When it Comes to Password Behavior, Cognitive Dissonance Prevails

By Amber Steel

Remote work is on the rise, with 74% of professionals expecting remote work to become standard after the pandemic. As a result, many businesses have shifted their cybersecurity strategy as IT faces more challenges protecting their information from cyberattacks and data breaches with a distributed workforce.

A recent study conducted by LastPass shows that people’s password hygiene isn’t just bad, it’s terrible. With employees using work devices on home Wi-Fi networks outside the office’s traditional perimeter, IT faces a tremendous hurdle in keeping their workforce secure in this work-from-anywhere world.

Employees know better but still use terrible passwords

In this global survey of 3,250 respondents, 66% always or mostly use the same password for all their accounts. Just because they’re using the same password everywhere doesn’t mean they don’t know better. Most of those respondents (to the tune of 91%) say they know using the same password is a security risk, but they still do it anyway.

Why? Because users are more afraid of forgetting passwords than the consequences of using weak passwords. 42% say a password that’s easy to remember is more important than a very secure one.

Unfortunately, when people use strong passwords, it’s not usually to protect work accounts. When asked which accounts they create stronger passwords for, 69% said financial, 47% said email, 31% said medical records, and less than a third (29%) said work accounts.

This is not to say employees want to put their employer at risk, but password security at work just isn’t top of mind for most. They might not even realize that one lousy password is all it takes to cause a devastating data breach.

Employees don’t think to add MFA to work accounts

Though weak passwords are a security hazard, multifactor authentication (MFA) can counteract some risks. MFA requires information beyond a password, like a fingerprint or temporary code, before granting access to an account. Encouragingly, many of the survey respondents were aware of and regularly used MFA to protect online accounts.

Fifty-four percent of respondents said they use MFA for personal accounts, but only 34% use it for work-related accounts. Of the accounts for which they have multifactor authentication enabled, the top two responses were financial accounts (62%) and email (45%).

Again, it seems that protecting their money and personal information comes first. Still, the high usage of MFA on personal devices suggests that businesses could require more employees to use MFA – and they would follow through and actually use it at work.

So, how do you fix bad password behavior?

When 80% of data breaches are caused by weak, default or stolen passwords (according to the Verizon Data Breach Investigations Report), people’s own password practices remain the weakest point in a company’s security. Strong passwords are not the default, so what can you do to not only fix the problem but also educate your employees?

To counteract employee apathy, you need to make it easy to create and use strong passwords. That means deploying a business password solution, like LastPass, that creates, remembers, and fills passwords for the employee, so they don’t have to worry about forgetting logins. A built-in password generator ensures every password is unique and random, making it easy to have a different strong password for every work account.

In this way, you can reduce friction for employees while increasing control and visibility when it comes to security. You can improve your company’s password hygiene without compromising ease of use and employee productivity.

Behavior can be changed. Most employees have already passed the first hurdle: admitting they have a problem. Using a password manager can help take you and your business’s password security over the finish line.



About LogMeIn
LogMeIn, Inc. is a provider of software as a service and cloud-based remote work tools for collaboration, IT management and customer engagement, founded in 2003 and based in Boston, Massachusetts. The company's products give users and administrators access to remote computers