
Why asking you to change your password makes it easier to hack the system

Many computer users feel overwhelmed by the dozens of passwords they must remember, leading them to suffer from what some experts call “security fatigue.” McClatchy

The requests cascade in: Reset your password. Update your anti-virus program. If, as a computer user, such digital demands irritate you, you may have computer “security fatigue.”

It’s an actual phenomenon, studied by behavioral scientists and computer security experts. It happens when users get bombarded with security warnings and demands for compliance. As a result, the studies show, three-quarters of computer users know how to make strong passwords but don’t practice what they know. It just seems too overwhelming.

After all, average users have dozens of accounts that require logins and passwords.

“We’ve been coming to realize that we’ve been asking people unreasonable things in terms of passwords,” said Dr. Lujo Bauer of the school of electrical and computer engineering at Carnegie Mellon University in Pittsburgh.

“It’s not possible to create 100 strong passwords that are unique and actually remember them. It’s even worse if we have to periodically change them,” he added.

A new government study titled “Security Fatigue” argues that users feel it’s gotten too hard to maintain adequate security, so they’ve grown careless. Security may be getting worse.

“Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security,” warned the study by the National Institute of Standards and Technology, a unit of the Commerce Department.

And, hey, it’s not just average users. Think Silicon Valley tech honchos. Some of them just reuse the same simple password for multiple sites, a big no-no for computer security.

How else did Mark Zuckerberg have his Twitter and Pinterest accounts hacked last June? His password for both accounts was “dadada,” according to the hackers. Then there was Hillary Clinton campaign Chairman John Podesta, who this week had his Twitter account, his iPhone and his iPad hacked because he apparently used the same password for his Apple ID and Twitter.

Concern about online security grows apace with the frequency and volume of hacks of retailers, banks, social media and other sites that let vast numbers of passwords fall into the hands of hackers. So far in 2016, more than 500 million passwords have been leaked, according to a new study from LastPass, a password manager product from a Boston-based software and cloud management company.

“What you hear about is just the tip of the iceberg. People don’t even know that they’ve been hacked,” said Joe Siegrist, vice president of LastPass.

“It’s probable that everybody in the United States has lost a password or had one stolen, and they don’t even know about it,” Bauer said.

Problem is, if you reuse the password and it got swiped from LinkedIn or Ashley Madison or some other site that was hacked in the past year or so, maybe your bank account or social media account is at risk, experts said.

LastPass arranged a survey of 2,000 adults in the United States and five other developed countries to explore their password habits, and found that 91 percent know there is a risk to reusing passwords but 61 percent continue to do so.

“It’s a bit like all the people have their teeth falling out, and we say, ‘Use a toothbrush,’ your dentist is screaming at you, ‘Use a toothbrush,’ and you refuse to do it,” Siegrist said.

What users do, according to the survey, is prioritize their accounts, using stronger passwords for financial websites (69 percent) and weaker ones for social media (31 percent) and entertainment accounts (20 percent).

“If users are using the same or similar passwords across accounts – which a majority of respondents indicated – then they are also essentially handing the key to hackers to access their most critical information when they attack another, less important account,” the survey said.

Hackers are using algorithms to check stolen passwords and simple variations of them on other accounts, Bauer said, looking for variations that simply add exclamation points, pound signs and asterisks to the end.
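One defender-side use of that observation is a password-set check that rejects a candidate which is merely a leaked password with symbols tacked onto the end. This is an added example, not code from the article or from any company quoted in it; the leaked list is constructed, the compromised index is kept as hashes of the normalized form rather than plaintext, and including trailing digits in the stripped set is an assumption that goes slightly beyond the symbols the article names.

```python
import hashlib
import re

# The "simple variations" the article describes append exclamation points,
# pound signs and asterisks to a leaked password. Trailing digits are
# included here as an assumption ("Summer2016" -> "Summer2017" style edits).
TRAILING_FILLER = re.compile(r"[!#*\d]+$")


def normalize(password: str) -> str:
    """Reduce a password to the core a trailing-symbol variant shares with
    the original: lowercase, with trailing filler characters removed.
    A password made only of filler (e.g. "123456") keeps its full form so
    it does not collide with every other all-filler password."""
    core = TRAILING_FILLER.sub("", password)
    return (core or password).lower()


def fingerprint(password: str) -> str:
    """SHA-256 of the normalized form, so the compromised list can be
    stored as hashes instead of plaintext leaked passwords."""
    return hashlib.sha256(normalize(password).encode("utf-8")).hexdigest()


def build_compromised_index(leaked_passwords):
    """Index of fingerprints for every password in a breach corpus."""
    return {fingerprint(p) for p in leaked_passwords}


def is_trivial_variant(candidate: str, index) -> bool:
    """True when the candidate is a leaked password or one of its
    trailing-symbol variants and should be rejected at password-set time."""
    return fingerprint(candidate) in index


# Constructed stand-in for a breach corpus (not real leaked data).
LEAKED = ["dadada", "Password1", "letmein!"]
INDEX = build_compromised_index(LEAKED)

if __name__ == "__main__":
    for pw in ["dadada*", "Password2#", "LETMEIN!!!", "Passw0rd1"]:
        verdict = "reject" if is_trivial_variant(pw, INDEX) else "allow"
        print(f"{pw!r}: {verdict}")
```

Because the index holds only hashes of normalized cores, the same check can be run against a large leaked-password set without keeping the plaintext passwords on the password-setting server.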

The LastPass survey brought bad news for businesses: A third of respondents say they create stronger passwords for their personal accounts than for their work accounts.

Experts agree on asking users not to reuse passwords but disagree on what users should do for adequately strong passwords.

The LastPass survey called for “unique passwords that contain a minimum of 12-14 characters made up of numbers, letters and symbols.”

“If you make a password long, it’s strong,” Siegrist said. “The complexity explodes as you get longer.”

But maybe lengthy passwords aren’t needed, others said.

“An eight-character password is more than sufficient for your online account, because your account will get locked up after three or four attempts,” said Christopher Soghoian, a technologist with the American Civil Liberties Union and a visiting fellow at Yale Law School’s Information Society Project.

Worksites that demand that employees change their passwords on a routine basis may actually be exposing their networks to greater risks, Bauer said.

“The security is fairly dubious,” he said. “There is anecdotal evidence that it results in lower security because it makes people write down their passwords.”

Computer users create their passwords in secret, and despite the wishes of computer security experts, users often opt for ease.

“If any security function requires a user to change the way they work, in this world of ‘Apple easy’ we find workarounds, or we just ignore security for the sake of ease,” said V. Miller Newton, chief executive of PKWare, a Milwaukee-based vendor of data encryption software.

Password managers – low-cost or free programs that store encrypted passwords for all of a user’s accounts and require the user to remember just one master password – are widely recommended but have their own complications. Users must migrate account information into them.

“I’m still moving my life over to a password manager, and I’ve had one for three years,” Soghoian said.

Tim Johnson: 202-383-6028, @timjohnson4