>> lastpass
I insisted our department improve security. Strong password, no repeated passwords, no Word docs with passwords. The solution is so easy... Lastpass. Many people hated it. One person told me, "Lastpass has ruined my life."
Meanwhile, I have also forced numerous clients onto something (Lastpass by default). I built an e-comm site for one of them that has taken in millions of dollars. He once told me, somewhat apologetically, that he thought the best thing I had ever done for him was get him on Lastpass.
That's the range of reactions. People who are modestly tech savvy and at all concerned with security think a password manager is one of the great innovations ever. The rest either don't see the point or actively hate it.
Other comments:
"I have a really good password. Nobody will ever guess it." (note the use of the singular - her entire life is protected by a single password).
"I don't care if someone reads my email. There's nothing incriminating in there."
"Do you have access to your bank through the web?"
"Yeah, sure."
"And if you forget your password and need to do a reset, where does your bank send your password reset?"
"To my email account."
"In other words, if someone has access to your email account, they also own your bank account. Are you sure you still don't care who gets into your email?"
"Oh."
The simple fact is that even the most basic security issues are beyond a large, large percentage of the population. My advice to people like my dad is simple: If you do not have strong passwords, two-factor auth and a basic understanding of what happens when you click on a link, then do not even create an online account with your bank, the IRS, the Social Security Administration, your pension fund or anything you wouldn't want any random stranger on the street to access.
But then the article gets to the next aspect - social media accounts, giving info away to get a deal, and so forth.
And finally, one of the ones that I have been hammering at people for years - using an employer-provided email address for anything other than work communication. I've seen a huge improvement in this behavior over the years. Partly that is because early on lots of email accounts were at universities and so many faculty assume they will be there until they die. But I would see it in private industry. Then people get laid off without notice and they realize that the aforementioned bank account password reset goes to the work email they don't have anymore. So I think people are mostly learning that one.