Around Internet, password fatigue setting in

April 23, 2014

Beth Teitell

Protection becomes a not-so-secret frustration

After Daphne Strassmann’s credit card number and other personal information were stolen in the Target data breach last fall, she diligently went about changing 10 online passwords. The process involved channeling nonsense words inspired by the view from her couch: a banana, a squirrel, a picture of her nana.

But when it came time to log back onto those accounts, Strassmann couldn’t remember a single password. “I need to hire a hacker to get them back,” she said.

So in early April when the next whopper data breach hit — this time it was the Heartbleed security bug, which may have affected as much as two-thirds of the Internet — Strassmann didn’t change anything. “Enough is enough,” she said.

Around the Internet, password fatigue is setting in. And taking serious precautions, like using a multistep authentication process to log into e-mail or subscribing to a password management system that holds encrypted data, still seems unnecessary and just too much work for some users.

An April YouGov/Huffington Post survey of 1,000 adults found that just 6 percent changed all their passwords after discovery of the widespread Heartbleed security flaw, while 62 percent changed none.

“A lot of people, until they are burned, don’t really think they need to do anything about it,” said Joe Siegrist, the chief executive of LastPass, a Virginia-based password management system that remembers users’ passwords for them, with fees ranging from nothing to $12 a year. “The younger generation especially seems to be flippant about it.”

This is how careless we are. For two years running, the most popular online password was the word “password,” according to SplashData, a California-based provider of password management applications. Using files containing millions of stolen passwords posted online, it compiles an annual list of the top 25 “worst passwords.”

In 2013, the password “password” was unseated from its top spot of shame by the equally lazy “123456,” according to SplashData. Other passwords on the list of shame include “qwerty” and “iloveyou.”

And not only are our passwords weak, but users spritz passwords around the Web so casually that most people don’t even remember all the accounts they’ve created.

“When I ask people they think they’ve got fewer than 10 [accounts],” said LastPass’s Siegrist. That is, until he brings up a list of frequently visited sites, and people realize they probably have 40 or more.