What is a password in general? Many treat it as some kind of obligation. For example, a person is given a new computer at work and has to set a password, a very complex one. In that case he will be unhappy that corporate security policy forces him to type a complex password every day. The situation is different when you need to set a password on your smartphone. This is where a secret agent wakes up in everyone, and people start inventing passwords that, they think, will reliably protect them from any intelligence service in the world. It doesn't matter that the phone holds nothing but pictures of your beloved cat; all of this comes with fingerprint, face and sometimes even retinal locks. People set up such protection, yet they remain careless about security.
Users do not understand where a password needs to be complex and where it does not.
How users feel about their passwords
According to a recent study, most people don't take changing their password seriously after a data breach. In a study presented some time ago by the Institute for Security and Privacy at Carnegie Mellon University (CyLab), only about a third of users change their password after a massive hack of a service is announced.
A third might not seem so little. But we must understand that the other two-thirds simply do not believe that someone could gain access to their data and either use it for their own purposes or simply use someone else's account for illegal actions.
The researchers analyzed internet traffic collected through the University's Security Behavior Observatory (SBO), a panel where users can sign up to share their browser history to aid various studies. Data on 249 participants was collected between January 2017 and December 2018, then processed and summarized to draw conclusions.
How often should you update your password
Of the study's participants, 63 had accounts on services that suffered recorded massive data leaks. Of those 63 users, only 21 went to the breached sites to change their password, and only 15 of them did so within three months of the announcement. This despite the fact that the breaches were widely covered, so such a large number of people could hardly have failed to know about them.
There is another interesting point concerning password complexity. The SBO data included the passwords users set, so the CyLab team also analyzed the complexity of the new passwords. Of the 21 people who changed their password, only a third changed it to a more secure one. Others created a new password that was at best as complex as the old one, and some made the new password even weaker.
Users often overestimate the importance of some passwords and underestimate that of others.
The researchers believe that frequent data leaks happen because users often simply do not follow password security rules. They not only fail to set complex passwords for services, but also set the same password for every account they have. Almost every site where you register states that using the same password is not recommended. The only problem is that in most cases this is written in the user agreement, and does anyone read it? So users follow the path of least resistance, convinced that no one will hack them. And if someone does, it's not so scary. It really is.
As a result, user data is very easy to steal. If you have an account where your e-mail address serves as the login, and the same login-password pair is used elsewhere, hacking you becomes a matter of technique. Especially since the average user relies on roughly the same set of services as everyone else.
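As an added illustration (not part of the original article or the CyLab study), here is a small Python check of the kind a password manager or account service could run: it reproduces the study's three-way classification of a password change (stronger, as complex, weaker) and flags whether the new password is already used on the user's other accounts. The strength estimate is a simple alphabet-size-times-length heuristic, and the common-password list and the sample accounts are constructed for the example.

```python
import math
from typing import Dict, List

# Constructed list of very common passwords; a real deployment would load a
# breached-password list instead. Anything on it scores zero bits.
COMMON = {"1111", "123456", "password", "qwerty", "12345678"}

def strength_bits(pw: str) -> float:
    """Rough entropy estimate: length * log2(alphabet size).

    The alphabet is inferred from the character classes actually present
    (lower, upper, digit, other), so 'Summer2017' is scored over 62 symbols.
    """
    if pw in COMMON:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33  # printable punctuation and space
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)

def classify_change(old: str, new: str) -> str:
    """Bucket a password change the way the study did: 'stronger', 'same' or 'weaker'.

    A one-bit margin keeps trivial edits such as bumping a year from
    counting as an improvement.
    """
    if new == old:
        return "same"
    old_bits, new_bits = strength_bits(old), strength_bits(new)
    if new_bits > old_bits + 1.0:
        return "stronger"
    if new_bits < old_bits - 1.0:
        return "weaker"
    return "same"

def reused_accounts(accounts: Dict[str, str], new_pw: str) -> List[str]:
    """Return the sites in a user's vault that already use new_pw.

    accounts maps site name -> password, as a password manager's vault would
    hold them; this is a client-side check, a service cannot see other sites.
    """
    return sorted(site for site, pw in accounts.items() if pw == new_pw)
```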
Just take passwords a little more seriously.
Against this background, logging in by phone number or e-mail address, where you have to enter a sent code every time, does not seem so needlessly complicated. It may take longer, but security will be at a much higher level.
It is especially important to protect the accounts that matter: for example, your e-mail, a Facebook account, which for many is a business tool, and individual services that hold your personal data, such as State services. There are also accounts that are unimportant for some but very important for others. For example, an account on a site like ours only means that an ordinary user can write comments and receive notifications, but for authors it means access to the entire site.
Personal account without password
However, there are also places where I simply do not understand why everything is so complicated, or why I am forced to choose a difficult password. A simple example: I registered on the site of one of the major electronics stores to set up a bonus account, since I often buy electronics, sometimes in this store. During registration, I managed to enter a password the system accepted only on the third try.
Even if I have a couple of thousand bonus rubles there, I'm not sure anyone will try to steal them, because they may not even be there. In any case, you could simply warn me in full-screen type that "the password is simple, we are not responsible for hacking" and leave it at that.
I understand such complexity for a corporate account. There the password has to be changed every month and must not repeat, but some services simply go too far. Even a smartphone just warns that the password "1111" is too simple and leaves the choice to you, although a smartphone holds far more valuable data. Some bank cards alone are worth something.