Chris Ensor, deputy director for cyber skills and growth at the National Cyber Security Centre (NCSC), said the organisation is trying to change the “doctrine around passwords” and urging people and businesses to move away from making them “totally unmemorable”.
“It’s still going on, despite everyone saying ‘oh it’s a stupid thing to do’, but it kind of still goes on,” he explained at the Kent Cyber Security Forum, standing in front of a list of main offenders such as 123456 and qwerty.
“We’re trying to change how security is being done, but from an evidence-based perspective.
“We’re trying to bring some pragmatism to the whole approach to security, because if you enforce too many passwords on users, many just can’t do it.
“Use a password manager, because it does actually help, and it is better than trying to get people to remember lots of passwords.”
Mr Ensor also admitted to re-using passwords on websites he has “some confidence in”, despite caution of the risks.
“People re-use their passwords all over the place, on sites where, at the end of the day, you have no idea whether they’re going to look after the password or not,” he added.
The survey by NCSC – which is part of GCHQ – found that many British internet users did not know the best ways to protect themselves from cyber crime, with only 15% saying they knew “a great deal” about how to protect themselves from harmful activity online.
“Unfortunately, we are at the point with some security where people feel quite overwhelmed, there’s lots of rules, there’s lots of things they’re supposed to do, sometimes the advice is contradictory and one thing people really struggle with is security fatigue,” said Dr Jessica Barker, co-founder of cyber security firm Cygenta, who also spoke at the event held at the University of Kent in Canterbury.
“They feel like, ‘there are so many hacks out there, there’s so many things happening, I have so many accounts to secure, how am I supposed to manage it?’
“For me, this is one of the biggest arguments in favour of a password manager because when people have 20, 30 more online accounts to secure, trying to tell them to have a unique, secure password for each one, that’s just not humanly possible, whereas a password manager takes away that burden.
“But the attackers are really looking to take advantage of this, if we’re all using weak passwords and we’re re-using them everywhere, then our fatigue over that is an absolute gift.”