Skip to content
Naked Security Naked Security

Elders way better at password security than millennials

Now get off my lawn, you 2FA-disrespecting young'ns.

Stop making fun of Aunt Millie squinting at the screen: her password kicks your password’s butt, and she’s not the one reusing the same damn password for every site.

That’s according to a recent report [registration required] from Gigya, which has an API that businesses can use to let their customers log into websites using their social media accounts (and which, not surprisingly, titled its report “Death of the Password”).

According to survey results, Baby Boomers – people aged 51-69 – are the demographic most likely to use the security best practice of having a unique password for each and every online account: 65% of respondents said they have 5 or more passwords across their online accounts, compared with just 44% of millennials (ages 18-34).

The report didn’t give the figures on people ages 35-50, but it did say that only 16% of people follow best practices overall.

As we’ve explained, there’s a reason why the “don’t reuse passwords” mantra is, well, a mantra: even a long, strong, complicated password that looks devilishly hard to crack can become, effectively, a skeleton key to your whole online life if you’ve reused it. Once a crook’s got the login for one site, the door’s wide open to any other site where that login’s been used.

Password reuse isn’t the only way for attackers to get their hands on exact login names and passwords, of course. Logins can be captured in phishing attacks, keylogger malware can snatch them away, or security questions might be too easy to crack, to name a few.

The report found that people in their golden years also tend to shy away from using passwords that they know aren’t secure, like “password,” “1234,” or their birthdays. Out of the Baby Boomers surveyed, 53% claim that they never create easy-to-remember yet unsecure passwords, compared to 42% of Generation X respondents and 33% of millennials.

Is this because they’re writing their convoluted passwords on sticky notes and sticking them under their keyboards or onto their monitors, as snarked one Slashdot commenter? (probably some uppity stripling young’n!)

Somebody who’s probably a sage, silver-haired security savant snarked this back: “The day malware can lift your keyboard to look, the seniors are going to be in a lot of trouble.”

Great comeback! Still, don’t keep passwords on stickies. Even if we’re talking about your system at home, that still makes your login vulnerable to being snatched, right along with your computer, by a burglar, if not just by a passerby with roving eyes.

The survey also found that more than 25% of respondents said they don’t bother with creating gnarly passwords for sites associated with their financials, such as their bank accounts or ecommerce sites.

That’s not good. The way the Internal Revenue Service (IRS) has been grappling with identity theft should drive home how fraudsters are targeting our online financial assets.

Bank-related phishing is another danger, and one where the complexity of your password doesn’t even matter.

We’ve written many times about this sort of trickery, along with lots of advice to help you avoid it.

Of course, at least in theory, the older we get, the more money we should have to protect, given life savings, pensions and other assets: perhaps one reason why older, more jaded people are keener to protect it all.

One of the more surprising findings of the report was that older people are nearly twice as likely as millennials to set up two-factor authentication (2FA) when logging in to accounts.

2FA can help to ensure the validity of a user’s identity and minimizes the window of time in which phished credentials will work.

It’s one extra step when you’re logging in, but Baby Boomers apparently can spare the time. Particularly the Baby Boomer President Obama, who a few months ago said that passwords aren’t strong enough, so use 2FA!

Right or wrong, Gigya is suggesting that Millennials lack the “patience and dedication” of older generations when it comes to security best practices.

We don’t know if that’s right, but we do know the consequences of using bad passwords or reusing login credentials: they leave us more open to attack and can make the consequences of a successful attack worse.

Gigya’s survey claims that across all ages, more than 25% of respondents have had an online account compromised in the past 12 months. For Millennials, the number jumps to 35%. In contrast, this number drops to less than 20% for Baby Boomers.

Is that because Millennials are too impatient to use security best practices? Is it because they simply have far more online accounts than their elders do? Is it because some older people aren’t even aware that their accounts have been compromised?

Feel free to add your two cents below, be it elderly grousing or youthful yelps of indignation, but whatever you do, don’t dis Aunt Millie.


One thing I tell my older clientele, who do and have confessed they reuse the same password on multiple sites is create your own analogue password manager. Buy an address book, and start writing in your username and password under the letter of the alphabet corresponding to the online account. ie – TalkTalk account – under T; ProtonMail account under P et alia.
It’s not the best, but they get it. And they also get the analogy of “equate your passwords to house keys. If you have more than one house you want to reduce the risk of being broken into if you loose that one master key. When you use the same password on various websites if someone finds that key then all your houses are at risk.”
Another suggestion for the ever changing battlefield of password management.


I’m in the upper age range Millennial group. I keep unique passwords for my major online accounts (i.e. email, financials). But what about the 20 thousand websites that require a login to use? I’m sorry, but I’m not creative enough to make up and then remember passwords for each. Which means I either write them down or I let the browser remember my login, neither of which is very safe. Or I use one login on multiple sites, like a WordPress account. Or I can delete all my “non-essential” website accounts? Sometimes I just reset my password because I give up trying to guess it.

I like Rocas’ idea with the address book. But then I’d have to carry that book around with me in case I needed to access an account from not-home.

Seems like when you’re more immersed in the digital age, you’re damned if you do and damned if you don’t. Where’s the happy medium?


For websites that aren’t important, I use a general-purpose password for most of those places. Who cares if someone breaks in and reads the news? My important accounts have different passwords and I put the effort into them.


Problem is, how to decide whether a site is “important”. Many website passwords serve to let you post comments in your name, for example…all part of the online record on which people can judge you. Do you really want dozens of throwaway accounts where you could be made to look a fool (or worse) by someone who’s got a grudge – a smear you might not realise for weeks or months?

If you use a password manager you can avoid this situation by automatically having different, decent-quality passwords everywhere, and then you don’t need to decide how important an account is.

Maybe have a listen to this podcast:


The browser remembering passwords is fine (subject to it doing it right). It’s usually about as secure as your computer’s account, the only way to get more secure than that is to use hardware token or SMS login, or phone call.

The main increased risk is they could all be compromised at the same time, but at least you’ll know what needs changing. If say you find a key logger on your machine, unless you know exactly when it got installed you have the same problem of changing all your passwords, but the process is harder..


I carry a usb drive in the coin pocket in my jeans that has a password-protected Excel sheet with ~50 passwords I use with four different email accounts.


@Wild Corndog – Not a bad method, but if you lose your USB drive, someone finding it could use password-cracking tools to unlock your Excel file. Older versions of Excel have weak password security (see Newer versions of Excel have better password protection, but make sure to use a strong password that couldn’t be broken easily by a rainbow table attack or brute-force attack. It may be better to encrypt it with TrueCrypt or 7-zip, especially if you’re using an old version of Excel.


They are also more likely to forget them as well, our have them all written down in a note book. Ask any public librarian.


U.S. bank web site designers make it difficult to create decent passwords. A number of them expect only letters and numbers, and many either protest if you have more than (I said MORE THAN) 8 characters, or silently drop anything over 8.
And it is not just their web sites. U.S. banks have also been dragging their feet in using chip cards, many still relying on magnetic strips.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!