You might expect companies to exhibit better password hygiene than the average person. However, an alarming number do not take precautions after an employee with access to company passwords leaves their job.
In March, PasswordManager.com surveyed 1,000 U.S. workers who had access to company passwords at their previous jobs (e.g., for company email, software, and tools) to see how many continue to use those passwords after they leave the company.
Of U.S. employees who have had access to company passwords at their previous jobs, 47% say they have used at least one of these passwords to access accounts belonging to a previous employer.
When asked how they were able to access these accounts, 58% say the passwords had not changed since they left the company, and 44% say someone currently working at the company shared the passwords with them.
Write-in responses were a bit more dramatic, and included statements such as:
“First and foremost, companies should make it 100 percent clear to their employees what the standards of care and conduct are, including what is authorized and unauthorized handling of intellectual property and proprietary information,” says Daniel Farber Huang, Head of Privacy and Cybersecurity.
“Importantly, companies should create incentives for managing information properly and also consider penalties or corrections for intentional or negligent use of information, including passwords and company accounts,” he continues. “This can be spelled out in both new hire onboarding documents as well as communications with current employees, so everyone understands what is considered standard of care.”
A small percentage of respondents say they were able to access their former employers’ accounts because they actually guessed the passwords. Write-in responses to this question included:
“Cost factor is certainly one meaningful issue for most companies lacking proper security,” continues Huang. “The other aspect is having a staff person to manage the ongoing process.”
“Let’s face it, most employees probably would not be jumping up and volunteering to be the official password wrangler. It’s too important of a role to simply outsource or pile onto a junior staffer, however, and companies should value the importance of the role accordingly,” he says.
When asked if they have been caught using passwords from their former companies, only 15% said they had. Additionally, 1 in 3 respondents say they were or have been using the passwords for upwards of two years.
It would appear that companies really aren’t keeping up on password security if respondents are able to continue using passwords for this amount of time, and the majority are not being caught.
“Beyond technical solutions or safeguards, the first line of defense is managing the human element – knowing an account password is not necessarily a problem, but making the conscious decision to use it for personal gain is a problem,” explains Huang.
When respondents were asked what they use the passwords for, 64% say they used them to access their company email, 49% to access paid tools or subscriptions, and 44% to access company data.
Twenty-eight percent of respondents say they are currently using their former employers’ passwords to access paid tools or subscriptions. Of this group, 1 in 4 say having access to these accounts saves them from having to pay $200/month or more for these tools.
“From a technical standpoint, it’s important for companies to understand what assets they have, which include services, information, and other types of accounts used by the company – whether by just a few employees or everyone – and classify or prioritize, starting with being highly valuable or critical and working down the list to what’s not as important to protect,” says Huang.
“Ideally the company creates standard operating procedures or consistent schedules of updating passwords based on criticality,” he says.
When asked to provide their reasons for needing access to former employers’ accounts, the largest group, at 56%, simply said it was for personal use. Concerningly, 10% say that they accessed these accounts in order to disrupt company activities.
“There can be huge implications for misuse of proprietary information,” warns Huang. “From an ex-employee standpoint, it’s important to keep in mind that companies always have more resources, more lawyers, and are more patient in trying to recover damages than an individual likely is.”
“Even if no legal action is ultimately taken, nobody wants to be threatened by a corporation – it’s just not worth the hassle and frustration. And I’m describing a non-malicious violation here. If someone were actually trying to inflict damage or loss on a former company, that’s a whole other scenario that can get ugly and litigious fast, and rightfully so,” he explains.
When respondents were asked to rate their former employers’ password security practices, 1 in 3 said they believe it is ‘unsafe’ (25%) or ‘very unsafe’ (6%). Interestingly enough, nearly half (47%) also say that they have had a previous employer reach out to them because they forgot or lost their passwords.
“Companies are responsible for the integrity of their operations and the safety and well-being of their people,” concludes Huang. “Presumably if a company is handling both sides well, one would hope there would be less likelihood of creating situations where a former employee would seek to inflict intentional damage.”
“This issue is one element in a broader framework of trust between entities and the individuals they rely on to operate and thrive,” he finishes.
This survey was commissioned by PasswordManager.com and conducted online by the survey platform Pollfish on March 28, 2023. In total, 1,000 participants in the U.S. completed the full survey. All participants had to meet demographic criteria ensuring they were age 25 or older and currently self-employed or employed for wages.
Additionally, respondents were screened to include only those who have had access to company passwords at their previous jobs and have used a password from a previous employer within the past five years.
The survey used a convenience sampling method, and to avoid bias from this component Pollfish employs Random Device Engagement (RDE) to ensure both random and organic surveying.