Report Shows Slight Improvement in User Password Security

A report published by Bitwarden ahead of World Password Day shows a slight improvement in user password security compared to a similar report published last year.

World Password Day was created by Intel in 2013 to raise awareness about the role of complex, unique passwords in securing online accounts. Subsequent World Password Days have been held each year on the first Thursday in May; and, to celebrate the event in 2021, Bitwarden – a leading provider of open-source password managers for businesses and individuals – conducted a global password management survey.

Ahead of World Password Day 2022 on Thursday, Bitwarden has released the results of a second survey of over 2,000 Internet users in the U.S., United Kingdom, Germany, Japan, and Australia. While the primary takeaway is that businesses and individuals “continue to struggle with embracing habits that could better protect data”, if you compare the two reports side-by-side it is possible to identify a slight improvement in user password security.

Bitwarden User Password Security

Fewer Users Commit Passwords to Memory

Committing passwords to memory is the least secure password management practice, so it is good news that fewer users now do this. Users who memorize passwords tend to use weak passwords that include names, dates, and dictionary words that are easy to crack using brute force algorithms. It is also the case that users who memorize passwords tend to use the same weak password for multiple accounts or have so many passwords to remember they are frequently forgotten.

While forgetting passwords is not as insecure as using the same password for multiple accounts, it takes time to reset passwords. The 2022 Bitwarden survey found that 21% of respondents were resetting passwords at least once a week – and this can create issues for businesses. According to Gartner, between 20% and 50% of IT help desk calls are for password resets, whilst Forrester calculated the average IT help desk labor cost for a single password reset is about $70.

Email Repositories a Concern for User Password Security

The smaller number of users recording passwords on paper documents or saving them in a computer file is a further improvement in user password security. Admittedly, paper documents cannot be hacked, but they can be lost, destroyed, and – in an office environment – stolen by another employee. The same risks can apply to passwords saved in computer files if they are not backed up, with the additional risk of the document being accessed remotely by a hacker.

The slight increase in users saving passwords in their email accounts is slightly concerning. If a hacker accesses a user's email account, either via a brute force attack or a successful phishing attempt, the hacker can access the “keys to the kingdom”. Furthermore, when accounts are protected by a 2FA system that sends OTPs via email, the hacker not only has all the user's passwords, but also the second authentication factor that usually prevents hackers from exploiting exposed credentials.

Why More Users are Adopting Password Managers

Although the two Bitwarden reports fail to distinguish between what types of password managers users are adopting (browser, device, vault, etc.), the increase in adoption is promising as it indicates a more knowledgeable approach to user password security. It was also interesting to find out why people had adopted a password manager (multiple answers allowed):

  • 50% responded “a good way to save passwords”
  • 44% responded “I kept forgetting my passwords”
  • 31% responded “I already used one at work”
  • 22% responded “I read about it in the news”
  • 16% responded “I wanted to share passwords with my family”
  • 15% responded “I was hacked”

The inference that can be drawn from the answers to this question is that many users are not waiting until an adverse event happens before adopting a password manager but taking advantage of password managers' capabilities in response to greater awareness. If true, this bodes well for future user password security, and it will be interesting to see what next year's World Password Report reveals. You can access the full Bitwarden 2022 World Password Day report at Bitwarden.com.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news