The splendors and miseries of passwords on the web

Passwords are the main method of authentication for the Internet today. They were yesterday, the day before yesterday, and will probably be that way in the near future too. Accordingly, passwords are amongst the main points of interest for cybercriminals, especially when it comes to bank accounts or corporate resources. Corporate servers are particularly attractive targets for hackers simply because they often store the personal data of many people, and, alas, that data is not always stored in securely encrypted form. The most hyped recent story, as we know, was the hacking of Sony’s servers in April 2011. That break-in affected nearly one hundred million people, and countless credit card numbers were leaked because the stored data was very easy to access.

But that hacking was not the only large-scale data leak; we described a few others in July as well.

Despite these stories, there is still a significant group of people around the world who believe that their passwords are safe. According to the results of a survey by B2B International and Kaspersky Lab, the share of such people is 40% on average; the largest portion of them live in Japan (49%), the smallest in China (28%).

A total of 17% of users have not taken any steps to ensure additional protection of their passwords to financial and/or billing services. The least concerned about their safety are users in Japan (26%), while people in North America are the most careful (14%).

Neglecting the safety of passwords is manifested by the fact that a large portion of users, 39% globally, prefer to use one or just a few passwords for the whole range of resources they visit.

The reason for this is easy to understand. The more resources requiring authorization are used in everyday life, the greater the temptation to reduce the number of memorized passwords to a minimum (the above-mentioned survey by B2B International found that 65% of users prefer to keep passwords in their heads), or to use combinations that are easy to remember. Unfortunately, easily memorized passwords are usually easy to guess, especially if an attacker has some additional information about the potential victim. 21% of respondents generally use their birth dates as passwords. This is a common problem in China (37%), but is rare amongst the inhabitants of North America (8%).

63% of respondents in B2B International’s survey admitted that their passwords are generally easy to guess.

Using the smallest possible number of passwords is most popular in China (47%), while Russians tend to use the largest number of passwords (31%). Overall, 47% of respondents admit that they have fewer unique passwords than accounts on different resources.

The sum of this paints quite a sad picture. A significant number of people around the world prefer a limited number of passwords for a large variety of resources. Moreover, these passwords are often easy to guess, especially if the attackers know something about the potential victim, whether it is a user or an entire company.

This can lead, and often does lead, to “cascading troubles”: having obtained a single password, the attacker finds out that it is a kind of master key to several “doors.” He then begins to open them one by one, and it is easy to imagine the possible consequences. By the way, the same survey shows that 23% of users have tried to guess passwords to other people’s accounts, and 14% have succeeded.

The safest approach is to use the maximum number of unique passwords. They may be hard to remember, but you do not actually have to remember them. There are solutions such as Kaspersky Password Manager that store all the passwords used on your PC in a secure form and provide automatic authorization on any resource.

Unfortunately, users prefer not to bother with such solutions. According to B2B International, only 9% of users store their passwords in a safe form. This number must increase.