When did you last change your work password? Was it when the system prompted you? When you were first hired? Or maybe the answer doesn’t matter. When it comes to password safety, old adages don’t always apply anymore. Let’s take a look at what today’s business password management really needs by focusing on the valuable data behind the password. 

What Causes the Persistent Password Problem?

At least part of the issue with passwords is that user hygiene hasn’t gotten any better in recent years. In fact, some evidence suggests it’s gotten worse. A 2020 study from LastPass found that more than half of users hadn’t changed their passwords in the past year. Some elected to keep their passwords the same even after a data breach hit their web accounts.

Instances of password reuse have become more widespread in recent years. Indeed, two-thirds of people in the same survey indicated that they “always” or “mostly” use the same password and/or slight variants on it across multiple web accounts. That’s up from 8% observed two years earlier. It’s also despite the fact that 91% of users knew beforehand that reusing a password is a risk.

How Bad Password Safety Habits End up Hurting Business

Many users take their password security for granted — even when they have reason not to and when they know better. They don’t just end up hurting themselves in doing so. They also end up costing the business big in terms of legal fees, compliance penalties and other damages associated with cleaning up a breach.

Poor password hygiene threatens a business in more ways than opening up a common attack vector, however. The act of simply managing passwords comes with its own costs. And that price tag is increasing. IT personnel are managing passwords while they could be strengthening their employer’s digital security in other, more meaningful ways.

Why Is Business Password Management Failing?

No one wants to spend their valuable work time managing passwords. But in a way, organizations are locking themselves into this fate. That’s because of the types of password safety rules they’re choosing for their workforce. To be specific, they need to go beyond password policies with an eye towards security only. They want to prevent account takeover fraud and related data breaches, so they hold their employees to measures such as frequent password changes and special characters.

It’s a good effort, to be sure. But it misses everything we’ve already discussed above. Employees are already reusing essentially the same password across multiple accounts. That’s in part because of these policies. Indeed, requiring users to come up with passwords containing special characters on a regular basis ignores their needs as users. Employees want to do their work with as few complications as possible, so they might be inclined to create passwords with minimal variation so that they can remember their passwords and not cause their duties to take longer than they need to.

This conflict between security needs and user needs has not gone unnoticed. In the past few years, the National Institute of Standards and Technology (NIST) recognized how certain password security guidelines were inadvertently contributing to the password reuse problem. That’s why NIST updated its specifications to avoid those ‘traditional’ security suggestions.

Balancing User Needs with Password Safety Needs

The way forward is for organizations to balance the needs of their users with the demands of their security requirements. To do that, employers need to simplify their business password management processes. Doing so will discourage users from attempting to find a workaround from policies that complicate their workdays.

The bottom line is, the password doesn’t matter. It’s not the password you need to protect; it’s what’s on the other side of the password that’s worth defending. That could be a critical business account, network access or sensitive data.

With this view, organizations can direct their attention away from the password and towards security measures that are designed to protect what’s really worth defending. Those measures include multi-factor authentication (MFA) and other security best practices.

MFA works well as part of a broader effort to achieve zero trust, a type of architecture where security teams must continually validate connection attempts from accounts and devices. Employers can also require employees to set up MFA with their password managers so that they don’t have to remember all their work credentials going forward.

Organizations can also make login simpler for employees by using single sign-on. This means they don’t need a distinct set of credentials for each of their access needs. Instead, it lets them access everything with a single username and password, thus helping to streamline their workdays.

The Growing Irrelevance of the Password

All the recommendations discussed above capture the irony of modern business password safety — it’s no longer about the password. The sooner organizations can understand this, the sooner they can begin making authentication simpler and upholding their security against an ever-evolving threat landscape.

More from Fraud Protection

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

What Are the Biggest Phishing Trends Today?

According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That's a 33% increase from 2021. One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…

NFT Security Risks: Old Scams and New Tricks

The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021. To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account. As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as…