I am right now writing a primer on web security for a blog and doing my research on passwords I came across The Telegraph’s article Almost 16 million use same password for every website, study finds is actually full of cool figures and I was very tempted to use some quotes like:

The average internet user is asked for a password by 23 websites a month.

The research found 46 per cent of British internet users, 15.6 million, have the same password for most web-based accounts and five per cent, or 1.7 million, use the same password for every single website.

According to the Telegraph, the study was done by CPP:

This could lead to money being stolen from bank accounts, fraudulent purchases via online shops or identity theft, according to life assistance company CPP.

What puzzled me is that there is no link to be found on the CPP site. Their last press release is from November and a site search for password doesn’t yield any results.

The Telegraph does not list the source of the figures or where to see the original survey – actually this would mean the article would get deleted from Wikipedia!

It gets really interesting when you do a Google search for the same survery. You then find an article on based on data of chinaview.cn that reveals just how many people were asked in the survey:

More worrying was that of 1,661 Britons questioned, nearly 40 per cent of adults admitted that at least one other person knows their passwords, ranging from children, colleagues and friends. With phishing and smishing attacks, as well as malicious software attacks, on the rise, consumers and Internet users need to be more careful with their personal data.

I am all for scaling, but using 1661 people and multiplying that up to 16 million is a bit of stretch of the imagination, don’t you think? Seeing that the survey is from September also gives me the idea that there was a slow news day to cover. This is another annoyance as you cannot research what other news sites have said at that time as they delete content after 31 days. So much for “cool links never change”.

That said, I am happy that mainstream media is at least covering the topic of bad passwords. We can do a lot in security, but if end users still consider “password” or “letmein” a good idea as a password we are doomed.

I would love to see the CPP survey, and I’d also love to have a way to comment on The Telegraph. Alas…

Update As reported by marksteward on Twitter the Telegraph already reported about the survey in September – mentioning the 1661 number and there is a report on the CPP site talking about the survey in more detail – thanks!