Why do employees create hackable passwords? It's personal, not laziness

The choice of the password "123456" for an email account is often attributed to ignorance or laziness; however, many other weak passwords are weak not because they are random, but because they are personal to their users, according to an opinion piece in The Wall Street Journal by Dr. Karen Renaud of Abertay University in Dundee, Scotland.

Dr. Renaud and two researchers at Mississippi State University examined why so many passwords remain hackable even though companies train employees to create strong, safe passwords. The research was conducted through surveys.

Their research suggested that people have personal connections to their passwords. When bosses or cybersecurity experts tell people that their passwords are weak, it can trigger defensiveness and little willingness to change them, Dr. Renaud reports.

People come up with passwords based on routines, including combinations of birthdays, addresses, names and sequences of numbers. Once these patterns are established, they can be hard to change, and Dr. Renaud found this is because users overvalue their passwords.

When asked what it would take for a person with a weak password to change it, respondents attached a significant cost to doing so.

"People overestimated the strength of the passwords created by their routines and overvalued them. When we asked them how much they would need to be paid to choose stronger passwords, and how much other people ought to be paid to do the same, they wanted significantly more money to switch than they thought other people should be paid," Dr. Renaud concluded.

When training employees on password security, Dr. Renaud recommends focusing on the effort it takes to remember strong passwords. Password managers may also help, since employees then only need to remember one good password, Dr. Renaud said.

"The key is to understand that people aren't choosing easy passwords just out of ignorance or laziness. They also care more about their passwords than the rest of us can imagine. And it's crucial that cybersecurity advocates make it easier for them to let go," Dr. Renaud said.


© Copyright ASC COMMUNICATIONS 2019.
