Survey highlights risky online password strategy

File picture: Pawel Kopczynski, Reuters

Published Apr 29, 2015

Cape Town – Online users must rethink their online password strategy – or they may expose themselves to cyber crime.

Only one in every five local computer users actually regularly changes their passwords, even though most are aware that they should do so. This is according to Professor Rika Butler, of the School of Accountancy at Stellenbosch University, and Martin Butler, of the University of Stellenbosch Business School, who analysed an online survey investigating South Africans’ password practices.

Rika told the Cape Times yesterday a questionnaire was distributed as part of a survey aimed at determining the practice of South African online users when it comes to password knowledge and security.

The survey was completed by more than 900 South African online users. It highlighted a marked difference between users’ perception, their actual knowledge about password safety and what happens in reality.

It showed that although 70 percent of South African computer users are aware that they should regularly change their passwords, alarmingly only 23 percent actually do so. In addition, local computer users rate convenience as being more important than actual online safety when choosing new passwords.

The survey is also the first to show that South African online consumers are generally overoptimistic about what they know about cybersecurity. “South Africans overestimate their ability to behave securely in an online environment,” say the Butlers.

Further findings:

* Sixty-five percent of users are not sure what a “strong” (and safe) password is.

* Only 11 percent of users can distinguish between more and less secure passwords.

* Even though 75 percent of users believe they employ safe password practices, only 50 percent in fact do so.

* Not hearing about security breaches, or being on the receiving end of one, results in a password change.

Users employ weak password practices such as:

* Using information that is meaningful or can be associated with the user.

* Not using a combination of upper- and lower-case alphabetical and numerical characters.

* Reusing passwords.

* Using a password for more than one purpose.

* Sharing passwords.

* Writing down passwords.

* Keeping passwords in electronic lists that are not password-protected.

“Failing to be password savvy could result in frustration, embarrassment and even financial losses,” says Rika.

It was also found that certain users lack security-related knowledge, while others often overestimate their password abilities or underestimate their vulnerability.

“Online users often apply unsafe practices because they suffer from ‘password overload’ stemming from the need to authenticate themselves online in so many spheres of their lives,” says Martin. “They then choose convenience above safety.”

The two academics are now preparing recommended guidelines that South Africans can use to ensure a safer online experience.

What to do:

* Vary the complexity of a password to match the purpose of the password. Choose more secure passwords for higher-risk sites, such as for internet banking.

* Use passphrases that are longer and easier to remember. A passphrase includes words (or phrases) and numbers, both upper- and lower-case letters and special characters (for example, Iamthe#1passwOrdcreatOr).

* Become more informed, vigilant and aware of the risks and vulnerabilities when interacting via the internet.

* Pay attention to security indicators and warnings presented by computer systems.

According to the research, the following three factors should influence users’ password behaviour:

* Knowledge about good password creation and management practices.

* The ability to adequately apply that knowledge when creating and using passwords.

* The motivation to use secure passwords, rather than apply convenience.
