Bad Passwords Are Not the Employee’s Fault

Every time another website is hacked, or another company suffers from a data breach, the same advice crops up in the media and in corporate blogs. Over and over again experts offer lists of all the things companies should do to protect themselves, especially when it comes to employees and their passwords.

After a data breach, we inevitably see advice on how employees should create better passwords, with lists that look like this:

  • Don’t use the same password everywhere.
  • Don’t share passwords with others.
  • Don’t use names, pet’s names, birthdays, and other personal information.
  • Use letters, numbers, and symbols.
  • Have a different password for every account.
  • Store passwords in a safe place away from the computer.
  • Change passwords often (every 30, 60, 90 days).
  • Make passwords 12, 14, 16 or more characters long.

But the standard advice for fixing passwords is impossible to follow.

This is the standard advice, but it’s ineffective because it’s impossible for an employee to follow it without a tool to do the work for them. And if a company doesn’t have a system for measuring compliance, it’s inevitable that employees will fail to follow the standard password security advice.

Companies are relying on their employees to make their own passwords and to follow best password practices on their own. As long as companies continue with this model, we will continue to see them suffer from massive breaches that severely endanger the personal identities of their customers and employees, and even put the company’s own survival at risk.

Companies are adding to the burden of passwords rather than relieving it.

Statistically, people create very weak passwords. Employees will only do the bare minimum required to create a password. It’s not their fault; it’s the result of an overtaxed memory and an effort to make passwords as usable as possible. This means employees will create passwords that are memorable, shorter, with easy patterns, and likely to be reused between work accounts and personal accounts. They’ll store account information around their desk or the office, they’ll use unsecured Word or Excel documents to store logins, and they’ll leave default passwords like “admin” and “password” in place on critical systems.

In short, employees will never have good password hygiene if a company doesn’t make it easier for them by providing better tools.

Employees need the right password management tools.

By recognizing that the majority of people cannot cope with the requirements of creating passwords that are strong enough, companies can start recognizing that the password problem is a toolset problem, not the employee’s problem.

Think of it this way. Would a company require an employee to build their own lock to secure their office door? Would the company ask an employee to build their own antivirus software to protect their computer from malware? Would the company ask the employee to create their own identity card to securely access the building?

A password is just as essential in protecting valuable information. Because passwords are so commonplace, though, and password fatigue has crept up slowly over the years, many companies have overlooked how critical they are to their security. As a result, they’ve failed to get the right toolset in place to protect their organization, employees, and customers.

The dialog changes when we view passwords from the same angle as we would a lock on a door or antivirus software. Only then can companies recognize that employees need a strong toolkit to build and track passwords for them. A password management system allows an organization to gain control of employee password behavior at all levels. Improved password practices both at work and at home help employees keep all of their accounts and computers better protected overall.

Start helping employees solve the password problem.

So let’s agree to stop blaming employees for their bad password practices, and recognize that the best solution comes with a better toolset. That toolset is a password management system that helps employees effectively create, manage, share and use passwords.

When employees have the right toolset, they can comply with company policy and help the IT team in their security efforts. And by enlisting every employee in the strategy to keep a company’s data safe, companies can better mitigate risk at all levels.

If you want to learn more about how you can be proactive in solving the password problem for your company, consider starting a trial for LastPass Enterprise or attending our introductory webinar to learn how we help organizations manage employee access, optimize day-to-day tasks, and protect critical assets.


  • Phil H says:

    My employer, in order to implement SSO across many systems, some being mainframes with 8-position password length restrictions, actually forced a weakest-link situation across all systems rather than just the old legacy systems.

  • Anonymous says:

    Amber, thanks for posting this. My employer has blocked all extensions and cookies from Google Chrome, which makes it very difficult to use LastPass to retrieve my passwords. As a result, I have been slowly changing my work-related passwords to easier-to-remember, less secure ones. They claim blocking Google Chrome extensions is more secure, but given that most hacks seem to be password related, and this causes me to use less secure passwords, I think they are making us less secure.

    • Amber Gott says:

      Thanks! Though I’m sure they have their reasons, this seems especially counterproductive if they’re not providing in-house solutions to address the password problem. Companies should be empowering employees to use the strongest passwords possible. Hopefully there may be an opportunity for you to suggest a solution – or at least share this post!

    • Ben says:

      Your IT Dept should at least refer to an extensions whitelist in group policy. Fine if they don’t want to allow every extension, but they could easily allow for important ones like LastPass.

    • Anonymous says:

      I tried to address this issue in my company nearly a year ago. We are a huge international company with a few thousand internal user accounts. We are using Firefox with blocked extensions, we have an internal app store with specially prepared installations of whitelisted software, and stuff like that. When I suggested using LastPass Enterprise it went a long way through our workflow and it got decided not to allow it, because we (the company) don’t want to trust another company with our passwords (because of security for our passwords we do not want to support our users with switching their really bad passwords, somehow ironic, right?). But because I had already suggested a far less comfortable alternative solution which runs locally and can sync the password databases of every user to his private network drive, we are now using this one. Sadly it never was really promoted or enforced, so not everybody uses it, but the people who use it are happy with it because they feel much more comfortable using passwords. Because even with the easy ones they often were afraid to forget them.

      So, if this kind of “promotion” for alternative software is totally not allowed here, a moderator/admin can delete this part of the comment: We are now using KeePass. It is not as handy as LastPass, lacks many comfort functions and has a few other problems compared to LastPass, but the passwords are secure and the tool does its job. I’d suggest any company that has no “trust issues” or has no “we need to save money everywhere we can even if it would pay off” attitude to use LastPass or ideally LastPass Enterprise. But if your company has them you can suggest KeePass.