The number of online accounts compromised by hackers is now in the trillions — enough, perhaps, to make even technophobes think hard about the security of their passwords. Indeed, many are — especially older Americans, a new survey shows.
Start with the now-familiar advice to avoid reusing the same password across important accounts such as email, banking and social media. A new poll from The Associated Press-NORC Center for Public Affairs Research finds that 41 percent of Americans say they use unique passwords for most or all online services. Just a third of adults under age 45 do so, however, compared to about half their elders.
Anyone who reuses a password increases their chances of falling victim to data theft — a serious risk given such major breaches as the hacks that compromised three billion Yahoo accounts in 2013. Hackers often test big batches of passwords stolen in one breach against other potentially sensitive accounts, a practice called "credential stuffing."
Older Americans are also more likely to commit their passwords to paper, the poll found. Fifty-six percent of people aged 60 and older do so, compared to 20 percent of the under-30 crowd. If kept away from prying eyes, written passwords are generally considered a good idea.
"I don't use the same password for any two sites," said Stephanie Harris, a 61-year-old retired warehouse manager in Sacramento, California. She shops and banks on the internet and chooses her passwords from "things I like to do, things I like to eat. Never anybody's name because I'm not into that. If I see something really cool, then I'll make it a password."
Harris said she changes her passwords often and uses from eight to 12 characters, sometimes including numbers and symbols.
The AP-NORC poll found 32 percent of 1,047 respondents use a single password most of the time. That was a bit less than the 39 percent who told the Pew Research Center last year that most of their passwords were the same or similar.
Inadequate attention to password security has helped fuel an epidemic of cybercrime. A Verizon report published last year on hacking-related data breaches said 81 percent involved weak, reused or stolen credentials — up from 63 percent the previous year.
It doesn't help that the experts themselves haven't been consistent with their advice.
The National Institute of Standards and Technology revised its best password practices last year. The new guidelines run counter to the information-security gospel that persists in much of the corporate world — namely, that passwords should change frequently and must contain both uppercase and lowercase letters with required symbols and numbers.
NIST said such requirements often yield less secure passwords. The author of the original recommendations now regrets them.
Password managers — programs that can store your passwords securely, generate new random passwords and often even fill them in on login pages — are also gradually becoming more popular. Thirteen percent of respondents to the AP-NORC poll said they use them.
Mike Rodriguez of Port St. Lucie, Florida, is not one of them.
"I don't trust them," said the 50-year-old maintenance engineer, who says he only has four online accounts he uses regularly, including Facebook and banking. Rodriguez said he never saves credit card or other financial information to any online business.
Rodriguez was one of 18 percent of respondents who said they use unique passwords for all their online accounts. He uses a simple method for creating them, which he didn't appear to mind sharing with a reporter.
Suffice to say it involves demographic details of various people he's known.
The AP-NORC poll was conducted April 11-16 using a sample drawn from NORC's probability-based AmeriSpeak Panel, which is designed to be representative of the U.S. population. The margin of sampling error for all respondents is plus or minus 4 percentage points.