The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Awareness Training Does Not Appear to Improve Password Hygiene

Posted By on Nov 9, 2022

Security awareness training is a vital part of any security strategy; however, one area where it appears to be having little effect is improving password hygiene. Employees can be taught what a strong password is and how passwords should be created, but even though the theory is understood it is not being put into practice. Employees may be made aware of the importance of practicing good cyber hygiene when it comes to passwords, but creating complex, unique passwords for every account is difficult, and remembering those passwords is almost impossible.

Each year, LastPass conducts its Psychology of Passwords survey, which this year was conducted on 3,750 professionals. Respondents were probed about their password practices for their personal and work accounts. The survey revealed there was a high level of confidence in current password management practices, but in many cases, there was a false sense of safety, as good password hygiene was not always practiced.

The biggest disconnect was with Gen Z, which had the highest level of confidence in their password management practices, yet the poorest scores for password hygiene. Gen Z respondents were the most likely to be able to identify password risks, such as reusing passwords on multiple accounts, yet this age group reused passwords 69% of the time. Overall, 62% of respondents admitted to almost always or mostly using the same password or variations of it on their accounts.

The survey confirmed that 65% of the respondents had received some form of cybersecurity awareness training and 79% of those individuals said their education was effective. Overall, 89% of respondents said they knew that using the same password or variations of it was a security risk, but just 12% of respondents said they use a unique password for each account. When probed about changes to their password habits after receiving security awareness training, only 31% of respondents said they changed their password practices and stopped reusing the same password for multiple accounts and only 25% of respondents started using a password manager.

Accredited HIPAA Compliance Training

HIPAA Journal Recommends ComplianceJunction

Used By 1,000+ Healthcare Organizations & 100+ Universities

Learn More
Try Free Sample Modules

HIPAA Training For Individuals HIPAA Training For Universities

Most respondents used a risk-based approach when creating passwords, with 69% saying they create stronger passwords for financial accounts and 52% of respondents saying they use more complex passwords for their email accounts. Convenience is favored over security for other accounts, with 35% choosing stronger passwords for their health records, 32% for social media accounts, 18% for retail or online shopping accounts, and 14% for streaming accounts such as Netflix. 13% of respondents said they create passwords in the same way, regardless of what account the password is for. Worryingly, only 33% of respondents said they chose stronger passwords for their work accounts.

One of the ways that employers can improve password security is to provide their employees with a password manager. A password manager will suggest random, strong, unique passwords, will store them securely in an encrypted vault, and will autofill them when needed so they never need to be remembered. One way to encourage employees to use a password manager is for employers to provide one to employees for work and personal use and to stress the benefits in security awareness training sessions. The Bitwarden Password Decisions survey published last month found that 71% of respondents would be very likely to use a password manager if their company also provided a complimentary family account for personal use, with just 5% saying they would not be likely to use it.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer at LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com