October 1, 2024
Study: Password Practices Remain Poor
PC Matic
Most computer users practice poor password security, and many working in IT and security would not recognize a phishing attempt.

By Rich Heidorn Jr.

Despite nearly daily news of cyber breaches, most computer users practice poor password security, and many people working in information technology and security would not recognize a phishing attempt if they saw one. Those are some of the disturbing takeaways from a survey of 5,000 people released last week by antivirus provider PC Matic.

“Passwords are one of the weakest links when it comes to cybersecurity, yet the importance of proper password management continues to be minimized,” PC Matic said.

More than 80% of the respondents indicated they use passwords they have memorized (55%) or written down (26%), with only 19% reporting use of a password manager. About half said they change their passwords only when they are forced to do so, which means many keep using passwords that may already have been exposed in data breaches.

[Chart] More than 80% of the survey respondents indicated they use passwords they have memorized or written down, with only 19% reporting use of a password manager. | PC Matic

“Over 55% of businesses require employees to change their passwords fewer than two times annually,” the company said. “Even more alarming, over 20% of government employee respondents reported never changing their passwords.”

In addition, 20% of respondents said they use the same passwords for work and personal accounts. “Therefore, if these individuals fall victim to a data breach, the risk spills onto their employers, as the passwords those employees are using are now on the dark web,” PC Matic said. “The majority of respondents who reported using the same passwords for both personal and work purposes were 18-29 years old, nearly doubling the percentages of other age groups.”

Almost half of those surveyed said they access their personal email accounts through corporate networks. “This may not be an issue if the personal email accounts are completely secure and the employee does not click on any malicious links or open a malicious email while connected to the company’s network,” PC Matic said. “However, how likely is that to occur?”

The survey found 69% of respondents have seen a phishing email, but that more than 16% were unaware of this threat. One-quarter of respondents who were unaware of phishing reported their employment was directly related to IT and security. “Alarming?” asked PC Matic. “Very.”

More than 64% of respondents reported using two-factor authentication at work, home or both, while 14% said they were unaware of the concept.

PC Matic said companies should enable two-factor authentication and use virtual private networks, which encrypt traffic between an employee's device and the company network over the internet. It said companies should require employees to update their passwords every six weeks, prohibit reuse of previous passwords, enforce a minimum password strength and offer employees a password vault.

Users changing their passwords regularly will have some protection even if their vault is hacked, the company said. “It takes time for hackers to sell data on the dark web. Therefore, by the time it is actually sold, the passwords will be useless because users would have already updated them.”
