What Is Password Fatigue?

By Zach DeMeyer Posted June 7, 2019

Did you know that the average employee spends over 10 hours in their work year just inputting passwords? While it may not seem like much, it chocks up to a cost of around $52M annually for their organizations in lost time. That sure seems bad for business, but what’s worse is the effect those 10 hours have on employees.

Let’s face it. People are tired of passwords. So much so that the term “password fatigue” has been developed to describe modern attitudes towards the login process. But what is password fatigue, exactly? Let’s explore it together.

Diagnosing the Problem

In the modern era of IT, advancements into the cloud and the rise of “as-a-Service” offerings have given organizations incredible capabilities in regards to speed and collaboration, to name a couple. Unfortunately, with these enhancements have come friction.

On any given workday, an average employee might log in to literally dozens of disparate applications (not to mention their personal accounts) or other resources that are critical to their success. With each of those logins comes a commonality: a username and password.

Generally, a username is fairly easy to remember; it might be an email address, first initial/last name, employee ID number, etc. For most (if not all), there is no such thing as “username fatigue”.

The Password Problem

Passwords, on the other hand, are more nuanced. Common password requirements enforce that a password can’t match the username, must be of a certain (8+ character) length, and contain a variety of characters, including upper/lowercase letters, numbers, special characters, and more.

Many security professionals also say you shouldn’t reuse passwords across logins. Heeding that advice, on any given workday, the average employee needs to remember maybe two or three usernames, and literally dozens of passwords, all (hopefully) unique and complex.

Password Fatigue

The struggle posed by these passwords is what, in turn, creates password fatigue. Employees become tired of having to remember a host of passwords, each varied in their own bizarre way. While some people combat this with tools like password managers, others take a more “grassroots” approach, leaving all of their passwords on an unsecured document on their workstation, or worse, on a sticky note attached to their monitors.

Much like driving while tired, logging in while fatigued by passwords is very dangerous. Employees who experience password fatigue might be more inclined to use repeat passwords; according to Ponemon, 51% of people asked rotated the same five passwords across their work and personal accounts. What’s more, while they may be sharing passwords between their own accounts, employees often share passwords with each other; 69% asked by Ponemon admitting to doing as much for work account access.

Also, since most password reset requests are delivered by email, password fatigue can also lead to a susceptibility to phishing. In fact, Ponemon reported 44% of those studied experienced phishing at work. Now, if one of them were successfully phished from those attempts, and if they had 5 passwords in rotation that were shared with another employee, their password fatigue could potentially mean catastrophe.

What You Can Do About Password Fatigue

Password fatigue is obviously a serious condition in the modern workplace, and, unfortunately, is more widespread than one might realize. If you are worried about password fatigue in your organization, here are a few tricks to consider for alleviating, protecting against, and avoiding password fatigue.

1. Password Managers

Like we mentioned earlier, using a password manager is a great way to alleviate password fatigue. Password managers allow employees to create a repository of their various passwords and automatically present them at login windows. As such, employees need not remember their passwords, which opens up a greater possibility for higher password complexity.

After all, when an employee no longer has to remember whether their password was “R0cketMan72” or “rocKetm4n&@”, and can simply use a computer-generated string of random characters for their password, the chance they will develop password fatigue decreases significantly. On top of that, with a complex, randomly-generated password, the chance of general password compromise is decreased, too.

2. Multi-factor Authentication

In regards to password fatigue, multi-factor authentication (MFA) might seem counterintuitive. After all, adding an additional step to a login process that is already bogging down employees seems to just exacerbate the issue. When it comes to identity security, however, adding a time-sensitive step outside of the traditional login process creates a major hurdle for bad actors.

Even if password fatigue has compromised an employee’s credentials through phishing or some other similar attack, the hacker involved would need to also obtain the employee’s phone or associated MFA token creator at the time of their credential breach. Ultimately, while it may not help get rid of password fatigue, MFA most certainly protects against its repercussions.

3. True Single Sign-On™

With the rise of SaaS apps, some vendors in the Identity-as-a-Service (IDaaS) space created tools that could bridge a user’s password stored in an on-prem directory service to the cloud. Dubbed single sign-on (SSO) solutions, these tools soon became some of the most sought-after identity management products. Although they’re powerful at connecting identities to applications, these SSO tools do not propagate passwords to systems, networks, servers… pretty much any IT resource that isn’t a web application.

There is, however, a next generation IDaaS solution, available from the cloud, that does just that. As a cloud directory service, this solution takes a single set of user credentials and applies it to virtually all of an employee’s IT resources, regardless of platform, protocol, provider, or location.

This concept of True Single Sign-On (True SSO) is completely changing the way IT admins manage their organizations, and on top of that, is actively fighting password fatigue on the front lines. Instead of dozens of passwords, employees simply use one secure password for all resources. The cloud directory service then uses a hyper-secure TLS connection with hashing and salting to extend that password, instead of simply applying the same password to log in.

Password Fatigue vs. JumpCloud®

This True SSO cloud directory service is JumpCloud Directory-as-a-Service®. With JumpCloud, IT admins can tightly manage their users and their access to their IT resources from a single admin console in the cloud. When it comes to fighting password fatigue, besides True SSO, admins can also enable and enforce MFA Policies with JumpCloud to tighten up their organization’s security.

If you’re interested in seeing what a cloud directory service can do for you, why not sign up for JumpCloud and try it yourself for free? There’s no credit card required, and every JumpCloud account includes ten users in the product for free forever.

Fight back against password fatigue in your organization with JumpCloud Directory-as-a-Service. If you would like to learn more, please contact us. We’d be happy to help you.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.

Recent Posts