Cybersecurity Education Failing to Improve Password Hygiene

Businesses are realizing the importance of providing security awareness training for the workforce: training teaches cybersecurity best practices, shows employees how to recognize phishing emails, and highlights the importance of good cyber hygiene. Training the workforce is an essential element of any cybersecurity strategy, because employees are targeted directly by threat actors. If employees are not trained, malicious actors are likely to exploit human weaknesses to gain access to business networks.

Regular security awareness training combined with phishing simulations has been shown to significantly reduce susceptibility to phishing attacks: KnowBe4 reports that its training and phishing simulation data show susceptibility to phishing emails is reduced by 75%. However, one area where security awareness training appears to be failing is password hygiene. Employees are trained on the importance of setting strong, unique passwords for all accounts, but a recent survey shows that poor password practices persist.

According to the LastPass 2022 Psychology of Passwords Report, 65% of the 3,750 respondents said they had received some form of cybersecurity education, whether at school, at work, on social media sites, or through books and courses. Despite this, 62% admitted to using the same password, or a close variation of it, almost all of the time.

89% of respondents said they know that using the same password, or close variations of it, on multiple accounts is a security risk, but only 31% said they changed their password practices after receiving cybersecurity education, and just 12% said they use a unique password for every account. Setting unique, strong passwords for each account is not a major hardship if a password manager is used: these tools generate strong passwords, store them, and autofill them when required. Yet despite that convenience, only 25% of respondents said they started using a password manager after cybersecurity education.
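The survey counts "close variations" of a password as reuse, and for good reason: credential-stuffing tools apply mangling rules (change case, bump the year, swap a trailing symbol) to a leaked password before trying it elsewhere. The following added example, which is not code from the article, LastPass or any password manager, shows both halves of what a manager does: it generates a random password per account from the OS CSPRNG, and it audits a small vault for passwords that are identical, differ only by case or a trailing digit/symbol suffix, or are within two edits of each other. The vault contents, account names and the two-edit threshold are constructed for illustration.

```python
import re
import secrets
import string
from itertools import combinations

# Alphabet a password manager would draw from. `secrets` uses the OS CSPRNG,
# unlike random.random(), so generated values are unpredictable.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random password of `length` characters drawn from `alphabet`."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts/deletes/substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(pw: str) -> str:
    """Undo the mangling rules crackers apply: lower-case, drop trailing digits/symbols."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_close_variation(a: str, b: str, max_distance: int = 2) -> bool:
    """True if the passwords are identical, share a base word under normalisation,
    or are within `max_distance` edits of each other (threshold is an assumption)."""
    if a == b:
        return True
    na, nb = normalise(a), normalise(b)
    if na and na == nb:
        return True
    return levenshtein(a, b) <= max_distance


def audit_vault(vault: dict[str, str]) -> list[tuple[str, str]]:
    """Return pairs of account names whose passwords are reused or near-duplicates."""
    findings = []
    for (acct_a, pw_a), (acct_b, pw_b) in combinations(vault.items(), 2):
        if is_close_variation(pw_a, pw_b):
            findings.append((acct_a, acct_b))
    return findings


# Constructed sample vault (not survey data): three accounts share one base word,
# the remaining two are genuinely distinct.
SAMPLE_VAULT = {
    "email": "Summer2023!",
    "bank": "Summer2024!",
    "social": "summer2023",
    "shop": "Tr0ub4dor&3",
    "work": "rV7$kP2qLm9#xZ4wBn1e",
}

if __name__ == "__main__":
    for acct_a, acct_b in audit_vault(SAMPLE_VAULT):
        print(f"reuse detected: {acct_a} and {acct_b}")
    print("replacement for email:", generate_password())
```

Running the audit on the sample vault flags the email/bank, email/social and bank/social pairs, which is exactly the "same password or a close variation" behaviour the survey describes; a manager-generated replacement such as the one printed last shares no base word with anything else in the vault, so a breach of one site gives an attacker nothing to mangle.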

Worryingly, cybersecurity education appears to be giving people a false sense of security: the majority of respondents said they were confident about their password management, despite taking considerable risks with their password practices. The biggest disconnect was with Gen Z, which had the highest levels of confidence about password management but the poorest scores for password hygiene. Gen Z was the age group most confident that its password practices were safe, and was more likely than other age groups to create strong passwords for social media and entertainment accounts. Gen Z respondents also scored highly for recognizing that password reuse across multiple accounts is a security risk, yet 69% of them said they reuse passwords, or close variations of them, on multiple accounts most of the time. Millennials were also major offenders, with 66% of respondents in that age group saying they mostly use the same password or a close variation of it across their accounts.

There are many reasons why poor password practices persist. A commonly held view is that the passwords in use are sufficiently complex to protect accounts, and that the accounts are unlikely to be targeted. Convenience is another: creating and remembering strong, unique passwords can slow down access and disrupt workflows, although a password manager removes that friction.

Businesses should take note of the survey, emphasize the importance of password hygiene in their training, and provide a password manager to their employees. In another recent password management report, Bitwarden suggested an approach that could improve adoption of password managers: businesses could offer employees a free password manager for work and also provide a free family password manager account. Bitwarden’s survey suggests 71% of employees would welcome that offer and would be very likely to start using a password manager, and a further 24% would consider using one if it were provided free by their employer.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news