Consumers today have seen their email, retail shopping, and online banking providers go through high-profile security breaches. As a result, the vast majority of Americans (87%) are at least somewhat concerned that their personal data will be compromised online. Unfortunately for CIOs, many people still do not understand the risk, or the best ways to protect their data, and that is especially true when it comes to managing passwords at work.
In a recent survey of 1,507 U.S. adults, SurveyMonkey found that one third (34%) share passwords or accounts with their coworkers. That means upwards of 30 million of the 95 million American knowledge workers may be sharing passwords. More than one in five (22%) of the people we surveyed also admitted to reusing the same password on multiple work accounts. And just 12% say they use a password manager like Dashlane or LastPass, the technology most security professionals recommend for safely managing multiple passwords. In fact, many security professionals don’t even know their own passwords: they rely on their password manager to generate and store a unique one for every account.
Password-sharing at work carries huge risk for our organizations. Eight in ten (81%) hacking-related breaches involve stolen or weak passwords (a figure from Verizon’s 2017 Data Breach Investigations Report), and once attackers have a foothold in your system, shared passwords make it easier for them to move laterally into other parts of your network. An attacker who discovers a document full of shared passwords in one employee’s Google account can turn a single security incident into a full-blown breach, potentially opening your organization to legal issues if customers’ privacy rights are violated.
Security implications of password sharing
Even without malicious intent, users can expose the company to compromise simply by sharing login credentials with people who are using insecure hardware. CIOs and CISOs work hard to secure our employees’ systems, but we rarely know the security posture of a device that belongs to someone else. If that device is already compromised, the shared account details can spread further, and so can anything else running on it, such as malware.
It’s also harder to establish exactly who did what when employees share passwords. Under normal circumstances, if an individual altered sensitive company data or made unapproved charges using stored payment methods, we could identify the user from the account they logged in with and take steps to correct the problem. If a dozen people are sharing a single login, the audit trail points at all of them and at none of them, and that process becomes unnecessarily complicated.
Even worse, employees who have left the company could still have access to shared login credentials for everything from your customer database to the company Twitter account. They could log in after being terminated and change the password for a business-critical account, leaving their former teammates locked out.
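One way to find accounts that are already being shared, as an added example that is not from the original article and not SurveyMonkey’s own tooling: a shared login shows up in authentication logs as one username signing in, within a short window, from more distinct source addresses or device fingerprints than a single person plausibly uses. The log format, the sample lines, and the thresholds below are constructed for this illustration; adapt the parser to whatever your identity provider exports, and expect legitimate multi-IP users (VPN, mobile roaming, NAT) to need tuning of the thresholds.

```python
"""
Flag likely shared accounts from authentication log lines.

Added example; not the article's or SurveyMonkey's code. The log format
(timestamp, user, source IP, device fingerprint token, result) and all
sample lines are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four different devices/IPs use "marketing@" within
# nine minutes, while alice@ uses one device twice and bob@ logs in once.
SAMPLE_LOG = """\
2019-01-23T08:01:12Z marketing@example.com 203.0.113.10 ua-chrome-win success
2019-01-23T08:03:40Z marketing@example.com 198.51.100.7 ua-safari-mac success
2019-01-23T08:05:02Z marketing@example.com 192.0.2.44 ua-firefox-linux success
2019-01-23T08:09:55Z marketing@example.com 203.0.113.88 ua-chrome-android success
2019-01-23T09:15:00Z alice@example.com 203.0.113.10 ua-chrome-win success
2019-01-23T12:40:31Z alice@example.com 203.0.113.10 ua-chrome-win success
2019-01-23T13:02:10Z bob@example.com 198.51.100.7 ua-safari-mac failure
2019-01-23T13:02:30Z bob@example.com 198.51.100.7 ua-safari-mac success
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, ua, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "ua": ua, "result": result,
        })
    return events


def find_shared_accounts(events, window=timedelta(hours=1), max_ips=2, max_uas=2):
    """Return {user: details} for every account whose successful logins inside
    some `window` come from more than `max_ips` distinct source IPs or more
    than `max_uas` distinct device fingerprints. Thresholds are assumptions;
    tune them to your fleet (VPN exits and NAT inflate IP counts)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":  # failed attempts are a different signal
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            ips = {e["ip"] for e in in_window}
            uas = {e["ua"] for e in in_window}
            if len(ips) > max_ips or len(uas) > max_uas:
                flagged[user] = {
                    "ips": sorted(ips),
                    "user_agents": sorted(uas),
                    "window_start": start["ts"].isoformat(),
                }
                break  # one hit per account is enough to raise it for review
    return flagged


if __name__ == "__main__":
    for user, info in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {len(info['ips'])} source IPs and "
              f"{len(info['user_agents'])} devices since {info['window_start']}")
```

The check deliberately counts only successful logins: a burst of failures from many addresses is a password-spraying or credential-stuffing signal, not evidence that colleagues are sharing the account, and the two deserve different responses.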
So why do employees share passwords when it’s so risky for their organizations? Four out of ten workers say they do it to collaborate more easily with their teammates, and a similar share (38%) said they share passwords because it’s company policy. This shows that CIOs can intervene, provide a better way for employees to collaborate, and potentially save ourselves a lot of headaches down the road. Here’s how:
Update your password policies
I was surprised to see that almost 40% of people who share passwords at work did so in accordance with company policy. If your company encourages folks to share passwords, it’s time to stop. Make sure your password policy includes these industry best practices:
- Choose solutions that allow for single sign-on (SSO) whenever possible. People are less likely to share a password that's also linked to their email account, and SSO gives every action in the downstream application an individual identity in the audit log.
- Enable multi-factor authentication where you can.
- Encourage long passwords over complex ones. The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, and Microsoft have both rejected the idea that composition requirements (e.g., uppercase, lowercase, digits, and symbols) make passwords stronger. Length matters more than complexity, so we should drop composition rules and periodic forced resets, and instead check new passwords against a blocklist of known-compromised and commonly used values.
- Urge employees to avoid using the same password for multiple products or services.
- Promote the use of password managers like Dashlane or LastPass.
Reevaluate your SaaS licenses
Our survey found that more than 40% of employees who share passwords do so to more easily collaborate with colleagues. To me, this indicates that either the tools they’re using lack necessary collaboration features, or employees don’t have the seats they need.
At SurveyMonkey, we discovered that customers were sharing account credentials because they didn't have the ability to collaborate how they wanted. In the interest of protecting our customers, we invested heavily in stronger collaboration features in our Teams accounts that would equip users to work together while using discrete logins. Invest in tools with strong collaboration features to ensure employees can work together with little friction. And to address the other side of the coin, CIOs should take a hard look at the number of SaaS licenses they’re using. Instead of squeezing users who want to work together into shared accounts, the smarter (and safer) long-term solution is to make sure everyone who needs one has a seat.
Educate employees about the risks of password-sharing
At home, 71% of people are fine sharing passwords with a spouse or partner, and maybe that’s OK. But we need to educate our employees on the difference between sharing a Netflix login and work account credentials. In your onboarding sessions and regular security trainings, make it clear that password-sharing puts the company at risk for security breaches and legal liability.
It’s also important to highlight the downsides for employees personally. Sharing passwords means they risk losing access to business-critical software if someone else changes the login information. What’s more, if employees reuse the same password across accounts, anyone who obtains it from one breach can try it against their personal bank account, social media accounts, and more, which is exactly how credential-stuffing attacks work.
Right now, password-sharing seems like the path of least resistance. Employees are doing it as a quick fix, but it’s our job to make sure they have the tools they need to work together safely and advance our company’s objectives. With a few common-sense fixes, we can make password-sharing at work a thing of the past. What people do with their Netflix passwords is another issue entirely.
This SurveyMonkey Audience poll was conducted online from January 23 - 25, 2019 among a total sample of 1,507 adults age 18 and over living in the United States. Respondents for these surveys were selected from SurveyMonkey Audience, SurveyMonkey’s online survey panel. The modeled error estimate for the full sample is plus or minus 3.5 percentage points. Data have been weighted for age, race, sex, education, and geography using the Census Bureau’s American Community Survey to reflect the demographic composition of the United States age 18 and over.
Brent Williams, Chief Information Security Officer at SurveyMonkey