all the hackers.

    One has got to realize that password policy has nothing whatsoever to do with security. It has, on the other hand, everything to do with security *regulations*. Bosses are only interested in a reasonable way to avoid fines.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 2) by DannyB on Friday December 13 2019, @06:23PM (1 child)

    by DannyB (5839) on Friday December 13 2019, @06:23PM (#931786)

    It has, on the other hand, everything to do with security *regulations*.

    In other words: the appearance of security. Whether it's actually a good idea or not. It looks good.

    Or said differently: "we don't care if we get hacked, as long as we CYA."

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by pipedwho on Saturday December 14 2019, @07:01AM

      by pipedwho (2032) on Saturday December 14 2019, @07:01AM (#931971)

      The CYA mentality only works when you are actually using good practices. When NIST recommends against your policy, it is in your interest to do something about it. When the lawsuits come in, the CYA becomes 'we are using some inane, insecure, contraindicated security policy', and that tends to look pretty bad as a defence in a lawsuit. I get called in for cybersecurity advice regularly, and some companies choose to ignore recommendations. But they still sign off on the fault and security analysis, which includes agreeing to take the enumerated and highlighted risks/repercussions.