Despite years of warnings about the risks of using weak passwords and storing them in easily compromised locations, the majority of American workers still regularly scribble work-related passwords on sticky notes and most admit to having lost those notes at some point.

That’s according to a new survey of 1,000 U.S. employees commissioned by Keeper Security Inc., a maker of password management software. The Workplace Password Malpractice Report also found that 62% of U.S. employees said they routinely store logins and passwords in a written notebook, and 81% admitted to keeping those documents near work devices where they can easily be accessed or stolen by passersby.

Workers are even more likely to write passwords on paper when working from home, with 66% reporting that they do so regularly. That makes those credentials vulnerable to being swiped by service people or other visitors. Nearly 45% currently use the same password for both personal and work-related accounts.

The survey is the latest in a long string of research reports that document the scant attention that businesspeople pay to even the simplest security measures, such as creating strong passwords and storing them in secure locations, ideally in an encrypted digital wallet.

That’s despite the fact that human error is the most common culprit in security breaches. One 2019 analysis in the U.K. found that 90% of cyber data breaches that year were rooted in user errors, up from 61% two years earlier. Nordpass, a unit of virtual private network provider NordVPN S.A., last year analyzed more than 275 million passwords and found that the most-used were “123456,” “123456789,” “picture1,” “password” and “12345678.”

Keeper found that 37% of employees have used their company name in a password, 34% have used a significant other’s name or birthday and 31% have used their child’s name or birthday. Such practices are strongly discouraged by security experts, who note that cybercriminals can often harvest such information from social media sites and use it in brute-force crack attacks.

The risky behavior goes beyond sticky notes. The Keeper survey found that 62% of workers have shared a work-related password by text message or email, both of which can easily be intercepted. Nearly half save work-related passwords in a document in the cloud or on their computers, while 55% save them on phones. The risk there is that a cybercriminal who breaches cloud storage or the mobile device then has full access to all of the owner’s accounts.

Information technology organizations don’t get off scot-free in the report either: 46% of respondents said their company encourages people to share passwords for accounts used by multiple people and nearly one-third of respondents said they’ve logged into an account after they left the company.

Image: Pixabay