SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Password hygiene in New Zealand: Statistics, standing and standpoints
Wed, 30th Mar 2022

If you're over 60, you may have had some beloved millennial in your wider family harping on at you about changing your computer password from 123456, to something a little more obscure. The same tech-savvy youngster has probably prattled about finding all your banking passwords taped to the fridge, and you wish they would just stop laughing at “phluffeedog12”, the one you use for your Trademe account, which you once used on your first Vic-20 desktop back in 1984.

But if you're that bolshy millennial, you too have likely been scolded by a teacher or a post-modern parent about sharing your passwords on Instagram and Snapchat with people you don't know but want to make into instantly likeable friends. You might also have had a parent or kindly aunt bail you out of losses incurred because a scammer has been using brute force or dictionary attacks to scrape the credentials out of your PC.

Wherever in life you are, your easy normality is now described in the contemporary technology lexicon as “poor password hygiene”. That's right, you may well change socks and brush teeth every day without fail, but failing to change, adequately store and guard your passwords may confer on you a cyber stigma greater than any social ostracism that comes from a t-shirt worn for more than a day.

For me, a technophobic, fifty-something, digital migrant, password hygiene looks like a semantically incongruous fantasy straight out of a William Gibson novel. Yet, it is now a widely authenticated concept of online safety on which myriad kindly, sometimes proselytic articles have proliferated across the internet over the past decade. Like many cyber terms, it has a mysterious origin which no one can quite account for. It has crept into our vocabulary virtually unnoticed and, like many tech terms, it remains only partially dressed, in a ragged garb of incomplete, banal or abstruse definitions.

The most eloquent definition of password hygiene I could find comes from an article on Securityscorecard.com which states that: “Password hygiene is the practice of ensuring passwords are unique, difficult to guess, and hard to crack. It is the set of guidelines and principles that, when leveraged correctly, help keep your passwords protected from cybercriminals.”

You can find a plethora of “how to” guides on the net, but seldom can you find any statements on how “password hygienic” we Kiwis are, or how our state of hygiene compares with other countries. Answering these questions is not an easy task, and the root of the problem lies in two places: the international literature, and the gap between it and what is published within or about New Zealand.

Words around the world

In preparing this article, I read at least 25 studies on different aspects of password hygiene across 12 countries, published within the last 20 years. Many concentrate on the influence of age or gender on different password-related behaviours, while others look at business settings, or comparisons and contrasts of levels of password awareness, between industries. Drawing even intra-national conclusions, let alone inter-national ones, is like trying to compare stewed apples with fried oysters. The task becomes futile when one realises no single study asks exactly the same questions as another, few use large sample sizes and most treat very specific and narrow segments of their chosen national populations as samples.

Yet, some findings are instructive, especially those concerning different age-groups. A study of 142 students and staff at a small university in the United Arab Emirates, published in 2019, found half of those surveyed used the same password for multiple accounts. Students were more likely to re-use the same password and only 33% did so after being involved with the university for over 4 years.

A 2018 study comparing the password hygiene of two different age-groups, (45 undergraduate computer science students and 47 from an online community of older adults), in the north-east of England, warrants some scrutiny. It found 82.2% of students and 93.6% of the older adults re-used passwords across different accounts while 80% of youngsters and 85.1% of older participants admitted to using variations of the same password over multiple accounts.

In this study 51.1% of young people share their passwords while only 27.7% of older adults report doing so. Changing passwords is poorly attested, with 93.3% and 85.1% of younger and older participants, respectively, stating they change their passwords infrequently. Storing of passwords is one behaviour which showed a significant jump from younger to older participants, with 42.2% of youngsters and 90% of older respondents admitting to storing passwords in some way. Curiously, neither group made much use of password managers like LastPass, with only 28.8% of the students and 17% of the older respondents using this technology.

Only a handful of studies deal with age and gender together, and even fewer examine the elements germane to all hygiene behaviours, the strength of the password itself. A rare example came from Lithuania in 2021, and it took a truly unique perspective to examine password strength – that of the cybercriminal who hacks and cracks your passwords.

Using a leaked database of 110,302 user records, from a car-share company, the authors recovered previously hashed passwords from 102,120 account-holders, or 92% of all users. They used a suite of brute force and dictionary attacks, via a range of software tools to attack this database and were able to match passwords to individual users, thereby determining users' ages and genders. The authors recovered 91.5% of all males' passwords from the entire database and 94.8% of passwords belonging to females.

This study reports that: “Males significantly had stronger passwords than females for all age groups. Males aged 26–45 were also significantly different from all other groups, and password complexity decreased with age for both genders equally. Overall, very weak password hygiene was observed, 72% of users based their password on a word or used a simple sequence of digits, and passwords of over 39% of users were found in word lists of previous leaks.”

The study found that males of all ages have stronger passwords than females, and concerningly, that females habitually use the weakest passwords.

New Zealand data, what there is of it

The preceding section might have the reader hoping for similarly sophisticated, nuanced results from learned studies done in this country. But there simply aren't any, with no single study published in the same 15-year period on any sector of society or business within New Zealand. What fragmentary data does exist comes from disparate and disjunctive sources, and the recoverable statistics need only fill a few brief paragraphs.

In 2020, CERT NZ and Consumer Protection, both divisions of the Ministry of Business, Innovation and Employment, conducted two studies: one on online shopping; the other on cybersecurity in New Zealand firms. The shopping study found only 41% of Kiwis say they always make sure their passwords are distinct, long, and complex when signing up to new websites or online services. It found that few are likely to change their passwords or use a password manager.

The study of business security awareness found that 91% of 1009 respondents knew that keeping passwords long and strong was an effective safety precaution, while 86% understood that updating of operating systems was similarly useful. This study delved no further into password management behaviour of businesses.

Netsafe's ‘State of the Online Nation’ report of 2021 makes only brief mention of password hygiene. The study found the most popular online safety measures adopted among its 808 respondents were updating passwords (64%) and reviewing and updating privacy and security settings (57%). Updating passwords was less preferred by males (59%) than by females (68%) as a security measure.

We find more comprehensive data in a Google New Zealand study of online habits, published in 2021. It found that 69% of Kiwis are not always taking deliberate steps to improve their online security, despite 30% admitting that they are aware they have had a password compromised or hacked and 20% having fallen victim to phishing or an online scam.

The Google study found 13% of respondents have shared their password with a family member or friend, and a further 6% have texted or emailed it to someone. Just 26% use a password manager. Protection levels beyond the password were poorly understood by participants in this study, with 18% being unaware of two factor authentication, (the addition of app or text approval to access an account) and just 9% always using this layer of protection.

Only one study, by LastPass, in 2018 actually measures New Zealanders' password security against other countries. The firm created a benchmarking system, using aggregated data from 43,000 companies over a large number of developed countries. It produced two descriptive scores, one for overall security, the other for password strength. It ranked these scores from 1 to 100 for each and found the average security strength score was a “fair” 52. Germany held the highest security score at 56 while New Zealand trailed near the bottom of the table at 42.

Our password strength score was a little better at 53, another “fair” result according to LastPass, but well behind Germany, which had the strongest score at 62.

LastPass also examined rates of adoption of multi-factor authentication. It found that 63% of the companies in its sample that used MFA were in the United States. Only 1% of the companies it examined in New Zealand were taking advantage of this newer form of protection.

And there it is, scattered, difficult to deduce from, but nonetheless, the lion's share of all the current data on New Zealand password hygiene from all reputable sources.

Insights from educators

If raw quantitative data is lacking, perspectives on our password hygiene behaviours are easy to find amongst those who educate the public and deal with business security.

The government lead on cybersecurity education is CERT NZ. Sam Leggett, one of its senior threat analysts, sees different rates of change in different social sectors.

“We have seen awareness of the need for strong passwords happening quickly on the business front due to implementation of business-wide security policies, such as two factor authentication and password managers. In terms of the public, CERT NZ still sees reports from those who, for various reasons, don't understand how to create good passwords and maintain them. These are the people that we target through more accessible campaigns such as Cyber Smart Week,” Leggett remarks.

CERT NZ launched a video and online education campaign in 2021 called ‘Password perfect’ and Leggett says this was meant to offer easily digestible information on improving password hygiene for public use.

“At the time of the campaign, the webpage had 6000 clicks and the YouTube video had over 112,000 views, which are good proxies for the number of people who received our advice,” Leggett says.

Netsafe is New Zealand's most prominent non-government provider of preventive services and education for our online community. Its online safety operations centre manager, Sean Lyons, says his staff often find poor hygiene is the root of clients' compromises and problems.

“People will lose control of their email or social media platform or another online system they rely on, that their ID is intrinsically pinned to. The most common way we see people losing that control of access is by straight social engineering of themselves to give away their passwords or by some brute force attempt on their platform itself where someone has tried to cobble together a password and gain access that way,” Lyons says. “While the password hygiene or password itself isn't our primary interest, our focus is on ensuring the harm people experience is minimised and also trying to build their own strength and resilience around making sure it doesn't happen again as well as trying to retrieve the situation for them.”

Lyons says pure sentiment is often a driver for the retention of old passwords for very long periods.

“Often people have become attached to their passwords; it's ‘their’ password,” he says. “The idea of investing mental capacity in coming up with some kind of scheme for themselves which involves more complex, or a wider range of passwords across platforms, is just too difficult in their minds.”

Moises Sanabria is identity security operations manager for Idcare, which assists victims of online identity fraud and theft, throughout Australasia. He says password hygiene and complexity of passwords are now better across New Zealand than they were historically.

“I think people in New Zealand are more aware of the importance of really good password strategy and implementing passwords that are difficult to penetrate. But there is still a lack of understanding and awareness of how one password compromise can lead to other account takeovers,” he observes. “People fail to join the dots and have that education and it has to come from outfits like CERT NZ from a higher level, which demystify basic concepts and through better campaigns for cyber hygiene which emphasise measures like 2-FA,” Sanabria says.

He doesn't believe age or gender have any significant bearing on password hygiene among the clients he deals with, a notion shared by Sean Lyons of Netsafe. But he does believe New Zealand is well behind Australia in some key areas.

“Where New Zealand compares unfavourably to Australia is in the implementing of two factor authentication and the complexity of passwords, especially in small and medium-sized businesses,” he says. He also observes Australia has been quicker to adopt the use of password managers than New Zealand.

Targeting tricky sectors

Daniel Watson has been the owner and managing director of Auckland firm Vertech IT, since 2010. He's an author and specialist provider of cybersecurity services to the finance and logistics sectors. He sees poor password hygiene in businesses daily but suggests one simple step may offer fast, tangible gains.

“Give them easy to use tools that actually make good password hygiene a doddle and then train them,” he urges. “A mediocre password management tool that has been schooled into the team such that active uptake - daily usage is high across the whole organisation is much better than one awesome tool that only the IT admin person uses.”

Watson uses a range of social media and software instruments to get into the heads of his commercial clients; some of these can be passively digested, where others require focused real time responses.

“I started pumping out weekly cybersecurity tip videos and publishing them on YouTube, Facebook, email and LinkedIn two years ago, to try to reach our clients and raise their situational awareness,” he comments.

“Alongside those we've added tools like IDagent's Darkweb ID scan, to monitor our clients' domains - principal's home email addresses, to alert us if an account has been compromised. We also provide monthly online interaction training for a client's entire staff plus we often send simulated test scams to keep their staff on their toes.”

Watson's firm sets a baseline standard when dealing with clients who need better cybersecurity.

“We now have a minimum set of practices that we insist on for our clients including password management tools - enforcing multi-factor authentication,” he says. “We are becoming increasingly less tolerant of working for clients that don't wish to meet us there. At the end of the day if we put in a partial solution and they get hit then we always get tarred for having failed them.”

Older people are often the subjects of myth and presumption where online activity is concerned. While the results reported in this article speak for seniors in other countries, no studies of their password hygiene have represented them at all here.

Heather Newell is the executive officer of SeniorNet, which trains older people through 50 learning centres around the country.

“Although passwords sound like a simple topic, for many attendees at SeniorNet's Learning Centres, it's either very boring or very scary,” Newell says.

SeniorNet has developed 15 online learning sessions on password hygiene and online safety, and Heather Newell says her tutors work through a careful, gradual education process.

“We have a number of layers of learning; starting with an explanation of what long and strong actually means, through to managing your online privacy settings, using incognito and the pros and cons of password managers.”

She says her organisation has to grow confidence in its clients as part of teaching about all online safety, and one problem is common to many.

“One of the biggest fears we encounter is the fear of forgetting a password. We recommend that people use long sentences including letters, numbers and symbols and that they adopt two factor authentication. Simple hints and tips are introduced and repeated within our learning sessions,” Newell says.

Heather Newell personally favours pass-phrases over passwords and makes them part of SeniorNet's training. She finds many clients resist the idea of two factor authentication, largely because they don't have their mobile phones with them 24 hours a day.
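As an added example, not code from the article or from any of the organisations quoted in it, the following Python routine applies the hygiene checks the article keeps returning to on the defender's side of the fence: the Lithuanian study's two weak categories (a password based on a single word, or a simple sequence of digits) and its check against word lists from previous leaks, plus the length and letters/numbers/symbols mix that SeniorNet recommends. It also summarises a batch of passwords the way the Lithuanian study reports its figures, which is the check a service operator would run over a candidate-password stream. The dictionary, the leaked-password list and the sample passwords are tiny constructed stand-ins (the only real value is the article's own “phluffeedog12”); a real screen would be backed by a breached-password corpus and a proper word list.

```python
import re
import string

# Constructed stand-in for "word lists of previous leaks"; a real screen
# would consult a breached-password corpus instead of this hypothetical set.
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "phluffeedog12", "letmein"}

# Constructed stand-in for a dictionary word list (hypothetical values).
DICTIONARY_WORDS = {"summer", "dragon", "welcome", "auckland", "monkey", "password"}

# Minimum length for a pass-phrase style password (a policy choice, assumed here).
MIN_LENGTH = 14

# Common letter-for-symbol substitutions, undone before the dictionary lookup.
LEET_TABLE = str.maketrans("0134$@", "oleasa")


def is_simple_digit_sequence(pw: str) -> bool:
    """True for all-digit passwords that are one repeated digit or a
    strictly ascending/descending run, e.g. 123456, 111111, 987654."""
    if not pw.isdigit():
        return False
    if len(set(pw)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_word_based(pw: str) -> bool:
    """True when the password is a single dictionary word, possibly wrapped
    in leading/trailing digits or symbols (Summer2022!) or written in
    leetspeak (Dr4gon)."""
    core = re.sub(r"^[\d\W_]*|[\d\W_]*$", "", pw).lower()
    return core in DICTIONARY_WORDS or core.translate(LEET_TABLE) in DICTIONARY_WORDS


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, symbol/space appear in the password."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c.isspace() for c in pw),
    ])


def screen_password(pw: str) -> list:
    """Return the list of hygiene failures for a candidate password.
    An empty list means the candidate passes every check."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if pw.lower() in LEAKED_PASSWORDS:
        failures.append("found in leaked list")
    if is_simple_digit_sequence(pw):
        failures.append("simple digit sequence")
    if is_word_based(pw):
        failures.append("based on a single dictionary word")
    if character_classes(pw) < 3:
        failures.append("fewer than three character classes")
    return failures


def hygiene_report(passwords: list) -> dict:
    """Summarise a batch the way the Lithuanian study does: the share that are
    word- or digit-sequence-based, and the share found in the leaked list."""
    n = len(passwords)
    weak = sum(1 for p in passwords if is_word_based(p) or is_simple_digit_sequence(p))
    leaked = sum(1 for p in passwords if p.lower() in LEAKED_PASSWORDS)
    return {"word_or_digit_based": weak / n, "in_leaked_list": leaked / n}


# Constructed sample batch; "phluffeedog12" is the article's own example.
SAMPLE_PASSWORDS = [
    "123456",
    "Summer2022!",
    "phluffeedog12",
    "Dr4gon",
    "my fridge hums at 3am every winter!",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {screen_password(pw) or 'ok'}")
    print(hygiene_report(SAMPLE_PASSWORDS))
```

The two word-list lookups are the checks that matter most in practice: the study above found 72% of users in a single-word or digit-sequence category and 39% in earlier leak lists, and both categories are cheap to reject at sign-up before a brute-force or dictionary attempt ever reaches them.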

Password hygiene is certainly present and poignant for New Zealanders. All of those spoken to for this article see it as an ongoing challenge with evolving emphases and increasing influence on that elusive end goal of total online safety. It seems, from the scarcity of formal studies, and the consequent dearth of data, that much future public education and improvement of outcomes for Kiwis, may have to rely more on what we see and react to, than what we know with certainty.