New Webroot Survey Reveals Poor Password Practices That May Put Consumers' Identities At Risk
Research Shows Younger Internet Users Are More Reckless, But All Groups Make Critical Mistakes
Bracknell, UK, 12 October, 2010
When it comes to safeguarding personal information online, many people leave their virtual keys in the front door. New research commissioned by Webroot, the first Internet security service company, uncovers common password practices that are putting consumers' identities and wallets at risk.
In a survey of more than 2,500 individuals across the United States, United Kingdom and Australia, Webroot found the most commonly used password-protected sites among consumers are banks (88 percent), personal email accounts (86 percent), and Facebook (72 percent) – all of which are rife with sensitive information.
Among the findings:
- 4 in 10 respondents shared passwords with at least one person in the past year.
- Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them is compromised.
- Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, which would make it more difficult for criminals to guess passwords.
- 2 in 10 have used a significant date, such as a birth date, or a pet's name as a password – information that's often publicly visible on social networks.
"We're seeing between 40,000 to 100,000 new samples of malware emerge daily and in most of those cases the motivation behind the malware is financial," said Jeff Horne, Director of Threat Research at Webroot. "In fact, earlier this month the FBI reported that Zbot, a Trojan known to steal passwords, led to the loss of million from its victims. Using good password and security practices will help thwart similar attacks: Make a common practice to never store your password in a browser or FTP site, and have reputable, up-to-date antimalware protection in place."
Summary of Key Findings:
Younger people are especially likely to take online security risks. Webroot found that among 18 to 29 year-olds:
- 12 percent have shared a password in a text message (vs. four percent overall).
- 30 percent logged into a site requiring a password over public WiFi (vs. 21 percent overall).
- Over half (54 percent) have shared passwords with one or more people in the past year (vs. 41 percent of people overall).
But younger users aren't the only ones making mistakes when it comes to their passwords. The study also found:
- More than half (51 percent) of UK users never use special characters (! ? & #) in their passwords.
- A quarter of those surveyed from the UK use a significant date (such as their anniversary or birth date), and 21 percent use their pet's name, as a password.
- 41 percent of UK users claim they often, most of the time, or always use the same password for multiple accounts.
The number of Web sites requiring an extra layer of security has proliferated, driving careless habits:
- Three quarters (77 percent) of all those surveyed, and 81 percent of respondents from the UK, have five or more online accounts that require passwords.
- 39 percent of UK respondents have 10 or more password-protected accounts. Only one in 10 in the UK say they never use the same password on different accounts.
- UK users report that they most commonly access online banks and financial services (92 percent), email (88 percent), and online retailers (81 percent) using password-protected accounts.
- 55 percent of those in the UK report they occasionally, often, or always forget their passwords and have to use a recovery mechanism to log into an account.
Contradictions among consumers' password practices are prevalent:
- Nearly half (48 percent) of people in the UK feel their passwords are very or extremely secure, yet:
- 89 percent who access sensitive information from an unfamiliar computer don't ensure that the network connection is secure before they use it, and 96 percent don't check to see if the computer has antivirus installed before using it.
- 19 percent never change their banking password.
- A quarter of UK users chose a significant date for a password.
In addition, poor online password practices put consumers in danger of hacking and identity theft:
- 41 percent use the same password for multiple accounts.
- Only 16 percent create passwords with more than 10 characters in length.
- 4 in 10 people (41 percent) have shared passwords with one or more people in the past year.
- Almost half of Facebook users (47 percent) use their Facebook password on other accounts and 62 percent of Facebook users never change their password.
What Can You Do?
The threat experts at Webroot provide the following six Internet safety tips for developing passwords that will keep their information safe:
Make Your Password Unique – As a critical line of defense, choose passwords wisely. Incorporate numbers, letters and special characters like !, $, /, and * to strengthen your password. Form a password using letters, numbers and figures in a memorable sentence, such as "Webroot educated me in 10/10." Additionally, password management features in products like Webroot® Internet Security Complete can both help you select a secure password and protect you from online threats.
Use one password for one site – Once you've created a unique password, use it only for one Web site or one service. If you use the same password everywhere, you open up a gateway to the information stored on each of your password-protected sites if one of them is compromised. In addition, don't write down passwords and store them for your own recall on a notepad or in a Word document, both of which leaves them vulnerable to prying eyes. For help, use a password management tool.
Not Sharing is Caring – Never share any password with anyone: Not your boss, your best friend, your cousin, your significant other or your spouse. Once a password is out of your control, you don't know how it will be used. If you've shared a password, to regain control of your account change the password.
Change your passwords periodically – Change the passwords you use most frequently, and never keep the same password on any account for more than a year even if you rarely use the site. For help, a good password manager feature will remind you when it's time to switch it up.
Say no when browsers offer to save your password – Web site browsers like Firefox and Internet Explorer have a feature which lets users save passwords for later use. The most widely distributed password stealing Trojans, including Zbot and SpyEye, know where to look and how to steal that information if you get infected. This also applies if you use an FTP client.
Any account can be valuable to a criminal – Criminals use other people's identities for many purposes other than draining your bank account. Any old, unused free account on a message board, Web mail service, or social network can be hijacked for fraud. When you plan to quit a service or forum, change your password so criminals can't use your account for clickfraud, black hat SEO, or to try to convince your friends and family that you're stuck far from home and need a wire transfer to return.
About the Research
Between September 9, 2010 and September 12, 2010, Webroot sponsored an online survey of Internet users. Invitations to participate were emailed by e-Rewards to consumer panel members in Australia, the United Kingdom, and the United States. Respondents qualified for the survey if they spent at least one hour online at home each day and had at least one online account that requires a password. At the 95 percent confidence level the margin of error is ±1.9 percentage points for the full sample of 2,552 respondents, ±3.1 points for the US sample of 1,007, ±3.2 points for the UK sample of 924, and ±3.9 points for the Australian sample of 621.
Webroot is a leading provider of Internet security for consumers and businesses worldwide. Founded in 1997, Webroot is headquartered in Colorado and is the largest privately held Internet security company in the United States. The company employs more than 400 people globally and has operations across North America, Europe and the Asia Pacific region. Consistently rated among the best security offerings available, Webroot's products include email, Web and archiving security services for businesses, and antimalware, privacy and identity protection for consumers. For more information, visit http://www.webroot.co.uk or call 0845 0822 498.
Webroot Threat Blog: http://blog.webroot.com.
Follow Webroot on Twitter: http://twitter.com/webroot.
©2013 Webroot Software, Inc. All rights reserved. Webroot is a registered trademark of Webroot Software, Inc. in the United States and other countries. All other trademarks are properties of their respective owners.