Not Even Being Hacked Can Get Americans to Change Their Crappy Passwords

Between hacking, phishing and the internet of things, cyberattacks are a growing threat—and most Americans seem to know that. They just can’t be bothered to do anything about it.

According to a survey of 1,040 U.S. adults by the Pew Research Center, a majority of Americans have experienced some sort of data breach, with credit card fraud being the most common. More than a third have had sensitive information—financial, health, or other personal data—compromised, and 15 percent have had their Social Security number compromised.

Americans are also feeling the anxiety caused by a slew of massive hacks and cyberattacks. Distributed denial-of-service attacks, like the one that temporarily took down Twitter and Spotify in October, grew 30-fold between 2011 and 2014. Pew’s survey found nearly half of Americans believe their personal information is less secure now than it was five years ago.

Americans don’t put much stock in the public or private sector’s capacity to prevent hacks, either. Some 28 percent expressed a lack of confidence in the federal government’s ability to keep their personal information safe; 24 percent said the same about social media; 15 percent about credit card companies, cell service providers and companies they do business with; and 13 percent about cellphone manufacturers and email providers.

And yet, a majority of Americans continue to engage in digital practices that make it easier for hackers to gain access to their info. More than half use (insecure) public Wi-Fi networks on their phones. Forty-one percent share online passwords with friends and family members, 39 percent use similar passwords across multiple accounts, and 25 perecent use simple easy-to-guess passwords.

“[Sixty-nine percent] of online adults say they do not worry about how secure their online passwords are—more than double the share (30 percent) that admits to having worries about their personal password security,” Pew found. (One bright spot: More than half of online adults said they use two-step authentication on at least some of their online accounts.)

Pew’s survey backs up other findings on Americans’ cybersecurity habits. A data-dump of user passwords from music-streaming platform Last.fm found “123456” and “password” are still among the commonly used.

While the administration being ushered in President Donald Trump has yet to outline plans for dealing with cybersecurity, there have been some worrying signs. Trump has allegedly refused to give up his own personal (non-secure) Android phone, and the head of Trump’s cybersecurity group—former New York City Mayor Rudy Giuliani—has a company website laden with security pitfalls. Trump’s cabinet has also emphasized the threat of terrorism far more than threats perpetrated by “cyber superpowers” like Russia and China.

“Fully 70 percent of Americans expect that the United States will definitely (18 percent) or probably (51percent) experience a significant cyberattack on its public infrastructure (such as air traffic control systems or power grids),” Pew found. Similar proportions of the public shared concern about breaches in the banking and financial sectors.

So Americans are worried… just not enough to protect themselves. Maybe Trump—a devoted adherent of printouts, PDFs and courier service—has it right after all.