Are younger people less aware of online security risks, or do they simply prefer to take more risks with their personal information? That's one of the questions raised by the findings of our recent poll of 2,129 U.S. adults (aged 18 and over) by Harris Interactive. For example, we asked survey participants if the following statement applied to them:
"When creating any personal password (e.g., online accounts, computer networks, device access codes), I use a combination of numbers, letters and symbols."
The percentage of respondents who said yes was 84%. This number may strike some people as surprisingly high given the numerous cases of "bad" passwords we have seen exposed in the last 12 months (for ample evidence of this, see David Harley's post on weak passwords seen on Yahoo!).
The fact that more than 4 out of 5 people are using some measure of complexity in their passwords might also surprise those who subscribe to the "stupid user" theory of system vulnerability. (We recently discussed the "stupid user" and "untrained user" perspectives here on the blog.) While cynics might say this result just reflects an increase in the number of online authentication systems that enforce strong password rules, I'm inclined to think it shows some progress in the general understanding of what is meant by "strong password".
The Demographics of Password Security
What may come as more of a surprise is the demographic breakdown of responses regarding password complexity. We found that the 18-34 age group got the lowest score on this question (77%) while the highest scoring demographic was the 55+ age group (89%).
Sociologists among our readership may be fascinated to know that a similar discrepancy was seen between married respondents (89%) and single/never married respondents (77%) when it came to creating more complex passwords.
We also found that results varied by income, with lower income respondents (79%) less likely to create complex passwords than higher income individuals (the $50K to $74.9K bracket scored 88%, while highest income bracket of $75K+ scored 89%).
The relationship between household size and password complexity was interesting and perhaps understandable, given human nature: users in smaller household sizes were less likely to create complex passwords. In households of just one person the score was 75%, jumping to 87% in homes with two occupants.
Perhaps the most worrying finding was that fewer students created complex passwords (77%) compared with individuals whose work status was full-time/self-employed/retired (each of those groups who scored 86%). It is not clear whether this represents an easy-going attitude, a lack of awareness of online threats, or simply "password fatigue" (which can be defined as "tired of having to remember all those different and difficult passwords").
A Pattern of Security Weakness?
This pattern of younger people and students exhibiting riskier behavior with respect to online security was underlined by the responses to this statement:
"I use the same password for several of my personal online accounts."
Some 46% of respondents admitted to using the same password for multiple accounts, with the group most likely to do this being those age 18-34 (49%). The least likely folks to do this were those 55 or older (43%). The largest groups of individuals to use the same password were females 18-34 (56%), with females 55+ being the least likely (35%).
General security awareness seemed to be higher when it came to PINs. We asked people to respond Yes or No to this statement:
My mobile PIN (i.e., voicemail password) is the same as my ATM PIN.
We found that, overall, less than 1 in 10 (8%) use the same PIN for both ATM and voicemail on their mobile phones. But again, those most likely to engage in the risky practice of using the same PIN for both were those age 18-34 (12%), while again, the 55+ group do this the least (3%). Interestingly, males 18-34 are the most frequent individual group (13%), with males 55+ (2%) being the least frequent group to double up on PIN use.
While there looks to be a clear trend here, of younger people taking less care with their digital credentials, there are some interesting wrinkles when looking at education level. For example, college graduates are the most likely education demographic to double up on PIN use (10%). College graduates are also the most likely group to use the same password for several of their personal online accounts (52%). On the other hand people with a high school education or less are the least likely to double up on passwords (41%).
As we work to better understand some of these behaviors it is worth remembering that passwords are still the front line of information security and privacy protection, from social media accounts to online prescription refills, bank accounts to network and device access (spanning desktops to laptops, smartphones to tablets). Of course, the bad guys seem to be the only demographic that is happy passwords are still playing such a vital and widespread role in protecting our privacy and security. So, until better means of authentication are more commonplace, we need to make the best of passwords and keep in mind the statement made by an FBI digital forensics expert at the recent Security Our eCity Symposium: "If only more people would use stronger passwords and do a better job of patching their systems, my caseload would be a lot lighter."
In our next post on this topic we will share more survey results, covering the use of web browsers and password managers to store passwords. But in the meantime you will find tips on building a stronger password in the free security training that ESET is providing during National Cyber Security Awareness Month (available to web users in North America). There are also many free security resources on the SOeC website.
Abbreviated Methodology: This survey was conducted online within the United States by Harris Interactive on behalf of ESET. from August 27-29, 2012 among 2,129 adults age 18+. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please contact stephen dot cobb at eset dot com.