BeyondTrust expert on the problem with poor password security

BeyondTrust's Brian Chappell discusses why the poor password practice of millennials is a wider problem

By Brian Chappell, Senior Director, Enterprise and Solution Architecture, BeyondTrust

You would think that Millennials would be better with their passwords. I mean, this is the generation – born between the early 80s and the mid-90s – that grew up with and continues to largely define the way we use the Internet.

Still, a recent IBM study showed that 41% of millennials are likely to reuse passwords and 42% are likely to use simple passwords.

Another recent UK government survey revealed that 52% of adults aged 18 to 25 reuse email passwords for multiple online accounts. However, only 13% of over 55s did the same.

The IBM study also goes on to show older generations to be more canny than their tech-savvy juniors, in at least one way. The average millennial uses eight passwords over multiple accounts, while over 55s use over 12 passwords.

But why are millennials so bad with passwords? There are a couple of theories:

One might be that many millennials have a lot less to actually lose. Many of them are still waiting for the day when they have homes, families or capital of any significance – a cybercriminal attack will simply sting less than it would for somebody who has a retirement account or their children’s college fund to protect.

Another holds that millennials are more active online and simply have more accounts, which makes it harder to put in place unique credentials for every single one of them. The IBM survey partially bears this out, showing that younger users were more likely to forgo security considerations in exchange for ‘one to 10’ seconds of convenience.

Given that a human being can only remember a few passwords at any one time, it might not be surprising that millennials use fewer passwords, over a wider span of internet usage.

Similarly, a variety of studies show that older generations simply use the Internet less and thus might have a smaller collection of online accounts which they prize all the more.

Recent studies by Pew Research have shown that as of 2018, 85% of millennials use social media, compared with 57% of baby boomers (aged between 54 and 72) and 23% of those between 73 and 90.

An older, less confident generation might surf the Internet with slightly more caution than their younger counterparts, afraid of what its data-ridden depths might hide. Fear and mistrust should not be the abiding principles of Internet use, but they are not exactly useless.

That caution might be why older people have generally better password practices. They might not know how to use Skype, but they probably have a better alphanumeric multi-phrase password on it than their kids.

To state the obvious, this is troubling. Password reuse is clearly a cardinal sin and can easily turn one breach into multiple breaches.

One of the cybercriminal’s favorite tools is known as credential stuffing. Essentially, an attacker takes large tranches of usernames and passwords – commonly taken from mega breaches on consumer-facing companies like Yahoo or Target – and automatically injects them into other sites.

Many of those stolen credentials will be useless but many more won’t, resulting in more personal data breaches and more illicit account access granted to hijackers, hackers and cybercriminals. To make matters worse, the credential datasets taken from mega breaches are not hard to find, nor are the tools needed to carry out credential stuffing attacks.

Most millennials might not be old enough to hold positions in the halls of power yet. But when they are, let’s hope they don’t reuse their JustEat login on the nuclear command. Needless to say, these findings could have larger, darker implications further down the line.

It’s not all bad. This millennial attitude to passwords may well correlate with the rise of authentication methods. The IBM study found that three quarters of millennials are comfortable and willing to use biometrics and 32% were more likely to enable 2FA and let go of a service after it’s been breached.

This might also provide a good explanation for their use of passwords. Generally, millennials favour mobile devices, which have taken up alternative authentication methods with great enthusiasm – whether that is biometrics or multifactor authentication. Simply, millennial users need fewer passwords to surf securely.

This could be a promising development. The death of the password has long been predicted, even though the time-tested authentication method is still with us. Other options are on the horizon – multifactor authentication is pointed skyward and is now found in a number of widely used consumer products. Other solutions like SSO, device authentication, password managers and biometrics are also set to take the place that the simple password now holds.

But we are not quite there yet. These findings show that being a digital native does not necessarily come with the security awareness that this increasingly connected world requires.

Ultimately, poor passwords cut across every demographic, and enterprises would be well placed to take advantage of password and session managers which can check that box, as well as provide analytics that can help spot dangerous password practices. Until the bell finally tolls for the password, people would be wise to fall back on solutions which circumvent the inherent weaknesses of the password and help protect the enterprise from the mistakes of every generation.
