This article is part of our Essential Guide: How to deal with Identity and access management systems

The problem with passwords: how to make it easier for employees to stay secure

An organisation’s IT security can be compromised if staff do not follow a strict policy of using strong passwords to access internal systems

Password security has long been considered the most fundamental way of keeping company data safe. But recent research revealing the world’s most popular passwords – including “123456” and “password” – reminds us of what we already knew: that most people still don’t understand the most basic principles about secure passwords. 

Companies should be concerned about whether their sensitive information is safe from hackers if their employees’ passwords are so blindingly obvious.

Beyond easy-to-guess passwords are two worse risks. First, people will often use passwords with an emotional meaning to them. Although this helps reduce the risk of obvious passwords, it means people are far less likely to change their password regularly, which is vital to reducing the threat of security breaches.

Second, employees re-use these same passwords across sites, so when one site is compromised, it reveals that individual’s password across all the other sites where it has been used.

So why do employees pick such bad passwords? As we all know, choosing, remembering and changing passwords can be inconvenient. But IT teams can help employees act more securely, without increasing the burden on individuals.

Although complex passwords – a mixture of numbers, upper and lower case letters and symbols – are often considered a foundational element to security, only 29% of organisations feel that complex passwords alone help to reduce security risks. In part, this is because employees often write down or electronically record their more complex, hard-to-remember passwords, which can easily be lost or stolen.

So what can companies do to improve passwords and reduce the risk of data breaches?

  • Implement password complexity checking. It is easy in most systems to force employees to use a minimum number of characters, which today should be set to at least 10 mixed character types, and screen passwords against a dictionary of common passwords. The most popular password, 123456, violates all three of these basic rules, showing that many organisations are not forcing good password selection. CEB data shows that most organisations are successfully doing this, but there is still room for improvement in the industry.
  • Employ multifactor identification. Multifactor identification involves employees authenticating themselves with several pieces of evidence, typically a static password plus a one-time code from token, app or SMS message. Because of cost and burden on employees, many companies only use this for employees with access to more sensitive data, or for riskier situations, such as remote access. Interestingly, only 43% of organisations require multifactor authentication before allowing remote connections to the organisation’s information systems.
  • Provide password vaults. Password vaults are software applications that help users store and organise passwords. These password managers usually store encrypted passwords, requiring the user to create a master password – a single, ideally very strong password, which grants the user access to their password database. This counters the need for users to remember, or keep hard copies of, their passwords, and makes it just as easy to use a 30-character complex password as it is to use “123456”.


Many companies are already taking steps in this direction to both reduce the burden on employees and improve password security. Almost one in hree (31%) of organisations have deployed password vaults, 29% have increased password length and/or complexity but reduced the frequency of password changes, and 16% have adopted multi-factor authentication.

While it is crucial for companies to select a policy that protects them as much as possible, they need to factor in the various aspects of the situation by evaluating each approach against risk mitigation capability, employee usability and defensibility.


Jeremy Bergsman is IT practice leader at CEB. ...............................................................................................................

Read more on Security policy and user awareness