Despite Risks, Internet Users Remain Lax On Password Security

07/19/2011 11:19 am ET | Updated Sep 18, 2011

For the past six years, Rachel Tampier has used one password to unlock her entire digital world, from checking her email to accessing her bank account.

Even after a hacker tried to break into her email account, she still did not change her password, she said.

"I have so many pins and different email addresses and usernames," said Tampier, 25, who lives in suburban Chicago. "The last thing I want is another password to remember."

That attitude is all too common, experts say, contributing to a rising number of people falling prey to hackers.

In recent years, passwords have morphed from being portals to email to being keys to the vast world of online commerce.

But most Internet users leave themselves vulnerable to hackers by making their passwords too obvious or using just a few passwords for all their online accounts, experts say.

Not creating multiple, complex passwords "is like not closing your windows before you go out," said Graham Cluley, a senior technology consultant at the cyber-security firm Sophos.

"There are really no excuses," Cluley said.

Yet Internet users still come up with a wide range of them, according to interviews. Many say creating several intricate passwords would be too difficult to remember. Some say they don't believe they will be targeted by hackers. Others say they trust corporations to keep their data safe.

"I pay all my bills online and I shop online and I've never had a problem so why worry?" Tampier said. "What do I really have to hide besides my bank account?"

Plenty, security experts say.

If hackers gain access to a user's email account, for example, they can infiltrate other accounts by resetting passwords, or spy on victims by setting up a rule that forwards their emails without their knowledge, Cluley said.

"Then the rest of your online identity begins to unravel," Cluley said.

To make a password easy to recall but hard to crack, Cluley recommends taking a sentence, using the first letter of each word, then replacing some letters with symbols and numbers, like "&" instead of "and" and "4" instead of "four."

After infiltrating the computer networks of several corporations, the hacker group LulzSec last month posted 62,000 user emails and passwords online, revealing how thousands of people use simple passwords like "writerlady," "baseball," "kindle" and perhaps the most obvious of them all -- "password."

The data dump likely forced those users to change their passwords, which they may have used for other accounts. About 75 percent of people use identical passwords for their social networking and email accounts, according to a study last year by the cyber-security company BitDefender.

Even the president has been guilty of using a weak password: Last year, a French computer hacker was arrested for hacking Obama's personal Twitter account by correctly guessing his password was "Bo," the name of his dog, according to the Daily Mail.

The security breakdown among corporations and consumers has led to nearly 23 million records being compromised so far this year, according to the Privacy Rights Clearinghouse.

It has reached the point where companies now help users strengthen their passwords. Last week, Microsoft announced a new feature that prevents Hotmail users from using certain obvious passwords -- such as "123456" -- to make life more difficult for hackers.
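As an added illustration (not code from the article, Sophos or Microsoft), the following Python sketches both ideas described above: Cluley's sentence-to-password method, and a Hotmail-style check that rejects obvious passwords. The substitutions beyond "&" for "and" and "4" for "four", the denylist entries beyond those named in the article, and the length and character rules are assumptions made for the example.

```python
"""Mnemonic password derivation and a weak-password check (added example)."""
import re

# Word-level substitutions. "and" -> "&" and "four" -> "4" come from the
# article; the remaining entries are assumed for illustration.
WORD_SUBSTITUTIONS = {
    "and": "&", "four": "4", "for": "4", "to": "2", "two": "2", "at": "@",
}

# Constructed denylist: the obvious passwords the article names, plus a few
# assumed entries in the same spirit. Compared case-insensitively.
COMMON_PASSWORDS = {
    "password", "123456", "writerlady", "baseball", "kindle",
    "qwerty", "letmein",
}


def mnemonic_password(sentence: str) -> str:
    """Take the first letter of each word, keeping its original case, and swap
    whole words such as "and"/"four" for "&"/"4"."""
    out = []
    for word in re.findall(r"[A-Za-z0-9']+", sentence):
        out.append(WORD_SUBSTITUTIONS.get(word.lower(), word[0]))
    return "".join(out)


def password_problems(password: str, personal_words=()) -> list:
    """Return the reasons a password should be rejected (empty = acceptable).
    Mirrors the Hotmail-style block on obvious choices and, as an assumed
    extension, rejects personal words such as a pet's name."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if not re.search(r"\d", password):
        problems.append("no digit")
    for word in personal_words:
        if word and word.lower() in lowered:
            problems.append(f"contains personal word {word!r}")
    return problems


if __name__ == "__main__":
    pw = mnemonic_password("My dog Bo and I walk four miles every day")
    print(pw, password_problems(pw, ["Bo"]))          # MdB&Iw4med []
    print(password_problems("Bo", ["Bo"]))            # four problems
```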

Meanwhile, password management programs such as KeePass and LastPass have hit the market, part of a cottage industry helping users with multiple passwords by storing all of them in one program protected by a single master password. KeePass and LastPass are free, but others are not, and users must accept the inherent risk of storing all their passwords in one location.

Instead of using a password manager, David Pinero, 45, of Queens, keeps a spreadsheet that lists his passwords for about 200 online accounts, including dozens of Internet message boards.

He feels safe from hackers because his spreadsheet is protected by a "crazy password" that is not written down anywhere, he said.

But except for a few complex codes for accessing banking and other sensitive data, Pinero said many of his passwords are the same.

"To have a unique password for each of 200 accounts," he said, "would be impossible to memorize."

Once, Pinero was tricked into revealing his password after clicking on a link from what appeared to be a trusted source, he said. When he realized it wasn't, he immediately started changing all 200 passwords, which took him nearly an hour, he said.

"What I worry about is we don't know who is administering these accounts," Pinero said. "You can't really distinguish between what's an established, secure service and one run by a hacker or a startup of irresponsible people."

Lately, though, even major corporations have suffered major security breaches, and thousands of customers' passwords have been stolen through no fault of their own.

Further, companies are often reluctant to tell customers about security breaches out of fear of damaging shareholder value or losing business, experts say.

In the last year, 90 percent of businesses suffered at least one data breach, according to a study released last month by the Ponemon Institute. Yet only 40 percent of U.S. companies disclose all security breaches, while 60 percent report only major ones, according to a study released this year by the security firm McAfee.

In response, lawmakers in Washington have introduced several bills in Congress that would compel companies to protect consumer data online and report when consumer data has been compromised.

In the meantime, Internet users are sometimes forced to change their passwords for their own good.

Lindsey Jensen, 21, a student at the University of Virginia, said her school forces her to use letters, numbers and symbols for her password and to change it every 90 days.

"In your daily life, you don't put it on the top of your priority list," Jensen said.

Justin Cappa, 21, a senior at New York University, said having multiple complex passwords for all his online accounts was "like having too many remotes."

"It gets to be too much of a hassle," he said. "I'll deal with it if someone hacks into it, but it's not really worth the trouble until then."

Even after his instant messenger account was hacked, spewing spam to friends until it was deleted, Cappa still used the compromised password for other accounts, he said.

While Cluley and other cyber-security experts have applauded Microsoft for requiring Hotmail users to have more stringent passwords, Cappa said he found such features "annoying."

"I have way too much other stuff I'm worried about," he said. "If somebody hacks my account, that's my problem. Let me make my password my dog's name. It'll make my life a little easier."
