How important is cyber security to you? What would you give up to be safer in cyber space? Do you feel that sharing the password to your social media account is more intimate than sex? If you answered yes to any of these don’t worry, you are not alone. When asked it seems that Americans are putting cyber security higher up their agenda than intimacy and carnal pleasures. Be careful, however, as all may not be what it appears to be.
Password management company Dashlane asked Harris to conduct a poll of 2,000 people. They were looking at what people were doing with passwords. They also wanted to know how far people would go to stay safe online. The responses bring varying reactions from facepalm to the raised eyebrow. The details of the survey and its responses came in a blog from Ryan Merchant, Senior Manager, Dashlane.
Emmanuel Schalit, CEO of Dashlane said: “The nature of online security has changed dramatically. Five to ten years ago, cybersecurity was about protecting devices with anti-virus software. Today, data isn’t on our devices, but in the cloud – and the best line of defense we have to protect this data are passwords. This survey data continues to highlight an unfortunate trend – even with breaches happening to everyone from companies and celebrities to consumers, people are continuing to engage in risky password behavior. That’s why password managers, like Dashlane, are imperative for keeping online identities secure.”
Passwords refuse to die out
The cyber security industry has been pretty clear about its view on passwords. They are the weak link in security and should be phased out. As can be seen from the Schalit quote above, not everyone agrees with that. Companies still use passwords because they are a simpler form of security to implement. Moving to multi-factor authentication can be costly and requires companies to review how their systems work.
That simplicity from some companies can go too far. There are a lot of sites that still restrict users to alphanumeric passwords. Some have character limits of as few as 10 characters. These are all relatively simple to crack with modern desktop technology. Using cloud-based systems it can take less time to crack a 10-character alphanumeric password than it takes to boil a kettle.
Some vendors are doing better. They allow additional characters and even certain character sets to be used in a password. More importantly, they also allow users to choose longer passwords.
The best vendors are using a mix of authentication types. The majority still use a password to start with but add other things. Fingerprints, images, retinal scans (still very rare) and voice (also rare) are being added. Sending check codes to mobile phones for authentication is relatively simple to implement but still seems to challenge a lot of companies.
People love to overshare when it comes to passwords
The survey shows just how many people are prepared to share their passwords. The most common is streaming media (21%) followed by mobile phones (19%), social media (16%) and online shopping (14%). When it comes to more sensitive data such as online banking, sharing is low. Access to online shopping accounts with cached payment details still allows people to buy using your details.
A look at the detailed data, to which we were allowed limited access, shows another common story. Age is the determining factor when it comes to sharing. Those under 34 are more likely to share passwords, especially for streaming media (64%). There is generally little difference between the sexes in the lower age groups when it comes to sharing.
People are also more likely to share their passwords with their spouse or partner (70%) rather than a friend or colleague. This was a result that was remarkably consistent across all the age groups. There was also no real difference in attitude between men and women.
Poor choice of data in passwords
The lack of sensible choices in creating passwords continues. The amount of stolen personal data is constantly being mined by hackers to guess passwords. Using obvious data makes it so much easier to work out a password.
Pets’ names (31%) feature highly when it comes to passwords. A quick look around social media will give hackers a serious boost when it comes to breaking passwords. The use of number sequences (23%) comes in second. It would take less than 1 minute to break a 10-digit numeric password with a modern desktop computer. If the numbers are in a logical sequence it would take less time.
These are followed by other common data such as family names (22%), birthdays (21%), anniversaries (9%) and addresses (9%). Even using an uncommon name of a long dead ancestor is simple to work out. As people do their family ancestry they link and store the data online. It is simple to pretend to be researching a relative to then get access to that data. These are all common attack vectors for hackers. They are also risks that have been highlighted constantly by security companies. It is hard to know what needs to be done to stop people making it so easy to work out their passwords.
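One way a site could screen for these choices when a password is set, shown as an added example that is not code from the survey or from Dashlane. The function names, the substitution table and the sample profile values are all constructed for illustration.

```python
import re
from datetime import date

# Common character substitutions, undone before matching personal words (assumed table).
LEET = str.maketrans("013457@$!", "oieastasi")
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%Y")

def date_forms(d):
    """Common ways a birthday or anniversary is typed into a password."""
    return {d.strftime(fmt) for fmt in DATE_FORMATS}

def has_digit_run(pw, min_len=4):
    """Detect ascending, descending or repeated digit runs such as 1234, 9876, 0000."""
    for m in re.finditer(r"\d{%d,}" % min_len, pw):
        ds = [int(c) for c in m.group()]
        for i in range(len(ds) - min_len + 1):
            win = ds[i:i + min_len]
            steps = {(b - a) % 10 for a, b in zip(win, win[1:])}
            if len(steps) == 1 and steps <= {0, 1, 9}:
                return True
    return False

def screen_password(pw, personal_words=(), personal_dates=()):
    """Return the reasons a candidate password is guessable from profile data."""
    reasons = []
    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    for word in personal_words:  # pet names, family names, street names
        token = word.lower().replace(" ", "")
        if len(token) >= 3 and (token in lowered or token in normalized):
            reasons.append(f"contains personal word '{word}'")
    for d in personal_dates:  # birthdays, anniversaries
        if any(form in pw for form in date_forms(d)):
            reasons.append(f"contains date {d.isoformat()}")
    if has_digit_run(pw):
        reasons.append("contains a number sequence")
    return reasons

if __name__ == "__main__":
    # Constructed profile: pet name, family name, and two dates the account holder supplied.
    words = ["Bella", "Smith"]
    dates = [date(2014, 6, 21), date(1988, 6, 21)]
    for candidate in ("B3ll@2014", "smith210688", "1234567890",
                      "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, words, dates) or "ok")
```

An empty list means none of the listed patterns were found; it does not mean the password is strong.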
Sex for cyber security
Time to get back to that headline. Did people really say they would give up sex for better cyber security? You bet they did. The raw data is fascinating. Respondents were asked about giving up sex for a year if it meant never being hacked. 39% were prepared to go celibate to protect themselves online. Surprisingly, males under 34 (45%) were more likely to give up sex than women of the same age. Older women in all the age groups over 45 (>65%) were also prepared to pass on sex for better cyber security.
There is a twist. Giving up favourite food for a month gets a higher rating than giving up sex for a year (41% vs 39%). Surprisingly the researchers didn’t ask about giving up favourite food for a year. We will have to speculate on whether people are more willing to live without Marmite, pickles, burgers or fried chicken for a year or abstain from sex. Where else will this lead us? Will sex addicts be offered better cyber security to help them give up sex?
Some of the responses are predictable. The lazy choices for password data are what keep the bar so low for hackers. The reuse of passwords is also a major contributor to the level of account compromise. What wasn’t expected is what people will give up to be more secure. Perhaps, with a little more thought, they could have better password security and not have to worry about choosing between their favourite food, sex or staying safe online.