One password to rule them all.
An annoyed Steven comes by for help. His password has been invalidated for security reasons and he has to choose a new one. This is the point where most people acknowledge the message and leave to reset their password, but not Steven. He starts questioning how the system knows his old password, how many previous passwords it stores, and how he can trick the mechanism. I reassure him that it is for the sake of his own security. He gets visibly more distressed with every word I utter, until I ask him what the actual problem is, and he replies:
I use this password for absolutely every website I have. It's a huge pain in the ass to have one odd password just because of some security measure. I don't even have anything worth hacking!
I urged Steven to use a password manager. It doesn't solve every problem, but the small effort it takes yields a real increase in security. In the end he probably changed the password just enough to trick the system.
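To make the mechanism Steven was arguing with concrete, here is a minimal password-history check. It is an added example, not code from the system in the story: the server never stores old passwords in the clear, only a salted hash of each of the last N of them, and a candidate password is rejected if it hashes to any stored entry. The depth of 5 and the PBKDF2 work factor are assumed policy values, not something the post states.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumed policy values for this example; a real deployment tunes both.
HISTORY_DEPTH = 5            # how many previous passwords are remembered
PBKDF2_ITERATIONS = 100_000  # work factor; kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of a password. The plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Remembers salted hashes of the last `depth` passwords for one account."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        # deque with maxlen drops the oldest entry automatically once full
        self._entries: deque = deque(maxlen=depth)  # items are (salt, digest)

    def was_used(self, password: str) -> bool:
        """True if `password` matches any remembered entry.

        Every entry is checked with its own salt (the salts differ, so the
        candidate has to be re-hashed per entry), and the loop does not exit
        early so timing does not reveal which entry matched.
        """
        hit = False
        for salt, digest in self._entries:
            if hmac.compare_digest(hash_password(password, salt), digest):
                hit = True
        return hit

    def set_password(self, new_password: str) -> bool:
        """Reject reuse of a remembered password; otherwise record the new one."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(new_password, salt)))
        return True


if __name__ == "__main__":
    # Constructed sample passwords; not real credentials.
    history = PasswordHistory(depth=3)
    print(history.set_password("correct horse battery staple"))  # True, first use
    print(history.set_password("correct horse battery staple"))  # False, exact reuse
    print(history.set_password("Summer2019!"))                   # True
    print(history.set_password("Summer2020!"))                   # True, a near-copy slips through
```

Two things worth noticing. First, the check answers Steven's question: the system does not know his old password, it only knows whether a candidate hashes to the same value, so the stored history is useless to an attacker who dumps the table. Second, because comparison happens on hashes, "Summer2019!" and "Summer2020!" are unrelated as far as this check is concerned, which is exactly the gap a user who wants to keep his one password will squeeze through. Catching near-variants requires comparing plaintexts at change time, which is a different design with its own trade-offs, and is not something this post describes.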
What I've learned: there will always be users who cling to their own sense of security and, ironically, hurt themselves by doing so. This encounter unsettled me and forced me to think about the non-technical side of security. More education on why web security matters could raise the organization's overall security and reduce this kind of ignorance.