Image: Getty Images/iStockphoto

Cybercriminals use a few key tactics to try to breach an organization’s internal network. One always popular method is to obtain the account credentials of employees. And that endeavor is made easier when employees fail to practice good password hygiene. A report published Tuesday by security provider Keeper Security looks at the pitfalls of mismanaged passwords and offers tips on how to improve the password habits of your employees.

SEE: Identity theft protection policy (TechRepublic Premium)

For its “Workplace Password Malpractice Report,” Keeper Security surveyed 1,000 full-time workers in the U.S. about their password habits. Completed in February, the survey elicited responses only from people who used passwords to log into work-related online accounts.

Bad password storage habits

More than half of the respondents said they write their online passwords on sticky notes, but almost two-thirds of them admitted to losing these notes. This practice puts sensitive data at risk and results in more calls to the help desk from users who need their passwords reset.

Some 62% of those surveyed said they store their account credentials in a notebook or journal, which many keep next to or close to their work devices. But this means these notebooks can be viewed by anyone in the workplace, or anyone at home if the employee is working remotely. In fact, a majority of workers said they’re more likely to write down business-related passwords at home than in the office.

Even those who rely on digital methods to house their passwords can do so in a risky manner. Some 49% of the respondents said they save work-related passwords in a document stored in the cloud, 51% save them in a document stored on their computer, and 55% save them on their phone. In each case, storing passwords in an unencrypted and unsecure document is risky as a cybercriminal who gains access to that file can effortlessly see all of the employee’s passwords.

Weak password habits

Many employees still create weak and simple passwords. A strong password should contain uppercase and lowercase letters, numbers, and special characters. But a number of those surveyed fail to follow those guidelines. Many said they’ve used their employer’s name or the name or birthday of a significant other in a work password. Others have used their child’s name or birthday.

Password reuse is also a clear problem. Some 44% of the respondents said they reuse passwords across personal and work-related accounts, while 53% keep password-protected personal accounts on their work devices. Any hacker who obtains a password for one account can easily check and compromise other accounts that use the same password.

Poor password sharing habits

Many employees also share work-related passwords with unauthorized parties, putting organizations at risk if a password winds up with someone who is careless or has malicious intentions. Among those surveyed, 14% said they’ve shared work-related passwords with their spouse or significant other and 11% have shared such passwords with another family member.

Passwords are also commonly shared in the workplace. Almost half of the respondents (46%) said their company shares passwords for accounts used by multiple people. Some 34% have shared work-related passwords with colleagues on the same team, 32% have shared such passwords with their managers, and 19% have shared them with their executive team.

Further, many organizations are failing to clamp down on the sharing of passwords. The majority of those surveyed (62%) said they’ve shared passwords via text message or email. Almost one-third (32%) said they’ve accessed an online account that belonged to a previous employer, an indication that accounts are not being disabled or even reset when someone leaves the company.


To help organizations exercise more control of their password habits, Keeper co-founder and CEO Darren Guccione cited a few different tools and technologies.

Single Sign On. Single Sign On solutions are helpful for authenticating access to SAML-compliant, cloud-based applications. But they fail to provide the necessary flexibility and security for native applications and metadata. This is where a comprehensive password security and management platform becomes critical.

Password management platform. This type of platform automatically generates unique, high-strength, random passwords for all your sites and apps and stores them in a personal, encrypted digital vault that you can access from any device, running any operating system. The best products integrate with SSO to provide a comprehensive solution for the enterprise across cloud and native applications.

Dark Web monitoring. In addition to password management, a dark web monitoring service should be utilized. Billions of usernames and passwords have been stolen from public data breaches and placed on the Dark Web. It’s important to know if any employee credentials are being traded by cybercriminals on the Dark Web and subsequently targeted against the organization’s online accounts and assets.