Light Dark
August 11, 2021 By David Bisson 3 min read
Fraud Protection
Identity & Access
Risk Management

When did you last change your work password? Was it when the system prompted you? When you were first hired? Or maybe the answer doesn’t matter. When it comes to password safety, old adages don’t always apply anymore. Let’s take a look at what today’s business password management really needs by focusing on the valuable data behind the password. 

What Causes the Persistent Password Problem?

At least part of the issue with passwords is that user hygiene hasn’t gotten any better in recent years. In fact, some evidence suggests it’s gotten worse. A 2020 study from LastPass found that more than half of users hadn’t changed their passwords in the past year. Some elected to keep their passwords the same even after a data breach hit their web accounts.

Instances of password reuse have become more widespread in recent years. Indeed, two-thirds of people in the same survey indicated that they “always” or “mostly” use the same password and/or slight variants on it across multiple web accounts. That’s up from 8% observed two years earlier. It’s also despite the fact that 91% of users knew beforehand that reusing a password is a risk.

How Bad Password Safety Habits End up Hurting Business

Many users take their password security for granted — even when they have reason not to and when they know better. They don’t just end up hurting themselves in doing so. They also end up costing the business big in terms of legal fees, compliance penalties and other damages associated with cleaning up a breach.

Poor password hygiene threatens a business in more ways than opening up a common attack vector, however. The act of simply managing passwords comes with its own costs. And that price tag is increasing. IT personnel are managing passwords while they could be strengthening their employer’s digital security in other, more meaningful ways.

Why Is Business Password Management Failing?

No one wants to spend their valuable work time managing passwords. But in a way, organizations are locking themselves into this fate. That’s because of the types of password safety rules they’re choosing for their workforce. To be specific, they need to go beyond password policies with an eye towards security only. They want to prevent account takeover fraud and related data breaches, so they hold their employees to measures such as frequent password changes and special characters.

It’s a good effort, to be sure. But it misses everything we’ve already discussed above. Employees are already reusing essentially the same password across multiple accounts. That’s in part because of these policies. Indeed, requiring users to come up with passwords containing special characters on a regular basis ignores their needs as users. Employees want to do their work with as few complications as possible, so they might be inclined to create passwords with minimal variation so that they can remember their passwords and not cause their duties to take longer than they need to.

This conflict between security needs and user needs has not gone unnoticed. In the past few years, the National Institute of Standards and Technology (NIST) recognized how certain password security guidelines were inadvertently contributing to the password reuse problem. That’s why NIST updated its specifications to avoid those ‘traditional’ security suggestions.

Balancing User Needs with Password Safety Needs

The way forward is for organizations to balance the needs of their users with the demands of their security requirements. To do that, employers need to simplify their business password management processes. Doing so will discourage users from attempting to find a workaround from policies that complicate their workdays.

The bottom line is, the password doesn’t matter. It’s not the password you need to protect; it’s what’s on the other side of the password that’s worth defending. That could be a critical business account, network access or sensitive data.

With this view, organizations can direct their attention away from the password and towards security measures that are designed to protect what’s really worth defending. Those measures include multi-factor authentication (MFA) and other security best practices.

MFA works well as part of a broader effort to achieve zero trust, a type of architecture where security teams must continually validate connection attempts from accounts and devices. Employers can also require employees to set up MFA with their password managers so that they don’t have to remember all their work credentials going forward.

Organizations can also make login simpler for employees by using single sign-on. This means they don’t need a distinct set of credentials for each of their access needs. Instead, it lets them access everything with a single username and password, thus helping to streamline their workdays.

The Growing Irrelevance of the Password

All the recommendations discussed above capture the irony of modern business password safety — it’s no longer about the password. The sooner organizations can understand this, the sooner they can begin making authentication simpler and upholding their security against an ever-evolving threat landscape.

 |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from Fraud Protection
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 23, 2023

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature