Many employees at all kinds of businesses can suffer from password fatigue. It is a very real problem, which can be a struggle to deal with, and often it goes unnoticed.
In this article, we will aim to provide a comprehensive analysis of what it is, as well as steps that you can take as a business to avoid it altogether. This will ultimately help to keep your employees safer, happier, and less exhausted, and hopefully, it is one step on the journey of eliminating password fatigue.
What is Password Fatigue?
Password fatigue – sometimes called password chaos – is the overwhelming feeling of stress and mental exhaustion due to trying to remember too many passwords. This is often associated with the fact that employees of all sorts must have numerous different passwords for a plethora of other sites and software programs.
This is often not helped by the fact that people also have numerous other passwords to remember in their personal lives – such as for different social media accounts, online banking, and accounts for water, gas and electric bills, for instance.
What Causes Password Fatigue?
Numerous factors can be attributed to password fatigue, and we will list some of these below.
Unexpected Password Resets
This is one of the leading causes of password fatigue. Sometimes, a user has just remembered a password and is prompted to change it.
The reasons behind this change can vary from programme to programme, but the aim is to ensure that users have strong passwords and are at less risk of data breaches.
However, this can be confusing for the user – having to create another secure yet memorable password can be difficult, which is why many people use variations of the same password across numerous sites.
Not only can this be dangerous regarding cybersecurity, but sharing passwords across numerous sites makes it far easier for your accounts to be hacked.
Password Demands
How often have you created a new password, only for you to then be prompted to add a number, special characters or case-sensitive lettering into the combination?
This can also make it even more difficult to remember various passwords. For instance, adding just one particular character into a commonly used password can be challenging. Where did you put the unique character? Was it at the beginning or the end? Did you even put a character in the password for this site, or was it for a different one?
On top of all of these questions that run through a user’s head when questioning themselves about their correct password, sometimes some sites only let the user enter a password three times before locking them out for a time as a security measure.
Again, this can cause stress and anxiety to the user, who may need to access their account instantly to pay a bill, for instance.
Typing the Password Twice
Despite most of us just expecting this as the norm when creating a new password, being forced to re-type a password that you have just created can also be a leading cause of password fatigue.
For instance, if a user has recently just created a new password – perhaps one that they have never used before, or even a variation of it – they can struggle to remember it for a second time instantly.
In addition to this, when a user is prompted to enter a password for a second time, it needs to match the exact password the user typed initially.
This means that if a particular character is missing somewhere, a capital letter is in the wrong place, or an incorrect number has been entered, the password will be deemed invalid, and the user will have to try again until they get it right.
Similar to the password demands discussed above, the user can then be logged out of their account, prompting them to wait for a set period before they can enter the password again.
Random Password Prompts
Unexpected or random password prompts can also be a leading cause of password fatigue. This is most common in a company or business when a user is using the company or business’s intranet service.
While browsing different areas of an organisation’s intranet, users can sometimes be randomly prompted to re-enter their password.
This can be difficult for several reasons.
Firstly, they may not have typed in their intranet password for quite some time, especially if the browser has been opened on their work computer for an extended period of time.
In addition, they likely have a different password for their intranet rather than their organisation’s simple login or user account.
These are two different passwords that they need to remember. This can typically be challenging when randomly prompted, especially if they are halfway through an important project or job or really in the zone while concentrating on some hard work.
In addition, this can be off-putting if they cannot remember the password or have to contact the IT department for assistance.
Not only does this waste the employee’s time, but the IT department also has to create a new password for the user, who has a different, brand new, and probably unrelated password that they now have to try and remember.
Naturally, they will be instantly prompted to change this password! Therefore, from the one issue of mistyping or forgetting a password, they then have to spend their time sending a ticket to the IT department, who will reset their password, only for the user to have to change it and then try and remember that – all while they are meant to be undertaking their day job.
Blind Typing
Muscle memory can sometimes play a part in causing password fatigue.
Many people who learn to type from a young age at school are taught to look at the screen while they type so that they can see the content being typed on the screen and make any necessary amendments, rather than looking at the keys.
However, this can also cause difficulty when it comes to passwords, especially when a user can only see bullet point style dots on their screen while typing their password.
Many people who can remember their password type it out as usual, but if they make a ‘typo’ (typing error), accidentally press a wrong key, or press a key twice, for example, their password will be invalid, and they will be unable to access their account.
Sometimes, there is an option to “show password” while a user is typing out their password, which is ideal – this option should be selected if you think you might accidentally mistype your password.
The show password option is handy if there are limited opportunities for the user to enter their password before being locked out of their account.
Nevertheless, taking the extra time to type out a password slowly can be hugely beneficial in avoiding password fatigue.
Security Risks Associated with Password Fatigue
As is often the case when it comes to remembering passwords, there are many risks associated with this, not just from a data breach perspective. We will discuss the main security risks in greater detail below.
Password Sharing
Password sharing may seem like a convenient, even logical, option when it comes to remembering passwords, especially if a user has numerous different passwords for a range of different accounts (both personal and work accounts). Unfortunately, it is also one of the most dangerous things to do.
Recent research stated that approximately 26% of users have shared their passwords. This is the average figure, although a staggering 63% of users aged 16-24 have reported sharing passwords – the main one being email login access. While sharing credentials to work accounts could come in useful, such as if you are on a period of extended leave or need work covering while you are on annual leave, or perhaps maternity leave, for example, there are better ways organisations can prepare for this rather than others having to gain access to your accounts.
For example, senior management delegating your workload to others is the first step which should be taken, and any appropriate files or documents should be emailed over. There should be no reason that anyone else needs to access your account at work, so there should be no need for password sharing.
Furthermore, there is no way to control or manage how many people or users the password has been shared with, leading to a higher risk of a security breach.
There is also no way to control how often the password has been used, reused or distributed among others – perhaps even those from outside your organisation.
Password Storage
Another issue which can lead to security problems is password storage. Many people often opt to store their passwords in a document such as a Word document, Excel sheet or in the Notes app on their smartphone.
Some people also sometimes write their passwords down physically, with pen on paper and store them in a drawer or unit at their home or perhaps on their desk at work.
The physical documents written down on paper or in diaries can easily get stolen from a home or a quick photograph taken of them; therefore, accounts can be compromised.
Concerning digitally stored documents, like those stored on Excel sheets, Word documents, or even smartphone Notes apps, they can still be accessed (as often a password or passcode is not required to access them) and therefore stolen.
With the average person having up to 100 passwords to remember, if they are all stored in the same place, they are much easier to access and then steal – including personal and work accounts.
Reusing Passwords
Reusing passwords across different accounts is another way in which security can be compromised when it comes to remembering too many passwords.
A recent survey found that 70% of people reuse the same number of passwords for their accounts.
While it makes it easier to remember passwords across numerous sites, mainly if they are complex passwords to remember, it poses a considerable security risk.
If a password hacker accessed a document with all your passwords in it, even if they are different, they can still access your accounts.
This is similar – if a password hacker can access one of your accounts that uses the same password as 25 other accounts, a hacker now has access to a vast amount of your personal and private data.
This could also be used to extract money from an online banking account, or steal private company data.
However it is used, it is hugely important to avoid reusing passwords altogether and opt for unique passwords instead of commonly used ones, which will be discussed next.
Using Common Passwords
Some of the most common password options are, clearly, some of the easiest to remember. This is why they are so widely used.
For example, some of these commonly used passwords – or combinations of them – are often ones such as ‘password123’, ‘qwerty’ and ‘123456’.
Many people often make variations of these passwords which tick all the boxes of memorable characters, capitalisations and numbers – a widespread option being ‘Password123!’. While it looks like it could be difficult to crack (it has a capital letter and includes both numbers and a unique character), it is one of the most obvious options to go for. The capital letter is at the beginning (the most logical place to put it), the numbers used are the first three numbers and also in a numerical sequence, and the special character is the first one available when the shift key is pressed on a computer keyboard.
While password combinations like this are slightly more difficult to guess than just ‘password’, for example, hackers are still likely to be able to guess them without much extra effort.
Therefore, it is important to try and use a secure password which nobody can guess, as well as integrate special characters and numbers at the same time.
Yet password fatigue can also contribute to the reason why people choose easy-to-remember passwords such as this, and it is for that exact reason: they are easy to remember, and require little to no effort to type out.
We will discuss methods on how to tackle password fatigue later in this article.
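The point made above about ‘Password123!’ can be shown as an added example, which is not part of the original article: a Python check in which the password passes a typical composition policy yet reduces to a blocklisted base word once its predictable decorations are stripped. The blocklist, substitution table, function names and sample passwords are all constructed for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large
# list of breached and commonly used passwords instead.
COMMON_BASES = {"password", "qwerty", "123456", "letmein", "welcome"}

# Undo common character substitutions ("P@ssw0rd" -> "password").
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def meets_composition_rules(pw: str) -> bool:
    """Typical site policy: 8+ chars with upper, lower, digit and special."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def base_word(pw: str) -> str:
    """Strip the predictable decorations described in the article."""
    core = pw.lower()                      # capital letter at the start
    core = re.sub(r"[\d\W_]+$", "", core)  # trailing digits/symbols: '123!'
    core = re.sub(r"^[\d\W_]+", "", core)  # leading digits/symbols
    return core.translate(SUBSTITUTIONS)   # character substitutions


def is_guessable(pw: str) -> bool:
    """True if the password, or its stripped base word, is on the blocklist."""
    return pw.lower() in COMMON_BASES or base_word(pw) in COMMON_BASES


def evaluate(pw: str) -> tuple[bool, bool]:
    """Return (passes composition rules, still guessable)."""
    return meets_composition_rules(pw), is_guessable(pw)


if __name__ == "__main__":
    for sample in ["Password123!", "P@ssw0rd1!", "qwerty", "123456",
                   "Tundra7#velvet-Moth"]:
        rules_ok, guessable = evaluate(sample)
        print(f"{sample!r}: passes rules={rules_ok}, guessable={guessable}")
```

A password for which both values are true satisfies the site's demands without being any harder to guess, which is why checking new passwords against a blocklist matters more than composition rules alone.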
Password Management Programmes
On the face of it, password management programmes can be a useful tool to use when it comes to remembering passwords.
After all, they are safe and secure and they do all the remembering for you, right? This is true, and they certainly can be very useful.
But what happens if – or when – you forget the master password in order to access the password management programme in the first place? You are therefore risking losing all of your passwords to all of your accounts by just forgetting one password.
In addition, if you rely on a password management programme and you opt to use a typically easy-to-remember password such as the ones listed in the subsection above this one, then you are risking losing all of your passwords – and therefore data – to a hacker.
How to Combat Password Fatigue
This might come as a shock to some readers, but going passwordless could be the safest option.
While passwords have been the main source of online security for the last 50 years, going for options such as passwordless authentication can help to combat password fatigue and keep your employees safer and happier at work, as well as eliminate any worries about forgetting passwords and the consequences associated with it.
We will discuss some of these passwordless options in greater detail below.
Passwordless Authentication
While you may not have heard of this as an option before, put simply, passwordless authentication is defined as an authentication method which allows a user to gain access to an IT system or online account without having to enter a password, passcode or any other form of knowledge-based secret.
Many people instantly recoil at the thought of being passwordless because they do not understand the meaning behind it – it does not mean that all of your accounts will be open for anyone to enter!
Instead of entering a password to access an account or programme, a user will enter a token code from their organisation instead. In addition, they could use technology such as facial recognition technology (which is now implemented before a user is prompted to enter their passcode on the iPhone and many other smartphones).
A user could also be prompted to use fingerprint technology to access accounts instead. This is another security element which is completely unique to every single person on Earth, as well as meaning that the user has to be present – so a hacker would therefore have to be present with the user, which is highly unlikely.
Multi-Factor Authentication
Multi-factor authentication, commonly abbreviated to MFA, is another passwordless option which can be utilised in order to combat password fatigue.
As the name suggests, MFA requires the user to provide two or more pieces of evidence to prove it is them who is trying to access their online account.
Unlike passwords, this information does not necessarily have to be text-based, and therefore hard to remember.
Examples of multi-factor authentication include biometrics for authentication in order to increase security, such as personalised questions.
These questions are often designed to be customisable so that users will never forget them – such as the name of the street you grew up on, your mother’s maiden name, your father’s middle name, or the make of your first car, for example.
It is also worth mentioning that it is important to keep this information as private as you can. Hackers on social media sites (typically Facebook) will often post questions designed to increase engagement to give away information like this, such as “do you remember your first car? What was it?”, which encourages users to comment underneath the post in response to it. This is a very easy way for hackers to gain information like this.
Being careful online and not falling for typical hacks like this can save you a lot of trouble later down the line.
Zero-Factor Authentication
Another alternative to using a password is zero-factor authentication, sometimes called 0FA.
It is a recent phenomenon which has been designed to increase the UX (user experience) and combat password fatigue because it does not require remembering any form of password. Instead, 0FA works by recognising sensor data, essentially working in the background.
The signals that 0FA uses to recognise users include network, location and device signals.
This can be a very handy tool to adopt in any company, business or organisation because password fatigue can be completely eliminated.
Final Thoughts
Clearly, password fatigue is an issue which needs to be rectified in order to protect employees, and keep company and organisational (as well as private) data safe.
Techniques such as avoiding common passwords and password sharing, adopting a multi-factor authentication approach, or even going for zero-factor authentication can all play their part in eliminating password fatigue.
The sooner that this problem can be rectified, the sooner your business can excel and be back on track – as well as saving your employees and IT department a lot of stress at work, enabling them to get on with the more important jobs of the day.