SecurityBrief New Zealand

Password hygiene in New Zealand: Statistics, standing and standpoints

By Matthew Lark
Wed 30 Mar 2022

If you’re over 60, you may have had some beloved millennial in your wider family harping on at you about changing your computer password from 123456 to something a little more obscure. The same tech-savvy youngster has probably prattled about finding all your banking passwords taped to the fridge, and you wish they would just stop laughing at “phluffeedog12”, the one you use for your Trade Me account, which you once used on your first Vic-20 desktop back in 1984.

But if you’re that bolshy millennial, you too have likely been scolded by a teacher or a post-modern parent about sharing your passwords on Instagram and Snapchat with people you don’t know but want to make into instantly likeable friends. You might also have had a parent or kindly aunt bail you out of losses incurred because a scammer has been using brute force or dictionary attacks to scrape the credentials out of your PC.

Wherever in life you are, your easy normality is now described in the contemporary technology lexicon as “poor password hygiene”. That’s right, you may well change socks and brush teeth every day without fail, but failing to change, adequately store and guard your passwords may confer on you a cyber stigma greater than any social ostracism that comes from a t-shirt worn for more than a day. 

For me, a technophobic, fifty-something digital migrant, password hygiene looks like a semantically incongruous fantasy straight out of a William Gibson novel. Yet it is now a widely authenticated concept of online safety, on which myriad kindly, sometimes proselytic articles have proliferated across the internet over the past decade. Like many cyber terms, it has a mysterious origin which no one can quite account for. It has crept into our vocabulary virtually unnoticed and, like many tech terms, it remains only partially dressed, in a ragged garb of incomplete, banal or abstruse definitions.

The most eloquent definition of password hygiene I could find comes from an article on SecurityScorecard.com, which states that: “Password hygiene is the practice of ensuring passwords are unique, difficult to guess, and hard to crack. It is the set of guidelines and principles that, when leveraged correctly, help keep your passwords protected from cybercriminals.”

You can find a plethora of “how to” guides on the net, but seldom can you find any statements on how “password hygienic” we Kiwis are, or how our state of hygiene compares with other countries. Answering these questions is not an easy task, and the root of the problem lies in two places: the international literature, and the gap between it and what is published within or about New Zealand.

Words around the world

In preparing this article, I read at least 25 studies on different aspects of password hygiene across 12 countries, published within the last 20 years. Many concentrate on the influence of age or gender on different password-related behaviours, while others look at business settings, or comparisons and contrasts of levels of password awareness, between industries. Drawing even intra-national conclusions, let alone inter-national ones, is like trying to compare stewed apples with fried oysters. The task becomes futile when one realises no single study asks exactly the same questions as another, few use large sample sizes and most treat very specific and narrow segments of their chosen national populations as samples.

Yet, some findings are instructive, especially those concerning different age-groups. A study of 142 students and staff at a small university in the United Arab Emirates, published in 2019, found half of those surveyed used the same password for multiple accounts. Students were more likely to re-use the same password and only 33% did so after being involved with the university for over 4 years. 

A 2018 study comparing the password hygiene of two different age-groups (45 undergraduate computer science students and 47 members of an online community of older adults) in the north-east of England warrants some scrutiny. It found 82.2% of students and 93.6% of the older adults re-used passwords across different accounts, while 80% of youngsters and 85.1% of older participants admitted to using variations of the same password over multiple accounts.

In this study 51.1% of young people share their passwords, while only 27.7% of older adults report doing so. Changing passwords is poorly attested, with 93.3% and 85.1% of younger and older participants, respectively, stating they change their passwords infrequently. Storing of passwords is one behaviour which showed a significant jump from younger to older participants, with 42.2% of youngsters and 90% of older respondents admitting to storing passwords in some way. Curiously, neither group made much use of password managers like LastPass, with only 28.8% of the students and 17% of the older respondents using this technology.

Only a handful of studies deal with age and gender together, and even fewer examine the elements germane to all hygiene behaviours, the strength of the password itself. A rare example came from Lithuania in 2021, and it took a truly unique perspective to examine password strength – that of the cybercriminal who hacks and cracks your passwords.

Using a leaked database of 110,302 user records from a car-share company, the authors recovered previously hashed passwords for 102,120 account-holders, or 92% of all users. They ran a suite of brute force and dictionary attacks, via a range of software tools, against this database and were able to match passwords to individual users, thereby determining users’ ages and genders. The authors recovered 91.5% of all males’ passwords from the entire database and 94.8% of passwords belonging to females.

This study reports that: “Males significantly had stronger passwords than females for all age groups. Males aged 26–45 were also significantly different from all other groups, and password complexity decreased with age for both genders equally. Overall, very weak password hygiene was observed, 72% of users based their password on a word or used a simple sequence of digits, and passwords of over 39% of users were found in word lists of previous leaks.”

The study found that males of all ages have stronger passwords than females, and concerningly, that females habitually use the weakest passwords.
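A defender-side check for the categories the Lithuanian study counts (a password built on a word, a simple digit sequence, a password present in an earlier leak, and re-use across accounts), written as an added example rather than code from the study or the article. The word list, the leak list and the sample accounts are small constructed stand-ins, and the 12-character minimum in `reject_reasons` is an assumption.

```python
import re
from collections import defaultdict

# Constructed stand-ins for this example: a real deployment would load a full
# dictionary and a breached-password corpus instead of these small sets.
COMMON_WORDS = {"password", "dragon", "monkey", "football",
                "welcome", "sunshine", "auckland"}
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "welcome1",
                    "football", "sunshine1"}

# Undo the usual digit/symbol-for-letter substitutions so that "p@ssw0rd"
# is still recognised as the word "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def is_word_based(pw: str) -> bool:
    """True when the password is a dictionary word plus leading/trailing
    decoration (digits, symbols) and/or leet substitutions inside the word."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET) in COMMON_WORDS


def is_digit_sequence(pw: str) -> bool:
    """True for all-digit passwords that are one repeated digit ("777777")
    or a run of consecutive digits either way ("123456", "654321")."""
    if not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}


def in_leak_list(pw: str) -> bool:
    """Exact match against the (constructed) prior-leak corpus."""
    return pw in LEAKED_PASSWORDS


def classify(pw: str) -> set:
    """Flags for one password, mirroring the study's categories."""
    flags = set()
    if is_word_based(pw):
        flags.add("word")
    if is_digit_sequence(pw):
        flags.add("digits")
    if in_leak_list(pw):
        flags.add("leaked")
    return flags


def reject_reasons(pw: str, min_length: int = 12) -> list:
    """Registration-time policy check: the reasons a proposed password should
    be refused. The 12-character floor is an assumption for this example."""
    reasons = sorted(classify(pw))
    if len(pw) < min_length:
        reasons.append("too-short")
    return reasons


def audit(accounts) -> dict:
    """Hygiene statistics over (user, service, password) records: share of
    passwords that are word-based or simple digit runs, share found in the
    leak list, and share of users re-using a password across services."""
    n = len(accounts)
    weak = sum(1 for _, _, pw in accounts if classify(pw) & {"word", "digits"})
    leaked = sum(1 for _, _, pw in accounts if in_leak_list(pw))
    per_user = defaultdict(list)
    for user, _, pw in accounts:
        per_user[user].append(pw)
    reusers = sum(1 for pws in per_user.values() if len(set(pws)) < len(pws))
    return {
        "accounts": n,
        "word_or_digits_pct": round(100 * weak / n, 1),
        "leaked_pct": round(100 * leaked / n, 1),
        "users": len(per_user),
        "reuse_pct": round(100 * reusers / len(per_user), 1),
    }


# Constructed sample records, not real data.
SAMPLE_ACCOUNTS = [
    ("ana", "shop", "123456"),
    ("ana", "mail", "123456"),
    ("ben", "shop", "p@ssw0rd"),
    ("ben", "bank", "Sunshine1!"),
    ("cat", "shop", "phluffeedog12"),
    ("cat", "mail", "phluffeedog12"),
    ("dan", "shop", "qwerty"),
    ("dan", "bank", "777777"),
    ("eve", "shop", "correct horse battery staple"),
    ("eve", "mail", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    for user, service, pw in SAMPLE_ACCOUNTS:
        print(f"{user:>4} {service:<5} {pw!r:<32} {sorted(classify(pw))}")
    print(audit(SAMPLE_ACCOUNTS))
```

Run against a real password store only at the point where plaintext is legitimately present (account creation or password change); stored credentials should be hashed and are not re-derived by this check.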

New Zealand data, what there is of it

The preceding section might have the reader hoping for similarly sophisticated, nuanced results from learned studies done in this country. But there simply aren’t any: no single study has been published in the same 15-year period on any sector of society or business within New Zealand. The fragmentary data that does exist comes from disparate and disjointed sources, and the recoverable statistics need only fill a few brief paragraphs.

In 2020, CERT NZ and Consumer Protection, both divisions of the Ministry of Business, Innovation and Employment, conducted two studies: one on online shopping; the other on cybersecurity in New Zealand firms. The shopping study found only 41% of Kiwis say they always make sure their passwords are distinct, long, and complex when signing up to new websites or online services. It found that few are likely to change their passwords or use a password manager.

The study of business security awareness found that 91% of 1009 respondents knew that keeping passwords long and strong was an effective safety precaution, while 86% understood that updating of operating systems was similarly useful. This study delved no further into password management behaviour of businesses.

Netsafe’s ‘State of the Online Nation’ report of 2021 makes only brief mention of password hygiene. The study found the most popular online safety measures adopted among its 808 respondents were updating passwords (64%) and reviewing and updating privacy and security settings (57%). Updating passwords was less preferred by males (59%) than by females (68%) as a security measure.

We find more comprehensive data in a Google New Zealand study of online habits, published in 2021. It found that 69% of Kiwis are not always taking deliberate steps to improve their online security, despite 30% admitting that they are aware they have had a password compromised or hacked and 20% having fallen victim to phishing or an online scam. 

The Google study found 13% of respondents have shared their password with a family member or friend, and a further 6% have texted or emailed it to someone. Just 26% use a password manager. Protection levels beyond the password were poorly understood by participants in this study, with 18% being unaware of two factor authentication, (the addition of app or text approval to access an account) and just 9% always using this layer of protection.

Only one study, by LastPass in 2018, actually measures New Zealanders’ password security against other countries. The firm created a benchmarking system using aggregated data from 43,000 companies across a large number of developed countries. It produced two descriptive scores, one for overall security, the other for password strength. It ranked these scores from 1 to 100 for each and found the average security strength score was a “fair” 52. Germany held the highest security score at 56, while New Zealand trailed near the bottom of the table at 42.

Our password strength score was a little better at 53, another “fair” result according to LastPass, but well behind Germany, which had the strongest score at 62.

LastPass also examined rates of adoption of multi-factor authentication. It found 63% of companies in its sample who used MFA were in the United States. Only 1% of the companies it examined in New Zealand were taking advantage of this newer form of protection.

And there it is, scattered, difficult to deduce from, but nonetheless, the lion’s share of all the current data on New Zealand password hygiene from all reputable sources.

Insights from educators

If raw quantitative data is lacking, perspectives on our password hygiene behaviours are easy to find amongst those who educate the public and deal with business security. 

The government lead on cybersecurity education is CERT NZ. Sam Leggett, one of its senior threat analysts, sees different rates of change in different social sectors.

“We have seen awareness of the need for strong passwords happening quickly on the business front due to implementation of business-wide security policies, such as two factor authentication and password managers. In terms of the public, CERT NZ still sees reports from those who, for various reasons, don’t understand how to create good passwords and maintain them. These are the people that we target through more accessible campaigns such as Cyber Smart Week,” Leggett remarks. 

CERT NZ launched a video and online education campaign in 2021 called ‘Password perfect’ and Leggett says this was meant to offer easily digestible information on improving password hygiene for public use.

“At the time of the campaign, the webpage had 6000 clicks and the YouTube video had over 112,000 views, which are good proxies for the number of people who received our advice,” Leggett says.

Netsafe is New Zealand’s most prominent non-government provider of preventive services and education for our online community. Its online safety operations centre manager, Sean Lyons, says his staff often find poor hygiene is the root of clients’ compromises and problems.

“People will lose control of their email or social media platform or another online system they rely on, that their ID is intrinsically pinned to. The most common way we see people losing that control of access is by straight social engineering of themselves to give away their passwords or by some brute force attempt on their platform itself where someone has tried to cobble together a password and gain access that way,” Lyons says. “While the password hygiene or password itself isn’t our primary interest, our focus is on ensuring the harm people experience is minimised and also trying to build their own strength and resilience around making sure it doesn’t happen again as well as trying to retrieve the situation for them.”

Lyons says pure sentiment is often a driver for the retention of old passwords for very long periods.

“Often people have become attached to their passwords; it's ‘their’ password,” he says. “The idea of investing mental capacity in coming up with some kind of scheme for themselves which involves more complex, or a wider range of passwords across platforms, is just too difficult in their minds.”

Moises Sanabria is identity security operations manager for Idcare, which assists victims of online identity fraud and theft, throughout Australasia. He says password hygiene and complexity of passwords are now better across New Zealand than they were historically.

“I think people in New Zealand are more aware of the importance of really good password strategy and implementing passwords that are difficult to penetrate. But there is still a lack of understanding and awareness of how one password compromise can lead to other account takeovers,” he observes. “People fail to join the dots and have that education and it has to come from outfits like CERT NZ from a higher level, which demystify basic concepts and through better campaigns for cyber hygiene which emphasise measures like 2-FA,” Sanabria says.

He doesn’t believe age or gender have any significant bearing on password hygiene among the clients he deals with, a notion shared by Sean Lyons of Netsafe. But he does believe New Zealand is well behind Australia in some key areas.

“Where New Zealand compares unfavourably to Australia is in the implementing of two factor authentication and the complexity of passwords, especially in small and medium-sized businesses,” he says. He also observes Australia has been quicker to adopt the use of password managers than New Zealand.

Targeting tricky sectors

Daniel Watson has been the owner and managing director of Auckland firm Vertech IT, since 2010. He’s an author and specialist provider of cybersecurity services to the finance and logistics sectors. He sees poor password hygiene in businesses daily but suggests one simple step may offer fast, tangible gains.

“Give them easy to use tools that actually make good password hygiene a doddle and then train them,” he urges. “A mediocre password management tool that has been schooled into the team such that active uptake & daily usage is high across the whole organisation is much better than one awesome tool that only the IT admin person uses.”

Watson uses a range of social media and software instruments to get into the heads of his commercial clients; some of these can be passively digested, where others require focused real time responses.

“I started pumping out weekly cybersecurity tip videos and publishing them on YouTube, Facebook, email and LinkedIn two years ago, to try to reach our clients and raise their situational awareness,” he comments.

“Alongside those we’ve added tools like IDagent’s Darkweb ID scan, to monitor our clients’ domains & principals’ home email addresses, to alert us if an account has been compromised. We also provide monthly online interaction training for a client’s entire staff plus we often send simulated test scams to keep their staff on their toes.”

Watson’s firm sets a baseline standard when dealing with clients who need better cybersecurity.

“We now have a minimum set of practices that we insist on for our clients including password management tools & enforcing multi-factor authentication,” he says. “We are becoming increasingly less tolerant of working for clients that don’t wish to meet us there. At the end of the day if we put in a partial solution and they get hit then we always get tarred for having failed them.”

Older people are often the subjects of myth and presumption where online activity is concerned. While the results reported in this article speak for seniors in other countries, no studies of their password hygiene have represented them at all here.

Heather Newell is the executive officer of SeniorNet, which trains older people through 50 learning centres around the country.

“Although passwords sound like a simple topic, for many attendees at SeniorNet’s Learning Centres, it’s either very boring or very scary,” Newell says. 

SeniorNet has developed 15 online learning sessions on password hygiene and online safety, and Heather Newell says her tutors work through a careful, gradual education process.

“We have a number of layers of learning; starting with an explanation of what long and strong actually means, through to managing your online privacy settings, using incognito and the pros and cons of password managers.”

She says her organisation has to grow confidence in its clients as part of teaching about all online safety and one problem is common to many. 

“One of the biggest fears we encounter is the fear of forgetting a password. We recommend that people use long sentences including letters, numbers and symbols and that they adopt two factor authentication. Simple hints and tips are introduced and repeated within our learning sessions,” Newell says. 

Heather Newell personally favours pass-phrases over passwords and makes them part of SeniorNet’s training. She finds many clients resist the idea of two factor authentication, largely because they don’t have their mobile phones with them 24 hours a day.

Password hygiene is certainly present and poignant for New Zealanders. All of those spoken to for this article see it as an ongoing challenge with evolving emphases and increasing influence on that elusive end goal of total online safety. It seems, from the scarcity of formal studies, and the consequent dearth of data, that much future public education and improvement of outcomes for Kiwis, may have to rely more on what we see and react to, than what we know with certainty.

Public Interest Journalism funded through NZ On Air.