When did you last change your work password? Was it when the system prompted you? When you were first hired? Or maybe the answer doesn’t matter. When it comes to password safety, old adages don’t always apply anymore. Let’s take a look at what today’s business password management really needs by focusing on the valuable data behind the password. 

What Causes the Persistent Password Problem?

At least part of the issue with passwords is that user hygiene hasn’t gotten any better in recent years. In fact, some evidence suggests it’s gotten worse. A 2020 study from LastPass found that more than half of users hadn’t changed their passwords in the past year. Some elected to keep their passwords the same even after a data breach hit their web accounts.

Instances of password reuse have become more widespread in recent years. Indeed, two-thirds of people in the same survey indicated that they “always” or “mostly” use the same password and/or slight variants on it across multiple web accounts. That’s up from 8% observed two years earlier. It’s also despite the fact that 91% of users knew beforehand that reusing a password is a risk.

How Bad Password Safety Habits End up Hurting Business

Many users take their password security for granted — even when they have reason not to and when they know better. They don’t just end up hurting themselves in doing so. They also end up costing the business big in terms of legal fees, compliance penalties and other damages associated with cleaning up a breach.

Poor password hygiene threatens a business in more ways than opening up a common attack vector, however. The act of simply managing passwords comes with its own costs. And that price tag is increasing. IT personnel are managing passwords while they could be strengthening their employer’s digital security in other, more meaningful ways.

Why Is Business Password Management Failing?

No one wants to spend their valuable work time managing passwords. But in a way, organizations are locking themselves into this fate. That’s because of the types of password safety rules they’re choosing for their workforce. To be specific, they need to go beyond password policies with an eye towards security only. They want to prevent account takeover fraud and related data breaches, so they hold their employees to measures such as frequent password changes and special characters.

It’s a good effort, to be sure. But it misses everything we’ve already discussed above. Employees are already reusing essentially the same password across multiple accounts. That’s in part because of these policies. Indeed, requiring users to come up with passwords containing special characters on a regular basis ignores their needs as users. Employees want to do their work with as few complications as possible, so they might be inclined to create passwords with minimal variation so that they can remember their passwords and not cause their duties to take longer than they need to.

This conflict between security needs and user needs has not gone unnoticed. In the past few years, the National Institute of Standards and Technology (NIST) recognized how certain password security guidelines were inadvertently contributing to the password reuse problem. That’s why NIST updated its specifications to avoid those ‘traditional’ security suggestions.

Balancing User Needs with Password Safety Needs

The way forward is for organizations to balance the needs of their users with the demands of their security requirements. To do that, employers need to simplify their business password management processes. Doing so will discourage users from attempting to find a workaround from policies that complicate their workdays.

The bottom line is, the password doesn’t matter. It’s not the password you need to protect; it’s what’s on the other side of the password that’s worth defending. That could be a critical business account, network access or sensitive data.

With this view, organizations can direct their attention away from the password and towards security measures that are designed to protect what’s really worth defending. Those measures include multi-factor authentication (MFA) and other security best practices.

MFA works well as part of a broader effort to achieve zero trust, a type of architecture where security teams must continually validate connection attempts from accounts and devices. Employers can also require employees to set up MFA with their password managers so that they don’t have to remember all their work credentials going forward.

Organizations can also make login simpler for employees by using single sign-on. This means they don’t need a distinct set of credentials for each of their access needs. Instead, it lets them access everything with a single username and password, thus helping to streamline their workdays.

The Growing Irrelevance of the Password

All the recommendations discussed above capture the irony of modern business password safety — it’s no longer about the password. The sooner organizations can understand this, the sooner they can begin making authentication simpler and upholding their security against an ever-evolving threat landscape.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today