Why Users Find Password Management Stressful
Security managers face an uphill battle keeping passwords effective in their fight against data breaches.
- By James E. Powell
- June 5, 2020
Keeping passwords strong, secure, and ever-changing is an important strategy for protecting an enterprise’s assets from data breaches. Results of a new survey show what enterprise security managers are up against when it comes to end-user attitudes about password management.
The survey of 700 people in the United States and UK conducted by NordPass, a password management software developer, revealed that “more than 30 percent of people think that resetting and coping with passwords is hugely stressful and can be compared to the stress of ceasing to work.” Losing a vital password without an option to reset it is far more stressful; two-thirds of respondents (67 percent) “agreed that it’s as stressful as dismissal from work or changing jobs.”
Why are these numbers so high? Two-thirds of survey participants (66 percent) said “it’s because they simply have too many accounts to manage.” Four in ten (41 percent) say they can’t remember which password goes with which account. Ironically, 38 percent can’t remember their passwords because they are unique for every account -- a security best practice.
Unfortunately, that best practice isn’t top of mind for users. NordPass points out that “even the most critical accounts are left insufficiently secured. For example, only 53 percent use a unique password to protect banking or other financial accounts. Similarly, only 46 percent protect their personal email account with a unique password.”
This isn’t surprising, says Chad Hammond, security expert at NordPass, “Our study revealed that 7 out of 10 respondents in the U.S. have more than 10 password-protected accounts for personal use. 2 out of 10 have more than 50 such accounts. On top of that, add all work and school-related accounts, and it ends up being a huge amount of information.
“People tend to worry about financial accounts more. But it’s important to remember that if you use weak or repurposed passwords, it doesn’t matter which account gets hacked. In essence, all accounts become jeopardized.”
Three-quarters of survey respondents (76 percent) compared the stress of an actual data breach to personal injury, illness, and financial problems; 80 percent compared identity theft to having personal documents stolen or losing a wallet.
Actual victims of cybercrime have a different attitude toward passwords, but that attitude doesn’t reflect itself in action. Hammond says that victims are “more concerned about their email, forums or entertainment, communication, [and] health apps’ accounts. They also acknowledge the necessity of strong passwords for these accounts more often. However, they don’t seem to take any action. Victims of cybercrime don’t tend to secure their accounts with unique passwords more often than those who haven’t experienced cybercrime.”
NIST Offers Password Relief
The National Institute of Standards and Technology (NIST) may provide some relief to password stress. The organization revised its recommendations, last updated in 2017, and the new guidelines should make password creation and use much easier.
For example, NIST now says that users don’t have to include special characters in their passwords because any benefits are outweighed by the negative impact to usability and “memorability.”
User memory is also at the heart of another recommendation -- that users be able to use all characters. Passwords should be at least 8 characters long, and verifiers should allow up to at least 64 characters “to support the use of passphrases,” which can now include “any characters [users] like (including spaces), thus aiding memorization.” Consecutive spaces, however, are discouraged.
Gone, too, is the recommendation that passwords must be a mix of different character types (numbers, characters, uppercase, etc.).
Perhaps best of all, NIST says goodbye to the requirement that “memorized secrets [meaning passwords] be changed arbitrarily (e.g., periodically).” Instead of requiring password changes every 30 days, for example, passwords should be changed if there is “a user request or evidence of authenticator compromise.” Most “enforced updates” only lead to weak password changes anyway, NIST explains, which don’t enhance security and won’t pose a serious hurdle to cyber attackers.
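The length-only policy the article describes, written out as a checker so the difference from a legacy composition-rule policy is visible on a real passphrase. This is an added example, not code from NIST or NordPass; the Unicode normalization step and the `rotation_required` helper are my additions and not discussed in the article.

```python
import unicodedata
from typing import List

MIN_LEN = 8   # minimum length for a user-chosen memorized secret
MAX_LEN = 64  # the verifier must accept at least this many characters


def check_memorized_secret(secret: str) -> List[str]:
    """Return a list of problems; an empty list means the secret is acceptable.

    Length is the only hard rule, every printing character (spaces and
    non-ASCII included) is allowed, and there are no composition rules.
    """
    problems = []
    # Added assumption: normalize so the same passphrase typed on different
    # platforms compares equal. Count code points, not bytes, so non-ASCII
    # passphrases are not penalised.
    secret = unicodedata.normalize("NFKC", secret)
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Consecutive spaces are discouraged (usually a typo, never extra entropy),
    # so they are reported rather than silently collapsed.
    if "  " in secret:
        problems.append("contains consecutive spaces")
    # Deliberately absent: any requirement for digits, upper case or symbols.
    return problems


def legacy_policy_problems(secret: str) -> List[str]:
    """The kind of composition rules the revised guidance dropped, for contrast."""
    problems = []
    if not any(c.isdigit() for c in secret):
        problems.append("no digit")
    if not any(c.isupper() for c in secret):
        problems.append("no upper case")
    if not any(not c.isalnum() and not c.isspace() for c in secret):
        problems.append("no special character")
    if " " in secret:
        problems.append("spaces not allowed")
    return problems


def rotation_required(user_requested: bool, compromise_evidence: bool) -> bool:
    """Change the secret only on user request or evidence of compromise,
    never because a calendar interval such as 30 days has elapsed."""
    return user_requested or compromise_evidence
```

Running both checkers on a four-word passphrase shows why users found the old rules hostile: the legacy policy rejects it on every count while the length-based check accepts it.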
A good overview of the major NIST changes is available here.
James E. Powell is the editorial director of TDWI, including research reports, the Business Intelligence Journal, and Upside newsletter.