Listen to this article now
Passwords suck. It sucks to remember them. It sucks to update them. It sucks to create new variations of them across different accounts. What’s more: research shows we as humans are not very good at it. We make passwords that are easy to hack. We’re lazy about using different passwords for work and home. And yet, by and large, passwords are what we’ve relied upon to keep our information safe.
Consider just a few of these statistics:
- 60% of people reuse passwords across multiple sites on the regular
- 13% of people use the exact same password for all passworded accounts and devices
- More than 80% of data breaches are attributed to poor password security
- More than 60% of employees use the same password for work and home apps
- And the real kicker: more than 90% of participants surveyed said they understand the risk of password reuse … but 59% admitted to doing it anyway
Which begs the question: Is data security really a business problem? Or is it a consumer responsibility?
Big Tech’s Response to Consumer Password Issues
Honestly, the issue could be argued either way. Lucky for consumers, Big Tech is taking the brunt of the accountability. This past World Password Day, Google took the opportunity to announce a few developments designed to protect consumer data across devices. For instance, it’s moving toward two-step verification (2SV) for all Google accounts, with built-in security keys for Android and Google Smart Lock for iOS that allows phones to be used as a secondary form of authentication. This, in addition to an array of password managers and import programs to help keep users safe.
Apple, similarly, is working to help consumers keep their data safe, offering a “keychain” service that serves as an encrypted container that stores things like account names, passwords, credit card numbers, and account pins for Mac computers, apps, and websites. And obviously, its face recognition has helped improve security on iPhones specifically.
And, all of this is in addition to the security implemented by businesses like Target, Walmart, Amazon, etc. that are also working hard to keep customer data in line.
There is definitely a greater push to biometric, multi-factor authentication, stronger password requirements, and regular password updating coming from many companies. These are all positive steps that can significantly reduce the risk of hackers gaining access to accounts, even if they are somehow able to obtain sensitive data like password or credit card information. Adding at minimum two-factor authentication for services where highly sensitive data may live should really be a minimum requirement and companies should be aggressively pushing consumers toward utilizing it to keep their data as safe as possible.
So, Whose Issue Is It?
Companies could easily point to consumers’ refusal to create stronger passwords as a reason for the ongoing breach of content that costs companies billions each year. For instance, 59% of American’s use a person’s name or birthday in their passwords. Some 33% include a pet’s name. Clearly, it can’t be that difficult for hackers to guess based on information that is publicly available.
Still, as much as consumers can be blamed for lazy password practice, I do believe that the onus will always be on the part of companies to keep data safe. Why?
First of all, and most obviously, businesses are the ones making money from data that is stored online. It’s the company that wants their customer data to live and breathe on their website. It wants to make it as easy as possible for customers to buy more — and more often — on its website. Customers stand to lose if their data is breached. But he isn’t really gaining much besides a speedy checkout if it is kept safe.
Similarly, for the Big Tech companies: if they are going to create devices and applications that allow 24/7 connectivity, it is their responsibility to make that connectivity safe. When we purchase a new device or object—be it a car or a printer or a Peloton machine—don’t we all assume that item was proven to be safe? We need to believe that minds bigger than our own have already considered the potential dangers and come up with ways to thwart them.
Consumers simply don’t have access to things like SecOps and increased observability that big companies do to detect threats more quickly. They don’t have the ability to pay ransoms to get their data back. In fact, 55% of consumers believe the companies they deal with should pay a ransom to keep their data safe if the issue should arise.
As they say, using a password to keep your data safe is like using an old-fashioned lock to protect your home. These days, it just isn’t enough, and we all know that. Clearly, consumers can do better. We can do a better job of thinking of stronger passwords and playing an active role in the digital world in which we operate. But at the end of the day, it’s the businesses that make money from having us share our data online. And it’s the businesses that will need to play the greatest role in keeping that data safe.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
The original version of this article was first published on Forbes.