A scary 92% of people use the same password across all websites, including their email accounts. This is the finding of a short research project we did for a client recently.
92% is a scary statistic; here is how we got it.
Over the last 6 months we have been working with two clients to experiment with their authentication methods. Our first task was to work out what the issues actually were, and one of the questions asked was: do people use the same passwords across multiple sites?
So we set up a very simple test using several websites' registration processes. We identified users whose email addresses were at Yahoo, Gmail, Hotmail and a few of the smaller free email providers. Next we added a special terms and conditions box (in addition to the normal terms and conditions) which they needed to opt into; it was neither ticked by default nor a requirement. We tried very hard to make sure what we were going to do was utterly transparent. To our surprise the opt-in rate was nearly 70%; we can only assume people were blind clicking.
Why do we think they were blind clicking? Because they had just agreed to:
Give xxxxxx permission to attempt to log in to your mail account using the details you provided. No mail or contact details will be collected and no personally identifiable information will be stored about this attempt. Please be aware that allowing this action may be in breach of the terms of service for your email provider and could cause discontinuation of your service. xxxxxx will not be held liable in such cases.
We then provided a link with more explicit information on what we were planning to do and all the legal arse-covering bits. Now, of our just over 2000 "volunteers", that link was clicked just twice, and one of those then went and agreed to it! Sadly, as the data is dissociated from the account, we have no way of knowing whether that person did it because he knew it would be a failed login or not.
Once we had their permission we used a simple bot to attempt to log in, storing successful logins in a database identifiable only by an ID and the mail server. We never stored whose email it was, which is just as well, as it would have been a privacy nightmare.
Our registration pages were split into two types: ones that required at minimum a weak password and ones that required an alphanumeric password of more than 8 characters.
Finally, we surveyed 1 in 10 about their email and password habits.
Gmail users the worst at password protection
With a little over 93% of the passwords working with their Gmail accounts, it would appear Gmail users are the laziest of those we tested, though the figure dropped to 89% when a stronger password was required.
Yahoo Mail users have shocking memories
That's the conclusion we reached, as they were the only user group where the secure-password sites had a higher percentage of successful logins than the weak-password sites (91% vs 90%), which is strange because it has only been recently that YMail has had any decent requirement for password strength.
Hotmail passwords most secure, surely not!
It's true Hotmail users came out best, but we are pretty sure we know why: in the follow-up survey almost a third of Hotmail users claimed they believed their account had been hacked.
Oh, and users lie about their password habits
We all know that security, regularly changing passwords and using different passwords are important, which is probably why only 42% of people asked admitted to using the same password on both their email and the site they registered on.
So, a couple of take-away points: people really, really do not read terms and conditions, and for God's sake use a different password for your email from the one you use to register at free sites!
Go change it now…
Update: as if to reinforce the point, news of thousands of Hotmail passwords being posted online has just been announced.
Passwords were in the news again in 2010, when a heap of Twitter accounts were attacked and then used to grab Gmail accounts. See Password Protection Round X