Did you know the average employee spends over 10 hours per work year simply typing passwords? Ten hours doesn't seem like much in the grand scheme of things, but added up across organizations those hours amount to around $52M a year in lost time. That is a drain on business productivity and employee wellbeing, before you even count the security risks that come with passwords.
Let's face it: people are tired of passwords. So much so that the term "password fatigue" has been coined to describe modern attitudes towards the login process. But what is password fatigue, exactly? This article looks at both the password problem and some potential solutions.
Diagnosing the Problem
In the modern era of IT, the move to the cloud and the rise of "as-a-Service" offerings have given organizations incredible capabilities in terms of speed, flexibility of work location, and collaboration, among other things. Unfortunately, friction has arrived alongside these enhancements.
On any given workday, in addition to personal accounts, an average employee might log in to dozens of disparate applications or other resources that are critical to their work. Nearly all of these logins have one thing in common: a username and a password.
A username is fairly easy to remember; it might be an email address, first initial plus last name, employee ID number, and so on. For most people (if not all), there is no such thing as "username fatigue". A username identifies the user rather than authenticating them, so it has to be neither secret nor unique across services, and it is easy to use the same one virtually everywhere.
The Password Problem
Passwords, on the other hand, are more complicated. Common password requirements enforce that a password can't match the username, must be at least a certain length, and must contain a variety of character classes: upper- and lowercase letters, numbers, special characters, and more. Some organizations add password rotation, which requires employees to change their passwords at set intervals, such as every 90 days (current NIST guidance in SP 800-63B advises against forced periodic rotation unless there is evidence of compromise, precisely because it drives the predictable patterns described below). Security professionals also recommend against reusing a password across services. With all of these requirements and restrictions, it is difficult to come up with a safe, secure password for every IT service and then remember them all.
Add it all up and, on any given workday, the average employee is expected to remember two or three usernames and dozens of unique, complex passwords, some of which must change regularly.
In reality, the struggle to keep all of these passwords straight turns into password fatigue, which leads to password simplification and reuse. It is estimated that the average business employee keeps track of 191 passwords. That is a burden. Employees get tired of remembering a host of passwords, so they start repeating passwords and reducing complexity to relieve the mental load of logging in. The fear of forgetting a password outweighs the fear of a potential data breach: 91% of people understand the risk of reusing passwords, yet 59% admit to doing it anyway.
This is a sobering reality, especially when you consider the fact that 61% of data breaches involve credentials. In short, passwords are the gateway to confidential data, electronic financial transactions, and more, yet we don’t treat them as the most critical security risk an organization faces. Password fatigue, then, not only affects employees but organizational security as well.
The enterprise is more at risk if its employees are struggling with password fatigue. According to a survey conducted by the Ponemon Institute, 51% of people rotate the same five passwords across their work and personal accounts. In addition to sharing passwords among their own accounts, employees often share passwords with each other; 69% of people admit to sharing credentials for work account access. In fact, there are tools that encourage “secure” password sharing!
Password fatigue also raises exposure to phishing. Most password reset and expiry notices are delivered by email, so a forged "your password expires today" message looks routine to someone who resets passwords constantly. Phishing is the most common attack vector and is present in 36% of data breaches. If an employee experiencing password fatigue were successfully phished, and the captured password was one of five in rotation that they also shared with a colleague, the situation could easily escalate into a serious data breach. Several of the best-known corporate breaches, Target and Sony among them, began with stolen credentials.
What You Can Do About Password Fatigue
Password fatigue is a serious condition in the modern workplace and more widespread than we’d like to think. To avoid the negative impacts of password fatigue in your organization, here are a few solutions to consider.
1. Password Managers
Using a password manager is a great way to alleviate password fatigue. A password manager stores an employee's passwords in an encrypted vault, protected by a single strong master password (and ideally MFA), and fills them in automatically at login. Since employees no longer need to remember every individual password, a password manager removes the main obstacle to using long, complex, and unique passwords.
Instead of keeping track of the difference between "R0cketMan72" and "rocKetm4n&@", employees can simply let the manager generate a long string of random characters for each account. The chances of developing password fatigue drop significantly. On top of that, a long, randomly generated password is far harder to guess or crack than a dictionary word with substitutions, and because it is unique to one account, a leak from one service no longer unlocks the others.
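The following is an added example, not code from the original article or from any product it mentions. It turns the policy described above (not equal to the username, a minimum length, all four character classes) into a checker, generates a password the way a manager does (from the OS CSPRNG via `secrets`, never `random`), and computes how much entropy a uniformly random password of a given length carries. The username "jsmith", the 12-character minimum, and the 20-character default are assumptions chosen for the demonstration.

```python
import math
import secrets
import string

# 26 lower + 26 upper + 10 digits + 32 punctuation = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(password: str, username: str, min_length: int = 12) -> bool:
    """Typical enterprise password policy: not the username, at least
    min_length characters, and at least one lower, upper, digit and
    special character. min_length=12 is an assumed value."""
    if password.lower() == username.lower() or len(password) < min_length:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return all(classes)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a string drawn uniformly at random over the
    alphabet. This is the strength a manager-generated password gets,
    which a human-chosen "word + digits" password does not."""
    return length * math.log2(alphabet_size)


def generate_password(username: str, length: int = 20) -> str:
    """Draw from the OS CSPRNG until the candidate satisfies the policy.
    Rejection is rare at length 20, since missing a whole class is unlikely."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, username):
            return candidate


if __name__ == "__main__":
    # Constructed demo inputs: a human-style password vs. a generated one.
    user = "jsmith"
    print("R0cketMan72 passes policy:", meets_policy("R0cketMan72", user))
    pw = generate_password(user)
    print("generated:", pw, "bits:", round(entropy_bits(len(pw)), 1))
```

"R0cketMan72" fails the policy (no special character, too short), while the generated 20-character password passes and carries about 131 bits of entropy; the human-chosen one is a dictionary word with predictable substitutions and a two-digit suffix, which cracking tools enumerate long before they reach the random search space.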
2. Multi-factor Authentication
In the context of password fatigue, multi-factor authentication (MFA) might seem counterintuitive. Wouldn't adding another step to the login process just make things worse? Contrary to popular belief, a second authentication factor doesn't need to be complicated. It can be as simple as a push notification to the employee's phone asking them to 'Accept' or 'Deny' a login request. One caveat a practitioner should keep in mind: a bare Accept/Deny prompt can be approved reflexively, so the prompt should carry enough context (the application, the location of the request) for the employee to recognise a login they did not start.
When it comes to identity security, adding a time-sensitive step on top of a username and password creates a major hurdle for bad actors and greatly reduces the consequences of password reuse. Even if password fatigue has led to an employee's credentials being compromised, the attacker would also need the employee's phone or authenticator at the moment they try to use those credentials, since a one-time code is only valid for a short window and cannot be replayed. Implementing MFA is an easy and cost-effective way to protect against the repercussions of password fatigue.
3. True Single Sign-On™
With the rise of SaaS web apps, some vendors in the Identity-as-a-Service (IDaaS) space built tools that let users sign in to cloud web applications with the identity held in an on-prem directory service. Dubbed single sign-on (SSO) solutions, these tools soon became some of the most sought-after identity management products. Although they are powerful at connecting identities to web applications, these web SSO tools do not extend that identity to systems, networks, servers, on-prem applications, or pretty much any IT resource that isn't a web application.
There is, however, a next-generation IDaaS solution, delivered from the cloud, that does just that. As a modern cloud directory service, it takes a single set of user credentials and applies it to virtually all of an employee's IT resources, regardless of platform, protocol, provider, or location.
This concept of True Single Sign-On (True SSO) is changing the way IT admins manage their organizations and is fighting password fatigue on the front lines. Instead of dozens of passwords, employees use one secure identity, with optional MFA, for all resources. The cloud directory service stores that password only as a salted hash and extends the identity to each IT resource over a TLS-protected connection.
Password Fatigue vs. JumpCloud®
This True SSO cloud directory service is the JumpCloud Directory Platform. With JumpCloud, IT admins can tightly manage their users and access to their IT resources from a single admin console in the cloud. When it comes to fighting password fatigue, in addition to True SSO, admins can also enable and enforce MFA and conditional access policies with JumpCloud to tighten up their organization’s security.
If you’re interested in seeing what a cloud directory service can do for you, why not sign up for JumpCloud Free and try it yourself? There’s no credit card required, and every JumpCloud account includes 10 users and 10 devices for as long as you need until you scale. You’ll also get 10 days of 24×7 Premium in-app chat support.
Fight back against password fatigue in your organization with JumpCloud Directory-as-a-Service.