Half of Finns use the same password for everything – bad idea

Cybercriminals know that people tend to recycle their passwords out of laziness. When criminals gain access to passwords, for example through hacking, they try them out on all the popular web services. Remembering a large number of unique passwords can be a challenge, but for some reason Brits, for example, seem to be better at it than Finns. You can also let your computer do the remembering for you – as long as you do it wisely.

Cybercriminals are recycling your passwords

Avoiding effort is a basic human characteristic. Passwords are hard to remember, so people tend to use the same password for several services and choose passwords that are easy to guess.

Criminals know this. They collect personal data on internet users, for example by using fake user surveys, create likely usernames based on the data they get and combine them with typical passwords. Then they attempt to access popular online services using these combinations. This method is rarely successful, but by letting a computer program handle all the trial and error, they succeed often enough.

A more advanced technique is to break into the server of a password-protected web service and steal the user database. If the passwords in the database are not properly protected, the cybercriminals get direct access to username and password combinations, some of which are likely to provide access to other services, too. In recent years, we have witnessed several data system break-ins where the credentials of more than a billion users have been stolen.
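As an added illustration (not part of the original article or any FICORA code), the following Python example contrasts a poorly protected password table with a properly protected one. The user names, passwords and scrypt cost parameters are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to share a password.
USERS = {"aino": "Kesa2016!", "mikko": "Kesa2016!", "sari": "x7#Qp-vK2m"}

# scrypt cost parameters: assumed values for this example, tune per deployment.
N, R, P = 2**14, 8, 1


def weak_record(password):
    """Poorly protected: fast unsalted hash, equal passwords give equal digests."""
    return {"salt": "", "hash": hashlib.sha256(password.encode()).hexdigest()}


def strong_record(password):
    """Properly protected: random per-user salt and a memory-hard KDF."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return {"salt": salt.hex(), "hash": key.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return hmac.compare_digest(key.hex(), record["hash"])


def shared_digests(table):
    """Groups of users whose stored digest is identical (visible reuse)."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record["hash"], []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build(record_fn):
    """Build a user table from the constructed sample using one storage style."""
    return {user: record_fn(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    print("unsalted SHA-256:", shared_digests(build(weak_record)))
    print("salted scrypt:   ", shared_digests(build(strong_record)))
    record = strong_record("Kesa2016!")
    print("verify ok/bad:   ", verify("Kesa2016!", record), verify("kesa2016!", record))
```

With the unsalted table, anyone holding the stolen database can see which accounts share a password and can test guesses against all of them at once; the salted, memory-hard version forces a separate and expensive computation per account.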

Therefore, even the passwords for unimportant services matter. An ideal password is different from any other password you use, or at least different from the passwords for your most important services, such as your online bank, work computer or main email account. If a criminal gets hold of the credentials to an unimportant service, they are likely to check whether the same credentials give access to more important services. Cybercriminals have many tricks up their sleeve, and when they access someone's email, they can cause direct financial damage to their victim.

FICORA’s consumer survey showed that 15- to 24-year-olds were the most likely to reuse a password (54%). Surprisingly, there was a correlation between the number of members in a household and people's likelihood to change their password: 52% of households of four or more people were password recyclers.

Finland faring relatively poorly in international comparison

According to the FICORA survey, 9% of Finns use the same password in all online services, while 41% use several passwords but reuse some of them. One in ten Finns responded that they were unable to say how they chose and managed their passwords. We can only assume that most of these people reuse at least some of their passwords.

Similar surveys from abroad show that Finns have room for improvement. A study conducted in 2015 by Ofcom in Great Britain found that an average of 42% of adult Britons were reusing at least one of their passwords. According to a study by Pew Research Center, 39% of Americans said that they used the same or a very similar password across sites, as opposed to using a 'very different password' on each account. However, a study by Adobe concluded that only 24% of Americans had a unique password for every account. Password habits are difficult to measure in a consistent and comparable way.

Store your passwords in a vault

Very few Finns use a password manager (about 2 per cent of the respondents), even though password management seems to be a problem for many. 25- to 35-year-olds (5%) were the most likely to use a password manager. According to Statista, a total of 8% of Swedes use such software. Adobe found that in the US, as many as 11% were using a password manager.

The protection and quality of the passwords of your most valuable services are of crucial importance. First you need to determine which services are the most important to you. For many, their primary email address is of high value, also because forgotten passwords for other services are sent to that address. If your password cannot be restored through another service, make sure you memorise your password well, and choose a strong hack-proof password.

Consider getting a password manager. Password managers save data in a container file and encrypt it using a random encryption key, which is encrypted using a passphrase chosen by the user. When a program remembers all your passwords for you, you can set any random sequence of characters as your password, making it unique and impossible to guess.

Cryptographic strength is a key requirement for an effective password manager. Passwords encrypted by a password manager should be practically impossible to break. We therefore recommend that you choose a password manager which uses acknowledged encryption algorithms and long keys.

The most obvious weakness of password manager software is the passphrase. If a user forgets their passphrase, and the password manager is good, there is no way to unlock the credentials. And if an outsider learns the passphrase and gains access to the vault, all the passwords it contains are revealed. The availability of the vault is also critical for information security: if you lose your vault, for example because your device breaks down, the passwords become unavailable. Creating a backup of the password vault is therefore of crucial importance.

Some of the password managers on the market store the user’s passwords on the user’s device and some in an online service (cloud). Examples of password manager products on the market are KeePass, KeePassX, Dashlane, 1Password, LastPass, Apple Keychain, F-Secure Key and PasswordSafe. FICORA has not tested the above products and does not have an opinion on whether they work as promised.

Further information

Ofcom: Internet use and attitudes bulletin
Pew Research Center: Password management and mobile security
Keeper Security: What the Most Common Passwords of 2016 List Reveals [Research Study]
Adobe Security Survey
Statista: Use of password manager tools in Sweden in 2016
Wikipedia: Password manager
Mirai is alive and well – in your modem!
FICORA's consumer survey: Internet calls have increased significantly


Key words: Information security, Cybercrime, Data break-in, Email, Encryption, Password, Phishing, Information security now!

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248