Preventing Password Fatigue & Stress
Stress alert! The biggest password problem might be the fatigue and stress. Password stress happens when users must memorize and type a large number of passwords on a consistent basis. Nobody wants to remember and type a long and complex password. The problem is that good security means unique usernames and passwords that are both long and complex (high entropy). But the amount of stress involved in memorizing and typing these long passwords takes a strong toll on the users.
What causes password stress?
Compliance mandates and security protocols are increasingly demanding more rigorous (and laborious) means of protecting passwords and the data they hold access to. Trying to comply with the password policies is the actual reason for much of the password-related fatigue ongoing with users that lead to less happy employees and productivity.
First, having to retype username and password repeatedly.
Constantly forgetting passwords (especially ones that are not used often).
Mistyping passwords (wastes time).
Mixing up username and password combinations.
Having to retype passwords repeatedly.
Having to reset passwords and memorize new ones.
Continuously changing passwords due to compliance.
Having too many passwords to remember (impossible task for most of us).
Being forced to create, remember, and type complex passwords for each account.
Being responsible for password security by policy.
Locked out of a website or computer.
Downtime waiting for helpdesk to recover access.
Forgetting to lock computer/log out of a website.
News of other data breaches.
Without the proper tools, users are constantly forced to choose between high stress with high security or low stress with low security (not a good tradeoff).
How people get stressed over passwords
Every new website is a new and unique username and password (and OTP for 2FA) combination to memorize. Adding more credentials for users to manage will only stress them out more. The problem becomes users resorting to poor password hygiene to avoid all the password-related stresses:
Writing passwords on paper, Post-Its, or spreadsheets
Creating weak passwords that are susceptible to brute-force attacks
Creating low-entropy passwords (easily guessed)
Reusing the same password for multiple accounts (high risk)
Sharing passwords with others via insecure methods (e.g. SMS text, email, messenger, paper)
Huge increase in cybersecurity incident probability from overall poor security habits
People used to hide their car keys in their cars and now more people are hiding passwords written on paper under workstations. Some employees even report writing the codes to doors on paper and taping them onto the door. Read more about how technology not only hurts cybersecurity, but also users’ health.
Risks of weak passwords
The effects of password stress on users transcends to the C-suite with one credential exposed potentially causing millions of dollars worth of damage in theft and reputation. A department can spend a great deal of investment into their tools, training, and awareness, but if a single user is breached, the investment could have been for naught. Train users sufficiently to be aware of cyber risks and how to best use their tools.
The fact that cybercriminals employ bots should be a glaring indicator to the scale of the attacks unknowingly happening every moment. Reusing passwords make those account vulnerable to cracking since one compromised credential and compromise the rest.
The more that vital services go digital (banking, records, healthcare, etc.), the more important our passwords and usernames become, and criminals are following the trend. We have fewer keys, but now, too many passwords to manage and too many thieves to ward off at the same time. Criminal activity online is sky-rocketing at an unprecedented pace.
Tips on avoiding password stress (while being secure)
Automation and initiative are the keys to best avoiding password problems. Use tools to help manage the memorization and typing of passwords. Admins will also have to take a proactive approach to ensuring users get compliant, then keeping them compliant should be easier.
Prevent wasted time by carefully mapping out latency points. First, focus on reducing password resets. The cost of constantly changing passwords and informing respective users is immense because it takes so much time. Moreover, consider using a tool that allows for faster and more automated password changing and sharing. Train smart and aware users and arm them with powerful tools.
Use passphrases rather than passwords (longer and more easily memorized).
Use a password manager to avoid having to memorize and type so many credentials.
Portability: Consider using a passwordless authenticator rather than a master password such as a token or a fingerprint.
Deploy a password solution that best fits your user’s needs based on their workflows.