Passwords Concept

Password Psychology: users know reuse is bad, do it anyway

More than 90% of employees know re-using passwords between accounts is a dangerous business, but two thirds of them do it anyway. Rachael Stockton of LastPass* digs into the “why” of password insecurity in the latest LastPass Psychology of Passwords report.


For an IT administrator, the human element is the hardest to control. IT doesn’t have the power to ensure that employees will follow best practices to keep the business safe. And with more employees working remotely, the challenges of managing user behaviors are increasing.

But it is helpful to remember that employees are consumers too. And the security habits they practice at home can affect the workplace – especially now!

The new LastPass Psychology of Passwords report asked 3,250 consumers from around the world[1] about their online security behaviors – providing valuable insights on user behaviors in their personal lives and how they extend to the office.

Poor password habits linked to fear, control

The LastPass survey showed that 66% of respondents always or mostly use the same password for their accounts. However, 91% say they know that using the same password is a security risk.

Episode 162: Have We missed Electric Grid Cyber Attacks for Years? Also: Breaking Bad Security Habits

Rachael Stockton of LogMeIn
Rachael Stockton is the Senior Director of Product Marketing at LogMeIn.

This kind of cognitive dissonance came up over and over throughout the findings. Respondents know what they should do, but they don’t take action to protect themselves. Why don’t they create unique passwords if they know they should? The top reasons were fear of forgetting (60%) and desire for control (52%).

This is an opportunity for education. We need to educate users that tools like password managers, multi-factor authentication (MFA) are safe and effective ways to keep themselves safe. Even if it feels like they are giving up some control, they are actually protecting themselves.

Protecting work accounts: not a priority

When people do create strong passwords, it’s not often for their work accounts, unfortunately.

Spotlight Podcast: Breaking Bad Password Habits to Fight Advanced Threats

When asked which accounts they create stronger passwords for: 69% said financial, 47% said email, 31% said medical records, and less than a third (29%) said work accounts. Clearly, people are more worried about protecting their own money and personal information, which isn’t surprising. That’s not to say they want to put their employer at risk, but password security at work just isn’t top of mind for most.

Work accounts need multi-factor

Though weak, guessable passwords are a security hazard, MFA can counteract some of those risks. Encouragingly, many of our survey respondents were aware of and regularly use MFA for added protection of online accounts.

54% of respondents said they use MFA for their personal accounts, but only 34% use it for work related accounts.

— LastPass Psychology of Passwords Report

Of the personal accounts for which they have multi-factor authentication enabled, the top two responses were financial accounts (62%) and email (45%). Again, it seems that protecting their money and personal information comes first, but the high usage of MFA on personal devices suggests that businesses could require more employees to use MFA.

Passwordless? Imagining the Future of Authentication

Key takeaways for IT

While consumers are still exhibiting poor online security behaviors, there are some encouraging signs that IT could translate to the business. Consumers are protecting the accounts they think are most valuable – like personal financial and email accounts– so there is an opportunity for education around why their work accounts need to be protected as well.

Also, consumers trust biometrics: 65% reported that they trust fingerprint and facial recognition more than traditional text passwords. This is encouraging because it shows that when consumers use something frequently (like biometrics on their smartphones) they are likely to adopt and trust it. IT admins need to make their security apps mobile-friendly and user-friendly to encourage adoption.

Be sure to read the Psychology of Passwords report for the complete research.


[1] Survey conducted by Lab42 with respondents from US, UK, Australia, Singapore, Brazil and Germany

(*) Disclosure: This contributed article is sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.