A scary 92% of people use the same password across all websites, including their email accounts. That is the finding of a short research project we did for a client recently.
92% is a scary statistic; here is how we got it.
Over the last 6 months we have been working with two clients to experiment with their security authentication methods. Our first task was to work out what the issues actually were, and one of the questions asked was: do people use the same passwords across multiple sites?
So we set up a very simple test using several websites’ registration processes. We identified users whose email addresses were at Yahoo, Gmail, Hotmail and a few of the smaller free email providers. Next we added a special terms and conditions box (this was in addition to the normal terms and conditions) which they needed to opt into; it was neither ticked by default nor a requirement. We tried very hard to make sure what we were going to do was utterly transparent. To our surprise the opt-in rate was nearly 70%; we can only assume people were blind clicking.
Why do we think they were blind clicking? Because they had just agreed to:
Give xxxxxx permission to attempt to log in to your mail account using the details you provided. No mail or contact details will be collected and no personally identifiable information will be stored about this attempt. Please be aware that allowing this action may be in breach of the terms of service for your email provider and could cause discontinuation of your service. xxxxxx will not be held liable in such cases.
We then provided a link with more explicit information on what we were planning to do, plus all the legal arse-covering bits. Now we had just over 2000 “volunteers”; that link was clicked just twice, and one of those two then went and agreed to it! Sadly, as the data is dissociated from the account, we have no way of knowing whether that person agreed because he knew it would be a failed login or not.
Once we had their permission we used a simple bot to attempt to log in, storing successful logins in a database identifiable only by an ID and the mail server. We never stored whose email it was, which is just as well, as it would have been a privacy nightmare.
Our registration pages were split into two types: ones that required at minimum a weak password, and ones that required an alphanumeric password of more than 8 characters.
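As an added illustration of the bookkeeping described in the two paragraphs above (this is not the authors’ own code), here is a small Python module that derives the provider from the registration email, classifies the password against the stricter policy, and keeps only an opaque ID, the provider and the policy tier, so no address or password is ever stored. The domain list, the reading of “alphanumeric” as “contains at least one letter and one digit”, and every name below are my assumptions; the login attempt itself is out of scope and only its result is recorded.

```python
import re
import secrets
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Assumed mapping from email domain to provider label. The post names only
# Yahoo, Gmail and Hotmail; the domain strings are my assumption.
FREE_MAIL_PROVIDERS = {
    "gmail.com": "gmail",
    "yahoo.com": "yahoo",
    "hotmail.com": "hotmail",
}

STRONG_POLICY_MIN_LEN = 9  # "more than 8 characters"


def provider_of(email: str) -> Optional[str]:
    """Return the provider label for a tracked free-mail address, else None."""
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return FREE_MAIL_PROVIDERS.get(domain)


def meets_strong_policy(password: str) -> bool:
    """Stricter tier: more than 8 characters with at least one letter and one digit
    (my reading of 'alphanumeric'); anything else falls into the weak tier."""
    return (
        len(password) >= STRONG_POLICY_MIN_LEN
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


class ReuseStudy:
    """Stores one record per volunteer: opaque ID, provider, policy tier, outcome.

    The email address and password are only used to derive those fields and are
    discarded immediately, so nothing held here identifies the person.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def enrol(self, email: str, password: str, opted_in: bool) -> Optional[str]:
        """Register a volunteer; returns the opaque ID, or None if they did not
        opt in or do not use one of the tracked providers."""
        provider = provider_of(email)
        if not opted_in or provider is None:
            return None
        volunteer_id = secrets.token_hex(8)  # random, unlinkable to the address
        self._records[volunteer_id] = {
            "provider": provider,
            "tier": "strong" if meets_strong_policy(password) else "weak",
            "reused": None,  # filled in by record_outcome
        }
        return volunteer_id

    def record_outcome(self, volunteer_id: str, reused: bool) -> None:
        """Record whether the site password also worked for the mail account."""
        self._records[volunteer_id]["reused"] = reused

    def reuse_rates(self) -> Dict[Tuple[str, str], float]:
        """Fraction of volunteers per (provider, tier) whose password was reused."""
        counts = defaultdict(lambda: [0, 0])  # key -> [reused, total]
        for rec in self._records.values():
            if rec["reused"] is None:
                continue
            key = (rec["provider"], rec["tier"])
            counts[key][1] += 1
            if rec["reused"]:
                counts[key][0] += 1
        return {key: reused / total for key, (reused, total) in counts.items()}


if __name__ == "__main__":
    # Constructed sample volunteers, not data from the study.
    study = ReuseStudy()
    a = study.enrol("alice@gmail.com", "summer2009", opted_in=True)
    b = study.enrol("bob@gmail.com", "kitten", opted_in=True)
    study.record_outcome(a, True)
    study.record_outcome(b, False)
    print(study.reuse_rates())
```

Because enrolment hands back only a random token, a leak of the results table reveals which provider and policy tier a row belongs to and nothing else, which is the property the post relies on when it says the data is dissociated from the account.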
Finally we surveyed 1 in 10 about their email and password habits.
Gmail users the worst at password protection
With a little over 93% of the passwords working with their Gmail accounts, it would appear Gmail users are the laziest of those we tested, though the figure dropped to 89% when a stronger password was required.
Yahoo Mail users have shocking memories
That’s the conclusion we reached, as they were the only user group where the secure-password sites had a higher percentage of successful logins than the weak-password sites (91% vs 90%), which is strange because it has only been recently that YMail has had any decent requirement for password strength.
Hotmail passwords most secure, surely not!
It’s true Hotmail users came out best, but we are pretty sure we know why: in the follow-up survey almost a third of Hotmail users claimed they believed their account had been hacked.
Oh and users lie about their password habits
We all know that security, regularly changing passwords and using different passwords are important, which is probably why only 42% of the people asked admitted to using the same password on both their email and the site they registered on.
So a couple of take-away points: people really, really do not read terms and conditions, and for god’s sake use a different password for your email from the one you use to register at free sites!
Go change it now…
Update: as if to reinforce the point, news of thousands of Hotmail passwords being posted online has just been announced.
Passwords were in the news again in 2010 when a heap of Twitter accounts were attacked and then used to grab Gmail accounts. See Password Protection Round X
12 comments
I can honestly say that my Gmail password is unique. All my commonly used passwords are, but Gmail, banking passwords, and DNS related passwords are more random. I am also very very reluctant to give those passwords to 3rd parties and have no problem in emailing them to let them know that.
That being said when I sign up to a lot of beta services to try them out I use a standard password. If I use the service seriously then I change it. There is only just so much space in my head.
This is a big problem. Recently when setting up services for my family I have been told to use passwords that “I use for everything”. Even when the site requires a more complex password or frequent changing, numbers are normally added, and predictable.
I honestly don’t believe enforcing more complex passwords is the solution. It only reduced the uniqueness by 4%, and I bet if the other sites imposed the same restrictions they would be the same again. This also increases the need for people to write the password down, normally in an obvious location.
My favoured solution to this is to first educate the user, and when that fails look at a more hardware based security key solution. If Google, Yahoo, and Microsoft adopted the same technology then there is a realistic possibility it would work. Now you must excuse me, I need to get back to cloud cuckoo land.
This highlights an increasing problem in modern society, not just on the web. We have passwords and PINs for just about everything.
How many bank cards do you have? Hmm, 2 credit cards, a debit for each of about 5 current and investment accounts, a business account. And I suspect others will have more than that with store cards and suchlike. How do you store the PINs? What do you mean you’re not supposed to store them anywhere – can you remember 8 different numbers reliably?
Websites; far too many to think about. Do I get the browser to save them all and risk someone stealing them from malware hacking my machine? If not do I note them all down somewhere and risk that being found? Maybe the only way is to use a standard password for all the non-critical sites and only use unique ones for the most important ones like bank accounts. But even then it’s a nightmare trying to keep track of them all – the human memory just isn’t up to the job, particularly with accounts that you maybe only access once or twice a year.
We are nowhere near a satisfactory solution to this and until we are users will continue to use soft and/or universal passwords. I hate to say it but only something like iris recognition can improve matters unless someone comes up with a master password system that is truly uncrackable – and I’m not at all sure that’s possible. But I don’t like the implications of what iris tracking might let loose.
I have always wondered about this and the fact that once you crack one password you have access to pretty much everything people do online. The biggest problem is that I have 100s of online accounts and no way of keeping track of them all. I know OpenID is a good start but why isn’t there a better system for logging in?
This should be known to everyone already, as for managing passwords you can use things like fingertip recognition or signature to sign into your accounts.
There’s no magic bullet, Tim. Authentication is just a hard problem.
We’ve known for decades that there are three ways (“factors”) of authenticating a user: something you know, something you have, and something you are.
So long as we stick to “something you know”, we’re subject to the limits of human memory. That means that we’ll get short, repetitive patterns, because that’s what our brains can do. It also means that we’ll continue to have social attacks (phishing, etc.) because people believe that the way to prove they know something is to disclose it.
“Something you have” will be a more secure option for the foreseeable future (key chains, etc.) because a hardware key can’t be stolen remotely. The interesting thing is how few people think of their desktop or laptop computer as “something you have” and are unwilling to just use long random passwords stored on their local computer (with a remote sync solution for roaming access).
“Something you are” is the gold standard, used mainly for military systems and controlled-access facilities… iris scanners, fingerprints, and so forth. The surprising thing, for those in the know, is how many false positives these systems have. In practice, they always need to be combined with one of the other two.
After reading your article I have decided that even though I do not use the same passwords for all of my internet stuff I do use it enough to be dangerous. The good news is I never used the same passwords for anything to do with finances or personal information. But all of my logins for blogs, etc, were all the same password. I did this for expediency purposes and because it was not serious information that could be breached. For those important ones I have my password keeper program generate a longer alphanumeric pw.
This article was very informative, because I do place myself in the category using the same or similar password for each of the websites I have to log into. I think it’s easier for me to keep track of a password that is similar since I have so many login details to remember. I do see the harm in doing that as well so I will keep this in mind the next time I create a new password.
Thanks for writing about this issue…
Now I have some passwords to go change. :-/