Despite many advances in technology, one issue is undermining efforts to keep networks and accounts secure – password apathy. This is not a new issue, but one that has existed since the earliest shared computers in the 1960s. Yet, in more than sixty years, nobody has found a way to resolve the issue of password apathy.
The earliest recorded example of password apathy appears in a UK TV program from the 1980s. In the program, a Prestel user demonstrates how he logs his computer into the system remotely. The user explains at great length how a connection is made between his computer and the Prestel system – the final stage being to enter a password, in this case “1234”.
Since the 1980s, millions of words have been written on how computer users sacrifice security for convenience when choosing passwords – discussing everything from the usability of passwords to the psychology of password management. Notably, most studies find users are aware of the importance of strong, unique passwords for each account – they simply don't apply their knowledge.
Overhead or Apathy?
In his article “Passwords and Passion” (registration required) author Warren Harrison suggests users don't apply their knowledge because strong, unique passwords get in the way of productivity. He writes, “the problem is that where the security professional sees prudent, responsible behavior, users simply see overhead that gets in the way of performing whatever task they are trying to do.”
However, at the time the article was written, password managers had been around for many years, so the “overhead” argument doesn't really wash. In contrast, a 2019 conference paper discussing password manager adoption found that – even in ideal circumstances – only 30% of users will voluntarily download a free password manager despite understanding the advantages.
The apathy argument is reinforced by the response to the launch of Google's Password Checkup service. This free extension to the Chrome password manager alerts users to compromised passwords, but – despite significant coverage – it was downloaded by only 0.5% of Google account holders. Incredibly, just 25% of people who had gone to the trouble of downloading the extension changed a password after being notified it had been exposed in a data breach. Much the same happened when Microsoft launched its Password Monitor service for Microsoft Edge last year.
Technology vs Evangelism vs Enforcement
Since the Prestel user appeared on TV to demonstrate his lack of password security, there have been multiple advances in technology to make password management more convenient. Single sign-on solutions, security tokens, biometrics, voice recognition software, and near-field communication (NFC) have all attempted to reduce “user friction”. None have overcome the apathy issue.
Similarly, users continue to create weak passwords, re-use existing passwords, and ignore warnings about compromised passwords despite years (indeed, decades) of security and awareness training. Consequently, it would appear that password apathy is something that has been embedded in people for more than a generation, and no amount of password evangelism is going to change that.
Although not an ideal solution, the enforcement of password best practices seems to be the last remaining option for businesses that want to resolve the issue of password apathy. This involves taking advantage of password policy engines built into password managers and developing policies that force users to create strong, unique passwords for each account and take action if a password is leaked or compromised. The password manager should also have event logs and reporting capabilities so system administrators can identify attempts to circumvent its controls.
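One way such a policy check could work, as an added example that is not code from this article or from any password manager it names. The length threshold, breach list, vault entries, and event fields are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # assumed policy threshold, not a value from the article

def digest(password: str) -> str:
    """Fingerprint used for comparisons so plaintext is never stored or logged."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed breach corpus: digests of passwords assumed to be exposed.
BREACHED = {digest(p) for p in ("1234", "password", "qwerty123")}

def evaluate_vault(vault):
    """Return audit events for weak, breached and reused passwords.

    vault: iterable of (user, account, password) tuples.
    Events carry the finding and the enforced action, never the secret.
    """
    events = []
    accounts_by_secret = defaultdict(list)  # (user, digest) -> [account, ...]

    def record(user, account, finding, action):
        events.append({"user": user, "account": account,
                       "finding": finding, "action": action})

    for user, account, password in vault:
        fingerprint = digest(password)
        if len(password) < MIN_LENGTH:
            record(user, account, "weak", "change_required")
        if fingerprint in BREACHED:
            record(user, account, "breached", "forced_reset")
        accounts_by_secret[(user, fingerprint)].append(account)

    # Uniqueness: the same user must not share one password across accounts.
    for (user, _), accounts in accounts_by_secret.items():
        if len(accounts) > 1:
            for account in accounts:
                record(user, account, "reused", "change_required")
    return events

# Constructed sample vault (hypothetical users and accounts).
SAMPLE_VAULT = [
    ("alice", "prestel", "1234"),
    ("alice", "mail", "correct-horse-battery-staple"),
    ("bob", "crm", "Tr1cky-Grapefruit-42"),
    ("bob", "payroll", "Tr1cky-Grapefruit-42"),
]

if __name__ == "__main__":
    for event in evaluate_vault(SAMPLE_VAULT):
        print(event)
```

The event list doubles as the audit trail an administrator would review: it records which account failed which rule and what action was enforced, without exposing the password itself.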
Anti-Password Apathy Solutions
There is a wide range of password managers that have the capabilities needed to resolve the issue of password apathy, and the choice of solution may be determined by the nature of a business's operations, its appetite for risk, and its regulatory requirements. Some password managers (for example, Bitwarden) also allow businesses to self-host their solutions on-site.
Other considerations include ease of use (for both administrators and end users), cross-platform functionality, and the provision of a personal password manager for end users to get them used to password best practices in their home environment as well as in their work environment. Cost should be a determining factor only when every other requirement has been satisfied.
Ultimately, it is not possible to resolve the issue of password apathy overnight. Indeed, it may take another generation to un-embed the apathy, absentmindedness, and user susceptibility associated with online security. However, businesses cannot wait until tomorrow to keep networks and accounts secure and should prioritize the enforcement of password policies as part of a multi-layered defense against cyber threats.