Australian password practices get a mixed report card

Stephen Withers
Wednesday, 21 September 2011 15:28

Your IT - Home IT

New research suggests Australians seem to be reasonably cluey when it comes to Internet passwords, but it's not so clear whether they're putting their knowledge into action.

Research conducted by PayPal and the Centre for Internet Safety at the University of Canberra suggests most Australians know what they need to do to keep their Internet passwords secure. They might be talking the talk, but are they also walking the walk?

The survey was completed by over 1000 respondents, with a good distribution by age, sex and state, so the results can be given more credence than some research promoted by vendors.

One of the biggest concerns is that 63% of respondents (77% among 18-24 year olds) said they use the same password with multiple accounts. That's not really a black and white issue. While it is clearly risky to reuse passwords on sites of any real significance (eg, webmail, Facebook, online banking) it's not unusual for people to reuse a password when they register to use yet another forum without revealing their identity. If there's a breach at Alice's Security Blog and you used the same name and password to post a recipe on Bob's Sausage Blog, does it really matter?

Choosing a good password is an important issue, and 78% said their passwords contained no personally identifying information, and only 10% thought their passwords could be easily guessed. However, the researchers point out that analyses of large scale password breaches suggest many users make password choices that are relatively easy to crack using automated methods.

The trouble with passwords that are difficult to crack or guess is that they tend to be difficult to remember, which means people have to record them somewhere. 46% write down their passwords ("a harmless practice assuming that the piece of paper is not stuck to the computer hardware and is stored in a separate location"), and 17% store them in a computer document (hopefully using a secure password manager rather than an unencrypted document such as a spreadsheet).

If you don't record passwords somewhere, you'll probably forget them - see page 2.