Privacy Advisor

How To Change Employees’ Poor Password Habits

January 28, 2014

By Joe Ross

Password reuse across multiple websites and company logins is a major weak link in a company's security. In a survey CSID conducted in 2012 on password habits, we found that 61 percent of respondents reused the same password on multiple sites, and 44 percent changed their passwords once a year or less. Employee password reuse adds a layer of risk for businesses, especially when a major enterprise is hacked: an employee password exposed in another company's data breach can be used to log in to your own systems. Attackers routinely take the e-mail address and password pairs from one breach and try them against other sites, so if an employee has reused a work password on a site that has been breached, your company is exposed. A breach today affects more than the company that was breached; it can affect your business and many others.

While poor passwords are a root cause of some data breaches, the habit itself is usually negligence rather than malicious intent. Employees are typically unaware of the risk of using the same password across multiple sites, or of choosing a password that an attacker can easily guess. These behaviors directly affect a company's security: in its 2013 Cost of Data Breach Study, the Ponemon Institute found that 35 percent of data breaches were caused by negligent employee or contractor behavior.

So what can your business do to change employees’ poor password habits, reduce data breach risk and mitigate the impact when other sites are breached? Here are some best practices to consider using at your business:

1. Educate employees. Employees are likely unaware that their password habits could put their company at risk. In fact, 89 percent of the people we surveyed felt secure with their current password management and use habits, despite infrequent password updates and reuse of passwords across multiple websites. Educate employees on why and how poor password practices lead to identity theft and data breaches. Let employees know that they should never use their work passwords on personal websites, and encourage them not to keep passwords in an unsecured document on their computer; a password manager is the safer place for them.

2. Require long, complex passwords. The longer and more varied an employee's password, the more guesses an attacker needs to crack it. LifeHacker shared a table showing how long it takes to crack a password depending on its length and the variety of characters used: at the guess rate that table assumes, a password of eight lowercase letters falls in under three days, while eight characters drawn from upper- and lowercase letters, digits and symbols takes more than two centuries. Those figures depend entirely on the guess rate. An attacker who has stolen a database of password hashes and cracks them offline on GPU hardware guesses many orders of magnitude faster, and real cracking tools try dictionary words and common patterns first, so human-chosen passwords fall far sooner than exhaustive search suggests. Length adds more strength than character variety does. Require employees to create long passwords that also include uppercase letters, numbers and symbols, and store them with a slow, salted hash such as bcrypt so that a stolen hash database is expensive to crack.
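The calculation behind a table like LifeHacker's, as an added example that is not part of the original article: it computes the password keyspace for each character set and the worst-case time to search it at several guess rates. The guess rates are assumed orders of magnitude chosen for the example, not figures from the article or from LifeHacker; the 10^6 guesses-per-second row reproduces the article's "under three days" and "more than two centuries" numbers, and the other rows show how much those change for an offline attacker or a slow hash.

```python
"""Brute-force search time for a password as a function of length,
character-set size and the attacker's guess rate (added example)."""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabet sizes for the character classes discussed in the text.
CHARSETS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "lowercase+uppercase+digits": 62,
    "all printable ASCII": 95,
}

# Assumed guess rates (guesses per second). These are illustrative orders of
# magnitude for the example, not measurements from the article or LifeHacker.
GUESS_RATES = {
    "online login, rate-limited": 1e1,
    "rate implied by the LifeHacker table": 1e6,
    "offline, slow salted hash (bcrypt)": 1e4,
    "offline, fast unsalted hash on GPUs": 1e10,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this shape at `rate` guesses/s.
    The expected time for a uniformly random password is half of this, and a
    dictionary or pattern attack on a human-chosen password is far shorter."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def crack_table(length: int) -> dict:
    """Exhaustive-search seconds for every (charset, rate) pair at one length."""
    return {
        (charset, rate_name): seconds_to_exhaust(size, length, rate)
        for charset, size in CHARSETS.items()
        for rate_name, rate in GUESS_RATES.items()
    }


if __name__ == "__main__":
    for length in (8, 12):
        print(f"\n{length}-character passwords")
        for (charset, rate_name), secs in crack_table(length).items():
            print(f"  {charset:28} {rate_name:38} {human(secs)}")
```

Running it shows the point made above: eight printable-ASCII characters that take centuries at 10^6 guesses per second fall in about a week at 10^10, while twelve lowercase letters have a larger keyspace than eight characters from the full printable set.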

3. Notify employees of other companies' breaches. When Adobe was breached in late 2013, other companies told their own customers to change passwords. Eventbrite, for example, cross-checked its users' e-mail addresses against those compromised in Adobe's breach, then e-mailed the affected users and encouraged them to update their passwords. Businesses should take note and inform employees of any major breach that could affect the security of their company. Ask employees to change their passwords after a major data breach, in case one of them has reused a work password on the breached company's site; a match on e-mail address alone cannot tell you whether the password was reused, which is why the reset is worth requiring regardless. This practice also helps employees connect the dots on why they should not reuse passwords across sites.
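The cross-check Eventbrite is described as performing, as an added example that is not Eventbrite's or CSID's code: a user directory is matched against the addresses from a third-party breach after normalizing both sides, comparing SHA-256 digests so that only digests of the dump need to be retained, and every match is flagged for notification and a forced reset. The user records, the breach list and the breach date are constructed sample data for the example; the "reset since breach" flag is a prioritization heuristic assumed here, not a rule from the article.

```python
"""Match a user directory against addresses from a third-party breach and
produce the notify / force-reset list (added example, constructed data)."""

import hashlib
import unicodedata

# Constructed sample directory; not real users.
USERS = [
    {"id": 101, "email": "Alice.Smith@Example.com", "last_reset": "2013-01-15"},
    {"id": 102, "email": "bob@example.com", "last_reset": "2013-11-02"},
    {"id": 103, "email": "carol@example.net", "last_reset": "2012-06-30"},
    {"id": 104, "email": " dave@example.org ", "last_reset": "2013-10-01"},
]

# Constructed sample of how addresses arrive in a dump: inconsistent case
# and whitespace, and addresses that are not in your directory at all.
BREACH_DUMP = [
    "ALICE.SMITH@example.com",
    "BOB@EXAMPLE.COM ",
    "eve@elsewhere.example",
]

# Assumed date the third-party breach became known (ISO format so that
# string comparison orders dates correctly).
BREACH_DATE = "2013-10-03"


def normalize_email(addr: str) -> str:
    """Canonical form applied to both sides before comparing."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def email_digest(addr: str) -> str:
    """SHA-256 of the normalized address; lets you keep digests of the dump
    rather than the dump itself once the comparison is done."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def breach_digests(dump) -> set:
    return {email_digest(a) for a in dump}


def affected_users(users, dump, breach_date) -> list:
    """Users whose address appears in the dump, with the action to take.
    Every match is notified and forced to reset, because an e-mail match says
    nothing about whether the password was reused; the date flag only marks
    who has already changed their password since the breach became known."""
    digests = breach_digests(dump)
    matches = []
    for u in users:
        if email_digest(u["email"]) in digests:
            matches.append({
                "id": u["id"],
                "email": normalize_email(u["email"]),
                "action": "notify+force_reset",
                "reset_since_breach": u["last_reset"] > breach_date,
            })
    return matches


if __name__ == "__main__":
    for m in affected_users(USERS, BREACH_DUMP, BREACH_DATE):
        print(m)
```

The normalization step matters: without it, "Alice.Smith@Example.com" and "ALICE.SMITH@example.com" are different strings and the most-at-risk users are silently missed.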

4. Monitor employee credentials. A monitoring service can alert employees when their personal information turns up in a compromise, giving them a chance to change their passwords or login details before the information is used for data theft. Credential monitoring also brings employees into the security monitoring process: they take responsibility for protecting their own personal data and learn to watch for other compromised data and suspicious activity.

5. Implement two-factor authentication. Consider requiring two-factor authentication for online accounts. Two-factor authentication verifies identity with two of these three kinds of information: something the employee knows (a password or the answer to a personal question), something the employee has (a mobile device) and something the employee is (a fingerprint or voiceprint). A data thief who has obtained a reused password from another site's breach still needs the second factor, and getting hold of an employee's phone, finger or voice is much more involved than replaying a leaked password, which makes two-factor authentication well suited to securing company data.

Employees can practice safer password habits once they know the steps to take. Most employees have the best intentions about staying secure, even if their password habits suggest otherwise. Help them change those habits through education, consistently enforced security policies and credential monitoring. New habits will replace the old and, in turn, better protect your employees' credentials and your company's data.

Joe Ross is the president and co-founder of CSID.