Cybercriminals typically rely on weak passwords to break into the online accounts of unsuspecting victims, often with severe consequences. But despite understanding that strong passwords are a critical security best practice, most users find that the ease of memorizing only a few passwords and reusing them everywhere outweighs the increased security risk.
According to our 2021 global report on cybersecurity and online behaviors, slightly more than half of the over 10,000 consumers surveyed use either one single or a few passwords across their online accounts, and approximately a quarter are using one simple password for all of their online accounts.
Easy pickings for cybercriminals
The report notes that consumers are worried about online threats, including financial fraud and impersonation on social networks. However, their actions don’t match their concerns: based on behaviors related to use of security products, password reuse across platforms and sharing of account details, almost 60% of the polled individuals are considered “exposed”. Cybercriminals are taking advantage of these poor practices: 61% of users experienced at least one threat in the past year, with scam messages or calls on mobile (36%) and phishing (23%) occurring most frequently.
Weak passwords give cybercriminals an easy way in; once they hold working credentials they can sell them on the dark web or use them to launch further attacks. Simple, short or (too) common passwords can be cracked quickly with widely available tools. When an attacker has obtained a leaked password hash and can test guesses offline, at billions of guesses per second for fast unsalted hashes, every password of fewer than eight characters can be tried in a matter of seconds.
If hackers already have information on a victim, perhaps bought on the dark web or taken from a separate breach, they can also guess or deduce the password: cracking tools routinely try a password leaked from one site together with its common variations (changed case, an added digit or symbol, a year bumped by one) against the victim's other accounts. That is why changing all passwords after a suspected large data leak is so important, even if the user does not believe their own password was compromised.
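The two attacks just described, brute-forcing a short password and guessing a lightly modified version of a password leaked elsewhere, as an added example that is not code from the original article. It assumes the attacker holds an unsalted SHA-256 hash (standing in for any fast hash) and can test guesses offline; the sample passwords and the guesses-per-second rate passed to `seconds_to_exhaust` are constructed for the demo, not taken from the report.

```python
"""Added example, not code from the original article: why short passwords
and predictable variants of a leaked password fall quickly to an attacker
who holds a password hash and can test guesses offline.

Unsalted SHA-256 stands in for a fast hash; the target hashes are computed
here from constructed sample passwords, not taken from any real breach."""
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase


def sha256_hex(password: str) -> str:
    """Fast, unsalted hash of the kind that makes offline guessing cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hex: str, alphabet: str = LOWER, max_len: int = 4):
    """Exhaustively try every string of length 1..max_len over `alphabet`.

    26**4 (about 475k candidates) finishes in about a second in pure Python;
    dedicated cracking tools test the same space millions of times faster.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


def variants(leaked: str):
    """Guesses derived from a password that leaked from another site.

    Mimics the habits that mangling rules in cracking tools target: keep
    the word root, change its case, and append or bump a digit/year suffix.
    Returns a de-duplicated list in a stable order.
    """
    root = leaked.rstrip(string.digits + string.punctuation)
    suffix = leaked[len(root):]
    bases = [leaked, root, root.lower(), root.capitalize(), root.upper()]
    suffixes = ["", "1", "12", "123", "!", "1!", "2021", "2022"]
    digits = "".join(c for c in suffix if c.isdigit())
    if len(digits) == 4:              # trailing year: users tend to bump it by one
        suffixes.append(str(int(digits) + 1))
    out, seen = [], set()
    for base in bases:
        for suf in suffixes:
            cand = base + suf
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def guess_from_leak(target_hex: str, leaked: str):
    """Try the leaked password and its variants against a hash taken from a
    different account; a hit means the victim reused or lightly tweaked it."""
    for cand in variants(leaked):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to enumerate every password of the given length.

    guesses_per_second is an assumption supplied by the caller; a single
    modern GPU tests unsalted fast hashes at billions of guesses per second.
    """
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed demo values, not data from the report.
    print(brute_force(sha256_hex("dog")))                           # dog
    print(guess_from_leak(sha256_hex("Summer2021"), "Summer2020"))  # Summer2021
    for n in (6, 8, 12, 16):
        print(n, "lowercase chars:", round(seconds_to_exhaust(26, n, 1e10)), "s")
```

The lowercase 8-character space is exhausted in seconds at the assumed rate, while 12 random characters drawn from the full printable set would take far longer than any attacker has; the second path, `guess_from_leak`, needs almost no computation at all, which is why reuse is the bigger problem in practice.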
Cybercriminals also use phishing emails and malware campaigns as a common method for stealing login credentials, and much more: cookies and credit card data saved in browsers, information stored in crypto wallets, chat logs, VPN login credentials, text from files, etc.
After they’ve acquired stolen credentials, cybercriminals use them to commit identity theft and drain financial accounts. They also profit from selling the credentials on the dark web, so the victim may not even know how many threat actors have their information. In other cases, stolen credentials are used to hack into and take over other online accounts (e.g., social media profiles).
Stolen credentials can have much wider implications than the compromise of personal accounts. If a person uses the same or similar passwords for other accounts, such as their work account, the criminals can simply replay the leaked credentials against the employer's login portals (credential stuffing), effectively gaining a backdoor into the company. For businesses, a leak of this sort can result in massive financial loss and brand damage.
Consumers are leaving their passwords exposed
Mobile phones are a main and often overlooked concern. We found that 30% of respondents do not use antivirus on their phones, meaning they are not properly securing their devices. This is especially a concern as the demographic most often on their phones are also the ones who are less worried about online threats and vulnerabilities.
Password managers, passwords stored in an electronic file, and passwords kept in physical format are used most frequently for work devices and least frequently for personal phones. The autofill option and password managers are used most often by 25-44-year-olds, while physical formats are used more by those between 55 and 65.
But even if work accounts are secure, that doesn’t mean sensitive information from work doesn’t carry over onto personal phones. Email and communication apps connected to work accounts are often installed on personal devices, and if someone uses the same passwords across accounts, a compromise of their personal device exposes their work accounts as well.
How to stay safe
The key to improving general password security is to educate consumers on the risks associated with their online behaviors and provide realistic measures they can employ to better secure their passwords.
The first step is to diversify the existing set of passwords and make them more complex. Consumers should avoid reusing passwords or sharing passwords with multiple people, and should keep predictable patterns (e.g., keyboard paths like 1234 or QAZ) and personal information (e.g., birthdays or pets’ names) out of their passwords. Another common recommendation is to change passwords every three months; more important is to change a password as soon as you receive a data breach notification, and current NIST guidance (SP 800-63B) favors changing passwords on evidence of compromise rather than on a fixed schedule.
Also, make sure to enable two-factor authentication (2FA) on every account that supports it, preferring an authenticator app or hardware key over SMS codes where the choice is offered. This is an extremely important layer of protection that keeps an account safe even if the password gets into the wrong hands.
Even though these are the most basic steps, many people hesitate to take them because they worry about forgetting their passwords. A password manager solves this: it generates randomized, strong and unique passwords for each account and stores them securely, so the user only has to remember one strong master password.
Alongside 2FA, antivirus software can protect devices against the credential-stealing malware described above, and when connecting to an unknown network consumers should use a VPN.
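The password-hygiene steps above (no reuse or near-reuse across accounts, no keyboard walks or personal details, a minimum length, and a manager that generates random replacements) as an added example that is not code from the original article or from any password manager product. It audits a small vault and generates replacements; `SAMPLE_VAULT`, `PERSONAL_TOKENS`, the 12-character minimum and the common-password list are constructed for the demo.

```python
"""Added example, not code from the original article: a small audit of a
password vault against the advice above (length, common passwords,
keyboard walks, personal details, reuse across accounts) and a generator
for random, unique replacements of the kind a password manager produces.
SAMPLE_VAULT and PERSONAL_TOKENS are constructed sample data."""
import math
import re
import secrets
import string

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def _walk_fragments(window: int = 4) -> set:
    """Every `window`-long slice of a keyboard row or of the alphabet, in both
    directions, plus the short 3-key columns (e.g. 'qaz') as whole tokens."""
    frags = set(KEYBOARD_COLUMNS) | {c[::-1] for c in KEYBOARD_COLUMNS}
    for seq in KEYBOARD_ROWS + [string.ascii_lowercase]:
        for s in (seq, seq[::-1]):
            frags.update(s[i:i + window] for i in range(len(s) - window + 1))
    return frags


WALK_FRAGMENTS = _walk_fragments()


def _root(password: str) -> str:
    """Drop case and leading/trailing digits or symbols so that 'Summer2020'
    and 'summer2021!' are recognised as the same underlying password."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stripped or password.lower()


def audit(vault: dict, personal_tokens=()) -> dict:
    """vault maps account -> password. Returns account -> list of findings."""
    findings = {account: [] for account in vault}
    accounts_by_root = {}
    for account, pw in vault.items():
        low = pw.lower()
        if len(pw) < 12:
            findings[account].append("shorter than 12 characters")
        if low in COMMON_PASSWORDS:
            findings[account].append("on common-password list")
        if any(frag in low for frag in WALK_FRAGMENTS):
            findings[account].append("contains keyboard walk or sequence")
        for token in personal_tokens:
            if token.lower() in low:
                findings[account].append(f"contains personal detail {token!r}")
        accounts_by_root.setdefault(_root(pw), []).append(account)
    for accounts in accounts_by_root.values():   # reuse / near-reuse
        if len(accounts) > 1:
            for account in accounts:
                others = ", ".join(a for a in accounts if a != account)
                findings[account].append("same or similar password as " + others)
    return findings


def generate(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG, retried until it contains a
    lowercase letter, an uppercase letter, a digit and a symbol."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random password over `alphabet`."""
    return length * math.log2(len(alphabet))


SAMPLE_VAULT = {                      # constructed sample data
    "bank": "Summer2020",
    "email": "summer2021!",           # the bank password, lightly tweaked
    "work-vpn": "Rex1234",            # pet name plus a digit sequence
    "shop": "qwerty",
    "forum": "vZ7!pQm2#xLr9&Ws",      # already random and unique
}
PERSONAL_TOKENS = ("Rex", "1987")     # constructed: pet name, birth year


if __name__ == "__main__":
    for account, problems in audit(SAMPLE_VAULT, PERSONAL_TOKENS).items():
        print(account, "->", problems or "ok")
    print("replacement:", generate(), f"({entropy_bits(20):.0f} bits)")
```

The reuse check works on the normalised root rather than the exact string, so the "bank" and "email" entries are flagged against each other even though the two passwords differ; that is the same near-reuse a credential-stuffing attacker exploits with mangling rules. `generate` draws from `secrets` rather than `random`, which is the detail that separates a password manager's output from a guessable one.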
In educating users on security, a special focus should be on mobile phones because, as discussed earlier, they are more exposed with a lower usage of security products/services and higher usage of simple passwords.