Three in five Singapore residents who access e-government services never change their passwords. And half also use the same one for everything from online banking to shopping.
This makes them easy targets for hackers, according to a study of 346 people in April last year.
The study was carried out by an Infocomm Development Authority (IDA) subsidiary called Assurity Trusted Solutions, which provides authentication technology and services to companies here.
Assurity found that more than half of those polled do not change their passwords when they use banking services or trade stocks online.
Assurity chief operating officer, Chai Chin Loon, said: "Based on anecdotal evidence, poor cyber hygiene practices are still prevalent today."
Passwords are the first line of defence, he said, so it is crucial that they are changed every three months.
Many cybersecurity experts have also warned against reusing the same password for every account.
The IT services centre at the Chinese University of Hong Kong recommends using different sets of passwords in different systems by mixing upper and lower case letters, or letters and numbers.
People should use passwords of at least eight characters (random letters, digits and punctuation), as longer, more complex passwords are harder to crack, it said.
A five-character password composed only of lower-case letters takes less than two minutes to crack, while one that mixes lower-case letters and numbers takes 10 minutes, according to the university's website.
A second line of defence involves using one-time passwords, which are valid for only a single login. They are generated randomly on devices called tokens or sent by text message to customers by service providers such as banks.
Requiring such a one-time code in addition to the password provides an additional layer of security, known as "two-factor authentication" (2FA).
"Adopting 2FA can help mitigate the risks of poor cyber hygiene practices and protect the user against identity theft and online fraud," said Mr Chai.
He urged users to activate 2FA for their personal e-mail and social networking accounts, too, for peace of mind whether for use in Singapore or travelling overseas.
Many online services, including Gmail and Facebook, have introduced 2FA.
Yahoo and Twitter are among the online service providers that offer 2FA only in certain markets such as the United States. Singapore users do not have this security layer.
RESISTANT TO CHANGE
But old habits seem to die hard.
Mr Paul Ducklin, a consultant at the security software firm Sophos, said: "Ironically, the sort of people who would probably be able to keep their passwords safe without 2FA are just the sort of people most likely to adopt 2FA." And those who would benefit most from 2FA because they do not maintain good cyber hygiene are likely to resist 2FA for being "too hard", he added.
"There are some people who will only take password hygiene seriously after they have suffered some sort of financial loss of their own," he said.
In Singapore so far, only banks have been required to put 2FA in place. Even government agencies have yet to do so.
But this may change.
In June, the IDA put out a tender for a 2FA system for online access to all sorts of e-government services. So citizens, for example, will need more than their identity card number and SingPass to access online details of their Central Provident Fund accounts or income tax records.
SingPass is a password that was set up for every citizen in 2003. But it often contains easy-to-guess numbers, such as birth dates, which hackers can readily find out. There are more than 2.8 million SingPass users.
This story was first published in The Straits Times on Nov 27, 2013.