{"id":33174,"date":"2021-06-01T09:00:00","date_gmt":"2021-06-01T13:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=33174"},"modified":"2024-07-22T18:05:09","modified_gmt":"2024-07-22T22:05:09","slug":"password-fatigue","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/password-fatigue","title":{"rendered":"What is Password Fatigue?"},"content":{"rendered":"\n
Did you know the average employee spends over 10 hours in their work year<\/a> simply inputting passwords? Although 10 hours doesn\u2019t seem like much in the grand scheme of things, these hours amount to a cost of around $5.2M annually for organizations<\/a> in lost time.<\/p>\n\n\n\n This is detrimental to both business productivity and employee wellbeing, not to mention the grave security risks that passwords cause. <\/p>\n\n\n\n Let\u2019s face it. People are tired of passwords. So much so that the term \u201cpassword fatigue\u201d has been developed to describe modern attitudes towards the login process. But what is password fatigue, exactly? This article will explore both the password problem and potential solutions.<\/p>\n\n\n\n In the modern era of IT, advancements into the cloud and the rise of \u201cas-a-Service<\/a>\u201d offerings have given organizations incredible capabilities with regard to speed, work location flexibility, and collaboration, among other things. Unfortunately, friction has come alongside these enhancements as well.<\/p>\n\n\n\n On any given workday, in addition to personal accounts, an average employee might log in to dozens of disparate applications or other resources that are critical to their success. There is generally a commonality between each of these logins: a username and password.<\/p>\n\n\n\n A username is fairly easy to remember; it might be an email address, first initial\/last name, employee ID number, etc. For most (if not all), there is no such thing as \u201cusername fatigue\u201d. Most organizations and individuals know that logging into an IT service is a two-step process and the first step is not required to be unique. It is easy to have a common username that is used virtually everywhere.<\/p>\n\n\n\n Passwords, on the other hand, are more complicated. 
Common password requirements enforce that a password can\u2019t match the username, must be of a certain length, and contain a variety of characters, including upper\/lowercase letters, numbers, special characters, and more. <\/p>\n\n\n\n An additional security measure implemented in some organizations is password rotation<\/a>, which requires employees to change their passwords at set time intervals, such as every 90 days. Security professionals also recommend against password reuse.<\/p>\n\n\n\n With all of these requirements and restrictions, it can be difficult to come up with safe, secure passwords for every IT service and then remember them all.<\/p>\n\n\n\n In an ideal world then, on any given workday, the average employee is expected to remember maybe two or three usernames, and dozens of unique and complex passwords that can be required to change regularly. <\/p>\n\n\n\n In reality, the struggle to keep all of these passwords straight turns into password fatigue, which ultimately leads to password simplification and reuse. It is estimated that the average business employee keeps track of 191 passwords<\/a>.<\/p>\n\n\n\n This is a burden. Employees become tired of having to remember a host of passwords, so they start repeating passwords and reducing complexity in an effort to relieve the mental burden of logging in. <\/p>\n\n\n\n The fear of forgetting a password outweighs the fear of a potential data breach. 91% of people<\/a> understand the risk of reusing passwords, yet 59% admit to doing it anyway<\/a>. <\/p>\n\n\n\n This is a sobering reality, especially when you consider the fact that 61% of data breaches<\/a> involve credentials. In short, passwords are the gateway to confidential data, electronic financial transactions, and more, yet we don\u2019t treat them as the most critical security risk an organization faces. Password fatigue, then, not only affects employees but organizational security as well. 
<\/p>\n\n\n\n The enterprise is more at risk if its employees are struggling with password fatigue. <\/p>\n\n\n\n According to a survey conducted by the Ponemon Institute, 51% of people<\/a> rotate the same five passwords across their work and personal accounts.<\/p>\n\n\n\n In addition to sharing passwords among their own accounts, employees often share passwords with each other; 69% of people<\/a> admit to sharing credentials for work account access. In fact, there are tools that encourage \u201csecure\u201d password sharing!<\/p>\n\n\n\n Another potential security risk related to password fatigue is susceptibility to phishing<\/a> since most password reset requests are delivered by email. Phishing is the most common attack vector and is present in 36%<\/a> of data breaches. <\/p>\n\n\n\n If an employee experiencing password fatigue were successfully phished, and if they had five passwords in rotation that were shared with another employee, the situation could easily escalate into a serious data breach. Many of the world\u2019s worst corporate data breaches originated through password breaches \u2013 think Sony, Target, and more.<\/p>\n\n\n\n Password fatigue is a serious condition in the modern workplace and more widespread than we\u2019d like to think. To avoid the negative impacts of password fatigue in your organization, here are a few solutions to consider.<\/span><\/p>\n\n\n\n Using an SSO password manager<\/a> is a great way to alleviate password fatigue. Password managers allow employees to create a repository of their various passwords and automatically present them at login windows. 
<\/p>\n\n\n\n Since employees no longer need to remember every single password, password managers open up a greater possibility for increased length and higher password complexity<\/a>.<\/p>\n\n\n\n Instead of keeping track of the differences between \u201cR0cketMan72\u201d or \u201crocKetm4n&@\u201d, employees can simply use a computer-generated string of random characters for their password.<\/p>\n\n\n\n The chances of developing password fatigue decrease significantly. On top of that, with a complex, randomly-generated password, the probability of general password compromise also decreases.<\/p>\n\n\n\n In the context of password fatigue, multi-factor authentication<\/a> (MFA) might seem counterintuitive. Wouldn\u2019t adding an additional step to the login process just make things worse?<\/p>\n\n\n\n Contrary to popular belief, the implementation of a second authentication factor doesn\u2019t need to be complicated. It can be as simple as a push notification<\/a> sent to the employee\u2019s phone that asks them to \u2018Accept\u2019 or \u2018Deny\u2019 a log-in request.<\/p>\n\n\n\n\nDiagnosing the Problem<\/span><\/h2>\n\n\n\n
The Password Problem<\/span><\/h3>\n\n\n\n
Password Fatigue<\/span><\/h3>\n\n\n\n
What You Can Do About Password Fatigue<\/span><\/h2>\n\n\n\n
1. Password Managers <\/h3>\n\n\n\n
2. Multi-factor Authentication <\/h3>\n\n\n\n