On any given workday, in addition to personal accounts, an average employee might log in to dozens of accounts, resources and applications to do their job. In our latest blog post we give some advice on how to avoid password fatigue.
Why we can all suffer with password fatigue
Hopefully your employees are following some strong password recommendations: each password should be unique, must not match the username, must be of a certain length and contain a variety of characters (a mix of upper- and lowercase letters, numbers and special characters), must not have been used before, must be changed every 30 days, and so on. Further complexity is added by the advice not to reuse a password across accounts, not to write passwords down, not to store them on shared devices, and not to use easily identifiable data such as a child’s or pet’s name.
It’s not surprising that the average person is thought to have 100 passwords (source: Nordpass), and this will have increased further as a result of home working and digital collaboration driven by the pandemic, potentially to as many as 191 passwords (source: LastPass).
And when you consider all the offline activity, such as PINs and security codes that need to be remembered, it’s easy to see why so many people get in a pickle with their passwords.
Individuals are experiencing password fatigue: they simply don’t have the bandwidth to create, manage, remember and maintain strong passwords for so many accounts, apps, devices and uses.
And how many of us go on holiday and come back refreshed, but with a totally blank mind about our logins? We’ve all been there, right?!
Research states that individuals spend on average just over 12 minutes every week entering or resetting passwords; that’s nearly 11 hours a year (source: Yubico/Ponemon Institute). Add in the cost of IT support and system administrators helping users regain access to locked accounts and it all adds up.
To combat password fatigue, individuals don’t always follow all of the strong password rules; they naturally find workarounds: typically reusing passwords across multiple work and personal accounts, sharing passwords with team members, writing them down and so on.
However, in doing so they increase the risk of a cyber breach. What’s astonishing is that nearly 60% of people who have already been scammed in phishing attacks still haven’t changed their passwords (source: First Contact).
So how can organisations help their employees in dealing with password fatigue whilst ensuring good password hygiene?
Tools to boost password security and beat password fatigue
There are a number of tools and strategies that we advise to boost the password security within your organisation:
Make staff aware – With over 90% of security incidents caused by lack of staff awareness, it’s essential that you provide ongoing cyber awareness training to all staff to improve their password behaviour and change habits. Our behaviour-driven security awareness training platform enables you to deliver frequent and targeted cyber security awareness training and testing based on the specific behaviours of each individual employee, so you can continually improve the effectiveness of your human firewall. Get in touch if you would like to sign up for a free trial.
Use multi-factor authentication – You might think this adds more complexity and friction for team members; however, MFA can be as simple as pushing a notification to an employee’s phone asking them to accept or deny the login. What’s more, with two-factor authentication, any password previously leaked in a breach can’t be used by an attacker to access an account without that second form of authentication.
Use three random words – The National Cyber Security Centre (NCSC) suggests using a three-word system to create passwords that are easy to remember. Whilst it’s not 100% safe, since people might use predictable word combinations, a major advantage of the system is its usability, “because security that’s not usable doesn’t work”. Test it out on password strength tools for peace of mind, and where possible layer up with MFA to counter the risk of hackers guessing the three words.
Check if your password has been involved in a data breach – Use sites such as https://haveibeenpwned.com/ to see if your email and password credentials have been involved in a breach, and if they have, change them straight away.
Use tools to check password strength – Test out your password on tools such as https://www.passwordmonster.com/, and use https://random-ize.com/how-long-to-hack-pass/ to see how long it would take to crack your password. Of course these tools have limitations: they don’t know if the password has been used elsewhere, and they can’t tell if you are using easily obtainable personal information, such as your favourite football team.
Sign up to password management tools – Alleviate the pain of creating and remembering numerous passwords by using a Password Manager so staff can generate and store strong passwords securely and synchronise use across different accounts and devices.
Be ready for passwordless authentication solutions – Biometric scans of fingerprints and facial ID are becoming more common as login and unlock methods; however, they do come with vulnerabilities, and cyber criminals work quickly to exploit any weaknesses. Using biometrics alongside MFA strengthens the layers of authentication and security.
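As an added example (not code from the original post or from Infosec Partners), the script below combines the “three random words” advice with the breach check: it picks words from a list with a cryptographic random source, estimates the guessing entropy against a list of a given size, and checks a candidate against the Have I Been Pwned Pwned Passwords range API using its k-anonymity scheme, in which only the first five characters of the password’s SHA-1 hash are sent and the full hash never leaves the machine. The word list, the sample range response and the breach counts in it are constructed for the demonstration; the live lookup function is included but is not called by default.

```python
import hashlib
import math
import secrets
import urllib.request
from typing import Callable, List, Tuple

# Constructed word list for the demonstration. A real deployment would use a
# large published list (the EFF long list has 7,776 words), which is the size
# the entropy estimate below assumes.
DEMO_WORDS: List[str] = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
    "harbour", "island", "jigsaw", "kettle", "lantern", "meadow", "needle",
]

# Constructed sample of what the range endpoint returns for prefix 5BAA6:
# one "SUFFIX:COUNT" line per hash sharing that prefix. The second line is the
# real SHA-1 suffix of the word "password"; the counts are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4242
2F5A8D3E7C1B9E0F4A6D8C2B1E3F5A7C9D0:1
"""


def three_random_words(words: List[str], count: int = 3, sep: str = "-") -> str:
    """Build an NCSC-style passphrase. secrets.choice uses the OS CSPRNG, so the
    words are not the predictable combinations a person tends to pick by hand."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size: int, count: int = 3) -> float:
    """Guessing entropy when the attacker knows the list and the scheme:
    log2(size ** count). For 7,776 words and three picks this is about 38.8 bits."""
    return count * math.log2(wordlist_size)


def sha1_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to the
    API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the prefix reaches fetch_range; matching is local."""
    prefix, suffix = sha1_prefix_and_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API, backed by the constructed response above."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch_range(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (needs network; not called by
    default). The service asks that clients send a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    phrase = three_random_words(DEMO_WORDS)
    print(f"candidate passphrase: {phrase}")
    print(f"entropy with a 7,776-word list: {passphrase_entropy_bits(7776):.1f} bits")
    for candidate in ("password", phrase):
        seen = breach_count(candidate, fake_fetch_range)
        status = f"seen {seen} times in breaches" if seen else "not in the sample data"
        print(f"{candidate!r}: {status}")
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service. The point of the prefix split is the contrast with pasting a password into a third-party strength checker: with the range API the server only ever learns a five-character hash prefix shared by hundreds of other passwords, so the check reveals nothing usable even if the response is observed.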
Not sure where to start?
Expert support is available from Infosec Partners. We can work with you to strengthen your cyber security defences. Our cyber security team have extensive knowledge, experience and specialist solutions to help your organisation be as secure as it can be.
We utilise enterprise password management platforms and privileged access management systems to manage all passwords across an organisation. We also perform searches of the deep and dark web to identify leaked or breached credentials.
Please contact us if you would like a demo of our solutions or to know more about the cyber security services we offer.