Password Reuse is Rife and Security Awareness Training Has Little Effect

An overwhelming majority of employees are aware of what constitutes a strong password, but 53% of employees do not always set a strong password to protect their accounts. When it comes to setting unique passwords for all accounts, even fewer employees adhere to the best practice, according to a survey recently conducted by My1login on 1,000 employees and 1,000 business leaders. 62% of employees said they reuse personal passwords for their business accounts or vice versa.

Healthcare employees were the worst when it comes to password reuse, with 94% of surveyed healthcare employees admitting to reusing passwords across multiple accounts, with similarly high numbers of employees in education (91%) and the public sector (83%) reusing passwords. These three verticals also rated the highest for use of personal passwords for business applications, with education coming top (75%) followed by healthcare (68%) and the public sector (61%). Across all industry sectors, 87% of employees said they reused passwords across business applications.

Password reuse is a security risk. If a password is used for multiple accounts and one of those accounts is compromised, an attacker could use the same password to access all other user accounts that share the same password. The risk increases further when there is password reuse across personal and business accounts. Security teams have no visibility into personal accounts and they tend to be less well protected than business accounts, so there is greater potential for those passwords to be compromised.
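One control that follows directly from this risk is to screen a new password, at the moment it is set, against a corpus of passwords already exposed in breaches, so that a password compromised on one site cannot be adopted on another. The example below is added here and is not part of the original article or My1login's product; the breach corpus is constructed for illustration, and the index layout (SHA-1 hashes bucketed by their first five hex characters) follows the k-anonymity range-query scheme used by the public Pwned Passwords service, so that only a hash prefix would ever need to leave the client if this were pointed at a real service.

```python
import hashlib

# Constructed breach corpus: plaintexts assumed to have leaked from some
# third-party site. A real service never stores these; it serves hashes.
LEAKED_PLAINTEXTS = ["Summer2023!", "password1", "Welcome123"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range index uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Bucket leaked hashes by their 5-hex-char prefix.

    A client querying such an index sends only the prefix (20 bits), so the
    service learns little about the candidate password (k-anonymity).
    """
    index = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_range_index(LEAKED_PLAINTEXTS)


def range_prefix(candidate: str) -> str:
    """The only piece of data a client would transmit for a lookup."""
    return sha1_hex(candidate)[:5]


def is_compromised(candidate: str, index=BREACH_INDEX) -> bool:
    """True if the candidate's full hash appears in the breach index."""
    digest = sha1_hex(candidate)
    return digest[5:] in index.get(digest[:5], set())


def screen_new_password(candidate: str, index=BREACH_INDEX):
    """Password-set-time policy hook: reject anything already breached.

    Returns (accepted, reason). Other policy rules (length, blocklists)
    would be layered on top; only the breach check is shown here.
    """
    if is_compromised(candidate, index):
        return False, "password appears in a known breach corpus"
    return True, "ok"


if __name__ == "__main__":
    # An employee trying to reuse the password from a breached personal
    # account for a business account is stopped before the reuse happens.
    for pw in ["Summer2023!", "correct-horse-battery-staple"]:
        ok, why = screen_new_password(pw)
        print(f"{pw!r}: accepted={ok} ({why}); prefix sent={range_prefix(pw)}")
```

Screening at password-set time is cheap and catches exactly the reuse case the text describes: the personal account was breached, the dump circulates, and the employee tries to keep using the same password at work.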

The survey suggests security awareness training has little effect on password security. Before receiving training, 91% of employees said they reused passwords across multiple accounts; after training, the figure fell only to 85%. Employees who had received a lot of cybersecurity training reused passwords less still, but not by much: the share fell only to 78%.

One of the main reasons password reuse occurs is that it is difficult for people to create and remember strong passwords, especially now that so many passwords need to be created. 84% of surveyed employees said they were frustrated with their organization’s password requirements, so it is no surprise that security shortcuts are taken.

There are two solutions that address the problem and improve security. My1login offers a solution that takes employees out of the equation as far as possible. Its Single Sign-on solution means employees do not have to enter a password every time they need to use a business application. They only need to remember one password, such as their Active Directory password.

An alternative is to provide employees with a password manager. A password manager can be used to automatically generate strong, unique passwords for all accounts, which are stored securely in the user’s password vault and never need to be remembered. Employees only need to set and remember one password: the one for their password vault.

That password needs to be unique and complex, but the complexity requirements do not mean the password has to be difficult to remember. A long passphrase is memorable yet complex enough to resist brute-force attempts by hackers. Alternatively, the latest password recommendation of the UK’s National Cyber Security Centre is to create a password from three random words. That too can provide the necessary complexity while improving usability.
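The two preceding paragraphs describe a vault that generates a unique random password per account and a memorable master secret built from random words. The following example is added here and is not code from the article or from any password manager; it shows how both kinds of secret are generated from a cryptographic random source and how to put a number on their strength in bits, using a small constructed wordlist (a real generator would draw from a list of several thousand words) and an assumed attacker guess rate that is stated in the code.

```python
import math
import secrets
import string

# Constructed sample wordlist; real diceware-style lists have thousands of words.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orbit", "pepper", "quartz", "rocket", "saddle", "tunnel", "umpire",
    "velvet", "walnut", "yellow", "zipper",
]

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
VAULT_ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Assumed offline guess rate for the strength estimate (hypothetical figure).
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def random_passphrase(words=SAMPLE_WORDS, count=3, sep="-") -> str:
    """Master-password style secret: `count` words chosen with a CSPRNG.

    Strength comes from the size of the wordlist and the word count, not
    from the words being obscure; the words are public, the choice is not.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length=16, alphabet=VAULT_ALPHABET) -> str:
    """Vault-style secret: never typed by a human, so it can be arbitrary."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords(accounts, length=16):
    """One fresh random password per account, so reuse cannot occur."""
    return {account: random_password(length) for account in accounts}


def passphrase_entropy(words=SAMPLE_WORDS, count=3) -> float:
    return entropy_bits(len(words), count)


def password_entropy(length=16, alphabet=VAULT_ALPHABET) -> float:
    return entropy_bits(len(alphabet), length)


def years_to_exhaust(bits: float, rate=ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility at the assumed guess rate."""
    return (2.0 ** bits) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    master = random_passphrase()
    bits = passphrase_entropy()
    print(f"master passphrase: {master} ({bits:.1f} bits, "
          f"{years_to_exhaust(bits):.2e} years to exhaust)")
    vault = unique_passwords(["webmail", "vpn", "payroll"])
    for account, pw in vault.items():
        print(f"{account}: {pw}")
    print(f"each vault password: {password_entropy():.1f} bits")
```

With only 25 sample words, three of them give about 14 bits, which is why the size of the wordlist matters: three words from a 7,776-word diceware list give about 39 bits, and adding a fourth word adds another 13. The per-account vault passwords sit above 100 bits because a human never has to remember them.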

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.