The theory goes – if you want to be truly certain that your passwords are not lost or stolen, make sure they are only stored in your head.
From your personal email accounts to the computer system in your car, hackers can disrupt your life and steal valuable information from just about any device with an Internet connection. With more devices connected to the Internet than ever before, the only logical place to keep your passwords and information safe is in your brain, right?
There are many questions and answers inside this theory, but for now, let’s focus on this one: Can you rely on your memory to store all of your passwords? In short, your passwords depend on fallible human memory, and with the growing number and complexity of passwords, it’s almost impossible to remember all of them.
Here are a few reasons why relying on your memory could compromise your security.
You have way more passwords than you think
Think about how many websites you log into every day: Facebook, Twitter, Gmail, Netflix, probably an online banking site. What about those websites you sign into a few times a week: gaming websites, online forums, shopping websites, digital publications, blogs, etc. Don’t forget—but you probably have forgotten—about all of those websites that you’ve only logged into once or those mobile and web apps that you’re always logged into.
The number of accounts you have really starts adding up! Last year, we conducted a study about password overload with anonymous data from more than 20,000 users of our email-auditing tool, Dashlane Inbox Scan, and learned that the average number of accounts registered to one email address is 130 in the United States, 118 in the United Kingdom, 95 in France, and 92 for the rest of the world. If this trend continues, we’ll have an average of 207 accounts per Internet user by 2020!
You (and passwords) are easily predictable
We’ve all forgotten a password before. In fact, last year, our inbox scan study discovered that the average number of “forgot password” emails per inbox was 37, and the average number of passwords forgotten per year was 11.
But why? You most likely didn’t forget a password because it was too long, but because it was too complex. According to the annual list of the most popular stolen passwords for 2015, “123456” takes the top spot, followed by “password,” and “12345678.”
It goes without saying that using “123456” as your password is a terrible idea, but the reason it is still popular is that it is simple to use and remember. One consumer password study found that 60% of people build their passwords from a small set of alphanumeric characters, and about 30% select passwords that are six characters or shorter. You may want to think twice before selecting an “easy” password. Using one of the top 10 overused passwords, a hacker would be able to access 1000 accounts in about 17 minutes!
There’s also a scientific reason as to why you are more inclined to choose a weak password. Researchers at Harvard and MIT published a study on visual memory capacity, arguing that it is easier to remember images and information that we are already familiar with and have some meaning to us. This is one reason why you often create easy-to-remember, yet predictable passwords based on your birthday, the name of a close family member, a street address, etc.
You’ll recognize a password better than recalling a password.
Besides being predictable, weak passwords get chosen because they are easier to recall, and recall is the harder of the two ways memory works.
For instance, if someone asked you, “Is Barack Obama the 44th President of the United States?”, you would answer simply by recognizing whether the statement is true or false. In contrast, if someone asked you, “Who is the 44th President of the United States?”, you would have to recall the answer from memory. Recognition is easier than recall because the question itself supplies clues that help you remember.
When you look at a website that only prompts you for a username or email and a password, there are very few clues on that page to help you recall that information. This is not necessarily a bad thing, but it is another factor that pushes many users to reuse passwords across accounts, create a password related to that specific site, or create a password built from personal information that is predictable or easily guessed.
Also, be on the lookout for websites with weak password policies: sites that still accept the most commonly used passwords, sites that let you keep trying after 10 failed login attempts with no lockout or rate limiting, sites that don’t treat passwords as case-sensitive or don’t require a mix of letters and digits, and so on. If a site’s password policy is inadequate, it’s a red flag that the rest of its security may be just as weak.
Sometimes, it’s not your memory’s fault.
A recent Wired article suggested that policies requiring employees to change passwords frequently are actually making systems less secure. According to a 2010 University of North Carolina at Chapel Hill study, people “tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).” This supports the argument of the Federal Trade Commission’s Chief Technologist, Lorrie Cranor, that requiring frequent password changes actually encourages you to create weaker passwords or causes you to reuse old ones with tiny changes.
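The two site-side weaknesses raised above, accepting the most common passwords and accepting a “transformation” of the previous password on a forced change, can both be caught at the point where a new password is set. The following is an added example, not code from the original post or from Dashlane: it normalizes a candidate by undoing the transformations the UNC study describes (incremented or moved digits, S to $, added or dropped trailing punctuation) and compares the result against the old password, and it rejects entries from a constructed denylist. The denylist contents, the 12-character minimum, and the leet substitution table are assumptions for illustration.

```python
"""Password-policy checks against the weaknesses discussed above:
common-list passwords, very short passwords, and predictable
'transformations' of the previous password on a forced change.
Added example; not the original post's or any vendor's code."""
import re
from typing import List, Optional

# Constructed denylist with a few entries from published most-common-password
# lists (the post names the top three for 2015). A real deployment loads a
# full breached-password corpus instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "abc123",
}

# Assumed minimum length; the post only says short passwords are weak.
MIN_LENGTH = 12

# Symbol-for-letter swaps users reach for when forced to change ("S" -> "$").
# Heuristic table: "1" could also stand for "l"; it is mapped to "i" here.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a"})


def canonical(pw: str) -> str:
    """Reduce a password to the letter 'core' that the common transformations
    leave untouched: lowercase it, drop leading and trailing digits/symbols
    (so 'Summer2016!' and '2017Summer' both give 'summer'), undo leet
    substitutions, then drop any remaining non-letters."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    core = core.translate(LEET)
    core = re.sub(r"[^a-z]", "", core)
    # All-digit or all-symbol passwords have no letter core; compare them raw
    # so that '123456' and '654321' are not mistaken for the same password.
    return core or pw.lower()


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for `candidate`; an empty list means accept.
    `previous` is the password being replaced, if this is a forced change."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if previous is not None and canonical(candidate) == canonical(previous):
        problems.append("predictable transformation of previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample changes: each pair is (previous, candidate).
    for old, new in [("Password1", "Password2"),
                     ("password!!", "p@$$w0rd!!!"),
                     ("Summer2016!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password(new, old) or 'accepted'}")
```

The transformation check is deliberately a normalizer rather than an edit-distance measure: an attacker who holds the old password tries exactly these rewrites first, so the policy should refuse any candidate that collapses to the same core, however many characters were changed.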
Similarly, Microsoft researcher Cormac Herley published a study on why Internet users often reject security advice; it casts doubt on the benefits of certain password rules. He essentially argues that users ignore advice like changing passwords at fixed intervals not because they’re lazy, but because password security advice keeps getting more complex, the benefits are “largely speculative or moot,” and password policies can “shield [users] from the direct costs of attacks, but burden them with far greater indirect costs in the form of effort.”
Now you know why memorizing a strong, unique password feels like more of a hassle than a benefit, but that doesn’t mean you shouldn’t take the time to improve the strength of your passwords.
“What’s the worst that could happen if I forget or reuse a password?”
In the last few years, users of LinkedIn, Twitter, Yahoo, Gmail, AOL, Gawker and RockYou unfortunately learned the consequences of using and reusing weak passwords the hard way. These high-profile security breaches compromised millions of users’ passwords and private data.
A hacker with your username/email and password from a single compromised database can try that same pair on other sites (an attack known as credential stuffing) to reach more sensitive accounts, like your social media profiles, your online shopping accounts, or even your online banking account.
However, there is a silver lining! Here’s one thing you can do to protect your passwords and data when your memory (or a website’s password policy) fails: use a trusted, secure password manager, like Dashlane! Then you’ll get these memory-busting password benefits:
- Create strong, unique passwords for every website in a snap
- Easily and safely share passwords, as well as other sensitive data, like Wi-Fi passwords, legal documents, etc.
- Change weak or compromised passwords on all of your favorite sites with one click
- Safely store your credit cards, addresses, and personal data to make online shopping a breeze
- Get alerts about security breaches sent directly to your phone or computer
- Enable two-factor authentication for maximum protection
Have some other mind-boggling questions about password security? Please don’t hesitate to ask me in the comments below!