Americans and Cybersecurity
2. Password management and mobile security
Individuals play a critical role in their own digital security. The weak link in many personal data breaches can be traced back to an overly simple password, an out-of-date smartphone app with missing security patches or the use of an unfamiliar Wi-Fi network. Cybersecurity experts generally recommend a number of steps for users to take in order to reduce their exposure to data theft, such as using a different, complex password for each account; not sharing passwords with others; using some sort of security feature on their smartphones; and always updating their smartphones’ apps and operating system to ensure that they have the latest security updates. Although many Americans are utilizing at least some of these steps, this survey finds that less-than-optimum cybersecurity habits are widespread.
Most Americans use memorization or pen and paper as their primary method of keeping track of their online passwords
For average users, creating and storing passwords to their various online accounts is their primary interaction with the world of cybersecurity. Passwords are the first line of defense against unauthorized access to user data, and people’s password habits – such as how they manage their passwords, or whether they use passwords that are simple or complex – directly impact their overall security. Many security professionals recommend password management software as the best way to create and store complex passwords. But this survey finds that the vast majority of Americans keep track of their passwords using much more traditional methods – specifically, by memorizing them or by writing them down on a piece of paper.
When asked about different ways they might keep track of their online passwords, fully 86% of internet users report that they keep track of them in their heads. Indeed, 65% report that memorization is the method they rely on the most (or is the only method they use) to keep track of their passwords. Around half of online adults (49%) say they keep the passwords to at least some of their online accounts written down on a piece of paper – with 18% saying that this is the method they rely on most heavily. In total, just over eight-in-ten online adults (84%) say that they primarily keep track of their passwords by either memorizing them or writing them down.
Other approaches to password management are far less common. Roughly one-quarter (24%) of online adults keep track of their passwords in a digital note or document on one of their devices (6% say this is the approach they rely on most), while 18% say that they save them using the built-in password saving feature available in most modern browsers (with 2% saying they rely on this technique the most). Most experts agree that saving passwords in browsers is OK if the passwords are unique to each site, however they also agree that password management software outside the browser is preferable. Meanwhile, just 12% of online adults say that they ever use password management software to keep track of their passwords – and only 3% rely on this technique as their primary method for storing passwords.
There are relatively few demographic differences when it comes to how internet users keep track of their passwords. Within every major demographic group, a majority says that memorization is the password management technique they rely on the most – and the differences that do exist on this subject tend to be relatively modest. For instance, those under the age of 50 are more likely than those ages 50 and older to primarily memorize their online passwords (72% vs. 55%), while older users are more likely to say they primarily write their passwords down on a piece of paper (27% vs. 13%). But otherwise, users of all ages manage their online passwords using largely similar approaches.
In addition, the approach to managing password that is most recommended by security professionals – password management software – is used relatively rarely across a wide range of demographic groups. College graduates tend to rely more heavily on these programs than most, but even among this “high usage” group, only 17% use these programs at all – and just 7% indicate that they use them as the sole or primary method for managing their passwords.
Interestingly, users’ personal experiences with data theft are not highly correlated with the steps they take to manage and track their online passwords. Among those who have experienced some type of personal data theft or breach, nearly two-thirds (63%) say that they primarily keep track of their passwords in their head. And although 15% of these users indicate that they use password management software for some of their passwords, just 4% say this is the technique they rely on the most.
52% of online adults have used two-factor authentication on their online accounts – but a substantial minority use similar passwords across many sites or share passwords with others
Beyond using password management software, cybersecurity experts recommend a number of other “best practices” to users. These include not using the same passwords across multiple accounts, as well as refraining from sharing passwords with others. When asked about their own behaviors in this regard, a majority of online adults (57%) report that they vary their passwords across their online accounts. However, a substantial minority (39%) indicate that most of their passwords are the same or very similar to one another. In addition, a sizeable minority of online adults (41%) have shared the password to one of their online accounts with friends or family members.
Those under the age of 50 are especially likely to indicate that their online passwords are very similar to one another: 45% of internet users ages 18 to 49 say this, compared with 32% of those ages 50 and older. And younger adults are especially likely to share their passwords with others: 56% of 18- to 29-year-old internet users have done so.
Many sites rely on individuals to choose strong passwords as the first line of defense for their online accounts, but there are other technologies that aim to improve – or in some cases replace –the password itself. The first of these techniques is known as “multifactor” or “two-factor” authentication. The “factors” are typically something the user knows (such as a password) plus something the user possesses (like a code sent to their smartphone). Nearly half of internet users (52%) say that they use this type of multifactor authentication on at least one of their online accounts.
The second of these techniques involves using one’s credentials from another site – often a social media platform such as Facebook – to log in to a third party site. Some 39% of social media users say they have logged into another website using the credentials from their social media accounts. Among social media users ages 18 to 29, more than half (56%) have done so.
A substantial minority of online Americans find password management to be a challenge and source of worry
For a relatively substantial minority of online Americans, password management can be a stressful and uncertain process. The survey asked several questions about people’s attitudes and concerns about passwords and found that 30% of online adults worry about the overall security of their online passwords, while 25% sometimes use passwords that are less secure than they’d like because remembering more complex passwords is too difficult. For the most part, these behaviors are relatively consistent across different demographic groups.
