Jul 14, 2014

6 Mistakes Employees Are Making with Passwords

There’s nothing like a data breach to get a company’s name in the news these days, though likely not the press a brand would prefer. The upward trend in consumer database breaches requires everyone to revisit bad password practices, and get better ones in place, especially in the workplace where businesses stand to lose not only money but also critical assets and consumer trust. Corporate systems are only as secure as their weakest passwords.

Here are 6 mistakes we see employees making with company passwords. If you and your team are avoiding these mistakes, you’re already leagues ahead in protecting your company’s sensitive information.

1. Not systematically recording passwords.


While the proliferation of tools and services has been an immense boon for productivity in the workplace, it’s a nightmare when it comes to tracking logins. Without a system to track accounts and who has access to what, employees will inevitably end up interrupting others’ workdays to track down that information or calling the IT service desk to have passwords reset. Once they start to track passwords, employees are often surprised to discover just how many accounts they actually have. Without a system, neither the employees nor the company can know who has access to what or what they should have access to, let alone quantify how many accounts are in use.

2. Storing passwords where they’re easily accessed.


Once employees do start using a system, be it a paper document, a digital document, or a password manager, they have to be able to control who has access to it. Sticky notes posted on monitors or under keyboards, WiFi passwords scribbled across whiteboards that are then televised for the world to see, notebooks left out on desks - all are a potential invitation for someone to tamper with that information. Even browser password managers don’t prompt you to log in by default, leaving any stored passwords exposed and usable. All passwords and accounts should be recorded in one safe place that can be controlled and locked down.

3. Sharing passwords too liberally.


In the spirit of cooperation and collaboration, employees may not think twice about sharing a login, whether it be an account managed by the team or just “temporarily” so that a team member can look into something. But once shared, that password is in the wild. Should a disgruntled employee go rogue, or leave the company and still have access to those accounts, there’s a potential for damage to be done either to the brand or to customer data.

4. Not separating work passwords from personal ones.


Password reuse continues to be a problem, as employees struggle to keep track of dozens of passwords and create a system that makes them easier to remember. But when employees use the same password on a personal account as they do on a work account, an “insignificant breach” like that of an online retail account could lead to a very significant breach of a work account. By using a unique password for every site, whether work or personal, employees would be able to eliminate this risk.

5. Logging in to corporate accounts on unsecured networks or devices.


Did you know that some 70% of employees access corporate data from a personal smartphone or tablet? Work and personal life are more integrated than ever, and as the number of devices used in the workplace and at home proliferates, employees want access to their services where they want it and when they need it. There’s less distinction now between “company-only” and “personal-only”. Given that reality, employees may be exposing corporate accounts to risk through poor password hygiene across their accounts and devices.

6. Meeting the bare minimum password requirements.


It’s well known that password length and password complexity (the combination of several different character types into random sequences) are the most important factors in creating “uncrackable” passwords. Because most password requirements are onerous and employees are primarily concerned with just remembering them, they will default to the absolute bare minimum of the requirements in order to make it easiest on themselves. We don’t fault the employees - without tools to help employees create better, stronger passwords, and then remember those passwords for them, they’ll be stuck in the same old pattern.

What’s a company to do?


Half the battle in correcting these behaviors is providing tools and systems that not only encourage the behavior you want to see, but also make it easy on employees. Only when a company deploys company-wide password management that empowers employees to take action will they be able to stop making the mistakes above.

Interested in learning more about a solution for your team? Check out LastPass Enterprise: https://LastPass.com/Enterprise