Improving staff password habits – a resolution worth sticking with

As we move into February, many of our New Year’s resolutions are already a distant memory: the diet will start again next Monday; you’ll try the exercise regime again in summer. There’s no denying that old habits are hard to break, and password habits are rarely top of the list when it comes to the things we would like to change – but they should be.

Data protection is a growing concern for many organisations, and customers and clients today understandably expect diligence from those responsible for ensuring that their personal details remain private. However, despite a great deal of investment in recent years into improving GDPR and data security policies at the top, the reality remains that it is often simple password practices that are the chink in the armour of many large organisations.

Several of the high-profile data leaks in recent years have been traced back to members’ poor password choices – at the height of the first lockdown, with millions of people turning to remote working, 500,000 Zoom login credentials were found to be up for sale on the dark web due to hackers successfully obtaining weak passwords. ¹Also in April 2020, over 300,000 Nintendo customers with weak or reused passwords were subject to a data breach that enabled hackers to access their gaming accounts as well as any linked PayPal accounts.² Ultimately, the security of these multi-national organisations was only as strong as their members’ passwords.

Why do passwords pose problems?

You might think that the days of people using ‘password’ as their password are long gone – but unfortunately it seems not. NordPass’ 2022 review of the most commonly used passwords³ had ‘password’ at the top spot (up three places from the NCSC’s 2019 survey⁴ ), while ‘123456’ was close behind in second place. Football teams also feature prominently (Liverpool is the favourite, in case you were wondering), as do fictional characters (Superman is currently winning in that category). With hundreds of thousands of people all using these common password phrases or features, they can often be easily guessed by hacking software.

That said, using overly complex passwords can also be problematic. Many organisations now insist on a password of at least eight characters, including letters (upper and lower case), numbers, and special characters. A random combination of letters, numbers, and special characters may be difficult for hackers to guess, but is equally difficult for staff to remember. They are therefore more likely to resort to writing down or storing passwords externally, which risks login details being viewed or stolen by individuals outside of the organisation. Alternatively, rather than learning multiple complex passwords, staff repeat passwords across different systems, and adapt variations of old passwords to fit the new complexity criteria. For someone who has managed to access your old personal email account from 2012 using the password ‘Superman1’, it isn’t a huge leap to guess that your current work email is ‘Superman3!’, or something similar.

It is easy to see how staff that work in busy environments, with multiple logins for personal and professional devices, simply become overwhelmed with passwords to remember. This then leads to poor password choices. In the cases of Zoom and Nintendo, companies were left vulnerable, and customers left out of pocket. If these breaches were to occur in large organisations that hold more sensitive personal data, such as in the healthcare or education sectors, the repercussions and reputational damage could be even greater.

What makes a strong password strong?

The NCSC advises the use of the ‘three random words’ technique when creating new passwords.⁵ Using three random words enables staff to meet minimum password length requirements and makes the resulting phrase easy to remember whilst also difficult to guess. An infinite combination of words is possible, yet the use of words – rather than a random string of letters and numbers – is more memorable.⁶

Passwords should also be completely unique for each login, and staff should be encouraged not to reuse passwords for difference apps or accounts. The ‘three random words’ technique also helps with this – passwords are easily generated and staff are not left struggling to come up with unique password ideas.

The use of password managers can also be of great benefit to users struggling to memorise dozens of passwords, regardless of their complexity. Most modern web browsers come with a basic level of this functionality, but more specialised and fully-featured standalone options are available at a range of price points. Just remember that, if the manager offers cloud storage for your passwords, a data breach on the part of the password manager could leave all of your passwords vulnerable, as users of LastPass discovered last year.⁷

How to change staff password habits for good

Old habits are hard to change, but changing password habits doesn’t have to be. As with all resolutions, the best results are achieved through education and support.

Educating staff is key. Help staff to understand the pitfalls of their old password habits, but also give them the tools they need to improve them. The ‘three random words’ technique is a simple process that all staff can follow, and encouraging them to use it will ensure that passwords strike the right balance between memorable and random. If staff understand what makes a better password, they will be more likely to make better choices.

Encourage staff to review passwords regularly. Security software can prompt regular password changes, and password management software can ensure that the same passwords are not being repeated, or that staff are not falling back into using predictable patterns.

Even when we know what we need to do, long-term changes require support. ITGL helps organisations across the UK to ensure that their cybersecurity is as rigorous as it can be. If you have any questions about how to implement better password practices among your staff, or would like advice on how to strengthen your cybersecurity across your organisation, then talk to us at security@itgl.com