67 Percent of Internet Users Haven’t Changed Passwords After Heartbleed
April 29, 2014 by Daniel Humphries
When news of the Heartbleed security bug broke in early April, it seemed as though the Internet security apocalypse had arrived. Esteemed IT security guru Bruce Schneier declared the bug “catastrophic” before channeling Spinal Tap with the statement, “On the scale of 1 to 10, this is an 11.”
The New York Times reported that “up to two thirds” of websites could be affected, including widely used and trafficked sites like Gmail, Facebook, Yahoo and Tumblr. Suddenly the Internet was full of experts and journalists dispensing advice and analysis.
Here at Software Advice, we wanted to know: after all the news coverage, are people actually taking Heartbleed seriously? How many have done as the experts advised and changed their passwords? What have businesses done to educate their employees? We surveyed 3,000 people in the U.S. to learn the answers to these questions and more. The survey included six questions, each of which was seen by at least 500 unique respondents. Here’s what we found.
- Only half of all respondents know what Heartbleed is, with the 18-24 age group being the least informed of all.
- Two thirds of respondents haven’t changed a single password to protect any of their accounts.
- Many employers are indifferent and/or uninformed—over 75 percent of respondents say they’ve received no advice about Heartbleed in the workplace.
Catastrophe? What Catastrophe?
So, what percentage of the public is actually aware that we’re in the midst of an Internet security crisis? To begin, we asked respondents to identify what Heartbleed is by picking from a range of five options (none of which were too difficult).
And yet, even though the survey was conducted online—meaning everybody who answered has Internet access, and was thus likely confronted with news headlines about the bug on numerous occasions—the degree of ignorance revealed in the results was startling: only 53 percent of respondents made the right choice.
“Heartbleed” has been in the news a lot lately. It is:
When we dug deeper into the data, we found that the worst informed group was also the youngest—and allegedly most tech-savvy. Only 37 percent of 18- to 24-year-olds picked the correct answer:
*Denotes an option offered in the survey, but not selected by any respondents.
By contrast, respondents in the 65+ age group (many of whom were already middle aged when Tim Berners-Lee invented the World Wide Web) were better informed, with 39 percent selecting the correct answer.
Of course, this may reflect not so much a lack of technical awareness but rather a lack of interest in the news in the younger age group, many of whom are presumably too busy posting selfies on social media to worry about an Internet catastrophe. Regardless, it’s startling that a generation raised on the Internet is the least informed about its safety.
A Significant Majority Didn’t Change a Single Password
Next, we asked about the specific actions respondents took in the aftermath of Heartbleed to protect their personal data from exposure. Most of the advice in the media focused on password security and website vulnerability scanning tools, so we designed our questions with those security steps in mind.
We first asked respondents which passwords they had changed on various types of websites, from email to e-commerce. Given the high degree of ignorance about the Heartbleed vulnerability exposed in question one, it wasn’t surprising to discover that 67 percent of people surveyed had done precisely nothing to secure any of their accounts.
After the Heartbleed Internet bug was exposed, did you change your password(s) for any of the following types of accounts?
It was alarming to see that only 19 percent of respondents had changed their email passwords, even though popular providers such as Gmail and Yahoo were affected by the bug.
On the other hand, many banks and large retailers such as WalMart and eBay stated publicly that their systems were not affected by Heartbleed, and so the fact that only 18 percent of respondents said they had changed the passwords on their financial accounts may be less of a cause for concern.
That said, given the limited level of Heartbleed awareness revealed by the first question, it seems likely that the banking and shopping percentages are as low as they are due to indifference and ignorance of the problem, rather than a sudden outburst of enthusiastic research into the state of the American banking system.
And of course, if customers are reusing passwords (as many do) from affected accounts on unaffected accounts, they’re still at risk.
Website Scanning Tools Were Largely Neglected
People use passwords all the time, but most aren’t accustomed to scanning the websites they visit for vulnerabilities. As such, it was less surprising to learn that the various online website scanning tools provided by Google, McAfee and others completely passed 77 percent of respondents by.
After the Heartbleed bug was exposed, scanning tools were offered online to check website vulnerability. Did you use them?
Meanwhile, 10 percent of respondents said they checked “important” sites, while a hardcore 6 percent checked every site they visited. In short, approximately 16 percent of respondents made effective use of these tools—a figure close to the 19 percent who changed the passwords on their email accounts.
So, does this 16 percent figure represent the percentage of people who take their online security seriously? Perhaps. We next asked about the adoption of specific enhanced security measures, such as password managers or enabling two factor authentication (both steps recommended by experts and journalists in multiple articles relating to Heartbleed).
We found that the number of people taking proactive steps to enhance their security mapped closely to the 16 percent who had used scanning tools. Presented with a range of enhanced security measures, 15 percent replied with, “I already used at least one of these.”
On the other end, 71 percent of respondents didn’t use any of these measures—which at this point comes as little surprise.
After hearing about the Heartbleed bug, which of the following security tools did you start using?
Employers Are Complacent, Putting Data at Risk
Perhaps the most alarming results of our survey were those we received when we asked respondents which passwords their employers had asked them to change. Even for such a heavily used service as email, only 13 percent replied that their employers had advised them to make changes, while 77 percent said they had received no advice about any of the accounts we listed:
After the Heartbleed bug was exposed, which of the following types of accounts did your employer advise you to change?
Of course, while some of the account types listed above are more relevant for work than others, there’s no reason for employers to be complacent. That is, unless they believe employees never do personal things on work computers, in which case they have more serious issues than Heartbleed to worry about.
This employer complacency—or perhaps ignorance—is all the more unfortunate because, when asked what they would do if their employer asked them to change passwords, 50 percent of respondents said they would do as requested.
If your employer asked you to change any passwords after hearing about the Heartbleed security bug, would you?
Given that half of respondents don’t even know what Heartbleed is, it’s plausible to assume that at least a portion of the 31 percent who answered “I’m not sure” did so because they’re similarly uninformed. With more information, and perhaps better education from their employers, the 50 percent willing to change their passwords upon request may well have been higher.
So, what have we learned? There’s a shockingly mediocre level of public awareness about Heartbleed, and the widespread apathy (and/or ignorance) about how to protect personal data is leaving the majority of computer users exposed to risk.
Even a huge news story apparently cannot make people change their habits: we launched this survey soon after Healthcare.gov went public with its recommendation that account holders change their passwords.
Most alarming, however, is the degree of complacency among employers, especially in light of the fact that 50 percent of respondents would change their passwords if asked. Of course, given the high degree of ignorance about Heartbleed exposed by our first question, it’s possible that some of our respondents were given advice at the workplace but weren’t really paying attention.
Either way, employers face a major challenge when it comes to improving security awareness in the workplace. (And while they’re at it, they should probably avoid hiring 18-to-24-year-olds to manage their security.)