We regularly encourage readers to implement password policies that ensure users use strong passwords and change them regularly. While great for cyber-security, this policy can result in password fatigue and cause other problems down the road.
After all, who actually remembers their strong passwords? Especially when they change every 90 days?
If you were to survey your employees (including yourself), how many “cleverly” hidden sticky notes do you think you would find with passwords written on them? How many not so cleverly hidden notes? While it is true that a person cannot hack a sticky note, prying eyes can still find them.
The primary form of password fatigue is simply keeping track of them all. We already understand the flaw in the sticky note method of password storage, and the text file named PASSWORDS on your desktop is no better.
In 2020, Keeper Security – makers of password management and security software – commissioned a study of 1000 full-time employees in the United States. The overall results were concerning:
- 60% of respondents said their organizations experienced a cyberattack in the past 12 months.
- Over 50% of these attacks involved stolen credentials.
- The theft of IT assets caused $5 million or more in damages for 25% of businesses.
The report shares four general findings:
People store and track their passwords insecurely.
- Over half the respondents admitted to using sticky notes, and two-thirds of those admitted to losing the note.
- Almost two-thirds of respondents save their passwords in a notebook that over 80% keep near their computer.
- Respondents using digital methods of storage use insecure files on the cloud, on their desktop, or on their phone.
People use weak, easily guessed passwords.
Names and birthdays do not belong in a password!
People share passwords with unauthorized parties.
Although only a small percentage of respondents admitted to sharing work passwords with spouses and family members, even that amount is concerning, because some industries have regulations governing who may view specific data. Even without a data breach, a company could find itself severely penalized.
Employers do not do enough to protect passwords.
- Almost half of respondents reported that their company shares passwords for accounts with multiple users.
- Roughly a third of those surveyed reported that they shared passwords with team members, managers, or their executive team.
- Sharing passwords within the workspace frequently occurs by text or email – both of which hackers can intercept.
- Roughly one-third of respondents admitted to accessing accounts belonging to a former employer – indicating that employers are not disabling accounts of former employees.
The best action employers could take is to create login credentials for every employee for every application. As this can become a complex management issue rather quickly, an enterprise-level password manager may be necessary. These applications allow for safe generation and dispersion of passwords to authorized users only.
While password-less technology is out there, it is not the mainstream solution. So, what’s a business to do?
Password managers are a way to generate, store, and apply passwords. They are significantly more secure than your sticky note or PASSWORDS text file. They do not, however, remove the need to secure the passwords themselves. To do that, you need to apply additional measures:
Single sign-on (SSO) allows access to multiple (related) applications with a single password. This technology reduces the number of passwords a person must remember as well as the number of different applications that require a unique login.
Biometric solutions are becoming more common, and not just for phones. (Has your kid ever asked for your face while pointing your phone at you?) While you are more likely to find a fingerprint scanner on a laptop, they are available for desktops.
Two-factor authentication does not reduce the number of passwords in a person’s life; however, it does add strength to a password-protected login – and the not-so-strong passwords need all the help they can get. Although two-factor and two-step authentication are slightly different, both require users to provide extra input to access an account.
What We Like
Cantrell’s IT advocates multi-factor authentication (MFA) for the highest security. This type of security requires users to know something presumably only they know (a password) and to have something only they have, external to the device they are logging in from, such as their phone or a security fob.
We like MFA because the people who really know like it. Microsoft found that multi-factor authentication halted 99.9% of automated attacks. Google did a year-long study on the topic with similar results.
There are multiple applications and multiple combinations of them that can help ease password fatigue. To learn what would work best for your organization, give us a call.