Poor Consumer Password Hygiene Affects the Workplace

Sue Marquette Poremba

One of the studies to be released during RSA was LogRhythm’s survey about consumer password hygiene. It isn’t good.

A mere 21 percent of respondents claimed to have a unique password for each online account. I admit I'm surprised the number is that high. In a couple of the sessions I sat in on at the conference, passwords were a popular topic; speakers asked how many in the room had unique passwords for each account, and while I'm not good with numbers, at no time did the raised hands come close to a fifth of the audience.

The reasons a single password across accounts is a bad idea are clear, and LogRhythm's infographic spells them out: one password can open the door to many other accounts (the infographic doesn't mention it, but reusing the same user name or email address alongside that single password magnifies the problem), overlapping passwords between home and work accounts put both personal and professional information at risk, and you open yourself up to phishing and other targeted attacks.

Yes, this survey focuses on consumer passwords, but as we all know, there are no real boundaries between work and home anymore—that goes for passwords, as well as devices. The survey found that 54 percent use the same passwords for personal and professional accounts. What the survey didn’t appear to discuss was the use of passwords for BYOD. Consider this nightmare: You lose your smartphone, and most of your passwords for your applications are the same. Even if you are logged off the application (and again, how many people regularly practice logging off when they are done using a favorite app?), if the criminal is able to figure out one password, there is a good chance of gaining access to just about everything on the phone. And from there, it could lead to getting access to your work files, and down the slippery slope we go.

Password management is a lot more complicated than we want it to be, but as I mentioned in a previous post, no one seems to be clamoring for a better authentication system right now, so we really need to do a better job thinking about overall password hygiene. The reason is clear. The bad guys know exactly how vulnerable our password management is, and they aren’t hesitating to take advantage of it. As Chris Petersen, senior vice president of products, CTO and co-founder at LogRhythm, said in a statement:

Cyber threats are growing in volume and sophistication, and company employees are often the weak link within company defenses. User accounts and passwords are being harvested on the black market in support of active and future attacks.


Yes, unique passwords are a real bother. I don’t like them any more than you do, especially since it seems like I’m creating a new online account once or twice a week. Options are available to help with password management (one of the other things the survey found was that the vast majority of us keep our password records in unsecure locations), but the security of those options is still up for debate. If someone has a workable idea on how to improve passwords and password management and keep it all secure, I’d love to hear it.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.

May 1, 2015 8:22 AM Bril says:
One of the problems is websites that require a password that don't need them and never should have had a password. Often if you just want to get a news article, you have to sign up, which includes a password. I always use the same password for junk accounts because I got tired of thinking up new ones.
May 1, 2015 10:03 PM Hitoshi Anatomi says:
Being able to create strong passwords is one thing. Being able to recall them is another. And being able to recall the relations between the accounts and the corresponding passwords is yet another. And ID federations (single-sign-on services and password managers) create a single point of failure. At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
