Every time another website is hacked, or another company suffers from a data breach, the same advice crops up in the media and in corporate blogs. Over and over again experts offer lists of all the things companies should do to protect themselves, especially when it comes to employees and their passwords.
After a data breach, we inevitably see advice on how employees should create better passwords, with lists that look like this:
- Don’t use the same password everywhere.
- Don’t share passwords with others.
- Don’t use names, pets’ names, birthdays, or other personal information.
- Use letters, numbers, and symbols.
- Have a different password for every account.
- Store passwords in a safe place away from the computer.
- Change passwords often (every 30, 60, 90 days).
- Make passwords 12, 14, 16 or more characters long.
But the standard advice for fixing passwords is impossible to follow.
This is the standard advice, but it’s ineffective because it’s impossible for an employee to follow it without a tool to do the work for them. And if a company doesn’t have a system for measuring compliance, it’s inevitable that employees will fail to follow the standard password security advice.
Companies are relying on their employees to make their own passwords and to follow best password practices on their own. As long as companies continue with this model, we will continue to see them suffer from massive breaches that severely endanger the personal identities of their customers and employees, and even put the company’s own survival at risk.
Companies are adding to the burden of passwords rather than relieving it.
Statistically, people create very weak passwords. Employees will only do the bare minimum required to create a password. It’s not their fault; it’s the result of an overtaxed memory and an effort to make passwords as usable as possible. This means employees will create passwords that are memorable, shorter, with easy patterns, and likely to be reused between work accounts and personal accounts. They’ll store account information around their desk or the office, they’ll use unsecured Word or Excel documents to store logins, and they’ll leave default passwords like “admin” and “password” in place on critical systems.
In short, employees will never have good password hygiene if a company doesn’t make it easier for them by providing better tools.
Employees need the right password management tools.
By recognizing that the majority of people cannot cope with the requirements of creating passwords that are strong enough, companies can start treating the password problem as a toolset problem, not the employee’s problem.
Think of it this way. Would a company require an employee to build their own lock to secure their office door? Would the company ask an employee to build their own antivirus software to protect their computer from malware? Would the company ask the employee to create their own identity card to securely access the building?
A password is just as essential in protecting valuable information. Because passwords are so commonplace, though, and password fatigue has crept up slowly over the years, many companies have overlooked how critical they are to their security. As a result, they’ve failed to get the right toolset in place to protect their organization, employees, and customers.
The dialog changes when we view passwords from the same angle as we would a lock on a door or antivirus software. Only then can companies recognize that employees need a strong toolkit to build and track passwords for them. A password management system allows an organization to gain control of employee password behavior at all levels. Improved password practices both at work and at home help employees keep all of their accounts and computers better protected overall.
Start helping employees solve the password problem.
So let’s agree to stop blaming employees for their bad password practices, and recognize that the best solution comes with a better toolset. That toolset is a password management system that helps employees effectively create, manage, share and use passwords.
When employees have the right toolset, they can comply with company policy and help the IT team in their security efforts. And by enlisting every employee in the strategy to keep a company’s data safe, companies can better mitigate risk at all levels.
If you want to learn more about how you can be proactive in solving the password problem for your company, consider starting a trial for LastPass Enterprise or attending our introductory webinar to learn how we help organizations manage employee access, optimize day-to-day tasks, and protect critical assets.