When did you last change your work password? Was it when the system prompted you? When you were first hired? Or maybe the answer doesn’t matter. When it comes to password safety, old adages don’t always apply anymore. Let’s take a look at what today’s business password management really needs by focusing on the valuable data behind the password. 

What Causes the Persistent Password Problem?

At least part of the issue with passwords is that user hygiene hasn’t gotten any better in recent years. In fact, some evidence suggests it’s gotten worse. A 2020 study from LastPass found that more than half of users hadn’t changed their passwords in the past year. Some elected to keep their passwords the same even after a data breach hit their web accounts.

Instances of password reuse have become more widespread in recent years. Indeed, two-thirds of people in the same survey indicated that they “always” or “mostly” use the same password and/or slight variants on it across multiple web accounts. That’s up from 8% observed two years earlier. It’s also despite the fact that 91% of users knew beforehand that reusing a password is a risk.

How Bad Password Safety Habits End up Hurting Business

Many users take their password security for granted — even when they have reason not to and when they know better. They don’t just end up hurting themselves in doing so. They also end up costing the business big in terms of legal fees, compliance penalties and other damages associated with cleaning up a breach.

Poor password hygiene threatens a business in more ways than opening up a common attack vector, however. The act of simply managing passwords comes with its own costs. And that price tag is increasing. IT personnel are managing passwords while they could be strengthening their employer’s digital security in other, more meaningful ways.

Why Is Business Password Management Failing?

No one wants to spend their valuable work time managing passwords. But in a way, organizations are locking themselves into this fate. That’s because of the types of password safety rules they’re choosing for their workforce. Specifically, they need to go beyond password policies written with an eye towards security only. They want to prevent account takeover fraud and related data breaches, so they hold their employees to measures such as frequent password changes and required special characters.

It’s a good effort, to be sure. But it misses everything we’ve already discussed above. Employees are already reusing essentially the same password across multiple accounts. That’s in part because of these policies. Indeed, requiring users to come up with passwords containing special characters on a regular basis ignores their needs as users. Employees want to do their work with as few complications as possible, so they might be inclined to create passwords with minimal variation. That way they can remember their passwords and their duties don’t take longer than necessary.

This conflict between security needs and user needs has not gone unnoticed. In the past few years, the National Institute of Standards and Technology (NIST) recognized how certain password security guidelines were inadvertently contributing to the password reuse problem. That’s why NIST updated its specifications to avoid those ‘traditional’ security suggestions.

Balancing User Needs with Password Safety Needs

The way forward is for organizations to balance the needs of their users with the demands of their security requirements. To do that, employers need to simplify their business password management processes. Doing so will discourage users from looking for workarounds to policies that complicate their workdays.

The bottom line is, the password doesn’t matter. It’s not the password you need to protect; it’s what’s on the other side of the password that’s worth defending. That could be a critical business account, network access or sensitive data.

With this view, organizations can direct their attention away from the password and towards security measures that are designed to protect what’s really worth defending. Those measures include multi-factor authentication (MFA) and other security best practices.

MFA works well as part of a broader effort to achieve zero trust, a type of architecture where security teams must continually validate connection attempts from accounts and devices. Employers can also require employees to set up MFA with their password managers so that they don’t have to remember all their work credentials going forward.

Organizations can also make login simpler for employees by using single sign-on. This means they don’t need a distinct set of credentials for each of their access needs. Instead, it lets them access everything with a single username and password, thus helping to streamline their workdays.

The Growing Irrelevance of the Password

All the recommendations discussed above capture the irony of modern business password safety — it’s no longer about the password. The sooner organizations can understand this, the sooner they can begin making authentication simpler and upholding their security against an ever-evolving threat landscape.
