Times used to be so simple – type in your pet's name, add a number or two, and voila! The perfect password. However, as technology advances and people are better able to navigate the digital world, the formula we use to protect our information needs to be progressively more complicated: a mix of uppercase and lowercase letters, numbers first, in between, or at the end, and very specific special characters. Even then, with a password too difficult to remember, hackers are always one step ahead.
From retail companies and grocery stores to social media platforms and credit reporting agencies, data breaches have continuously made headlines since 2017. Millions of people's private information is in the hands of hackers yet could have been prevented by one small change: using new or automatically generated passwords. With the persistent vulnerability of technology, how do Americans approach their passwords? Do they use the same passwords with slight changes or mix them up and store them in case they forget? We surveyed over 1,000 people to learn about their password strategies and security habits. Keep reading to see what we found.
Passwords in the Making
Before password generators like Apple's new automatic strong passwords feature, creating passwords that were easy to remember and secure took a lot of brain racking. Given the frustration that comes with forgetting a password, most people use a password they've used before with minor alterations.
The problem is – reusing old passwords comes with a risk. Breaches are quite common, and reusing old passwords allows hackers to do something called "credential stuffing." In other words, information gathered from previous hacks or breaches is later used to gain access to other accounts. Of course, this works when passwords are reused or used on multiple accounts, making a significant portion of the population vulnerable to such attacks.
While making slight adjustments to previous passwords was the most common, 32% of people also substituted letters with numbers and added symbols to bump up the complexity of their passwords. Overall, 17% of people frequently forgot their passwords, but certain strategies made them more likely to do so. Those who picked words from a dictionary were the most likely to forget their passwords, followed by people who rolled dice with words on them.
Those who came up with random words and numbers, rather than relying on a word generator like a dictionary or die, were the least likely to forget their passwords, suggesting it's more about where the random words come from than the lack of connection. In fact, using a template with random letter and number sequences was found to increase not only security but also the ease of remembering.
Meeting the Requirements
Password requirements differ for every website – while some platforms simply require a minimum number of characters, others require a mix of uppercase and lowercase letters, numbers, and special characters. Regardless of the requirements, the average password was nine characters, with the majority of users using uppercase and lowercase letters along with numbers and symbols. Despite caution against using personal information to create a password, one-third of people used their pet's name, 27% used their birth year, and 18% even used their first name.
Sticking to a mix of letters and personal information may not be recommended for security purposes, but Americans didn't see much wrong with it. Nearly 40% of people said their passwords were complicated, and 46% believed their passwords qualified as moderately complicated. Nevertheless, 14% admitted that their passwords were not at all complicated. Millennials were the most likely to admit to a lack of password complexity, but it seemed to help them remember – the youngest generation was also the least likely to forget their passwords.
Out With the New, In With the Old
As mentioned earlier, recycling passwords puts users at risk of being hacked, especially when passwords are reused within a company. Despite the risk, 72% of respondents reported recycling their passwords, with millennials being the most likely to do so. Compared to 56% of baby boomers, 70% of Gen Xers took the recycling route, while 76% of millennials did the same. People aren't sticking to recycling passwords on random, unimportant sites, though. Sixty-three percent of respondents used the same passwords for entertainment like streaming services and social media as they did for important sites like business, banking, and medical.
Another security no-no is sharing passwords – even when the other person is your boss or a colleague. Fortunately, Americans seem to be on the safe side when it comes to sharing. Eighty-two percent of respondents kept their personal passwords to themselves. Of the 18% who did share, more than half admitted to sharing passwords that were recycled and used for other services. This sharing of recycled passwords may have something to do with the number of people sharing login credentials for online streaming services like Netflix and Hulu.
In Case of Forgetting
If highly secured passwords mean a mix of letters, numbers, and special characters that have little to no connection to the user, how do people remember them? Nearly 40% of people thought their memory was the best storage method, while 27% thought password management apps reigned supreme. Seventy percent of millennials and 60% of Gen Xers relied on their memory to store their passwords, while baby boomers were the most likely to use physical notebooks.
Respondents may have thought password management apps were the best storage method, but less than a quarter actually used them. This is likely due to the risks associated with keeping all passwords in one place where hackers can reach them.
Some of the biggest names in food services and retail were victims of data breaches in 2018, yet only 30% of respondents were aware of their passwords being leaked due to a data breach. While major breaches don't affect everyone, it can be difficult to know whether your information is among the stolen data, especially if the company fails to notify each affected individual. However, 96% of Americans changed their password after learning about a data breach. According to the tech experts, changing passwords should be completed before a notification even hits your inbox.
Hackers may not be the only ones we worry about accessing our information, but the majority of people surveyed never had someone log into their account without their permission.
Protect Your Information
We live most of our lives online, with personal information protected by a simple combination of letters and numbers. Despite the importance of strong passwords, Americans tend to stick to the basics – a combination of uppercase and lowercase letters, or even their pet's name. While complex passwords increase security, they also increase the risk of being forgotten. Keeping passwords stored in a handy notebook or password management app may help people remember their credentials, but most rely on their own memory. After all, keeping personal information in your mind is the best way to prevent it from getting into the wrong hands.
To conduct this study, we collected responses from 1,012 respondents. Anyone who had at least one password in their lives was qualified to take the survey. Before respondents took the survey, they had to say they were comfortable answering questions about their password habits.
If respondents failed an attention-check question roughly halfway through the survey, they were disqualified from taking the rest of the survey and were excluded.
Fair Use Statement
Sharing this study is smarter than sharing your passwords, so feel free to show it off to your readers. We just ask that it is for noncommercial purposes and that you link back to this page.