New Research: Psychology of Passwords, Neglect is Helping Hackers Win

Psychology of Passwords header image

The breaches won’t stop coming – Equifax, Yahoo!, MyFitnessPal. The list goes on. We’ve become accustomed to seeing these breaches in the news over the past few years. So we were curious: Have individuals’ password behavior evolved and become more secure? Are employees more vigilant now about password security than in 2016, when we conducted our first survey on the topic?

That’s what we set out to determine in our Psychology of Passwords research. Again, we partnered with Lab42 to survey adults around the world on their attitudes and behaviors around password security. The results? We were surprised to find that password behaviors remain largely unchanged from two years ago. We continue to see some pretty risky behaviors. Top of the list is denial: only 55% would update their password if that account had been hacked. And ignorance: almost 50% do not create different passwords for personal and work accounts.

As with the previous results, fear is driving much of this behavior. Sure, there is fear of data breaches when discovered in the news and of risks to personal online security. However, the fear of forgetting one’s password tops it all, in turn causing 59% of people to use the same or similar password for multiple accounts. Password reuse continues to rear its ugly, ugly head.

With such poor password hygiene, it’s no surprise that hackers are taking advantage of the doors we’re leaving open for them. Check out the infographic below featuring results from the latest Psychology of Passwords research, and download the eBook for the complete results.


  • Mark says:

    I am starting to accept NIST’s new password guideline that suggests you should not require users to change passwords. I know this is controversial and took me a while to accept. First, there is no way users will periodically change all of their passwords for all their accounts. Second, it is hard enough to remember passwords (without a password manager)… but remembering a new set of them every 6 months as they are changed will never work. Finally, by requiring users to change them, you are exacerbating the need to write them down and the behavior of changing the password by one small change (e.g. adding a “1” to the end, the incrementing it to “2” the next time.).

  • John Chapman says:

    I’m frustrated by the number of organisations online who encourage poor passwords. For example my bank has a maximum password length and will not allow shifted numbers or punctuation in passwords. 8-12 characters is not enough! Every extra character makes a password harder to crack.