Poor password habits leave young at highest risk of identity theft

Almost a quarter of millennials use the same password for all accounts; credential sharing for online services like Netflix is rampant

Posted 7 October 2020 by

The younger generations have significantly riskier password habits than their parents, according to new research from Nomidio.

Almost a quarter (24 percent) of those aged between 24 and 38 (millennials) use the same password for all their accounts, compared to just two percent of baby boomers.

“It’s hugely concerning to see that password habits are getting worse rather than better. Young people are trading security for convenience, but that could come back to bite if their identity is compromised,” said Ben Todd, head of worldwide sales, Nomidio.

“The survey clearly shows we need modern and secure ways of logging in. Easy to use biometric systems like Nomidio mean people can log in wherever they like, using only their face or voice, which are more secure and impossible to misplace. It’s secure and convenient.”

Fourteen percent of Gen-Zs (aged 16-23) and millennials say they have never changed their passwords, and 80 percent of young people use a common substitution, such as D00RB3LL for DOORBELL.

Conversely, older people appear far more savvy, with most baby boomers using multiple different passwords and 62 percent changing them at least twice a year.

Credential sharing, where people provide usernames and passwords to friends for access to digital services like Netflix or Amazon, is rampant amongst the young. According to the research, 62 percent of Gen-Z and millennials share credentials with friends and family, increasing the attack surface by exchanging them in emails and messages. Moreover, one in five millennials leave their passwords accessible to hackers in their contacts or notes pages on internet-connected devices.

“Credentials sharing happens at home and in the workplace; it’s a major headache for internet companies and cyber security professionals. Biometrics is the only way to stop this practice because it’s much harder for someone else to log in using your face; you’d actually have to be there with them,” said Philip Black, commercial director at Nomidio.


Elsewhere, Nomidio has secured certification for OpenID Connect, a simple identity layer on top of the popular OAuth 2.0 protocol, used by most cloud service providers and websites.

Certification means that website owners or cloud service providers can now allow users to swap passwords and two-factor authentication for a biometric log-on experience with Nomidio.