- "4 in 10 respondents shared passwords with at least one person in the past year."
- I haven't done this one, but I've encouraged my wife to give me a couple of her passwords to help debug some problems she's having. I don't think she's making a huge mistake here. How many of those 4 in 10 shared passwords with a trusted loved one?
- "Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised."
- I use the same password all the time (I have about five that I generally use, across dozens of sites requiring a password). Sure, it's true that this means if one site is compromised then so might others. But the person getting that password would have to know which sites, and my usernames on those sites. That's not necessarily all that easy.
- "Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords."
- Not necessarily. Most use of special characters is in "133t" spelling: instead of your password being "password", it'll be "p455w0rd" or something like that. I've written dictionary attack software. Adding 133t spelling adds some words to check, but it's not that big a deal. It's true that a password like "5*(AJS*&1" is hard to crack, but then so is "jka82pma8". Furthermore, most sites lock you out after a small number of wrong guesses, so dictionary attacks aren't really very effective.
- "30 percent [of young people] logged into a site requiring a password over public WiFi (vs. 21 percent overall)."
- Again, this is no big deal... if you do it over SSL encryption. True, sending a password on an unencrypted public WiFi channel is risky. Don't do that. But your bank's Web site is SSL-encrypted, so don't worry about that.
- "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
- No less a security guru than Bruce Schneier has endorsed this practice, and I completely agree. Hackers can't hack your desk, or your wallet. You're far better off having hard passwords written down in a fairly secure location than really bad passwords (e.g. "123456") that you can remember.
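The "133t" point above, as an added example that is not part of the original post: a defender-side strength check that undoes the common letter-for-symbol substitutions before comparing against a wordlist, so "p455w0rd" is rejected for the same reason "password" is. The wordlist and the substitution table are constructed assumptions for the demo; a real check would use a large wordlist.

```python
import itertools

# Constructed, deliberately tiny wordlist (assumption for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}

# Common substitutions reversed: digit/symbol -> the letters it usually stands for.
UNLEET = {
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "li", "!": "i", "|": "li", "0": "o", "5": "s", "$": "s",
    "7": "t", "+": "t", "2": "z",
}


def unleet_candidates(password, limit=256):
    """Return the plain-letter readings of `password` with substitutions undone.

    A leet character may stand for several letters ('1' for 'l' or 'i'), and the
    original character is kept as a reading too, so the result is every
    combination, capped at `limit` to bound the work on long inputs.
    """
    choices = [sorted(set(ch + UNLEET.get(ch, ""))) for ch in password.lower()]
    out = []
    for combo in itertools.product(*choices):
        out.append("".join(combo))
        if len(out) >= limit:
            break
    return out


def is_leet_dictionary_word(password, wordlist=COMMON_WORDS):
    """True if any de-leeted reading is a listed word, with or without a
    trailing run of digits (so 'p455w0rd1' is caught as well)."""
    for cand in unleet_candidates(password):
        if cand in wordlist or cand.rstrip("0123456789") in wordlist:
            return True
    return False


if __name__ == "__main__":
    for pw in ("p455w0rd", "P@ssw0rd1", "5*(AJS*&1", "jka82pma8"):
        verdict = "dictionary word in disguise" if is_leet_dictionary_word(pw) else "ok"
        print(f"{pw:12} -> {verdict}")
```

The random-looking "jka82pma8" passes this check while "p455w0rd" does not, which is the post's point: the substitution adds a handful of readings per character, not real entropy.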
There are, of course, good password practices and bad. But I'm not convinced that surveys like this really reveal that people are as stupid as they think (they may be, but not for the reasons put forth in the survey).
Having a different password for every site, as they recommend, is a wonderful idea. It's also totally impractical. They're also correct that having a single password you use for every site is also a bad idea. The happy medium is to have a few passwords. Use one you can easily remember for all the stuff you don't care much about: Facebook, Slashdot, etc. Use a somewhat harder one for online stores (and don't trust any online store that makes it easy to retrieve your credit card number). And use your best one - maybe here it makes sense to go the "one per site" route - for online banking and brokerage accounts.