COVID-19 password 'hygiene' gains importance as workers access systems from home
It's not that workers are clueless about cybersecurity -- they just know they will forget their passwords.
Workers have been dumped into a world of digital everything, without time to gradually wade in and get used to such novelties as working from home. In fact, the increase in people working from home has created a new wave of cyber crime attempts, including a 350% increase in phishing attacks by fake COVID-19 websites. And it has focused attention on employee password “hygiene.” This is one area where a non-techie HR person or manager can help to educate employees.
“While many employees are set up to work securely by their employers, they continue to seek simplicity, even if that means insecure password practices and higher risk. As organizations continue to support employees working from home, it’s clear that they need to ramp up cybersecurity training and technology,” said James LaPalme, Vice President & General Manager of Authentication Solutions at Entrust Datacard.
Password best practices are critical for remote workers to protect against online hackers and members of their own households, the company says. Despite this, a survey by Entrust Datacard found that 42 percent of employees surveyed still physically write passwords down, 34 percent digitally capture them on their smartphones and 27 percent digitally capture them on their computers.
Some people are still using the same password, or a variation of it, for their office systems and for personal accounts such as their 401(k) account, health insurance and more.
Interestingly, it is more likely to be men than women who do this. That’s according to a survey by NordPass. The survey revealed that women are more concerned about the potential harm of their personal online accounts being hacked, which could explain their greater vigilance in cyber best practices.
NordPass found that 43% of women always use a unique password for online store accounts, 57% for banks and other financial institutions, 50% for personal email, and 38% for communication apps. In comparison, NordPass says, only 36% of men use unique passwords for online stores, 50% for banks and other financial accounts, 42% for personal email, and 31% for communication apps.
The same survey also discovered that younger people tend to be less careful when it comes to securing their accounts. The company says 18-24 year-olds are the least worried about password security and the harm caused by hacking, whereas 25-35 year-olds are the most concerned about the possible damage. However, their usage of unique passwords does not differ from other age groups.
It’s not that we’re clueless about cybersecurity — 91% of people surveyed know they shouldn’t use the same password, or a variation of it, for their various accounts, according to a LastPass survey. But 66% of people do it anyway. The justification, at least among 41% of people, is “my accounts are too small for anyone to want to hack into.” But added to millions of other accounts, it can be a big profit for a cyberthief.
The solution accepted by many security professionals, and traditional in many workplaces, has been to force password changes every month or quarter, or even more often: the user is blocked when they try to log in and must create a new password on the spot to access what they wanted.
However, NordPass research also revealed that, overall, most people find password management troublesome. In fact, more than 30% of people think that resetting and coping with passwords is hugely stressful.
Usually, the user is put on the spot while trying to access an account, and rather than create a new password they think they will forget, they create a variation of one they already know. That’s a weakness. A hacker with a cracking tool that uses a powerful computer to run through millions of combinations of letters and words can eventually figure it out, and a password that differs from the old one only by a digit or two is among the first guesses such a tool tries.
That is why many security professionals and researchers have decided the forced password change is not the answer. In fact, according to Lorrie Cranor, chief technologist for the FTC, way back in 2016, “Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)”
Instead, Cranor says organizations should consider other solutions that don’t rely so much on the user, such as limiting login attempts and requiring more complex passwords, and, if the organization deals with sensitive information, using multifactor authentication.
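The two server-side controls Cranor points to, rejecting a "new" password that is only a cosmetic variation of the old one and limiting failed login attempts, are small enough to show in code. The following is an added example written for this page; it is not from the article, the FTC, or any vendor quoted here, and every function name, threshold and sample password in it is an assumption chosen for illustration.

```python
"""
Added example (not the article's or any quoted vendor's code): two controls
that do not rely on the user remembering anything.

1. is_trivial_variation(old, new): when a user does change a password, refuse
   one that is merely a case change, a swapped digit/symbol suffix, the old
   base word with something appended, or a one-or-two character edit.
2. LoginThrottle: count failed logins per account and impose a temporary
   lockout, so online guessing is slowed regardless of password strength.

Thresholds (2 edits, 5 failures, 15-minute lockout) are assumed defaults.
"""
import re
import time


def _normalize(pw: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols, so that
    'Summer2020!' and 'summer2021' compare as the same base word."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute); fine for short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is too close to `old` to count as a real change."""
    if not new or new == old:
        return True
    o, n = _normalize(old), _normalize(new)
    if o and o == n:                  # only case, digits or symbols changed
        return True
    if o and (o in n or n in o):      # old base word embedded in the new one
        return True
    return _levenshtein(old.lower(), new.lower()) <= max_edits


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout window.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}       # account -> consecutive failures
        self._locked_until = {}   # account -> clock value when lockout ends

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:    # lockout expired: reset the counters
            self._locked_until.pop(account, None)
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed login; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self._clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for the account."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for old, new in [("Summer2020!", "Summer2021!"), ("Summer2020!", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_variation(old, new)}")
```

Both checks run at the point where the organization, not the user, is in control: the change form can refuse the predictable "+1" rewrite, and the login handler can refuse further attempts after a handful of failures. In a real deployment the throttle state would live in a shared store rather than a process-local dict, and the lockout would be paired with alerting so that a burst of failures is seen by the security team, not just absorbed.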
One form of multifactor authentication is that annoying technique your bank might use when you want to access your account — making you provide one type of information, then sending a code to your phone so that you have to provide a second piece of information that varies each time.
So you have a dedicated IT team and security team. It’s out of your hands. But it doesn’t hurt to have a manager, an HR department, even the CEO reminding people of the effectiveness of the one small thing they can do, which is not to re-use or vary one password across multiple tools.