Hacking risk doesn’t stop most Americans from being careless with their passwords

A stunning number of Americans say they’ve been victimized by a digital crime, like credit card fraud (41 percent). But even more say they write their passwords down on a piece of paper (49 percent).

Bob Sullivan, veteran journalist and a founding member of msnbc.com

In fact, Americans have a lot of bad digital habits. Some 41 percent say they have given their password to a friend or family member (you shouldn’t); 39 percent use the same password across their accounts (you really shouldn’t); 28 percent don’t bother putting a lock screen on their smartphones (that’s a terrible idea); and nearly one in five say their main tool for keeping track of passwords is … paper.

The data comes from a new Pew Research Center survey that labels these unsafe folks “password challenged.”

More about the challenged: Some 39 percent of Americans say they have a hard time keeping track of passwords—and 25 percent say they use less secure passwords because they are easier to remember.

Fear’s there; action isn’t

It’s not that people aren’t scared. Most expect bad things to happen. Most Americans anticipate major cyber attacks in the next five years on the nation’s public infrastructure (70 percent) or banking and financial systems (66 percent), Pew said.

And it’s not because bad things haven’t already happened. Really bad things. To a lot of people.

• 35 percent have received notices that some type of sensitive information (like an account number) had been compromised.

• 16 percent say that someone has taken over their email accounts.

• z13 percent say someone has taken over one of their social media accounts.

But this might be the most stunning find of all in the Pew report: “Americans who have personally experienced a major data breach are generally no more likely than average to take additional means to secure their passwords.”

I’d call this a clear example of something sociologists call “learned helplessness.”

Many feel security steps are futile

I’ve seen findings like this before in the related world of privacy. Most folks want more privacy, but feel helpless in their efforts to get it, and have no idea what to do to get it. Security has a similar problem. It’s not clear what people can do to keep their online accounts safer, other than not falling for phishing attacks. Many times, consumers are victims and there wasn’t anything they could have done—as when there is a large-scale database hack from a previously reputable website.

Understood in that light, it’s rational for consumers to go on and live their lives without the ongoing hassle of remembering 12-character passwords. Why make your day-to-day life harder if, in the end, you aren’t safer anyway?

Then there’s this: Perhaps the world’s foremost security writer has been suggesting that people write their passwords down on a piece of paper for years. Really.

Bad advice heeded

“People can no longer remember passwords good enough to reliably defend against dictionary attacks and are much more secure if they choose a password too complicated to remember and then write it down,” security expert Bruce Schneier wrote back in 2005. “We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.”

I’m going to go out on a limb and say that most people who admitted using paper in Pew’s study aren’t doing so in order to use a highly complex password. (I wish Pew had asked that question). So if that’s you, at least use your paper trick to enhance your personal security. In the end, what the world needs is to finally move away from user/password combinations as the way we secure everything. And on that front, the Pew study offers a tiny bit of hope. Slightly more than half (52 percent) say they use two-step authentication on at least some of their online accounts. And that is a step in the right direction.

BY BOB SULLIVAN, SPECIAL TO THIRDCERTAINTY