By Daniel J. Solove
A recent study by TeleSign revealed that many people engage in some troublesome password practices. Some of the most alarming findings from the report include:
— 73% of accounts use duplicate passwords.
— Nearly half of consumers have a password they haven’t changed in 5+ years.
— “Consumers have an average of 24 online accounts, but use only 6 unique passwords.”
— “Only 30 percent of consumers are confident that their passwords will protect the security of their online accounts.”
These findings demonstrate why better authentication is needed. Enforcing good password practices is tremendously difficult: people have so many passwords to memorize that requiring each one to be long, complex, and unique compounds the problem, and reuse is the predictable result. Alternative means of authentication, such as two-factor authentication, should be explored. They are affordable and efficient, and they limit the damage a single stolen or reused password can do, because the password alone is no longer enough to log in.
Additionally, organizations must train employees about good password practices. Employees should be taught not to use the same password for work as for other accounts. The work password should always be unique, because when a reused password leaks from some other site, attackers routinely try it against every account tied to the same email address, including the employee’s work login. Employees should understand why choosing long and complex passwords matters. They should also be taught how to create passwords they can remember.
Training on passwords alone isn’t sufficient, because even a strong, unique password is useless once its owner is tricked into handing it over. Employees must receive phishing training and social engineering training too. All of these things are interrelated.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.