We often write about passwords and password policies from the IT/security administrator's side, usually after a password has been compromised. We recently found a survey that looked at compromised passwords from the user’s side to better understand how users feel about them. The survey makes a few key points that shed light on the social side of passwords. We suspect the motivation to guess passwords is different in this group because the goals change from monetary gain to curiosity or maybe even blackmail. The results show some of the motivations of the average user, which differ from those of an experienced hacker who might try to gain access for financial gain. Here are some highlights.
- 43.7% of respondents tried to discover the password to someone else’s personal email, but only 12.9% tried to access someone else’s crypto wallet.
- 25.7% of respondents revealed their bank account password. We can only hope they shared it only with their spouse.
We did find some discrepancies between what the respondents say they use in a password and what we find in password breaches. We often see explicit words in passwords, especially ones coming from forum or game breaches. We also see a lot of sports team names in passwords, but these didn’t show up on the list from the survey for some reason.
The result we found most concerning is that 37.6% of respondents never use a password manager. The use of password managers has steadily increased, but some users still don’t use one at all, and that is before counting the users who use a password manager only occasionally.
Though many of us have done it in the past, giving your password to someone else decreases its security, so we can’t recommend it. Password managers help create good passwords while removing the need to come up with a difficult-to-remember password for each account. We recommend using one for every service.