Reading Time: ~ 3 min.

Your password passing habit may not be as be as harmless as
you think. And yes, that includes Netflix login info too.

That’s one finding to come out of our newly released study of
2020’s Most (and Least) Cyber-Secure States. In this year’s analysis of
the cyber readiness of all 50 U.S. states, and in partnership with Wakefield
Research, we created a “Cyber Risk Hygiene Index” based on 10 metrics meant to
measure individual and state-level cyber resilience against adverse online
events.

If you’re unfamiliar with the report, you can
read an introduction here.

Unfortunately for many Americans, two of
those cyber hygiene metrics involved questions about their password habits:

  • Do you avoid sharing passwords with others?
  • Do you avoid reusing passwords?

Now, these questions weren’t the only reason no American
received a passing grade on our Cyber Risk Hygiene Index, or that no state
scored higher than a D, but they didn’t help. In all, the report found that
more than one-third (34%) of Americans admit to sharing passwords and login
credentials with others. Nearly half (49%) report having more accounts than
passwords, meaning passwords are being reused across accounts.

Perhaps even more troubling is the finding that sharing
passwords for streaming services—that famously widespread and supposedly benign
new-age habit—has a worrying correlation: Americans who share passwords for
streaming services (38%) are twice as likely to say they have had their
identity stolen than those who do not (18%).

This is alarming because sharing and reusing passwords is
especially dangerous during this golden
age of phishing attacks
. It means that, as soon as a cybercriminal
achieves success in one phishing attack, those pinched credentials are likely
to work for several other popular sites. A single successful phishing
expedition could yield catches on banking sites, credit card applications,
online marketplaces, and in a host of other potentially lucrative instances.

Even by sharing passwords with those a smidge less than
trustworthy—or just careless—you’re increasing your attack surface area. Now
that network of individuals who now have access to your accounts are susceptible
to giving your information away if they take the bait in a phishing attack.

“Instead of giving away the keys to the guest room when you
share passwords, it’s more like giving away keys to the castle if they are
reused across multiple accounts,” says Webroot threat analyst Tyler Moffitt,
“you could begiving away the keys to the whole kingdom if that’s the only
password you use.”

More password facts from the report

  • Tech
    Experts, one of the riskiest categories of users studied in our report, are
    more likely to share passwords (66%) than the average American (44%). Clearly,
    we at Webroot are in no position to point fingers.
  • On
    brand, 66 percent of so-called “Mile Markers” refrained from sharing passwords,
    compared to 63 percent for the average American. This group scored the highest
    on our index and is defined by having progressed through life markers such as
    earning a degree, owning a home, or having children.
  • Home-based Very Small Businesses (VSBs) are less
    likely to work with a dedicated IT team. As a result, they are more likely to
    use their personal devices for work and share passwords. Of these, 71 percent
    use the same passwords for home and business accounts, potentially cross
    contaminating their work and personal lives with the same security gaps.
  • By generation, Gen Z is most likely to share
    passwords (56%), followed by Millennials (47%), Gen X (33%), and Boomers (19%).

How to address poor password practices

In terms of a personal password policy, it’s important to
set yourself up for success. Yes, it’s true the amount of passwords one is
responsible for can be dizzying, 191 per business according
to one popular study
.

That, and the parameters for creating a sound password
seemingly grow more complex by the day. It used to be enough just to have a
password. But now, they must be x characters long, contain one number and one
special characters and so-on… And did we mention we recommend it be a passphrase,
not a traditional password?

You get the gist.

That’s why our single strongest piece of advice to users
looking to upgrade their cyber resilience is to use a password
manager
. This allows you to create long, alphanumeric and otherwise
meaningless passwords without the need to keep tabs on them all.

After you’ve created a strong bank of passwords, managed
through a password management service, supplement your security by adding
two-factor authentication (2FA). Measures like 2FA pair your login credentials—something
you know—with something you have, like a biometric feature or a mobile phone. This
will ensure lifting your password (a unique one for each account, no doubt)
isn’t even enough to crack your account.

“Put simply, an account simply isn’t as secure as it could
be without 2FA,” says Moffitt. “And that means your credit card info, home
address, or bank accounts aren’t as safe as they could be.”

No more reusing passwords. And, hopefully, no more sharing
passwords. But that part’s up to you. You just have to ask yourself, is Netflix
access worth having your identity stolen?

The post Poor Password Practices: The Curse of the Cybersecurity Risk Index Score appeared first on Webroot Blog.