Forgotten Passwords Cost Companies $200,000 a Year

A recent survey of 2,000 people in the U.S. and the U.K. has found that companies lose over $420 in productivity per employee per year due to workers struggling with passwords — for a 500-person company, that’s a loss of more than $200,000 per year.

The survey, conducted by Widmeyer and sponsored by Centrify, also found that 49 percent of respondents use their personal mobile devices for business purposes, and more than a third admit they don’t use passwords on those devices even though they keep office email, confidential documents, customer contact information and budget data on them.

“I think most would agree that passwords are broken, but it’s shocking when you quantify the magnitude of what passwords are costing organizations from both an efficiency and effectivity standpoint,” Centrify CEO Tom Kemp said in a statement.

Over a quarter of respondents said they enter a password online more than 10 times a day, and over a third said they’ve been locked out of online accounts because they couldn’t remember their password.

The survey also found that consumers generally underestimate the number of account profiles they have. While almost two thirds of respondents believe they have 10 or fewer online profiles, more than a third of respondents create one new account profile per week.

That’s true even though 81 percent of respondents say they’re concerned about having their identity stolen, 80 percent are concerned about having their credit card information stolen online, and 74 percent say they’re concerned about being a victim of cybercrime.

And respondents’ password practices are far from ideal — one quarter of respondents said they always use the same password whenever possible, one quarter rotate through a variety of similar passwords, and just under a quarter use personal information in their passwords.

Only 15 percent of respondents in the U.K. and 12 percent in the U.S. believe their passwords are “very secure.”

“This underscores the demand for a better approach, whether that’s unified identity management with benefits like single sign-on and multi-factor identification for corporations, or new types of encryption systems for public websites,” Centrify’s Kemp said.

“Bottom line, it’s time to kill passwords,” he added.

Soon after the study results were published, unidentified hackers claimed to have compiled a list of almost 7 million stolen Dropbox login credentials. Dropbox stated in response that any stolen credentials were the result of password reuse.

And last month, a hacker published almost 5 million Gmail addresses and matching passwords, which Google also claimed were accessed as a result of password reuse, not through a breach of Google’s systems.

“Often, these credentials are obtained through a combination of other sources,” Google stated at the time. “For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others.”

Recent eSecurity Planet articles have offered advice on how to enforce password complexity without alienating users, and examined a variety of different tools for enforcing password policies.