
Post holiday clues – Why passwords are easier to guess in August


Late August is the riskiest time of the year for information security in the UK, and it is down to people coming back from their holidays having forgotten their passwords, according to new research from business intelligence specialists Xoomworks.

A quarter of Britons have to get their passwords reset after a summer holiday and, alarmingly, the new passwords they create are deliberately weaker and easier to guess, putting employers at risk of cyber attacks and hacks.

77% of those who have forgotten a password admitted using a weaker one when resetting, with most citing the inconvenience of requesting a reset as their motivation.

The study, involving more than 1,000 UK adults who use employer-managed IT systems, also found:

* A quarter (25%) of UK office workers say they’ve forgotten their password after coming back from holiday in the past 3 years.

* More than three quarters (77%) of people who forget their password said they chose a password that was ‘significantly easier to remember’ as a result.

* Only 20% create an entirely new password each time they are prompted, but those that do are far less likely to forget their password.

* 72% of those who are required to update their passwords say they don’t create an entirely new password when prompted, instead modifying their existing password by 3 characters or fewer.

* 8% admit to modifying their password by just one character.

Password habits in UK offices

The study revealed a worrying pattern of behaviour among office workers, where the majority rely on a ‘stock’ password, such as a memorable word or phrase, which they modify slightly each time they update their password.

80% of those who took part in the study say they rely on one memorable word or phrase, which they modify to create new passwords.

Those who make the effort to create a unique password every time are significantly less likely to forget it than those who modify an existing one.

Just 9% of people who create new passwords forget them after a period of absence, compared to 29% who rely on modifications (figures for those who are required to periodically update their passwords).

[Chart: Passwords, 2016-08-26]

When they return from holiday, users can typically remember the word or phrase, but not the most recent modification, so they revert to an easy-to-remember modification of that phrase.

Xoomworks are warning employers to stress the importance of complex, unique passwords to employees requesting a password reset.

Nicholas Henry of Xoomworks, who coordinated the study, explained:

“Forgetting your password is forgivable. Most of us know the frustration of coming back to the office and not being able to log in to our machine after a relaxing break.

“But as our study indicates, the people most likely to forget their password are those who have supposedly easier-to-remember, ‘modified’ passwords. Anecdotally, we believe this is because they have to recall their memorable phrase and the specific modification they made to it, rather than just remembering it or retrieving it from an encrypted vault.

“Once the system of modifying an old password fails, these individuals are more likely to create an even weaker password. Some of our study participants told us that the inconvenience of having to get their password reset, often via an IT helpdesk, motivated them to create an even easier-to-remember password.

“So a forgotten password becomes significantly less secure once reset.

“Hackers use sophisticated algorithms that factor in modification patterns when trying to guess a password. Changing a password by one character, or simply adding your birth year, or the year your football team last won the FA Cup, does little to improve the security of that password.

“It’s more secure and ultimately less hassle to create a unique password each time.”

Case study

One study participant, who works as project manager for a London-based digital marketing agency, confessed that he’d used the same memorable phrase as his password for the past six years, modifying it by one character each time he was prompted:

“I enter passwords into approximately ten different applications and services on a daily basis. The majority are relatively low risk in terms of data security, for example open-source project management platforms.

“I’d find it quite difficult to maintain completely unique passwords for each of these applications, so I use one memorable phrase and modify it with the name of the application to which I’m logging in.

“I’ve used the same memorable phrase for my main login for six years and have modified it by a single character about 18 times.”
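Both Nicholas Henry's point about guessing algorithms that factor in modification patterns and the case study's habit of modifying one phrase by a character or an application name can be made concrete with a small rule-based guesser. The following Python is an added example written for this page; it is not code from the Xoomworks study or any participant. It assumes a hypothetical attacker who has learned a user's old password ("Salford1") from an earlier breach, and the user's later passwords, the application names and the SHA-256 hashing are all constructed for the example (a real system would use a slow, salted hash, which changes the cost per guess but not the size of the search space).

```python
"""Rule-based password guessing against 'modified stock password' habits.

Added example (not from the Xoomworks study). An attacker who knows a
user's old base password applies the same small families of modification
the survey describes (bump a digit, append a year, append an application
name, change one character) before resorting to brute force.
"""
import hashlib
import string


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, used here only to keep the example self-contained."""
    return hashlib.sha256(s.encode()).hexdigest()


# Hypothetical: base password recovered from an old breach of the same user.
KNOWN_BASE = "Salford1"

# Constructed sample: hashes of the passwords the hypothetical user later
# chose, each a small modification of KNOWN_BASE.
TARGETS = {
    "bumped digit": sha256_hex("Salford2"),
    "appended year": sha256_hex("Salford2016"),
    "app name suffix": sha256_hex("SalfordJira"),
    "one char swapped": sha256_hex("Salf0rd1"),
}

APP_NAMES = ["Jira", "Trello", "Slack", "Outlook", "Salesforce"]  # hypothetical
YEARS = [str(y) for y in range(1950, 2026)]
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def mangle(base: str) -> list:
    """Return candidates derived from `base`, most common rules first.

    Duplicates are removed (first occurrence kept) so that the guess count
    returned by crack() is a fair measure of attacker effort.
    """
    stem = base.rstrip(string.digits)          # "Salford" for "Salford1"
    cands = [base]                             # rule 0: password reused as-is
    cands += [stem + d for d in string.digits]  # rule 1: replace trailing digit
    cands += [base + d for d in string.digits]  # rule 2: append a digit
    for y in YEARS:                            # rule 3: append a year
        cands += [stem + y, base + y]
    for app in APP_NAMES:                      # rule 4: add an application name
        cands += [stem + app, base + app, app + base]
    for i, ch in enumerate(base):              # rule 5: every single-character
        cands += [base[:i] + c + base[i + 1:]  #         substitution (edit distance 1)
                  for c in ALPHABET if c != ch]
    return list(dict.fromkeys(cands))


def crack(target_hex: str, base: str = KNOWN_BASE):
    """Try each mangled candidate in order.

    Returns (plaintext, guess_number) on a hit, or (None, guesses_tried)
    when the target is not a simple modification of `base`.
    """
    n = 0
    for n, cand in enumerate(mangle(base), start=1):
        if sha256_hex(cand) == target_hex:
            return cand, n
    return None, n


if __name__ == "__main__":
    space = len(mangle(KNOWN_BASE))
    print(f"{space} candidates derived from {KNOWN_BASE!r} "
          f"(versus {len(ALPHABET) ** len(KNOWN_BASE)} for blind brute force)")
    for label, h in TARGETS.items():
        found, guesses = crack(h)
        print(f"{label:17s}: {found!r} after {guesses} guesses")
    print("unrelated passphrase:", crack(sha256_hex("Correct-Horse-Battery")))
```

Every one of the four "new" passwords falls inside a few hundred guesses, because the rules only enumerate the handful of ways the user was ever going to change the phrase; a genuinely unrelated passphrase exhausts the same list without a hit. Real crackers ship far larger rule sets, so the point is not the exact counts but that a one-character or year-suffix change keeps the password inside a search space the attacker can walk in well under a second.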




Editor at large, SalfordOnline.com