Why security and awareness training won’t fix bad password habits

Organizations know their end users represent a cybersecurity risk. They make mistakes, they’re targeted by hackers, and sometimes they’ll even act maliciously against their employer. Security and awareness training is an attempt to reduce this risk by creating a cybersecurity-conscious culture, but it has its limitations: training can be time-consuming, disrupts productivity, and is often forgotten by end users. 

People don’t always take good advice, even when it’s in their best interest to do so. As IT Security teams know, this is definitely true when it comes to passwords. Organizations have been training people for a long time and it hasn’t stopped bad habits such as password reuse. Bitwarden found 68% of internet users manage passwords for over 10 websites – and 84% of these people admit to reusing these passwords.  

There’s certainly some value in training end users on best practices for password security, but organizations also need to know when to step in and enforce strong access security with help from technology. 

Why doesn’t training work? 

Most end users don’t set out to bring risk to their employers. And in 2024, many will be aware of bad password habits to avoid. So why do they still create weak passwords and reuse them across multiple sites and applications? For the majority, they simply want to get on with their jobs without remembering several different long and complex passwords. Reusing weak passwords is just a means to getting their job done faster and with minimal hassle. Many are guilty of having an ‘it won’t be me’ attitude to cybersecurity – it will be another unlucky person who ends up being the breach victim. 

There is value in training in that it helps create a culture of cybersecurity – it shows that upper management takes cybersecurity seriously, and some of it will sink into the workforce. The harsh truth, though, is that end users will always deliberately cut corners and make accidental mistakes, no matter how good your training is. An average end user is unlikely to share the same attitude to password security as a CISO, even if they’ve been educated on why it matters.  

LastPass research found that 79% of people who’d received cybersecurity training found it to be helpful. However, people clearly aren’t putting what they learned into practice. Out of the same group of people, only 31% said they’d stopped reusing passwords. This is a prime example of training alone failing to stop a serious security risk. 

Password reuse – an overlooked and risky habit 

Despite years of training, reusing passwords is widespread. In pursuit of convenience, people often choose the path of least resistance. Many individuals mistakenly believe that if their work password is robust, it’s equally suitable for personal devices and applications. This behaviour is driven by annoyance from password resets and the fear of being locked out, which can disrupt their productivity. 

While workplaces may enforce strong passwords, end users are free to reuse these passwords on personal applications and devices with weaker security measures or on unsecured networks. According to a survey by TechRepublic, 53% of people use the same password on multiple accounts, providing hackers with a golden opportunity.  

A hacker who gains unauthorized access to an online store could obtain a complete password database. Even if the passwords are hashed, the attacker can spend time trying to crack them. Once successful, they can identify the individuals behind those passwords and determine where they work. If any of these passwords are reused within the organization, it becomes a straightforward pathway for the attacker to infiltrate the employee’s workplace. 

However, it’s important to avoid placing the blame for bad password habits solely on end users. The increasing adoption of software-as-a-service (SaaS) means people have more passwords to remember than ever. According to LastPass research, the average employee types out their credentials to log in to websites and apps 154 times per month. The same research found an average-sized company with 250 employees now manages an estimated 47,750 passwords, creating numerous opportunities for compromise. 

SaaS adoption is unlikely to slow any time soon. So, on top of training, what can organizations do to counter end users’ bad password habits?  

How to enforce strong password security 

There’s value in training people to understand the importance of strong passwords. But when it comes to enforcing a strong password policy, it’s better to get some help from technology rather than relying on end users to remember and apply best practice. 

Block weak passwords 

Stopping people from creating weak passwords is key to preventing brute force attacks, which rely on using software to rapidly guess common passwords. A good policy shouldn’t just block very short passwords, but all iterations of common passwords, keyboard walks such as ‘qwerty’, and passwords found in previous breaches. Organizations should also set up custom dictionaries, to block words specific to their own business and industry.  

Regular scans for compromised passwords  

As we’ve outlined, password reuse is a serious problem that can lead to strong work passwords becoming compromised. Scanning for compromised passwords in your Active Directory should therefore be a regular task. It’s important organizations have tools in place to scan for end users using breached passwords – but the best solutions will scan on a continuous basis and alert end users if they’re found to be using a breached password. 

Consider user experience 

When cybersecurity takes end user experience into account, people are going to be more on board with their organization’s security measures. Here are three ways to give your end users a better password security experience:  

  • Customizable notifications: It can be frustrating to have work interrupted by an enforced password reset. Customizing notifications can give better explanations about why a reset is needed.  
  • Length-based ageing: You can encourage end users to create stronger passwords by ‘rewarding’ them with longer times to reset when they create long, strong passwords. 
  • Dynamic feedback: It can also be frustrating when a new password is created and a generic ‘password doesn’t match your organization’s criteria’ error message pops up. Dynamic feedback at the password change screen helps guide end users towards creating a strong, memorable password in real time.  
Example of dynamic end user feedback in Specops Password Policy
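As an added illustration (not Specops code, and not a description of how Specops Password Policy works internally), the following Python sketches the checks described under ‘Block weak passwords’ together with the dynamic feedback and length-based ageing ideas listed above. The word lists, leetspeak map, keyboard rows and ageing tiers are constructed assumptions.

```python
"""Added example, not Specops code: a password-policy check that returns
specific feedback, plus a length-based ageing tier. Word lists are constructed."""
import re

MIN_LENGTH = 12
# Constructed sample lists; a real deployment uses full breach corpora.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "iloveyou"}
BREACHED_PASSWORDS = {"Summer2023!", "P@ssw0rd123!"}
CUSTOM_DICTIONARY = {"specops", "acme", "widgetco"}  # company/industry words
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LEET = str.maketrans("@$0!13", "asoile")      # @->a $->s 0->o !->i 1->l 3->e
EDGE_NOISE = re.compile(r"^[0-9\W_]+|[0-9\W_]+$")  # digits/symbols tacked on the ends

def normalize(pw: str) -> str:
    """Reduce 'P@ssw0rd123!' to 'password' so common-password variants are caught."""
    return EDGE_NOISE.sub("", pw.lower()).translate(LEET)

def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent keys of a keyboard row (either direction) appear."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def check_password(pw: str) -> list:
    """Return every policy violation, so the change screen can explain a rejection."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    root = normalize(pw)
    if root in COMMON_PASSWORDS:
        reasons.append(f"variant of the common password '{root}'")
    if pw in BREACHED_PASSWORDS:  # in practice: compare hashes against a breach feed
        reasons.append("appears in a known breach")
    if any(word in root for word in CUSTOM_DICTIONARY):
        reasons.append("contains a blocked company or industry word")
    if has_keyboard_walk(pw):
        reasons.append("contains a keyboard walk such as 'qwerty'")
    return reasons

def max_age_days(pw: str) -> int:
    """Length-based ageing: longer passwords earn a longer interval before reset."""
    n = len(pw)
    return 365 if n >= 20 else 180 if n >= 15 else 90  # constructed tiers

for candidate in ("P@ssw0rd123!", "correct horse battery staple"):
    print(candidate, check_password(candidate) or "OK", max_age_days(candidate))
```

An empty list from `check_password` means the password passes; a non-empty list is the specific feedback a change screen would show instead of a generic ‘doesn’t match criteria’ message.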

Solve password reuse for good – try Specops Password Policy 

Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your Active Directory. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks and our own honeypot system that collects passwords being used in real password spray attacks.   

Our new continuous scan feature checks all Active Directory passwords against the Breached Password Protection API for compromise once a day. The API is updated daily with newly discovered compromised passwords from our password honeypot system in addition to newly discovered password leaks when they occur. Administrators can review results of the latest continuous scan in the Domain Administration Tools. 

Automated password security doesn’t just have to benefit IT teams. You can also give end users a better experience with length-based ageing, dynamic password change feedback, and customizable end user notifications. Find out how Specops Password Policy could fit in with your organization.  

(Last updated on March 14, 2024)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
