6 Mistakes Employees Are Making with Passwords

There’s nothing like a data breach to get a company’s name in the news these days, though likely not the press a brand would prefer. The upward trend in consumer database breaches requires everyone to revisit bad password practices, and get better ones in place, especially in the workplace where businesses stand to lose not only money but also critical assets and consumer trust. Corporate systems are only as secure as their weakest passwords.

Here are 6 mistakes we see employees making with company passwords. If you and your team are avoiding these mistakes, you’re already leagues ahead in protecting your company’s sensitive information.

1. Not systematically recording passwords.

While the proliferation of tools and services has been an immense boon for productivity in the workplace, it’s a nightmare when it comes to tracking logins. Without a system to track accounts and who has access to what, employees will inevitably interrupt others’ workdays trying to track down that information, or call the IT service desk to have passwords reset. Once they start tracking passwords, employees are often surprised to discover just how many accounts they actually have. Without a system, neither employees nor the company know who has access to what, or what they should have access to, let alone how many accounts are in use.

2. Storing passwords where they’re easily accessed.

Once employees do start using a system, be it a paper document, a digital document or a password manager, they have to be able to control who has access to it. Sticky notes posted on monitors or under keyboards, WiFi passwords scribbled across whiteboards that are then televised for the world to see, notebooks left out on desks – all are a potential invitation for someone to tamper with that information. Even browser password managers don’t prompt you to log in by default, leaving any stored passwords exposed and usable. All passwords and accounts should be recorded in one safe place that can be controlled and locked down.

3. Sharing passwords too liberally.

In the spirit of cooperation and collaboration, employees may not think twice about sharing a login, whether it be an account managed by the team or just “temporarily” so that a team member can look into something. But once shared, that password is in the wild. Should a disgruntled employee go rogue, or leave the company and still have access to those accounts, there’s a potential for damage to be done either to the brand or to customer data.

4. Not separating work passwords from personal ones.

Password reuse continues to be a problem, as employees struggle to keep track of dozens of passwords and fall back on a system that makes them easier to remember. But by using the same password on a personal account as on a work account, an “insignificant breach” like that of an online retail account could lead to a very significant breach of a work account. By using a unique password for every site, whether work or personal, employees would eliminate this risk.

5. Logging in to corporate accounts on unsecured networks or devices.

Did you know that some 70% of employees access corporate data from a personal smartphone or tablet? Work and personal life are more integrated than ever, and as the number of devices used in the workplace and at home proliferates, employees want access to their services where they want it, when they need it. There’s less distinction now between “company-only” and “personal-only”. Given that reality, employees may be exposing corporate accounts to risk through poor password hygiene across their accounts and devices.

6. Meeting the bare minimum password requirements.

It’s well known that password length and password complexity (the combination of several different character types into random sequences) are the most important factors in creating “uncrackable” passwords. Because most password requirements are onerous and employees are primarily concerned with just remembering their passwords, they default to the absolute bare minimum of the requirements to make it easiest on themselves. We don’t fault the employees – without tools that help them create better, stronger passwords and then remember those passwords for them, they’ll be stuck in the same old pattern.
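As an added illustration (not part of the original post or of any LastPass code), the Python below puts numbers on the length-versus-complexity claim. It measures a password’s search space under the usual assumption that an attacker knows which character classes were used, flags which sample passwords merely satisfy a constructed 8-character / 3-class policy, and shows that a 16-character all-lowercase string has a larger keyspace than an 8-character string drawn from all four classes. The sample passwords, the policy thresholds and the guess rate of 10 billion per second are constructed assumptions, and the bit count is an upper bound that only holds for randomly generated passwords, which is the reason the post recommends a tool rather than a rule.

```python
import math
import string

# Character classes a typical corporate policy recognises.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "symbol": string.punctuation,      # 32 characters
}


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search if they know which classes are in use."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(alphabet size).

    The bound is only reached by passwords chosen uniformly at random over the
    alphabet; a human-chosen 'Summer17' is far weaker than its bits suggest.
    """
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def meets_policy(password: str, min_length: int, min_classes: int) -> bool:
    """A minimal 'complexity' policy of the kind the article describes (constructed)."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(candidates, guesses_per_second=1e10):
    """Return (label, length, class count, bits, years) for each (label, password) pair."""
    rows = []
    for label, pw in candidates:
        bits = keyspace_bits(pw)
        rows.append((label, len(pw), len(classes_used(pw)), round(bits, 1),
                     years_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Constructed samples: each one passes an 8-char / 3-class policy in a
    # different way; the first is the 'bare minimum' employees tend to pick.
    samples = [
        ("bare minimum (8 chars, 3 classes)", "Summer17"),
        ("long, lowercase only (16 chars)", "vjqzplmrkwtxbngd"),
        ("long and complex (16 chars, 4 classes)", "R7#kq2Lp!vX9mT4z"),
    ]
    for label, length, n_classes, bits, years in compare(samples):
        ok = meets_policy(dict(samples)[label], 8, 3)
        print(f"{label:40s} policy={ok!s:5s} len={length:2d} classes={n_classes} "
              f"bits={bits:5.1f} years@1e10/s={years:.3g}")
```

The output makes the post’s point concrete: the bare-minimum password exhausts in well under a day at the assumed rate, while simply doubling the length, even with no extra character classes, adds more bits than any amount of complexity at eight characters can.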

What’s a company to do?

Half the battle in correcting these behaviors is providing tools and systems that not only encourage the behavior you want to see, but also make it easy on employees. Only by deploying company-wide password management that empowers the employee to take action will they be able to stop making the mistakes above.

Interested in learning more about a solution for your team? Check out LastPass Enterprise: https://LastPass.com/Enterprise


  • Anonymous says:

    This may lead to something else, but because at Berkeley “they” have found also LastPass – not secure…
    “At the Usenix Security Symposium in San Diego” – is for who govern the LastPass software. I hope this threat is noted; at the moment I am not sure about being safe anymore.

    • Anonymous says:

      I’m not dumping LastPass, that’s for sure. This whole issue, that was fixed already 9 months ago, was discussed on GRC’s Security Now! podcast #464 on YouTube/TwitTV and GRC’s website. For those wondering about this or concerned, next week’s podcast #465 on Tuesday July 22nd will be revisiting password managers and talking about LastPass. Security Now is live on TwitTV on Tuesdays, 1:00 p.m. Pacific, 4:00 p.m. Eastern time, 2000 UTC. The podcast is posted later in the day on their YouTube channel and on GRC.com’s website.

  • Kevin Tuttle says:

    Also, for companies that require passwords, especially banking websites, stop “limiting” passwords. There’s no design reason whatsoever to require a password to be *less than* 12 characters.

    • Anonymous says:

      Someone please tell Virgin Mobile that. Their website limits you to 6.

    • Anonymous says:

      Oy. I have a bank account that limits you to 8. Which is scary for a bank. I even e-mailed them to explain why there was no reason for that limit and how 8 characters should be the MINIMUM. Their response? “We make you change your password every 90 days, so 8 characters is plenty”. Yikes! Who are these people?!

  • And, people have multiple applications with multiple servers (for which there is no LastPass plugin) that have crazy stupid password restrictions and also force you to change your passwords monthly.

    LastPass is a saviour, but at times one cannot always easily use it…

  • Gryzor says:

    Password at boot, Windows password, VPN password, application passwords for the project. One laptop per project – you see where this is going. Result? Everyone keeping a post-it note with passwords underneath the laptop. There.

    • Anonymous says:

      And that is why you have LastPass to store all your passwords, except your boot and Windows password of course. The biggest problem we have is people setting really easily guessable passwords on externally accessible sites (some are just the company’s name in lower case).