Bringing you live news and features since 2013


Cyber risk peaks post late August


Business intelligence specialists Xoomworks have conducted research that shows that late August is the riskiest time of the year for information security in the UK. 

The reason is that people come back from their holidays having forgotten their passwords. The study finds that a quarter of Britons have to get their passwords reset after a summer holiday and, alarmingly, the new passwords they’re creating are deliberately weak and easier to guess, putting employers at risk of cyberattacks and hacks.
 
77 per cent of those who’ve forgotten a password admitted using a weaker one when resetting, with most citing the inconvenience of requesting a reset as motivation. The study, involving more than 1,000 UK adults who use employer-managed IT systems, found that 25 per cent of UK office workers say they’ve forgotten their password after coming back from holiday in the past three years, while 77 per cent of people who forget their password said they chose a password that was ‘significantly easier to remember’ as a result.
 
Only 20 per cent create an entirely new password each time they are prompted, but those that do are far less likely to forget their password, according to the study. 72 per cent of those who are required to update their passwords say they don’t create an entirely new password when prompted, instead modifying their existing password by three characters or fewer, while 8 per cent admit to modifying their password by just one character.
 
The study revealed a worrying pattern of behaviour among office workers, where the majority rely on a ‘stock’ password, such as a memorable word or phrase, which they modify slightly each time they update their password.  
 
80 per cent of those who took part in the study say they rely on one memorable word or phrase, which they modify to create new passwords. Those who make the effort to create a unique password every time are significantly less likely to forget their password compared to those who modify.  
 
Just 9 per cent of people who create new passwords forget them after a period of absence, compared to 29 per cent who rely on modifications. Of those who are required to periodically update their passwords, 69 per cent modify their existing password by two to three characters; 20 per cent create an entirely original password when requested; 8 per cent modify their existing password by a single character and 3 per cent modify by four or more characters.
 
When they return from holiday, users can typically remember the word or phrase, but not the most recent modification, so they revert to an easy-to-remember modification of that phrase.
 
Xoomworks are warning employers to stress the importance of complex, unique passwords to employees who request a password reset. Nicholas Henry of Xoomworks, who coordinated the study, says: “Forgetting your password is forgivable. Most of us know the frustration of coming back to the office and not being able to log in to our machine after a relaxing break.
 
 
“But as our study indicates, the people most likely to forget their password are those who have supposedly easier-to-remember, ‘modified’ passwords. Anecdotally, we believe this is because they have to recall their memorable phrase and the specific modification they made to it, rather than just remembering it or retrieving it from an encrypted vault.
 
“Once the system of modifying an old password fails, these individuals are more likely to create an even weaker password. Some of our study participants told us that the inconvenience of having to get their password reset, often via an IT helpdesk, motivated them to create an even easier-to-remember password. So a forgotten password becomes significantly less secure once reset.
 
“Hackers use sophisticated algorithms that factor in modification patterns when trying to guess a password. Changing a password by one character, or simply adding your birth year, or the year your football team last won the FA Cup, does little to improve the security of that password.
 
“It’s more secure and ultimately less hassle to create a unique password each time.”
 
In a case study produced by Xoomworks, one study participant, who works as a project manager for a London-based digital marketing agency, confessed that he’d used the same memorable phrase as his password for the past six years, modifying it by one character each time he was prompted. He said:
 
“I enter passwords into approximately ten different applications and services on a daily basis. The majority are relatively low risk in terms of data security, for example open-source project management platforms.  
 
“I’d find it quite difficult to maintain completely unique passwords for each of these applications, so I use one memorable phrase and modify it with the name of the application to which I’m logging in.
 
“I’ve used the same memorable phrase for my main login for six years and have modified it by a single character about 18 times.”
 
 
