How to tackle employee password fatigue

Passwords are often the first line of defence when it comes to cybercrime and with the world increasingly going digital, we’re now faced with remembering more of them than ever before.

It’s estimated that the average worker now has to keep track of around 200 passwords. So, it’s no surprise that password fatigue can easily set in, leading employees to opt for weak and easy-to-crack passwords, for example ones based on personal information such as a child’s or pet’s name or a favourite sports team.

Millions of people are even still using ‘Password’ and ‘123456’!

Despite knowing the risks, 61% of people also admit to using the same (or similar) passwords everywhere, further adding to the risk of a successful hack.

For businesses, this can be a big problem, leaving a potential ‘way in’ for criminals. So, it’s vital to have a password policy in place and to take all steps necessary to help educate employees and mitigate the risk.


Some of the most commonly used and easily hacked passwords worldwide are:

  • Password – used by nearly 5 million people
  • 123456 – 1.5 million
  • 123456789 – 413,000+
  • qwerty – 309,000+
  • 12345678 – 284,000+
  • 111111 – 229,000+
  • 12345 – 188,000+
  • 123123 – 127,000+


How are passwords discovered?

There are various techniques that an attacker might use to discover passwords. These include:

  • Tricking someone into revealing their password via social engineering, such as an email phishing scam
  • Using passwords leaked following a data breach to attack other systems where users may have used the same password
  • Password spraying using a small number of commonly used passwords
  • Brute-force attacks, which automatically guess large numbers of passwords until the correct one is found
  • Manual password guessing using personal information that has been obtained such as name, date of birth, or pet names
  • ‘Shoulder surfing’ (observing someone typing in their password)
  • Finding passwords which have been stored insecurely, such as sticky notes kept close to a device, or documents stored on devices
  • Intercepting a password (or password hash) when it is transmitted over a network
  • Installing a keylogger to intercept passwords when they are entered into a device


What can businesses do to enhance password security?

Supporting employees to gain a greater understanding of the issue is a vital piece of the puzzle. Advising on best practice when it comes to the choice and use of passwords is a great first step.


Create a company password policy

Think about and document how your business is to use passwords. This policy should be shared with employees and reviewed regularly. It should cover issues such as:

  • Only using a password once
  • Not basing passwords on personal info, such as a pet’s name
  • Keeping passwords long and strong
  • Not sharing passwords with other people


Schedule team training

Research points to the fact that relying on employees’ own intuition and understanding of cyber security is not enough. You need to be proactive and to support them, as the consequences of a cyberattack could be extremely costly. Hold regular training sessions with employees and share news about the latest scams and what action to take, should someone come across something they’re not sure about.


Don’t change passwords too often

A strong password should only need to be changed around once a year. Some software can now automatically prompt for a password to be reset at a set interval. When a password is changed, it should be changed entirely, rather than following an incremental pattern that attackers specifically look for, such as password1, password2, password3.
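To show how the policy points above (no personal information, long passwords) and the advice on changing a password entirely can be enforced rather than just advised, here is a small policy check. It is an added example written for this article, not software from Dragon IS or any named vendor; the employee profile, the 12-character minimum and the "letters-only" comparison used to spot password1 → password2 style changes are all assumptions made for the example.

```python
import re

# Constructed sample profile, standing in for the personal details an attacker
# could learn about an employee (and that a policy check should therefore forbid).
SAMPLE_PROFILE = {
    "name": "Alice Example",
    "pet": "Biscuit",
    "date_of_birth": "1987-03-14",
    "team": "Wanderers",
}

MIN_LENGTH = 12  # assumed policy value; the article only says "long and strong"


def personal_tokens(profile):
    """Lower-case fragments (3+ characters) from the profile that a password must not contain."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s\-/]+", value.lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def _letters_only(password):
    """Collapse a password to its alphabetic core so 'Password1!' and 'Password2!' compare equal."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(candidate, profile, previous=None, min_length=MIN_LENGTH):
    """Return the list of policy violations for a candidate password (an empty list means acceptable)."""
    problems = []
    lower = candidate.lower()

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    for token in sorted(personal_tokens(profile)):
        if token in lower:
            problems.append(f"contains personal information ({token!r})")

    if previous is not None:
        if lower == previous.lower():
            problems.append("same as the previous password")
        elif _letters_only(candidate) and _letters_only(candidate) == _letters_only(previous):
            # Only digits or symbols moved: the "password1, password2" pattern.
            problems.append("differs from the previous password only in digits or symbols")

    return problems


if __name__ == "__main__":
    for pw, prev in [("Biscuit2019!", None), ("password2", "password1"),
                     ("correct horse battery staple", "password1")]:
        print(pw, "->", check_password(pw, SAMPLE_PROFILE, previous=prev) or ["ok"])
```

Running the block reports that `Biscuit2019!` leaks the pet’s name, that `password2` is both too short and only a number away from the old password, and that a long passphrase unrelated to the profile passes. The checks are deliberately simple; in practice they would sit alongside the breach list check described under password blacklists.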


Use random passwords

Generate and use random passwords using an online generator such as LastPass, and make it compulsory for these types of passwords to be used. Again, some software will let you prevent people from setting passwords that are too easy, so they would be stopped even if they tried to.


Set up password blacklists

By this we mean making sure your users can’t choose any passwords commonly found within data breaches, like 12345 mentioned earlier. A helpful site for this is Have I Been Pwned?, which can also be used to check whether an email address has ever featured in a website data breach, and when.
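The following is an added example, not code from Have I Been Pwned or from this article’s authors, of how a breach blacklist check is typically wired up. It combines a local list (the common passwords quoted earlier in this article) with the k-anonymity lookup pattern used by the Pwned Passwords range API: only the first five hexadecimal characters of the password’s SHA-1 hash are sent to the service, and the remaining 35 characters are compared locally against the returned `SUFFIX:COUNT` lines. The network call is replaced here by a constructed response so the example runs offline; the counts and two of the three suffixes in that response are made up.

```python
import hashlib

# Common passwords from the list earlier in this article; a production blocklist
# would be far larger (for example the downloadable Pwned Passwords corpus).
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty",
    "12345678", "111111", "12345", "123123",
}

# Constructed stand-in for the Pwned Passwords range API. The real service is
# queried with an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix> and
# answers one "SUFFIX:COUNT" line per known hash sharing that 5-character prefix.
# The middle suffix is the genuine SHA-1 remainder of "password"; the other two
# lines and all of the counts are made up for this example.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3500000\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:42\r\n"
    ),
}


def constructed_fetch_range(prefix):
    """Offline replacement for the network call; unknown prefixes return an empty body."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def sha1_prefix_suffix(password):
    """k-anonymity split: only the 5-character prefix leaves the machine, the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} dict, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=constructed_fetch_range):
    """Number of breach appearances for the password according to the range data (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_blocked(password, fetch_range=constructed_fetch_range):
    """Reject a password found in the local list or the breach data; returns (blocked, reason)."""
    if password.lower() in COMMON_PASSWORDS:
        return True, "in the common-password list"
    seen = breach_count(password, fetch_range)
    if seen:
        return True, f"seen {seen} times in data breaches"
    return False, "not found"


if __name__ == "__main__":
    for pw in ["qwerty", "password", "correct horse battery staple"]:
        print(pw, "->", is_blocked(pw))
```

Because the full hash never leaves the machine, the service cannot learn which password was checked, only that it shared a prefix with a few hundred other hashes. When swapping `constructed_fetch_range` for a real HTTP client, keep the same interface (prefix in, response body out) so the parsing and comparison logic is unchanged.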


Use a password manager

The more passwords there are to remember the more difficult it can be for an employee (and the more tempting for them to replicate or choose easy ones). One solution is to use a password manager. This type of tool remembers passwords for numerous sites, so all an employee needs to do is to remember the main login for the password manager software itself.


Implement two-factor authentication

This is where a one-time passcode may be sent to a phone linked to the particular account. The code must be entered before access is granted, acting as further verification.
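The paragraph above describes a one-time passcode sent to a phone. The same idea is more commonly implemented with an authenticator app that derives the code from a shared secret and the current time (RFC 6238 TOTP, built on RFC 4226 HOTP). The block below is an added example written for this article, not code from any product mentioned on the page: it generates a code the way an authenticator app does and verifies it the way a server should, allowing one 30-second step of clock drift and comparing in constant time. The secret used in the self-check is the public test secret from RFC 6238, not a real credential.

```python
import hashlib
import hmac
import struct
import time

# Public test secret from RFC 6238 Appendix B (SHA-1 variant); never use a fixed
# secret like this in a real deployment, each user gets their own random one.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = (((mac[offset] & 0x7F) << 24)         # clear the sign bit of the first byte
            | (mac[offset + 1] << 16)
            | (mac[offset + 2] << 8)
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp, step=30, digits=6, window=1):
    """Server-side check: accept the current step and +/- `window` steps to tolerate clock drift.

    hmac.compare_digest stops the comparison itself from leaking how many digits matched.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(timestamp) // step
    matched = False
    for c in range(max(0, counter - window), counter + window + 1):
        # Evaluate every candidate rather than returning early, so timing does not reveal the step.
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_TEST_SECRET, code, now))
```

A server would store a different random secret per user, share it once with the user’s authenticator app (usually as a QR code), and from then on only exchange the six-digit codes. The drift window should stay small: every extra step accepted is another code an attacker could guess.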


Concerned about your business IT security or cyberattacks?

Here at Dragon IS, we work with small and medium-sized businesses, helping them with a broad range of issues relating to their IT systems, processes and procedures. From expert advice and guidance, to introducing systems that can effectively scale up with a growing business, call us for an informal chat on 01908 613 080 or email