In addition, 39% of internet users report that they simply find it challenging to keep up with all of the passwords to their various online accounts. This is relatively common among those in their early 30s through mid-60s: 44% of online adults ages 30 to 64 say they have a hard time keeping track of their passwords, compared with 33% of those ages 18 to 29 and 30% of those 65 and older.
This 39% of the online population that has a hard time keeping track of passwords also expresses concerns about password management in other concrete ways. Compared with the 60% of online adults who do not express difficulties keeping up with their passwords, this “password challenged” group is more likely to …
- Use the same or similar passwords across many different sites (45% vs. 36%)
- Worry about the security of their passwords (44% vs. 22%)
- Use simple passwords rather than complex ones (41% vs. 14%)
These “password challenged” individuals are also more likely to keep track of their passwords by writing them down on a piece of paper (56% vs. 44%), saving them in a digital note (31% vs. 20%), or by saving them in their internet browser (25% vs. 13%).
More than one-quarter of smartphone owners do not use a screen lock, and many fail to regularly update the apps or operating system on their phones
As smartphones have become increasingly prevalent – and as users engage in a wide range of sensitive behaviors on their phones – these devices have become the latest front in the battle over digital security. In general, smartphones can be compromised in two ways. The first is by gaining possession of the physical phone itself, and security experts recommend the use of a screen lock feature to prevent someone from accessing the contents of a smartphone that falls into the wrong hands. When smartphone owners were asked if they use some form of screen lock on their phones, around one-quarter (28%) reported that they do not.
Those smartphone owners who do utilize a screen lock take a wide range of approaches, with numeric PIN codes (used by 25% of smartphone owners) and thumbprint scanners (23%) being the most common. A smaller share uses passwords containing letters, numbers, or symbols (9%), or a connecting pattern of dots (9%).
An especially large share of smartphone owners ages 65 and older (39%) say their devices do not have a lock screen, but it is not uncommon for younger smartphone owners to skip this security step either. Some 28% of smartphone owners ages 18 to 29, 24% of those ages 30 to 49, and 30% of those ages 50 to 64 indicate that their phones do not have any type of screen lock.
Those with lower levels of educational attainment are also relatively likely to forego using a screen lock on their smartphones. Some 80% of smartphone owners with college degrees indicate that they use a screen lock on their phones, but that share falls to 66% among those who have high school diplomas or less.
A second way that smartphones can be compromised is through software security flaws – either those that exist in the apps on users’ phones or in the smartphone operating system itself. To prevent this, security experts encourage users to regularly and promptly install updates for their apps and operating system, since these updates often contain important security patches.
But these survey findings indicate that many smartphone owners are slow to update their phones and the apps that come with them – and that in some cases, users are skipping these steps entirely. When it comes to the apps on their mobile devices, around half of smartphone owners indicate that they set them to update automatically (32%) or that they update them manually as soon as a new version is available (16%). However, a comparable share reports that they only update their apps when it happens to be convenient for them (38%) or that they never update the apps on their phones (10%).
Smartphone owners are similarly divided when it comes to updating the actual operating system on their devices. Some 42% of smartphone owners say that they typically update their operating system as soon as a new version is available, but more than half say that they only update their operating system when it is convenient (42%) or that they never update their phones (14%).
As was the case with screen locks, older smartphone owners tend to update their phones much less consistently than younger users. Some 21% of smartphone owners ages 65 and older say they never update their smartphone apps, while 23% say they never update their operating system. By contrast, just 6% of 18- to 29-year-old smartphone owners never update their apps – indeed, 48% of younger users say they set them to update automatically as they are available – and 13% of these younger users never update their operating system.
Anti-virus software is commonplace on desktop and laptop computers, and the same type of software can be installed on smartphones: 32% of smartphone owners report installing some sort of anti-virus software on their devices.
Just over half of internet users utilize public Wi-Fi networks, including for tasks like online banking or e-commerce
Along with users’ passwords and the physical devices they carry, the networks their devices are connected to offer an additional avenue for potential cyberattacks. Public Wi-Fi networks (such as those in cafes, libraries or other public spaces) are an especially common target for hackers. The mechanics behind these attacks vary2, and not all public networks are inherently insecure. But in general, security experts recommend that users refrain from performing sensitive activities (such as banking or financial transactions) on public or otherwise unfamiliar Wi-Fi networks.
When asked about their use of public Wi-Fi networks, just over half of internet users (54%) report that they do access Wi-Fi networks in public places. Younger adults are especially likely to do this: 69% of internet users ages 18 to 29 use public Wi-Fi, compared with 54% of those ages 30 to 49, 51% of those ages 50 to 64 and 33% of those 65 and older.
And when asked about some online activities they might engage in while connected to public Wi-Fi networks, most of these users indicate that they have gone online to access their social media accounts (66% of public Wi-Fi users have done this) or to check email (71%). However, around one-in-five of these users have used public Wi-Fi for more sensitive transactions such as online shopping (21%) or banking or other financial transactions (20%).
- One approach involves hackers reading all of the information being transmitted on an unsecured Wi-Fi network. In a second approach, hackers can create malicious Wi-Fi networks that appear legitimate to unsuspecting users. ↩