Poor password habits are putting employers at risk and losing them hundreds of thousands of pounds in lost productivity, according to new research from Centrify. According to the survey of 1,000 UK workers, the average employee wastes £261 a year in company time on trying to manage multiple passwords, which for a company with 500 staff is a loss of more than £130,000 a year.
Barry Scott, EMEA CTO at Centrify, comments to Help Net Security: “The problem doesn’t end with lost productivity. Employees are potentially putting companies at risk through poor password management practices. Our survey shows that nearly half of workers are using their own personal devices for work purposes, but more than one in three admit they do not use passwords on these devices, even though they are accessing confidential or sensitive information, including customer contact data, emails and budget information. Plus, they are committing the worst password habits, from reusing the same one to writing them down.”
Yet while around half (47 per cent) use their personal mobile devices for business purposes, one in three (34 per cent) admit they do not actually use passwords on these devices even though they keep office email, confidential documents, customer contact information and budget information on them.
High on many people’s list of “most annoying things”, passwords, it seems, are becoming the cause of major headaches today. The research reveals that forgetting a password for an online account is more annoying than misplacing your keys (according to 39 per cent), a mobile phone battery dying (37 per cent) or getting spam email (31 per cent).
One in six (16 per cent) would rather sit next to someone talking loudly on their mobile phone, 13 per cent would rather spend an hour on a customer service line, and 12 per cent would prefer to sit next to a crying baby on a flight than have to manage all of their passwords.
The research also shows:
- More than one in three (38 per cent) have accounts they cannot get into any more because they cannot remember the password
- 28 per cent get locked out at least once a month due to multiple incorrect password entries
- One in five change their passwords at least once a month and 8 per cent change them every week
- Most have little faith in password security – just 15 per cent believe their passwords are “very secure”.
With nearly half (42 per cent) of respondents creating at least one new account profile every week – more than 50 a year – the problem with password management will get worse. In fact, 14 per cent believe they will have 100+ passwords to deal with in the next five years.
Despite this, it is believed that many already seriously underestimate the number of account profiles they have online, with nearly half (47 per cent) believing they have just five profiles – although a quarter admit they have 21 or more.
Andy Kellett at analyst firm OVUM added: “When it comes to providing safe access to what should be highly-secure business systems the password model is no longer fit for purpose. It remains the primary security tool for businesses in environments where other authentication options should be considered. We used to go to work and stay in one place. Now we are just as likely to be working from a remote office, on the train, or at home and simple passwords are neither robust nor secure enough to support secure, remote access. With today’s workforce also using social media and flexible remote tools and applications, we need to empower them to do this by allowing them to have more ownership of their identities and incorporate better, more balanced, security measures that also improve productivity.”
Top 5 bad password practices
When asked what they do in order to remember their passwords, survey respondents said they:
- Always use the same password whenever possible
- Rotate through a variety of similar passwords
- Keep a written password in a master book of passwords
- Use personal information in a password
- Avoid using complicated symbols or combining upper and lower case.
Top 5 password tips
- Educate staff about using passwords – make it a key part of your corporate security policy
- Make it easier for employees to work anywhere anytime by using technology that offers single sign-on capabilities – i.e. one click to access all of their work accounts and applications
- With some mobile phones now providing both identity and access management capabilities, incorporate them as part of your BYOD (bring your own device) policy
- Create one profile for any corporate log-ins, and then have privileges for individual employees within the one profile. Anyone who leaves the company can be removed automatically
- Think about replacing passwords with something much more intuitive like passphrases.
The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions.