Six Ways to Combat Password Fatigue
HYPR Team
5 Min. Read | September 30, 2022
Password fatigue is the frustration people experience from using, remembering, or resetting passwords to access their accounts. This challenge is increasing with the number of logins required by various apps and services. However, user irritation is not the biggest concern. Password fatigue poses significant risks for both users and organizations.
Unfortunately, the necessity for account security means that passwords are a pervasive element of modern life, with one study from NordPass finding that the average user has over 100 passwords. In addition, over 40% of users keep professional passwords in their memory, leading to extensive strain and frustration when they can’t recall them.
Password fatigue directly leads to poor password hygiene and insecure actions around passwords that create security flaws in identity and access management (IAM) processes. A survey by the Ponemon Institute found that 51% of people reuse the same five passwords across their work and personal accounts. Perhaps more shocking, 42% of IT professionals report that their organization uses sticky notes for passwords, and nearly half of organizations keep password lists in a spreadsheet or Word doc.
These behaviors make it easier for attackers to gain access to people’s accounts, such as by trying lists of common passwords or passwords that have been compromised in previous data breaches.
Causes of Password Fatigue
In addition to the sheer volume of passwords that users need to track, a number of scenarios add to password fatigue:
- Obligatory resetting of passwords on a frequent basis
- Having to create a password when they didn’t expect to
- Requirements for long passwords
- Requirements for complex passwords that use varying combinations of uppercase letters, numbers or special characters, especially if they have to follow a certain pattern
- Use of unusual usernames
- Not being able to view passwords when typing, either at the setting stage or during login
With passwords and credentials being the top vector for cyberattacks, password fatigue poses a significant challenge to organizational security. Here we’ll look at ways you can mitigate password fatigue and the security dangers that come with it.
1. Deploying Single Sign-On (SSO)
The main cause of password fatigue comes down to the sheer number of passwords and how often users must input them in order to access their networks, accounts and applications. SSO allows users to access a suite of services after one sign-on, reducing the time spent and the frustration of multiple logins. Common SSO providers include Okta, Azure AD and Ping; integrating them with other authentication processes can make the user experience better and more secure still. Note, however, that while SSO addresses password fatigue, it was never intended to provide authentication security by itself. You can close this gap by using a passwordless SSO solution.
2. Using Password Managers
Password managers are applications that store all of your passwords for your various accounts online. They can also be used to create extremely complex passwords for those accounts. One of the main problems with password managers is that they introduce new vulnerabilities. Passwords still function as the gateway to systems and applications, and therefore can be compromised. Moreover, the password manager itself can be hacked or breached, putting all connected accounts at risk.
3. Remembering Details on Browsers
Autofill information or remembered passwords on browsers can ease password fatigue by automatically inputting user credentials at login time. While this might improve the user experience, it also creates significant security risk as anyone else coming into possession of the device will then be able to access accounts without needing to know any of the user’s details. The storage of this data will also become a target for attackers looking to siphon credentials from a device.
4. Simplified Password Recovery
The recovery process after losing a password is one of the biggest contributors to password fatigue. Lengthy recovery, where you may be asked to answer secret questions you set years ago or have links sent to recovery accounts you no longer use, creates significant user frustration. Simplifying these processes with easy-to-use recovery mechanisms, such as biometric identifiers, can ease these issues, but the rollout of updated mechanisms can require extra helpdesk resources.
5. Session Tokens
When a user has securely authenticated themselves, a session token allows them to stay logged in as they pass through the different elements of a site or application. While this makes the user experience more seamless and reduces the number of login requests, the hijacking of session tokens can also allow an attacker free access to a user’s account while it remains valid.
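The hijacking risk described above is usually reduced by limiting how long, and from where, a token is honoured. The Go program below is an added example written for this page, not HYPR's code or any product's implementation: a server-side session store that keeps only a hash of each opaque token, expires tokens on both idle and absolute timeouts, binds each token to a client fingerprint (the fingerprint string and how it would be derived are assumptions here) and rotates tokens after re-authentication, so that a copied token presented from another client is refused and the session it came from is revoked.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

var ErrInvalidSession = errors.New("session token invalid or expired")

// Session is the server-side record behind an opaque token; only the token's hash is kept.
type Session struct {
	TokenHash  string
	User       string
	ClientHash string // hash of the client fingerprint the token was issued to (constructed binding input)
	IssuedAt   time.Time
	LastSeen   time.Time
	Revoked    bool
}

type Store struct {
	mu        sync.Mutex
	sessions  map[string]*Session
	idleLimit time.Duration
	absLimit  time.Duration
	now       func() time.Time // injectable clock so expiry can be exercised deterministically
}

func NewStore(idle, abs time.Duration) *Store {
	return &Store{sessions: map[string]*Session{}, idleLimit: idle, absLimit: abs, now: time.Now}
}

func hashString(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Issue mints a fresh 256-bit random token bound to the presenting client.
func (s *Store) Issue(user, clientFP string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok, now := hex.EncodeToString(raw), s.now()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[hashString(tok)] = &Session{TokenHash: hashString(tok), User: user,
		ClientHash: hashString(clientFP), IssuedAt: now, LastSeen: now}
	return tok, nil
}

// Validate enforces revocation, absolute lifetime, idle timeout and client binding. A token
// presented from a different client than it was issued to is treated as a suspected hijack.
func (s *Store) Validate(tok, clientFP string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[hashString(tok)]
	if !ok || sess.Revoked {
		return "", ErrInvalidSession
	}
	now := s.now()
	if now.Sub(sess.IssuedAt) > s.absLimit || now.Sub(sess.LastSeen) > s.idleLimit {
		delete(s.sessions, sess.TokenHash)
		return "", ErrInvalidSession
	}
	if subtle.ConstantTimeCompare([]byte(sess.ClientHash), []byte(hashString(clientFP))) != 1 {
		sess.Revoked = true // revoke so neither the legitimate user nor the holder of the copy can continue
		return "", ErrInvalidSession
	}
	sess.LastSeen = now
	return sess.User, nil
}

// Revoke invalidates a token immediately (logout, credential change, admin action).
func (s *Store) Revoke(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess, ok := s.sessions[hashString(tok)]; ok {
		sess.Revoked = true
	}
}

// Rotate swaps the token for a new one (after re-authentication or a privilege change)
// so that any earlier copy of the token stops working.
func (s *Store) Rotate(tok, clientFP string) (string, error) {
	user, err := s.Validate(tok, clientFP)
	if err != nil {
		return "", err
	}
	s.Revoke(tok)
	return s.Issue(user, clientFP)
}
```

The clock is injectable only so that expiry can be exercised deterministically; in production it stays `time.Now`. Binding to a fingerprint such as a user-agent hash raises the bar for a stolen token but is not a substitute for short lifetimes, rotation on privilege change and transport protections such as Secure and HttpOnly cookie attributes.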
6. Remove Passwords Altogether
If password fatigue is creating major security challenges for your organization, the answer may just be as simple as eliminating passwords during authentication. By deploying a passwordless solution built on public key cryptography and biometrics, for example, security can be improved, as it is extremely difficult to phish a retina scan. User experience is also greatly enhanced as the user always has their own biometric features with them.
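To make the public-key point concrete, here is an added example (not HYPR's code, and a simplified version of the origin-bound challenge-response used by passwordless authenticators) written in Go with only the standard library's ECDSA. The origin strings, user names and the Authenticator type are constructed for illustration. The server stores only public keys, the device signs the server's nonce together with the origin it sees, and each nonce is single-use: there is no shared secret to phish, a captured signature cannot be replayed, and a signature produced under a lookalike origin does not verify.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device: the private key is generated on the
// device and never leaves it, so the server only ever holds the public half.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign signs the challenge together with the origin the device actually sees, so a
// challenge relayed through a lookalike site is signed under the wrong origin.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(origin, challenge))
}

// digest binds origin and challenge into one hash, with a separator so the two
// fields cannot be shifted into each other.
func digest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the server: it holds public keys and one outstanding challenge
// per user. Nothing in it is a secret that would be useful to an attacker.
type RelyingParty struct {
	Origin     string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random nonce; any earlier nonce for the user is superseded.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify accepts a login only if the signature covers this server's own origin and the
// challenge it issued. The challenge is consumed on the first attempt, so a captured
// (challenge, signature) pair cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	expected, pending := rp.challenges[user]
	if !ok || !pending || !bytes.Equal(expected, challenge) {
		return false
	}
	delete(rp.challenges, user)
	return ecdsa.VerifyASN1(pub, digest(rp.Origin, challenge), sig)
}

func main() {
	rp := NewRelyingParty("https://login.example") // constructed origin
	dev, _ := NewAuthenticator()
	rp.Register("alice", dev.PublicKey())
	c, _ := rp.Challenge("alice")
	sig, _ := dev.Sign(rp.Origin, c)
	fmt.Println("login under the genuine origin accepted:", rp.Verify("alice", c, sig))
}
```

In a real deployment the origin is supplied by the browser, not by the page being visited, which is what makes the binding trustworthy; the biometric on the device gates use of the private key and is never sent to the server.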
Password Fatigue and MFA Fatigue
Password fatigue also contributes to the growing problem of MFA fatigue. Once seen as the antidote to insecure passwords, multi-factor authentication has created its own set of user experience and security issues. Hackers took advantage of MFA fatigue in the MFA prompt bombing attack that recently breached Uber. In order to launch an MFA attack, attackers must first breach the password step in the authentication process. Password fatigue can make this trivial.
Conclusion
Password fatigue is a common and unsurprising reaction to the overwhelming proliferation of passwords used to access our online accounts. It’s exacerbated by supposed security mitigations such as regular password resets, or requiring lengthy passwords that use complex character combinations, and can lead to poor password hygiene that puts businesses at risk.
The only sure solution to password fatigue is to eliminate passwords from authentication processes completely. This can be done through phishing-resistant passwordless MFA solutions.
To see how HYPR can help your organization cut password fatigue by removing passwords from authentication, arrange a personal demo. To learn more about passwordless authentication basics, download our Passwordless Security 101 guide.