I have argued for years that the reason people still do this is that there are certain accounts or resources that they just don’t care enough about. Look, the statistics bear this out:
LastPass found that while 92% of 3,750 people surveyed know that using the same password is a risk, 65% re-use passwords across accounts. It also found that 45% of respondents didn’t change their passwords in the last year – even after they were affected by the data breach. And attitudes towards passwords vary by application; while 68% of respondents would create stronger passwords for financial accounts, only 32% said they would create strong passwords for work-related accounts.
Most people do the right thing with passwords for financial accounts, but all the websites that make them create an account just to read an article? Who really cares if that account gets hacked? Why not just use the same password for all of them? What’s the hacker going to do, read USA Today as them? Who cares?
That is all just normal human behavior. The thing that should scare the hell out of security professionals is how many people view their work access the same way. They don’t care. It’s not their data; it’s just the place where they happen to work, for now. This shows in the low number of people creating a strong password for their work accounts. (It also shows how making them change it every few months really just backfires.)
Those are the people you should be seriously concerned about: the ones who’ve been taught over and over again about the importance of being secure with their work information and still don’t care any more than they do about their fantasy football league sign-in. (Maybe even less.)