How many of your users are using insecure and compromised passwords?
You may have a standard password strength meter on your site so you think your users are safe. Think again.
Let me throw some numbers out at you:
So how does this translate?
As an example: in a company with 1,000 user accounts, around 550 of the users will reuse the same password across roughly 90 accounts each. Users Suck at Passwords.
That is a whopping 49,500 accounts! Chances are high that some of those accounts have already been exposed.
Hackers love that 55% because if they get credentials for one site, they can use the same credentials to gain access to other sites.
It has a nasty domino effect and can infect organizations in various ways.
All sorts of shenanigans. And all because the user is unaware that they are using a known, compromised password.
Users are often the weakest link because they are lax about their own passwords.
Password strength meters and password complexity requirements are simply not enough. IT Security and Development cannot combat it alone.
So what do you do? (besides locking users out of their accounts)
Inform your users of compromised passwords when they set up their accounts!
Enforce the right behavior for creating a strong password on your site. Enzoic is an easy-to-deploy enhanced password strength meter that checks for hacked passwords.
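To show why a complexity check alone is not enough, here is an added example (not Enzoic's code or API) of a signup check that combines a typical strength-meter rule set with a lookup against a breach corpus. The corpus, the breach counts and the k-anonymity range lookup are constructed stand-ins for a real breach-check service.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: a few well-known leaked passwords
# with made-up "times seen" counts. A real deployment would query a
# breach-check service or a locally mirrored corpus instead.
_CONSTRUCTED_LEAKS = {"password": 3861493, "P@ssw0rd123": 12041, "qwerty": 3912816}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_table(leaks: dict) -> dict:
    # Index by 5-hex-char prefix -> {35-char suffix: count}, so a client can
    # ask for a prefix only and never send the full hash of the candidate.
    table: dict = {}
    for pw, count in leaks.items():
        digest = _sha1_hex(pw)
        table.setdefault(digest[:5], {})[digest[5:]] = count
    return table


RANGE_TABLE = _build_range_table(_CONSTRUCTED_LEAKS)


def range_lookup(prefix: str) -> dict:
    """Service side of a k-anonymity query: returns every suffix under the prefix."""
    return RANGE_TABLE.get(prefix.upper(), {})


def times_compromised(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = _sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def meets_complexity_policy(password: str) -> bool:
    """A typical strength-meter rule set: 8+ chars, upper, lower, digit, symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def evaluate_signup_password(password: str) -> dict:
    """Accept only passwords that pass the policy AND are not in the corpus."""
    count = times_compromised(password)
    complex_enough = meets_complexity_policy(password)
    return {"passes_complexity": complex_enough, "seen_in_breaches": count,
            "accept": complex_enough and count == 0}
```

"P@ssw0rd123" satisfies every complexity rule and still gets rejected, which is the gap a strength meter by itself leaves open.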