The vast majority of us are reusing passwords in the workplace, despite receiving security training, according to the results of a survey by My1login published in August 2021.
The survey showed that 87% of employees use the same password across business applications.
In the education sector, this figure rises to 91%, with the use of personal passwords for business applications or vice versa at 75%!
The risks of reusing passwords are clear. When the same password is used across multiple accounts, the damage a cyber-attack could inflict increases as criminals can access multiple accounts when just one is breached.
When an employee reuses their passwords across personal and business accounts, an organisation’s vulnerability to cyber-attacks increases further.
This must be especially true if our personal passwords fall into one of the categories revealed in another survey published earlier this year by the UK’s National Cyber Security Centre (NCSC):
- 15% of us use our pet’s name
- 14% family members’ names
- 13% a significant date
- 6% our favourite sports team.
6% of those surveyed admitted using ‘password’ as all or part of their password!
The National Cyber Security Centre advises 3 actions we can take in relation to passwords which will improve our cyber security:
- Use a strong and separate password for email
- Create strong (and unique) passwords using three random words
- Save our passwords in our browser (a password manager will generate strong random passwords and store them securely).
They also advise turning on two-factor authentication (2FA), updating devices and backing up data.
How often should we change our passwords?
Historically, we have been advised to change our passwords regularly. However, this approach is no longer recommended by cyber security experts, including the National Institute of Standards and Technology (NIST). They say that forced regular changes encourage us to fall into the trap of choosing weaker passwords rather than strengthening security. Such as:
Instead, security experts such as Graham Cluley, as well as NIST, recommend changing our passwords when we believe there is a good reason to do so; e.g. if we think our password may have been breached, if we believe we may have chosen a weak password, or if we have reused the same password in multiple places.
Given the results of the My1login survey, it sounds as though the vast majority of us in the education sector need to take some action.