Password Sharing at Work: Exploring Employees’ Habits Around Passwords in the Workplace
- Nearly 1 in 4 employees said they still had access to accounts from past jobs.
- 41.7% of employees admitted to having shared workplace passwords.
- 42.5% of employees felt that sharing work passwords should be a fireable offense.
- More than 1 in 5 employees said they used the same password for their personal bank accounts as they did for work-related accounts.
Passwords are designed to give a specific user access to a certain device, application, or website. Because they tend to protect sensitive information, passwords should be kept secret.
In the workplace, though, password sharing is common among employees. While it may allow for easier collaboration, there are other noteworthy consequences of passwords floating around the office. We surveyed over 1,000 current employees about their password habits and tendencies. How secure do they think their passwords are, and how do they keep track of them? Do they use the same password for multiple platforms or accounts? Does their company have any password-related policies? Read on to see what happens when workplace password confidentiality is not respected.
Most employees use passwords every day. The first goal of our survey was to understand their general practices and feelings about password security.
Most employees weren’t too worried about the safety of their passwords, as just over 45% believed they were very secure, and another 26.3% said they felt their passwords were extremely secure. Despite this, many employees admitted to remembering their “secure” passwords through not-so-secure methods.
Thirty-four percent of people opted for the old-fashioned system – jotting their passwords down in a notebook or on a scrap of paper. Recording them digitally was a popular option as well. Meanwhile, over a quarter of employees relied solely on their memory to keep track of passwords.
Over 38% of employees reported using a password manager, which is a software application that stores and manages online credentials. Password managers have been touted as beneficial because they can auto-generate passwords, save time during login processes, and help protect people’s identities. However, they’re not unhackable, which means that an infiltrated password manager gives perpetrators a person’s entire collection of passwords at once.
Although there are multiple ways to ensure password protection, almost 1 in 4 people said they are still able to log in to accounts from previous jobs, granting them access to information that they don’t need and shouldn’t be able to see. Since a resentful ex-employee could use this privilege to wreak havoc, managers should be mindful of this when anyone leaves their company. The difficult task for large organizations is figuring out how to manage their operations as efficiently and securely as possible to maximize productivity and minimize risk.
Sharing Is Caring … or Is It?
Passwords can pose security problems, and those risks only increase as more people have access to them.
Almost 42% of employees admitted to sharing their workplace passwords with others, and employees at midsized companies (50–249 employees) were the most likely not to keep them a secret. Two-thirds of employees shared their passwords with co-workers, and many also gave their family members or significant other access to their work information. Sharing passwords via email, orally, and by text were the most common ways that people went about it.
While over half of respondents said that their workplace did not punish password sharing and did not believe that it should be a fireable offense, over 40% responded in the affirmative for both statements. While sharing passwords with co-workers might ease collaboration efforts, there are a lot of security implications that arise from the habit. Passwords floating around in insecure places give potential hackers an easy way to access and obtain confidential information.
The Need to Diversify
Given that a large number of employees admitted to sharing their work passwords, we were curious as to what other problematic security practices people might be engaging in.
Some people find it easier to use a universal password, often resorting to the same one for both their work and personal logins. More than 1 in 5 employees said they use the same password for work as for their personal email account. Even riskier, 21.5% said they used their work password for their personal bank account.
Using the same password for multiple domains puts people at greater risk from malware or hackers. The more domains that use the same password, the more access is granted to people who obtain it. This can be especially disastrous for accounts with highly sensitive and personal information. Seeing as over a quarter of employees reported dealing with a data breach of their work accounts, removing passwords is critical in improving security.
When it comes to cybersecurity protocols in the workplace, they usually need to be clear and concrete to be effective.
Nearly 73% of employees thought that the password protocols and policies at their company were about right, as opposed to the 10.8% who thought they were too lenient and the 16.3% who thought they were too strict. Employees working at small businesses were the most likely to think their employer didn’t enforce strict enough security rules and were also the most likely to say they rarely or never changed their passwords (perhaps because they aren’t required to).
Over 80% of respondents said their company had policies about updating passwords and/or reminders in place to do so. One upside to rigid password-changing policies is the restriction of access to former employees. However, a company may decide not to roll out this kind of policy due to expense or because it could discourage employees from using strong enough passwords in the first place.
When Everyone Knows
There are situations where a group of employees knows and uses the same password to access resources or information. As we’ve already discussed, sharing passwords among groups of people inherently makes them less secure. So we were interested to see how common group password access was in the workplace.
The majority of employees (56.7%) said that where they work, passwords weren’t shared among a large group of people. Of the 43.3% that did share passwords with many people, just over a third said group passwords were changed every few months.
A little less than half of employees believed that strict password policies were detrimental to their productivity. As mentioned, the trade-off is likely worth it for the overall well-being of the company, especially seeing as a hacker attack occurs every 39 seconds, and 66% of businesses that were victims of an attack weren’t confident they would recover.
Safe and Sound
Although most employees thought their passwords were secure, that might not be the case. Many have admitted to sharing them with co-workers, and while that may speed up collaboration processes, things can quickly go awry if a password ends up in the hands of too many people. All it takes is one disgruntled employee with access to sensitive company information to do some serious damage, or for it to be insecurely stored and a hacker to access it.
Additionally, some employees have put themselves in a compromising position by using the same passwords for work and personal accounts. If they were to be hacked, this has the potential to cause a lot more damage than if they had distinct passwords for different accounts. What if there was a way to render passwords obsolete while maintaining a high level of security? Thankfully, Beyond Identity has the forward-thinking solution that changes the security game. Their unique passwordless authentication system eliminates the headache of passwords and the security issues and inconveniences that come with them and helps you achieve zero trust security with phishing-resistant MFA. Go to BeyondIdentity.com to learn more about implementing the most efficient and effective protection for your company.
We surveyed 1,008 current employees about their password and security practices at work. Respondents were 57.6% men and 42% women. Four respondents were nonbinary. The average age of respondents was 37.9.
Data on the methods employees used to remember passwords; the people employees admitted sharing work passwords with; the methods used to share passwords; and the personal accounts people use work passwords for were gathered using check-all-that-apply questions. Therefore, percentages won’t add to 100.
The data we are presenting rely on self-report. There are many issues with self-reported data. These issues include, but are not limited to, the following: selective memory, telescoping, attribution, and exaggeration.
Fair Use Statement
In today’s digital world, cybersecurity is more important than ever. If someone you know would benefit from the information in this project, you may share for any noncommercial reuse. Please link back here so the entire project and its methodology can be reviewed. This also gives credit to the hardworking contributors involved.