Password fatigue is a condition that occurs when trying to create, remember and use different complex passwords for each of our online accounts. This malady places undue stress not just on individual users but on organizations and security professionals striving to protect critical data and other assets. A recent report from passwordless security company Beyond Identity examines the problems and pitfalls of password fatigue.
For its study, “Measuring Password Fatigue: Usability and Cybersecurity Impacts,” Beyond Identity surveyed 1,047 Americans, including more than 600 full-time employees, to determine how password fatigue is affecting their daily lives. Among the respondents, 39% said they experience a high degree of password fatigue, specifically a sense of anxiety over having to remember passwords for all their accounts.
Password requirements, mandatory changes, security questions and other actions taken by organizations to secure their network accounts and data have created confusion and stress for people both personally and professionally. More than three-quarters of those surveyed said password fatigue impacts their productivity and mental energy.
The more accounts you have to create and juggle, the greater the degree of password fatigue. Among the respondents who reported high levels of fatigue, 56% need to create a new account at least once a week, 31% create one at least once a month and just 25% said they rarely have to create a new account. Looking at the activities that lead to password fatigue, reusing a password for multiple accounts and using a similar password for different accounts were high on the list, while using auto-generated passwords was low.
Among the full-time business users surveyed, 34% said they create new accounts with passwords at least once a week. On average, they spend slightly more than 12 minutes every time they have to create or recover a password for a new account. Further, some 80% admitted that they reuse passwords for some, many or all of their work accounts.
Beyond triggering security issues, password fatigue costs money. On average, organizations spent $480 per employee each year on time wasted due to password issues. At organizations where employees acknowledged high password fatigue, that cost rose to $670 per employee.
Asked how they currently stored their passwords, 72% of the respondents said they save them online, 57% store them locally on their computer, 37% write them down and 11% try to memorize them. People naturally turn to different methods to store or manage their passwords. Some use Microsoft Office or the Google Workspace suite, meaning they save their passwords in clear text in a document or spreadsheet. Others rely on a password manager or a browser’s autosave function.
Some people turn to multiple ways to juggle their passwords. But that can lead to greater stress. The survey found that individuals with high password fatigue generally rely on numerous methods for storing and managing their passwords, while those with low password fatigue typically use a minimal number of methods.
How can individuals and organizations better handle not just passwords but their overall authentication processes? Here are a few tips.
Look into single sign-on. Single sign-on allows employees to use a single set of credentials to gain access to different but related applications and accounts. Organizations can deploy this technology to reduce both the number of passwords that employees need to remember and the number of times they have to log in during the course of a day.
Consider biometric solutions. More operating systems, websites and apps are supporting facial or fingerprint scans to sign into a specific account. Using biometrics is more accessible on a mobile device than on a desktop since the technology is already built in. But even on a PC, you can use a biometric scan to sign into Windows, access supported websites and log into supported applications.
Require two-factor authentication. A weak password can easily be compromised in a data breach, leading to ransomware attacks and account takeovers. With the right type of two-factor authentication, any password leaked in a breach can’t be used by an attacker to access an account without that second form of authentication.
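To show concretely why a leaked password is not enough once a second factor is required, here is an added example (not code from the article or from Beyond Identity) of a login check that demands both a PBKDF2-hashed password and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226). The user record and the password are constructed for the demo, and the TOTP seed is the RFC 6238 reference secret so the generated codes can be compared against the RFC's published test vectors; everything uses only the Python standard library.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# The RFC 6238 reference secret (ASCII "12345678901234567890"); used here only
# so the codes below line up with the RFC test vectors. Not a real user's seed.
TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (stdlib, salted, slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP keyed on the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift; compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed user record: salt generated once at enrollment, password chosen for the demo.
_SALT = os.urandom(16)
USER_DB = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": TOTP_SECRET,
    }
}


def login(username: str, password: str, otp: Optional[str], unix_time: Optional[int] = None) -> bool:
    """Both factors must pass. A password on its own, leaked or not, never yields access."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    record = USER_DB.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False
    if otp is None:          # password correct, second factor missing: still denied
        return False
    return verify_totp(record["totp_secret"], otp, unix_time)


if __name__ == "__main__":
    # A "breached" password without a code fails; with the current code it succeeds.
    print(login("alice", "correct horse battery staple", None, 59))       # False
    print(login("alice", "correct horse battery staple", "287082", 59))   # True
```

The point the article makes is visible in `login`: the password check passes, but without a valid code for the current 30-second step the function still returns False, so a credential copied from a breach is not sufficient by itself. The drift window is kept to one step, which is the usual trade-off between tolerating slightly skewed clocks and keeping the window in which a captured code is replayable short.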
Turn to password managers. Passwordless methods of authentication are becoming more ubiquitous. The FIDO Alliance in conjunction with Google, Microsoft and Apple recently announced support for a new passwordless technology that would use passkeys stored on your smartphone to log you into nearby devices. For now, though, we’re still stuck with passwords, and so a password manager is still your best bet for creating, storing, and applying your credentials among all your accounts and applications. Most password managers offer a business or enterprise version that can be deployed and administered within an organization.