A new month is upon us, which means two things. First, your 30-day password may have just expired, and you’ll need to come up with a new one so you can get back on your company network. Before you change that last digit from “3” to “4” and move on, hear us out. Because second, October happens to be Cybersecurity Awareness Month — a month-long effort to raise awareness about the importance of strong cybersecurity practices — and the perfect time to rethink that password.
As digital citizens, we each have a responsibility to protect our corner of cyber space. And especially as the lines between work and home have long since blurred, how we prove we are who we say we are is an important part of that.
In most cases, we “verify” our identities with a password, whether it’s to check a bank account balance, shop online or access work-related applications and systems. But often, these passwords get used in multiple places (after all, you can’t forget your Netflix password if you use the same one to check your work email). But, of course, this is a big problem. Cyber criminals know these dirty little password secrets and target weak passwords as an easy way to steal information and even get rich quick.
Instead of just resetting that password in front of you, here are seven reasons why it may be time for your company to lose it altogether:
1. Most people are terrible at selecting strong passwords. Each of us has an average of 85 passwords between work and personal accounts, and honestly, who has the time to remember all that!? So when it comes time to reset an expiring password, most people simply replace one digit with another, completely negating the intended purpose of the mandatory reset (NIST advises against regular mandatory password resets for this very reason). And while most security teams go out of their way to recommend tips and tricks for complex and unique passwords, many employees fail to follow this advice. Even when people do follow best practices, risky habits like saving credentials in browsers, resorting to Excel sheets or post-it notes or re-using passwords at work and home are as common as you’d think.
2. Password and credential theft happen all the time. It’s easy for attackers to steal or crack credentials — so they keep doing it, using common methods like phishing and impersonation. There’s a whole body of research on the mathematics of password cracking, and the odds are definitely not in your favor. In fact, the 2021 Verizon Breach Investigations Report found that a whopping 80% of hacking-related breaches can be linked to stolen or brute-forced credentials.
3. Password issues are a productivity suck for you and your company’s IT help desk team. Every time you get locked out of an account or can’t access a work resource, you lose valuable time. You must call your IT help desk team, who likely has to reset the password or help you get the access you need to do your job. Our team made some simple calculations to come up with a dollar amount for the lost time spent resolving password issues: an enterprise of 1,000 employees spends about $495,000 annually. Instead of focusing on important business tasks, employee productivity plummets while IT help desk managers pull longer shifts to address access issues and deal with (understandably) frustrated end-users.
4. Password managers are only a first line of defense. Having dedicated password managers can be a helpful way to protect your personal passwords by eliminating the need to memorize credentials or store them in a browser. But they’re not foolproof, especially if you’re re-using the same passwords for home and work. They also don’t provide adequate coverage in corporate environments, where many different users need many different levels of system access. Password managers can’t manage who gets access to what sensitive resources and for how long. Meanwhile, IT teams have limited visibility into access-related events, creating security gaps and risk exposure.
5. Comfort and confidence in passwordless authentication methods are growing. Getting prompted repeatedly to reauthenticate your password gets old quickly. This “security fatigue” leads many people to look for ways of bypassing or ignoring authentication systems. It’s also why 86% of senior security executives say user experience optimization is “important” or “very important” when it comes to authentication. The good news is people are open to trying out new passwordless methods to protect both their personal accounts and their companies’ sensitive data. Specifically, the 2021 Experian Global Identity & Fraud Report found that consumers have an increasing level of comfort and preference for physical biometric authentication methods (e.g., facial recognition and fingerprints) as well as behavior-based authentication methods (e.g., passively observed signals that require no effort from the user).
6. Technology has come a long way. Innovations like machine learning are helping to minimize common passwords annoyances by eliminating excess login requests. Meanwhile, adaptive Single Sign-On (SSO) tools are helping employers overcome security challenges associated with traditional passwords and automate manual access granting processes that can bog down IT help desk teams. With this approach, they can analyze user and device context to determine whether the access request is “normal.” The system should know, for instance, if the user is attempting to access a database not usually accessed as part of their day-to-day activities or if a device is in a different city than usual. If the context is abnormal, the system adapts controls such as requesting reauthentication or adjusting the level of access. Analytics can help minimize friction by putting up gates only when necessary, based on a risk score.
7. Most people are ready to make a change. According to Ponemon Institute research, a majority of IT security practitioners and business users (55%) would prefer a method of account protection that doesn’t involve passwords. And lots of individuals and employers alike are getting on board: Microsoft data shows that 150 million people are already using passwordless logins each month.
To learn more about how passwordless authentication can help protect your own digital identity while helping your company secure critical assets and boost its bottom line, explore our infographic below. And check back soon for week two of Cybersecurity Awareness Month, when we’ll dig into some simple ways to “fight the phish.”