When did you last change your work password? Was it when the system prompted you? When you were first hired? Or maybe the answer doesn’t matter. When it comes to password safety, old adages don’t always apply anymore. Let’s take a look at what today’s business password management really needs by focusing on the valuable data behind the password.
What Causes the Persistent Password Problem?
At least part of the issue with passwords is that user hygiene hasn’t gotten any better in recent years. In fact, some evidence suggests it’s gotten worse. A 2020 study from LastPass found that more than half of users hadn’t changed their passwords in the past year. Some elected to keep their passwords the same even after a data breach hit their web accounts.
Instances of password reuse have become more widespread in recent years. Indeed, two-thirds of people in the same survey indicated that they “always” or “mostly” use the same password and/or slight variants on it across multiple web accounts. That’s up from 8% observed two years earlier. It’s also despite the fact that 91% of users knew beforehand that reusing a password is a risk.
How Bad Password Safety Habits End up Hurting Business
Many users take their password security for granted — even when they have reason not to and when they know better. They don’t just end up hurting themselves in doing so. They also end up costing the business big in terms of legal fees, compliance penalties and other damages associated with cleaning up a breach.
Poor password hygiene threatens a business in more ways than opening up a common attack vector, however. The act of simply managing passwords comes with its own costs. And that price tag is increasing. IT personnel are managing passwords while they could be strengthening their employer’s digital security in other, more meaningful ways.
Why Is Business Password Management Failing?
No one wants to spend their valuable work time managing passwords. But in a way, organizations are locking themselves into this fate. That’s because of the types of password safety rules they’re choosing for their workforce. To be specific, they need to go beyond password policies written with an eye towards security only. They want to prevent account takeover fraud and related data breaches, so they hold their employees to measures such as frequent password changes and special characters.
It’s a good effort, to be sure. But it misses everything we’ve already discussed above. Employees are already reusing essentially the same password across multiple accounts. That’s in part because of these policies. Indeed, requiring users to come up with passwords containing special characters on a regular basis ignores their needs as users. Employees want to do their work with as few complications as possible, so they might be inclined to create passwords with minimal variation that they can remember without slowing down their work.
This conflict between security needs and user needs has not gone unnoticed. In the past few years, the National Institute of Standards and Technology (NIST) recognized how certain password security guidelines were inadvertently contributing to the password reuse problem. That’s why NIST updated its specifications to avoid those ‘traditional’ security suggestions.
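The conflict described above, as an added example that is not part of the original article: a traditional composition-rule check accepts predictable passwords and one-character rotations, while a length-plus-blocklist check in the spirit of NIST SP 800-63B rejects them and accepts a long passphrase. The function names, the tiny blocklist and the sample passwords are constructed for illustration, and the comparison with the previous password is an added assumption, not a NIST requirement.

```python
import re

MIN_LENGTH = 8  # minimum length for user-chosen passwords in NIST SP 800-63B
# Constructed sample; a real deployment would load a breached-password corpus.
BLOCKLIST = {"password", "summer", "welcome", "qwerty"}
# Common character substitutions users apply to satisfy composition rules.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core(pw):
    """Reduce a password to the part the user actually memorises:
    lowercase, drop leading/trailing digits and symbols, undo substitutions."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return s.translate(LEET)


def traditional_policy(pw):
    """Composition rules: length plus upper, lower, digit and special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def modern_policy(pw, previous=None):
    """Length and blocklist only, no composition rules.
    `previous` is the current password the user typed on the change form,
    so it is available in plaintext only for the duration of that request."""
    if len(pw) < MIN_LENGTH:
        return (False, "too short")
    if core(pw) in BLOCKLIST:
        return (False, "blocklisted")
    if previous is not None and core(pw) == core(previous):
        return (False, "variant of previous password")
    return (True, "accepted")


if __name__ == "__main__":
    samples = [("Summer2024!", None), ("P@ssw0rd2024", None),
               ("Harbor#Lantern8", "Harbor#Lantern7"),
               ("violet tractor mends quietly", None)]
    for pw, prev in samples:
        print(f"{pw!r:32} traditional={traditional_policy(pw)!s:5} "
              f"modern={modern_policy(pw, prev)}")
```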
Balancing User Needs with Password Safety Needs
The way forward is for organizations to balance the needs of their users with the demands of their security requirements. To do that, employers need to simplify their business password management processes. Doing so will discourage users from looking for workarounds to policies that complicate their workdays.
The bottom line is, the password doesn’t matter. It’s not the password you need to protect; it’s what’s on the other side of the password that’s worth defending. That could be a critical business account, network access or sensitive data.
With this view, organizations can direct their attention away from the password and towards security measures that are designed to protect what’s really worth defending. Those measures include multi-factor authentication (MFA) and other security best practices.
MFA works well as part of a broader effort to achieve zero trust, a type of architecture where security teams must continually validate connection attempts from accounts and devices. Employers can also require employees to set up MFA with their password managers so that they don’t have to remember all their work credentials going forward.
Organizations can also make login simpler for employees by using single sign-on. This means they don’t need a distinct set of credentials for each of their access needs. Instead, it lets them access everything with a single username and password, thus helping to streamline their workdays.
The Growing Irrelevance of the Password
All the recommendations discussed above capture the irony of modern business password safety — it’s no longer about the password. The sooner organizations can understand this, the sooner they can begin making authentication simpler and upholding their security against an ever-evolving threat landscape.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...