Bad password habits continue with 53% admitting to using the same password

Ahead of World Password Day, a survey finds management is worse than junior staff at practicing good password hygiene, according to SecureAuth.

Just in time for World Password Day Thursday, password reuse remains rampant, with 53% of people admitting they use the same password for different accounts, which exemplifies poor password hygiene, according to a newly released report by identity company SecureAuth.

Among respondents using the same password, most are using it across three to seven accounts (62%), and 10% said they are using over 10 accounts with the same password, the SecureAuth report said.

“No matter how much cyber experts preach, bad password habits are always going to be a large problem for our personal and work lives,” the report noted.

One issue is that people are blurring the lines between work and personal passwords with 21% of workers acknowledging  they use the same password at work as they use for their personal email; this was the case for 33% of Gen Zers and 26% of millennials, according to the report.

A reason? People find truly unique passwords are a headache to remember, the report said. Management is also guilty of this. Only 38% of those in leadership positions said their work passwords are unique, compared to 70% of non-management employees. And 34% in those management roles admit to having used one of the most common passwords such as:
·         Password
·         123456789
·         Abc123
·         Qwerty123
·         Iloveyou

The lines between home and work are rapidly disappearing thanks to digital transformation, and this is causing people to struggle with keeping their personal and work identities separate, said Bil Harmer, CISO at SecureAuth. “While people may use different usernames for their work and personal accounts, 44% of people have admitted to using their personal passwords at work,” Harmer said. 

“For the average person, passwords are difficult to keep straight, so no matter how much security professionals, like myself, warn the public of the new and evolving threat landscape, the harsh reality is people will continue to do what’s easiest for them and their productivity,” he added.

Streaming service accounts have the most shared passwords or login credentials, followed by gaming accounts and mobile phone passwords, according to the report. “The type of account with the least shared credentials/passwords are work email accounts, but even still, 34% have shared their work email password.”

SEE:  The end of passwords: Industry experts explore the possibilities and challenges (TechRepublic)

Another disturbing finding is that most consumers are sharing passwords in ways that are easily hacked, with 20% of respondents indicating they share them via text message followed by 19% on a phone call; 15% in a written note; and 10% in an email.

Although the future of identity lies in biometrics, the SecureAuth report said, more education is needed to increase appetite and willingness among consumers. Currently, fewer than one in three consumers said they are comfortable sharing various forms of their biometric data with either a company they purchase goods and services from, or the government.

However, despite high levels of discomfort when asked about biometrics, the data shows that 51% of average consumers are already using biometrics in multiple contexts: 31% are using fingerprint or facial ID to unlock their phone; 12% to unlock a computer; 12% for TSA identity verification; and 10% for banking.

Consumers are also willing to share their biometric data to save time. The survey found 13% will share to save 30 seconds or less; 12% to save minutes; and 10% to save between 10 and 30 minutes.

The continued reliance on passwords allows cybercriminals to use the exact same playbook they have for decades, SecureAuth noted. The casual attitude toward passwords is even more disturbing with the massive shift to remote work during the COVID-19 crisis, the company said.

“Criminals are playing the long game,” Harmer said. “It’s important to remember that even if passwords are encrypted, once they have stolen a database of credentials, they can use brute force against them and find out what they are.”

The victim will have no advanced warning, “which is why we need to move beyond passwords and instead rely on an elevated form of continuous authentication that incorporates risk-based analysis techniques,” he said. This can be everything from biometrics, geographic location analysis, and device recognition to IP reputation-based threat services and user behavior analytics, Harmer said.

SecureAuth recommends that people commemorate World Password Day by changing an old password to one that is long and strong or by turning on two-factor authentication for their important accounts.

The survey of 2,000 US consumers was conducted between March 16 and March 21, SecureAuth said. 

Esther Shein

This article originally appeared on Tech Republic

SecureAuth Identity Platform Adaptative Authentication

Identity and Access Management

Empower your digital initiatives with secure access for everyone and everything connecting to your business

Product Features

Adaptive Authentication

Extend verification of a user identity with contextual risk checks

Multi-Factor Authentication

Leverage a broad portfolio of authentication factors for desktop and mobile

Intelligent Risk Engine

Protect your identities with advanced risk profiling analytics

Single Sign-On

Provide app discovery and one-click login through portal or desktop SSO

User Lifecycle Management

Enable admins with strong CRUD capabilities and users with self-service tools

Secure All Identities


Customer Identities

Deliver a frictionless customer experience safeguarding user data and privacy


Workforce Identities

Govern and control access rights for employees, partners, and contractors

SecureAuth Authenticate App

Passwordless MFA client with
Symbol-to-Accept. Stronger security.

Moving Beyond Passwords

Learn how passwords alone no longer provide the appropriate level of protection, nor confidence, required to secure valuable resources


Passwordless Authentication

Reduce the risk of breaches by eliminating passwords

2FA is Not Enough

Block popular phishing and brute force attacks used by bad actors

Protecting Office 365

Extend adaptive authentication and flexible MFA to all apps including Office 365

Securing Portals and Web Apps

Balance strong security and an exceptional user experience

RSA Migration

Transition to a modern identity and access management solution



Financial Services


Energy and Utilities

Public Sector


White Papers


Recorded Webinars

Analyst Reports

Innovation Labs


Support Portal

Events & Webinars



Calculate Your Savings

Lower support costs by enabling your users the control to reset passwords, account unlocks, device enrollment and update profiles

Meet SecureAuth

About SecureAuth